logo

fix
batch imapsync
2026-04-15 23:12:23 -05:00 · 2026-04-15 14:28:28 -05:00 · 2026-04-15 13:49:31 -05:00 · 2026-04-12 20:43:37 -05:00 · 2026-04-03 17:03:14 -05:00 · 2026-04-03 16:54:51 -05:00
112 changed files with 8288 additions and 7823 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .env
 node_modules
--- a/DMS/Dockerfile
+++ b/DMS/Dockerfile
@@ -4,7 +4,6 @@ LABEL maintainer="andreas.knuth@bayarea-cc.com"
 LABEL description="Custom DMS with Python3 support and Sieve Sync"
 # 1. Python, pip und dependencies installieren
 # croniter hinzufügen!
 RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        python3 \
@@ -20,9 +19,13 @@ WORKDIR /scripts
 COPY sync_dynamodb_to_sieve.py /scripts/sync.py
 RUN chmod +x /scripts/sync.py
-# 4. Schedule Konfiguration kopieren (Der Cron-String)
+# 4. Schedule Konfiguration kopieren
 COPY sieve-schedule /etc/sieve-schedule
 # 5. Supervisor Konfiguration kopieren
 # DMS scannt diesen Ordner beim Start
 COPY sieve-supervisor.conf /etc/supervisor/conf.d/sieve-sync.conf
 # 6. Dynamic Whitelist Script und Supervisor-Config kopieren
 COPY dynamic_whitelist.py /scripts/dynamic_whitelist.py
 RUN chmod +x /scripts/dynamic_whitelist.py
 COPY whitelist-supervisor.conf /etc/supervisor/conf.d/dynamic-whitelist.conf
--- a/DMS/batch_imapsync.sh
+++ b/DMS/batch_imapsync.sh
@@ -0,0 +1,58 @@
 #!/bin/bash
 # batch_imapsync.sh - Führt IMAP-Sync für alle User im Hintergrund aus
 # Format der CSV: email@domain.com,SecretPassword123
 HOST1=$1
 HOST2=$2
 CSV_FILE=$3
 if [ -z "$HOST1" ] || [ -z "$HOST2" ] || [ -z "$CSV_FILE" ]; then
    echo "Usage: $0 <source-host> <target-host> <users.csv>"
    echo "Beispiel: $0 secure.emailsrvr.com 147.93.132.244 stxmaterials.csv"
    exit 1
 fi
 # ======================================================================
 # Die eigentliche Sync-Funktion (wird in den Hintergrund geschickt)
 # ======================================================================
 run_sync_jobs() {
    TIMESTAMP=$(date +%Y%m%d_%H%M%S)
    LOG_DIR="sync_logs_$TIMESTAMP"
    mkdir -p "$LOG_DIR"
    echo "Beginne Sync-Lauf am $(date)" > "batch_master_${TIMESTAMP}.log"
    while IFS=, read -r email password; do
        email=$(echo "$email" | tr -d '\r' | xargs)
        password=$(echo "$password" | tr -d '\r' | xargs)
        [ -z "$email" ] && continue
        LOGFILE="$LOG_DIR/imapsync_${email}.log"
        echo "[$(date)] Syncing $email -> $LOGFILE" >> "batch_master_${TIMESTAMP}.log"
        # Führe Docker imapsync für den aktuellen User aus
        docker run --rm gilleslamiral/imapsync imapsync \
            --host1 "$HOST1" --user1 "$email" --password1 "$password" --ssl1 \
            --host2 "$HOST2" --user2 "$email" --password2 "$password" --ssl2 \
            --automap > "$LOGFILE" 2>&1 < /dev/null
    done < "$CSV_FILE"
    echo "Alle Sync-Jobs beendet am $(date)" >> "batch_master_${TIMESTAMP}.log"
 }
 # ======================================================================
 # Skript-Start: Entkopplung vom Terminal
 # ======================================================================
 echo "🚀 Starte Batch-IMAP-Sync im Hintergrund..."
 # Rufe die Funktion auf, leite alle restlichen Ausgaben ins Nichts und schicke sie in den Hintergrund (&)
 run_sync_jobs </dev/null >/dev/null 2>&1 &
 echo "✅ Der Job läuft jetzt autark im Hintergrund (sequenziell)."
 echo "Du kannst das SSH-Terminal jetzt bedenkenlos schließen!"
 echo "Überwache den Gesamtfortschritt mit:"
 echo "  tail -f batch_master_*.log"
 echo "Oder die Details eines einzelnen Postfachs mit:"
 echo "  tail -f sync_logs_*/imapsync_<email>.log"
--- a/DMS/docker-compose.yml
+++ b/DMS/docker-compose.yml
@@ -1,23 +1,26 @@
 services:
  mailserver:
    # image: docker.io/mailserver/docker-mailserver:latest  # AUSKOMMENTIERT
    build:
      context: .
      dockerfile: Dockerfile
    image: dms-custom:latest
    container_name: mailserver
-    hostname: mail.email-srvr.com
+
-    domainname: email-srvr.com
+    # Node-spezifischer Hostname - A-Record zeigt auf DIESEN Server.
    # email-srvr.com selbst zeigt auf einen anderen Server und wird hier NICHT verwendet.
    hostname: node1.email-srvr.com
    ports:
-      - "25:25"     # SMTP (parallel zu MailCow auf Port 25)
+      - "25:25"
-      - "587:587"    # SMTP Submission
+      - "587:587"
-      - "465:465"    # SMTP SSL
+      - "465:465"
-      - "143:143"    # IMAP
+      - "143:143"
-      - "993:993"    # IMAP SSL
+      - "993:993"
-      - "110:110"    # POP3
+      - "110:110"
-      - "995:995"    # POP3 SSL
+      - "995:995"
-      - "127.0.0.1:11334:11334" # Bindet nur an Localhost!
+      - "127.0.0.1:11334:11334"
    volumes:
      - ./docker-data/dms/mail-data/:/var/mail/
      - ./docker-data/dms/mail-state/:/var/mail-state/
@@ -27,67 +30,88 @@ services:
      - /etc/localtime:/etc/localtime:ro
      - ./sync_dynamodb_to_sieve.py:/scripts/sync.py:ro
      - ./sieve-cron:/etc/cron.d/sieve-sync:ro
-      - /var/lib/docker/volumes/caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.email-srvr.com:/etc/mail/certs:ro
+
      # -------------------------------------------------------
      # Caddy Zertifikate: gesamtes Cert-Verzeichnis mounten.
      #
      # Caddy legt Wildcard-Certs so ab:
      #   *.andreasknuth.de/
      #     *.andreasknuth.de.crt
      #     *.andreasknuth.de.key
      #   node1.email-srvr.com/
      #     node1.email-srvr.com.crt
      #     node1.email-srvr.com.key
      #
      # setup-dms-tls.sh referenziert per:
      #   /etc/mail/certs/*.domain/*.domain.crt|.key
      # -------------------------------------------------------
      # - /var/lib/docker/volumes/caddy_data/_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory:/etc/mail/certs:ro
      - /home/aknuth/git/email-amazon/caddy/caddy-data/caddy/certificates/acme-v02.api.letsencrypt.org-directory:/etc/mail/certs:ro
      # -------------------------------------------------------
      # Dovecot SNI Konfiguration (generiert von setup-dms-tls.sh)
      # DMS lädt /tmp/docker-mailserver/dovecot-sni.cf automatisch.
      # -------------------------------------------------------
      - ./docker-data/dms/config/dovecot-sni.cf:/etc/dovecot/conf.d/99-sni.conf:ro
    environment:
-      # Wichtig: Rspamd und andere Services deaktivieren für ersten Test
+      # -------------------------------------------------------
      # SSL Default-Cert: node1.email-srvr.com
      # Das ist das Fallback-Cert wenn kein SNI-Match gefunden wird
      # (z.B. bei direktem IP-Connect ohne Hostname).
      # Kundendomain-SNI wird über postfix-main.cf + dovecot-sni.cf gesteuert.
      # -------------------------------------------------------
      - SSL_TYPE=manual
-      # Diese Pfade beziehen sich auf das INNERE des Containers (wo wir hin mounten)
+      - SSL_CERT_PATH=/etc/mail/certs/node1.email-srvr.com/node1.email-srvr.com.crt
-      - SSL_CERT_PATH=/etc/mail/certs/mail.email-srvr.com.crt
+      - SSL_KEY_PATH=/etc/mail/certs/node1.email-srvr.com/node1.email-srvr.com.key
-      - SSL_KEY_PATH=/etc/mail/certs/mail.email-srvr.com.key     
+
      # SPAM / Rspamd
      - ENABLE_OPENDKIM=1
      - ENABLE_OPENDMARC=0
      - ENABLE_POLICYD_SPF=0
      # #### SPAM SECTION #####
      # SPAM  Rspamd aktivieren
      - ENABLE_RSPAMD=1
      # Greylisting AUS (vermeidet Verzögerungen)
      - RSPAMD_GREYLISTING=0
      # Eigene Mails NICHT scannen (vermeidet Probleme beim Senden)
      - RSPAMD_CHECK_AUTHENTICATED=0
      # Hostname Check AN (filtert Botnets, sehr sicher)
      - RSPAMD_HFILTER=1
      # Spam sortieren statt löschen (Sieve Magic)
      - MOVE_SPAM_TO_JUNK=1
      # Alte Dienste aus
      - ENABLE_AMAVIS=0
      - ENABLE_SPAMASSASSIN=0
      - ENABLE_POSTGREY=0
      # 2. ClamAV deaktivieren (Anti-Virus)
      - ENABLE_CLAMAV=0
-      # HACKERSCHUTZ (Pflicht!)
+
      # Sicherheit
      - ENABLE_FAIL2BAN=1
      # DNS Resolver (verhindert Spamhaus-Probleme)
      - ENABLE_UNBOUND=1
-      # #### END SPAM SECTION ##### 
+
-      # END SPAM SECTION
+      # Sonstige
      - ENABLE_MANAGESIEVE=0
      - ENABLE_POP3=1
      - RSPAMD_LEARN=1
      - ONE_DIR=1
      - ENABLE_UPDATE_CHECK=0
      - PERMIT_DOCKER=network
-        # - PERMIT_DOCKER=empty
+      - SPOOF_PROTECTION=0
-      - SSL_TYPE=manual
+      - ENABLE_SRS=0
-      - SSL_CERT_PATH=/tmp/docker-mailserver/ssl/cert.pem
+      - LOG_LEVEL=info
-      - SSL_KEY_PATH=/tmp/docker-mailserver/ssl/key.pem
+
-      # Amazon SES SMTP Relay
+      # Amazon SES Relay
      - RELAY_HOST=email-smtp.us-east-2.amazonaws.com
      - RELAY_PORT=587
      - RELAY_USER=${SES_SMTP_USER}
      - RELAY_PASSWORD=${SES_SMTP_PASSWORD}
-      # Content Filter AWS Credentials
+
      # AWS Credentials
      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
      - AWS_REGION=us-east-2
-      # Weitere Einstellungen
+
-      - POSTFIX_OVERRIDE_HOSTNAME=email-srvr.com
+      # Postfix
      # POSTFIX_OVERRIDE_HOSTNAME: Was Postfix im EHLO/HELO Banner sendet.
      # node1.email-srvr.com passt zum TLS-Cert und ist der echte Hostname.
      - POSTFIX_OVERRIDE_HOSTNAME=node1.email-srvr.com
      - POSTFIX_MYNETWORKS=172.16.0.0/12 172.17.0.0/12 172.18.0.0/12 [::1]/128 [fe80::]/64
      - POSTFIX_MAILBOX_SIZE_LIMIT=0
      - POSTFIX_MESSAGE_SIZE_LIMIT=0
-      - SPOOF_PROTECTION=0
+
      - ENABLE_SRS=0
      # Debug-Einstellungen
      - LOG_LEVEL=info
    cap_add:
      - NET_ADMIN
      - SYS_PTRACE
@@ -95,8 +119,8 @@ services:
    networks:
      mail_network:
        aliases:
          - mail.email-srvr.com
          - mailserver
          - node1.email-srvr.com
  roundcube:
    image: roundcube/roundcubemail:latest
@@ -111,18 +135,24 @@ services:
      - ROUNDCUBEMAIL_DB_NAME=roundcube
      - ROUNDCUBEMAIL_DB_USER=roundcube
      - ROUNDCUBEMAIL_DB_PASSWORD=${ROUNDCUBE_DB_PASSWORD}
-      # Einfache Konfiguration ohne SSL-Probleme (für ersten Test)
+      # Roundcube verbindet intern über den Docker-Alias
-      - ROUNDCUBEMAIL_DEFAULT_HOST=ssl://mail.email-srvr.com
+      - ROUNDCUBEMAIL_DEFAULT_HOST=ssl://node1.email-srvr.com
      - ROUNDCUBEMAIL_DEFAULT_PORT=993
-      - ROUNDCUBEMAIL_SMTP_SERVER=tls://mail.email-srvr.com
+      # Interner Traffic ohne TLS
-      - ROUNDCUBEMAIL_SMTP_PORT=587
+      - ROUNDCUBEMAIL_SMTP_SERVER=ssl://node1.email-srvr.com
-      #- ROUNDCUBEMAIL_PLUGINS=password,email_config,managesieve
+      - ROUNDCUBEMAIL_SMTP_PORT=465
      # WICHTIG: Variablen LEER lassen, damit Roundcube keine Authentifizierung versucht!
      - ROUNDCUBEMAIL_SMTP_USER=
      - ROUNDCUBEMAIL_SMTP_PASSWORD=
      - ROUNDCUBEMAIL_PLUGINS=password,email_config
-    # In docker-compose.yml bei roundcube hinzufügen:
+      # NEU: Schaltet die strikte PHP-Zertifikatsprüfung für interne Verbindungen ab
      - ROUNDCUBEMAIL_IMAP_CONN_OPTIONS={"ssl":{"verify_peer":false,"verify_peer_name":false}}
      - ROUNDCUBEMAIL_SMTP_CONN_OPTIONS={"ssl":{"verify_peer":false,"verify_peer_name":false}}      
    ports:
-      - "8888:80"  # Host:Container      
+      - "8888:80"
    volumes:
-      - ./docker-data/roundcube/config:/var/roundcube/config
+      # - ./docker-data/roundcube/config:/var/www/html/config
      - ./docker-data/roundcube/plugins/email_config:/var/www/html/plugins/email_config:ro
    networks:
      - mail_network
--- a/DMS/docker-data/dms/config/dovecot.cf
+++ b/DMS/docker-data/dms/config/dovecot.cf
@@ -0,0 +1,3 @@
 # Eigene Dovecot-Optimierungen für Outlook
 mail_max_userip_connections = 50
 imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
--- a/DMS/docker-data/dms/config/fail2ban-jail.cf
+++ b/DMS/docker-data/dms/config/fail2ban-jail.cf
@@ -0,0 +1,11 @@
 [DEFAULT]
 # Whitelist: Localhost, private Docker-Netze und die Budd Electric Office-IP
 ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 24.155.193.233 69.223.70.143 24.155.193.233
 [dovecot]
 # Erhöht die Anzahl der erlaubten Fehlversuche auf 20
 maxretry = 20
 [postfix]
 # Erhöht die Anzahl der erlaubten Fehlversuche auf 20
 maxretry = 20
--- a/DMS/docker-data/dms/config/rspamd/local.d/multimap.conf
+++ b/DMS/docker-data/dms/config/rspamd/local.d/multimap.conf
@@ -0,0 +1,8 @@
 DOCKER_WL {
  type = "from";
  filter = "email:domain";
  map = "/etc/rspamd/override.d/docker_whitelist.map";
  symbol = "DOCKER_WHITELIST";
  description = "Whitelist fuer eigene Domains";
  score = -50.0;
 }
--- a/DMS/docker-data/dms/config/rspamd/override.d/actions.conf
+++ b/DMS/docker-data/dms/config/rspamd/override.d/actions.conf
@@ -0,0 +1,4 @@
 # Standard-Aktionen überschreiben
 reject = 500;      # Erst ab 500 Punkten ablehnen (passiert nie)
 add_header = 6;    # Ab 6 Punkten: X-Spam Header setzen
 greylist = 500;    # Greylisting faktisch deaktivieren (Schwellwert unerreichbar hoch)
--- a/DMS/docker-data/dms/config/rspamd/override.d/docker_whitelist.map
+++ b/DMS/docker-data/dms/config/rspamd/override.d/docker_whitelist.map
--- a/DMS/docker-data/dms/config/rspamd/override.d/force_actions.conf
+++ b/DMS/docker-data/dms/config/rspamd/override.d/force_actions.conf
@@ -0,0 +1,6 @@
 rules {
  DOCKER_WHITELIST_FORCE {
    action = "no action";
    expression = "DOCKER_WHITELIST";
  }
 }
--- a/DMS/docker-data/dms/config/rspamd/override.d/greylist.conf
+++ b/DMS/docker-data/dms/config/rspamd/override.d/greylist.conf
@@ -0,0 +1 @@
 enabled = false;
--- a/DMS/docker-data/dms/config/rspamd/override.d/worker-controller.inc
+++ b/DMS/docker-data/dms/config/rspamd/override.d/worker-controller.inc
@@ -0,0 +1 @@
 password = "$2$eitni68mkfaaq957jx3bcx57sg1mmd9c$d9xyhjmmih7sjm3fpfu7r7tshhfm4ud93km65w5dkh151f5phiiy";
--- a/DMS/docker-data/dms/config/ssl/cert.pem
+++ b/DMS/docker-data/dms/config/ssl/cert.pem
@@ -1,49 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDljCCAxugAwIBAgISBjozmCOOzvH/aTFaP5JdZIt8MAoGCCqGSM49BAMDMDIx
 CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
 NzAeFw0yNTExMTcyMDU0NDFaFw0yNjAyMTUyMDU0NDBaMB4xHDAaBgNVBAMTE21h
 aWwuZW1haWwtc3J2ci5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQzcUl7
 crboIHaausaf+PKcQ9Q1YnitEYptUCnmLXV4rrBL8wJuqK2nXziFFL/TIoquuJV5
 N+BuJaoGppdFJCmqo4ICIzCCAh8wDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQG
 CCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRF9u/n
 S60FfiVi+hzhYw+caKfkjDAfBgNVHSMEGDAWgBSuSJ7chx1EoG/aouVgdAR4wpwA
 gDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly9lNy5pLmxlbmNy
 Lm9yZy8wHgYDVR0RBBcwFYITbWFpbC5lbWFpbC1zcnZyLmNvbTATBgNVHSAEDDAK
 MAgGBmeBDAECATAuBgNVHR8EJzAlMCOgIaAfhh1odHRwOi8vZTcuYy5sZW5jci5v
 cmcvMTI1LmNybDCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AEmcm2neHXzs/Dbe
 zYdkprhbrwqHgBnRVVL76esp3fjDAAABmpPOvpoAAAQDAEgwRgIhAP/5ucrprAoN
 1yatL9NMD2g6lz5APNoj0tUPCPrCuCRXAiEA0GaG6fEcQfNnfpAbu/owF7llP8E9
 0RXRi7HAdeZxEAQAdgAOV5S8866pPjMbLJkHs/eQ35vCPXEyJd0hqSWsYcVOIQAA
 AZqTzr6aAAAEAwBHMEUCIQCMbarF0Pg8Keb3aMua184bxbQcKOGAn4OVjv61fdp8
 hgIgVT30nW0H2VJwIK7LVJoCVKCAvBLBkvs9/DwyHwaF7SgwCgYIKoZIzj0EAwMD
 aQAwZgIxAPpXnIr1uy/hUpYVDh3BTOzt6kA50/CBWMqXUHM+V4zSSy7L7zSMueEF
 FQBbqlqpfgIxAOncbLTJKRIixUPQ0tpDrpZzcrrqkHlsAVTkfrhVaWx8NE91wdvk
 e3KIaDlcBV+1KQ==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIEVzCCAj+gAwIBAgIRAKp18eYrjwoiCWbTi7/UuqEwDQYJKoZIhvcNAQELBQAw
 TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
 cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
 WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
 RW5jcnlwdDELMAkGA1UEAxMCRTcwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARB6AST
 CFh/vjcwDMCgQer+VtqEkz7JANurZxLP+U9TCeioL6sp5Z8VRvRbYk4P1INBmbef
 QHJFHCxcSjKmwtvGBWpl/9ra8HW0QDsUaJW2qOJqceJ0ZVFT3hbUHifBM/2jgfgw
 gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
 ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSuSJ7chx1EoG/aouVgdAR4
 wpwAgDAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB
 AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g
 BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu
 Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAjx66fDdLk5ywFn3CzA1w1qfylHUD
 aEf0QZpXcJseddJGSfbUUOvbNR9N/QQ16K1lXl4VFyhmGXDT5Kdfcr0RvIIVrNxF
 h4lqHtRRCP6RBRstqbZ2zURgqakn/Xip0iaQL0IdfHBZr396FgknniRYFckKORPG
 yM3QKnd66gtMst8I5nkRQlAg/Jb+Gc3egIvuGKWboE1G89NTsN9LTDD3PLj0dUMr
 OIuqVjLB8pEC6yk9enrlrqjXQgkLEYhXzq7dLafv5Vkig6Gl0nuuqjqfp0Q1bi1o
 yVNAlXe6aUXw92CcghC9bNsKEO1+M52YY5+ofIXlS/SEQbvVYYBLZ5yeiglV6t3S
 M6H+vTG0aP9YHzLn/KVOHzGQfXDP7qM5tkf+7diZe7o2fw6O7IvN6fsQXEQQj8TJ
 UXJxv2/uJhcuy/tSDgXwHM8Uk34WNbRT7zGTGkQRX0gsbjAea/jYAoWv0ZvQRwpq
 Pe79D/i7Cep8qWnA+7AE/3B3S/3dEEYmc0lpe1366A/6GEgk3ktr9PEoQrLChs6I
 tu3wnNLB2euC8IKGLQFpGtOO/2/hiAKjyajaBP25w1jF0Wl8Bbqne3uZ2q1GyPFJ
 YRmT7/OXpmOH/FVLtwS+8ng1cAmpCujPwteJZNcDG0sF2n/sc0+SQf49fdyUK0ty
 +VUwFj9tmWxyR/M=
 -----END CERTIFICATE-----
--- a/DMS/docker-data/dms/config/ssl/key.pem
+++ b/DMS/docker-data/dms/config/ssl/key.pem
@@ -1,5 +0,0 @@
 -----BEGIN EC PRIVATE KEY-----
 MHcCAQEEIFvBg5uuw4K36qMR6CYx09cfDcSPJOsCtQi/M/HKSYN1oAoGCCqGSM49
 AwEHoUQDQgAEM3FJe3K26CB2mrrGn/jynEPUNWJ4rRGKbVAp5i11eK6wS/MCbqit
 p184hRS/0yKKrriVeTfgbiWqBqaXRSQpqg==
 -----END EC PRIVATE KEY-----
--- a/DMS/docker-data/dms/config/user-patches.sh
+++ b/DMS/docker-data/dms/config/user-patches.sh
@@ -0,0 +1,47 @@
 #!/bin/bash
 # user-patches.sh laeuft bei jedem Start von DMS automatisch
 ACCOUNTS_FILE="/tmp/docker-mailserver/postfix-accounts.cf"
 WHITELIST_FILE="/etc/rspamd/override.d/docker_whitelist.map"
 # --- Rspamd Whitelist generieren ---
 STATIC_DOMAINS=(
  "bayarea-cc.com"
  "ruehrgedoens.de"
  "annavillesda.org"
  "bizmatch.net"
  "biz-match.com"
  "qrmaster.net"
  "nqsltd.com"
  "iitwelders.com"
 )
 echo "Patching: Generiere Rspamd Whitelist aus Accounts + statischen Domains..."
 {
  for domain in "${STATIC_DOMAINS[@]}"; do
    echo "$domain"
  done
  if [ -f "$ACCOUNTS_FILE" ]; then
    awk -F'|' '{print $1}' "$ACCOUNTS_FILE" | cut -d'@' -f2
  fi
 } | sort | uniq > "$WHITELIST_FILE"
 chmod 644 "$WHITELIST_FILE"
 chown _rspamd:_rspamd "$WHITELIST_FILE" 2>/dev/null || true
 echo "Whitelist erstellt:"
 cat "$WHITELIST_FILE"
 # --- local.d configs manuell kopieren (DMS kopiert local.d nicht automatisch) ---
 echo "Patching: Kopiere custom rspamd local.d configs..."
 SRC="/tmp/docker-mailserver/rspamd/local.d"
 DST="/etc/rspamd/local.d"
 if [ -d "$SRC" ]; then
  for f in "$SRC"/*; do
    [ -f "$f" ] || continue
    cp "$f" "$DST/$(basename "$f")"
    chown root:root "$DST/$(basename "$f")"
    chmod 644 "$DST/$(basename "$f")"
    echo "  Kopiert: $(basename "$f") -> $DST/"
  done
 fi
--- a/DMS/docker-data/roundcube/config/config.inc.php
+++ b/DMS/docker-data/roundcube/config/config.inc.php
@@ -0,0 +1,16 @@
 <?php
 // WICHTIG: Zuerst die vom Docker-Container generierte Config einbinden!
 // Deine Overrides (hier wird alles überschrieben, was wir brauchen)
 $config['smtp_server'] = 'ssl://mailserver';
 $config['smtp_port']   = 465;
 $config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'allow_self_signed' => true,
    ),
 );
 $config['language'] = 'en_US';
--- a/DMS/dynamic_whitelist.py
+++ b/DMS/dynamic_whitelist.py
@@ -0,0 +1,87 @@
 #!/usr/bin/env python3
 import os
 import re
 import time
 import subprocess
 import threading
 from datetime import datetime
 try:
    from croniter import croniter
 except ImportError:
    print("Bitte 'croniter' via pip installieren!")
    exit(1)
 LOG_FILE = '/var/log/mail/mail.log'
 WHITELIST_DURATION_SEC = 24 * 60 * 60 # 24 Stunden
 CRON_SCHEDULE = "0 * * * *" # Jede Stunde
 active_ips = {}
 # Regex für Dovecot IMAP/POP3 erfolgreiche Logins
 LOGIN_REGEX = re.compile(r"dovecot: (?:imap|pop3)-login: Login: user=<[^>]+>.*rip=([0-9]{1,3}(?:\.[0-9]{1,3}){3}),")
 # Private Netze (Docker/Local) ignorieren
 IGNORE_REGEX = re.compile(r"^(172\.|10\.|192\.168\.|127\.)")
 def run_command(cmd):
    try:
        subprocess.run(cmd, shell=True, check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except Exception as e:
        print(f"Fehler bei: {cmd} - {e}")
 def cleanup_job():
    """Cron-Thread für das stündliche Aufräumen abgelaufener IPs."""
    iter = croniter(CRON_SCHEDULE, datetime.now())
    while True:
        next_run = iter.get_next(datetime)
        sleep_seconds = (next_run - datetime.now()).total_seconds()
        if sleep_seconds > 0:
            time.sleep(sleep_seconds)
        print(f"[{datetime.now()}] Starte stündlichen Whitelist-Cleanup...")
        now = time.time()
        expired_ips = [ip for ip, timestamp in active_ips.items() if now - timestamp > WHITELIST_DURATION_SEC]
        for ip in expired_ips:
            print(f"[{datetime.now()}] Whitelist für {ip} abgelaufen. Entferne...")
            run_command(f"fail2ban-client set dovecot delignoreip {ip}")
            run_command(f"fail2ban-client set postfix delignoreip {ip}")
            del active_ips[ip]
 def follow_log():
    """Verwendet System 'tail -F', da dies Log-Rotation automatisch handhabt."""
    print(f"[{datetime.now()}] Dynamic Whitelist Monitor gestartet...")
    while not os.path.exists(LOG_FILE):
        time.sleep(2)
    process = subprocess.Popen(['tail', '-F', LOG_FILE], stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    for line in process.stdout:
        match = LOGIN_REGEX.search(line)
        if match:
            ip = match.group(1)
            if IGNORE_REGEX.match(ip):
                continue
            now = time.time()
            # Neue IP in die Fail2ban Whitelist eintragen
            if ip not in active_ips:
                print(f"[{datetime.now()}] Neuer erfolgreicher Login von {ip}. Setze auf Whitelist...")
                run_command(f"fail2ban-client set dovecot addignoreip {ip}")
                run_command(f"fail2ban-client set postfix addignoreip {ip}")
            # Timestamp (Last Seen) aktualisieren
            active_ips[ip] = now
 if __name__ == '__main__':
    # Warte kurz, bis Fail2ban nach einem Container-Start hochgefahren ist
    time.sleep(15)
    # Cron-Cleanup im Hintergrund starten
    threading.Thread(target=cleanup_job, daemon=True).start()
    # Log-Überwachung in der Endlosschleife starten
    follow_log()
--- a/DMS/run_sync.sh
+++ b/DMS/run_sync.sh
@@ -0,0 +1,41 @@
 #!/bin/bash
 # 1. Prüfen, ob die Umgebungsvariablen HOST1 und HOST2 gesetzt sind
 if [ -z "$HOST1" ] || [ -z "$HOST2" ]; then
  echo "Fehler: Die Umgebungsvariablen HOST1 und/oder HOST2 sind nicht gesetzt."
  echo "Bitte setze diese vor dem Ausführen des Skripts, zum Beispiel mit:"
  echo 'export HOST1="65.254.254.50"'
  echo 'export HOST2="147.93.132.244"'
  exit 1
 fi
 # 2. E-Mail-Adresse interaktiv abfragen
 read -p "Bitte E-Mail-Adresse eingeben: " EMAIL
 # 3. Passwort interaktiv und unsichtbar (-s) abfragen
 read -s -p "Bitte Passwort eingeben: " PASSWORD
 echo "" # Zeilenumbruch für eine saubere Darstellung nach der Passworteingabe
 # 4. Log-Datei mit Zeitstempel und E-Mail definieren
 LOGFILE="imapsync_${EMAIL}_$(date +%Y%m%d_%H%M%S).log"
 echo "Starte imapsync für $EMAIL..."
 echo "Quell-Host (HOST1): $HOST1"
 echo "Ziel-Host (HOST2): $HOST2"
 echo "Logs werden gespeichert in: $LOGFILE"
 echo "---------------------------------------------------"
 # 5. Docker-Container ausführen und Output mit 'tee' loggen
 docker run --rm -i gilleslamiral/imapsync imapsync \
  --host1 "$HOST1" \
  --user1 "$EMAIL" \
  --password1 "$PASSWORD" \
  --ssl1 \
  --host2 "$HOST2" \
  --user2 "$EMAIL" \
  --password2 "$PASSWORD" \
  --ssl2 \
  --automap 2>&1 | tee "$LOGFILE"
 echo "---------------------------------------------------"
 echo "Sync abgeschlossen. Das vollständige Log findest du in: $LOGFILE"
--- a/DMS/setup-dms-tls.sh
+++ b/DMS/setup-dms-tls.sh
@@ -0,0 +1,207 @@
 #!/bin/bash
 # setup-dms-tls.sh
 # Gehört ins Root-Verzeichnis des DMS (neben docker-compose.yml).
 #
 # Generiert Dovecot- und Postfix-SNI-Konfigurationen für Multi-Domain TLS.
 # Liest Domains aus dem laufenden DMS und erstellt:
 #   - docker-data/dms/config/dovecot-sni.cf
 #   - docker-data/dms/config/postfix-main.cf
 #   - docker-data/dms/config/postfix-sni.map (NEU für Postfix SNI)
 #
 # Cert-Konvention (Caddy Wildcard):
 #   Caddy speichert *.domain.tld unter: wildcard_.domain.tld/wildcard_.domain.tld.crt
 #   Im Container (gemountet unter /etc/mail/certs):
 #     /etc/mail/certs/wildcard_.domain.tld/wildcard_.domain.tld.crt
 #     /etc/mail/certs/wildcard_.domain.tld/wildcard_.domain.tld.key
 #
 # Usage:
 #   ./setup-dms-tls.sh
 #   DMS_CONTAINER=mailserver NODE_HOSTNAME=node1.email-srvr.com ./setup-dms-tls.sh
 set -e
 DMS_CONTAINER=${DMS_CONTAINER:-"mailserver"}
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 CONFIG_DIR="$SCRIPT_DIR/docker-data/dms/config"
 CERTS_BASE_PATH=${CERTS_BASE_PATH:-"/etc/mail/certs"}
 # Node-Hostname: Fallback-Cert für DMS (kein Wildcard, direktes Cert)
 # Muss mit dem 'hostname' in docker-compose.yml übereinstimmen.
 NODE_HOSTNAME=${NODE_HOSTNAME:-"node1.email-srvr.com"}
 echo "============================================================"
 echo " 🔐 DMS TLS SNI Setup (Multi-Domain)"
 echo " DMS Container: $DMS_CONTAINER"
 echo " Config Dir:    $CONFIG_DIR"
 echo " Certs Base:    $CERTS_BASE_PATH"
 echo " Node Hostname: $NODE_HOSTNAME"
 echo "============================================================"
 # --- Domains aus DMS lesen ---
 echo ""
 echo "📋 Lese Domains aus DMS..."
 DOMAINS=$(docker exec "$DMS_CONTAINER" setup email list 2>/dev/null \
    | grep -oP '(?<=@)[^\s]+' \
    | sort -u)
 if [ -z "$DOMAINS" ]; then
    echo "❌ Keine Accounts im DMS gefunden!"
    echo "   Bitte zuerst anlegen: ./manage_mail_user.sh add user@domain.com PW"
    exit 1
 fi
 echo "   Gefundene Domains:"
 for d in $DOMAINS; do echo "   - $d"; done
 # --- Cert-Pfad Hilfsfunktionen ---
 wildcard_cert_path() {
    echo "$CERTS_BASE_PATH/wildcard_.${1}/wildcard_.${1}.crt"
 }
 wildcard_key_path() {
    echo "$CERTS_BASE_PATH/wildcard_.${1}/wildcard_.${1}.key"
 }
 # --- Cert-Verfügbarkeit im Container prüfen ---
 echo ""
 echo "🔍 Prüfe Zertifikat-Verfügbarkeit..."
 DOMAINS_OK=""
 DOMAINS_MISSING=""
 for domain in $DOMAINS; do
    CERT_PATH=$(wildcard_cert_path "$domain")
    KEY_PATH=$(wildcard_key_path "$domain")
    if docker exec "$DMS_CONTAINER" test -f "$CERT_PATH" 2>/dev/null; then
        echo "   ✅ $domain → $CERT_PATH"
        DOMAINS_OK="$DOMAINS_OK $domain"
    else
        echo "   ⚠️  $domain → KEIN Cert unter $CERT_PATH"
        echo "         → update-caddy-certs.sh ausführen + caddy reload!"
        DOMAINS_MISSING="$DOMAINS_MISSING $domain"
    fi
 done
 # Node-Hostname Cert prüfen (direktes Cert, kein Wildcard)
 NODE_CERT_PATH="$CERTS_BASE_PATH/$NODE_HOSTNAME/$NODE_HOSTNAME.crt"
 NODE_KEY_PATH="$CERTS_BASE_PATH/$NODE_HOSTNAME/$NODE_HOSTNAME.key"
 if docker exec "$DMS_CONTAINER" test -f "$NODE_CERT_PATH" 2>/dev/null; then
    echo "   ✅ $NODE_HOSTNAME → Cert vorhanden (Node Default)"
 else
    echo "   ⚠️  $NODE_HOSTNAME → KEIN Cert! Caddy-Block im Caddyfile prüfen."
 fi
 if [ -n "$DOMAINS_MISSING" ]; then
    echo ""
    echo "   ⚠️  Fehlende Certs:$DOMAINS_MISSING"
    echo "   Diese Domains werden NICHT in SNI-Config eingetragen."
 fi
 if [ -z "$DOMAINS_OK" ]; then
    echo "❌ Kein einziges Kundendomain-Cert gefunden!"
    echo "   Bitte zuerst update-caddy-certs.sh ausführen + caddy reload abwarten."
    exit 1
 fi
 # ================================================================
 # DOVECOT SNI Konfiguration
 # ================================================================
 DOVECOT_CFG="$CONFIG_DIR/dovecot-sni.cf"
 echo ""
 echo "📝 Generiere: $DOVECOT_CFG"
 cat > "$DOVECOT_CFG" << 'HEADER'
 # dovecot-sni.cf - Automatisch generiert von setup-dms-tls.sh
 # SNI-basierte Zertifikat-Auswahl für Dovecot (IMAP/POP3).
 # Dovecot liest dieses File über den Volume-Mount in /tmp/docker-mailserver/
 # und wendet es automatisch an.
 HEADER
 for domain in $DOMAINS_OK; do
    CERT_PATH=$(wildcard_cert_path "$domain")
    KEY_PATH=$(wildcard_key_path "$domain")
    cat >> "$DOVECOT_CFG" << EOF
 # $domain
 local_name mail.$domain {
  ssl_cert = <$CERT_PATH
  ssl_key  = <$KEY_PATH
 }
 local_name imap.$domain {
  ssl_cert = <$CERT_PATH
  ssl_key  = <$KEY_PATH
 }
 local_name smtp.$domain {
  ssl_cert = <$CERT_PATH
  ssl_key  = <$KEY_PATH
 }
 local_name pop.$domain {
  ssl_cert = <$CERT_PATH
  ssl_key  = <$KEY_PATH
 }
 EOF
 done
 echo "   ✅ Dovecot SNI: $(echo $DOMAINS_OK | wc -w) Domain(s)"
 # ================================================================
 # POSTFIX SNI Konfiguration (Neu geschrieben für echte SNI Maps)
 # ================================================================
 POSTFIX_CFG="$CONFIG_DIR/postfix-main.cf"
 POSTFIX_MAP="$CONFIG_DIR/postfix-sni.map"
 echo ""
 echo "📝 Generiere: $POSTFIX_CFG und $POSTFIX_MAP"
 if [ -f "$POSTFIX_CFG" ]; then
    cp "$POSTFIX_CFG" "${POSTFIX_CFG}.bak.$(date +%Y%m%d%H%M%S)"
 fi
 # 1. postfix-main.cf erstellen
 cat > "$POSTFIX_CFG" << POSTFIX_EOF
 # postfix-main.cf - Automatisch generiert von setup-dms-tls.sh
 # 
 # 1. Fallback-Zertifikat (Wird genutzt, wenn kein SNI-Match gefunden wird)
 smtpd_tls_chain_files = ${NODE_KEY_PATH}, ${NODE_CERT_PATH}
 # 2. SNI-Mapping aktivieren
 # Wir nutzen 'texthash', damit Postfix die Map direkt lesen kann, 
 # ohne dass 'postmap' ausgeführt werden muss!
 tls_server_sni_maps = texthash:/tmp/docker-mailserver/postfix-sni.map
 POSTFIX_EOF
 # 2. postfix-sni.map erstellen
 echo "# postfix-sni.map - Automatisch generiert (Format: host key_pfad cert_pfad)" > "$POSTFIX_MAP"
 for domain in $DOMAINS_OK; do
    KEY_PATH=$(wildcard_key_path "$domain")
    CERT_PATH=$(wildcard_cert_path "$domain")
    cat >> "$POSTFIX_MAP" << EOF
 mail.${domain} ${KEY_PATH} ${CERT_PATH}
 smtp.${domain} ${KEY_PATH} ${CERT_PATH}
 imap.${domain} ${KEY_PATH} ${CERT_PATH}
 pop.${domain}  ${KEY_PATH} ${CERT_PATH}
 ${domain}      ${KEY_PATH} ${CERT_PATH}
 EOF
 done
 echo "   ✅ Postfix SNI: $(echo $DOMAINS_OK | wc -w) Domain(s) konfiguriert"
 # ================================================================
 # Zusammenfassung
 # ================================================================
 echo ""
 echo "============================================================"
 echo "✅ Konfigurationen generiert."
 echo ""
 echo "🔄 Lade Postfix und Dovecot neu (ohne Downtime)..."
 docker exec "$DMS_CONTAINER" postfix reload || echo "⚠️ Postfix Reload fehlgeschlagen"
 docker exec "$DMS_CONTAINER" dovecot reload || echo "⚠️ Dovecot Reload fehlgeschlagen"
 echo ""
 echo "📋 Nächste Schritte:"
 echo ""
 echo "1. TLS testen (SNI):"
 for domain in $DOMAINS_OK; do
    echo "   openssl s_client -connect mail.$domain:993 -servername mail.$domain 2>/dev/null | grep 'subject\|issuer'"
 done
 echo "============================================================"
--- a/DMS/sync_dynamodb_to_sieve.py
+++ b/DMS/sync_dynamodb_to_sieve.py
@@ -1,9 +1,7 @@
 #!/usr/bin/env python3
 """
 sync_dynamodb_to_sieve.py - Sync DynamoDB rules to Dovecot Sieve
 """
 import boto3
 import os
 import shutil
 from pathlib import Path
 import json
 import time
@@ -41,7 +39,7 @@ def generate_sieve(email, rules):
    if forwards:
        lines.append('# rule:[forward]')
        for fwd in forwards:
-            lines.append(f'redirect :copy "{fwd}";')
+           lines.append(f'redirect :copy "{fwd}";')
        lines.append('')
    # OOO
@@ -58,105 +56,165 @@ def generate_sieve(email, rules):
                '',
                msg,
                '.',
-                ';' # <--- HIER WAR DER FEHLER
+                ';'
            ])
        else:
            # Sicherheitshalber JSON dump für escaping von Anführungszeichen nutzen
            safe_msg = json.dumps(msg, ensure_ascii=False)
            lines.append(f'vacation :days 1 :from "{email}" {safe_msg};')
    return '\n'.join(lines) + '\n'
-def sync():
+def deactivate_sieve(email, mailbox_home):
-    """Sync all rules from DynamoDB to Sieve"""
+    """
-    response = table.scan()
+    SICHERHEITS-VARIANTE:
    Überschreibt das Sieve-Skript mit einem leeren 'keep;', 
    anstatt Dateien zu löschen.
    """
-    for item in response.get('Items', []):
+    # Pfad zur aktiven Datei
-        email = item['email_address']
+    sieve_path = mailbox_home / '.dovecot.sieve'
        domain = email.split('@')[1]
        user = email.split('@')[0]
-        # Path: /var/mail/domain.de/user/.dovecot.sieve
+    # Inhalt: Nur "keep;" -> Mail behalten, nichts tun.
-        mailbox_dir = Path(VMAIL_BASE) / domain / user
+    safe_content = (
        '# Script deactivated by DynamoDB Sync (User not in DB)\n'
        'keep;\n'
    )
-        # Skip if mailbox doesn't exist
+    # Prüfen, ob wir überhaupt etwas tun müssen (um unnötige Schreibvorgänge zu meiden)
-        if not mailbox_dir.exists():
+    # Wenn der Inhalt schon "keep;" ist, brechen wir ab.
-            print(f'⚠ Skipped {email} (mailbox not found)')
+    if sieve_path.exists() and not sieve_path.is_symlink():
-            continue
+        try:
            current_content = sieve_path.read_text()
            if "Script deactivated" in current_content:
                return # Ist schon deaktiviert
        except:
            pass
-        sieve_path = mailbox_dir / '.dovecot.sieve'
+    # Datei sicher schreiben (überschreibt auch Symlinks, wenn os.open genutzt wird, 
    # aber pathlib write_text folgt symlinks oder überschreibt file).
    # Um sicher zu gehen, dass wir keinen Symlink auf eine Systemdatei überschreiben:
    if sieve_path.is_symlink():
        try:
            os.unlink(sieve_path) # Link entfernen
        except OSError:
            pass
-        # Generate & write
+    try:
-        script = generate_sieve(email, item)
+        sieve_path.write_text(safe_content)
        sieve_path.write_text(script)
-        # Compile
+        # Kompilieren (wichtig, damit Dovecot die Änderung sofort sieht)
        os.system(f'sievec {sieve_path}')
-        # Copy to sieve dir
+        # Ownership sicherstellen
-        sieve_dir = mailbox_dir / 'sieve'
+        os.system(f'chown docker:docker {sieve_path}')
        sieve_dir.mkdir(exist_ok=True)
        managed_script = sieve_dir / 'default.sieve'
        managed_script.write_text(script)
        os.system(f'sievec {managed_script}')
-        # Ownership
+        print(f'⚪ {email} (Regeln deaktiviert/geleert)')
        os.system(f'chown -R docker:docker {sieve_dir}')
-        # Aktivieren mit doveadm sieve put
+    except Exception as e:
-        os.system(f'doveadm sieve put -u {email} -a default {managed_script}')
+        print(f"Fehler beim Deaktivieren von {email}: {e}")
 def sync():
    """Sync logic"""
    # 1. DB Status abrufen
    try:
        response = table.scan()
        db_users = {item['email_address']: item for item in response.get('Items', [])}
    except Exception as e:
        print(f"FATAL: Konnte DynamoDB nicht lesen ({e}). Breche ab, um keine Regeln zu löschen.")
        return
    # 2. Filesystem scannen
    base_path = Path(VMAIL_BASE)
    if not base_path.exists():
        print("Warnung: /var/mail existiert nicht.")
        return
    # Iteriere durch Domains
    for domain_dir in base_path.iterdir():
        if not domain_dir.is_dir(): continue
        # Iteriere durch User
        for user_dir in domain_dir.iterdir():
            if not user_dir.is_dir(): continue
            user = user_dir.name
            domain = domain_dir.name
            email = f"{user}@{domain}"
            # WICHTIG: Wir arbeiten NUR im 'home' Unterordner
            # Die Mails liegen in user_dir/cur etc. -> Die fassen wir nicht an.
            mailbox_home = user_dir / 'home'
            # --- FALL A: User ist in der DB (Update) ---
            if email in db_users:
                item = db_users[email]
                if not mailbox_home.exists():
                    mailbox_home.mkdir(exist_ok=True)
                    os.system(f'chown docker:docker {mailbox_home}')
                sieve_path = mailbox_home / '.dovecot.sieve'
                script = generate_sieve(email, item)
                sieve_path.write_text(script)
                os.system(f'sievec {sieve_path}')
                # Ownership
                os.system(f'chown docker:docker {sieve_path}')
                # (Optional) Auch in den sieve/ Ordner spiegeln für Roundcube Kompatibilität
                sieve_dir = mailbox_home / 'sieve'
                if sieve_dir.exists():
                     managed_script = sieve_dir / 'default.sieve'
                     managed_script.write_text(script)
                     os.system(f'sievec {managed_script}')
                     os.system(f'chown -R docker:docker {sieve_dir}')
                print(f'✓ {email}')
            # --- FALL B: User ist NICHT in DB (Deaktivieren) ---
            else:
                # Nur wenn der Home-Ordner existiert (wir legen keine Leichen für nicht-existente User an)
                if mailbox_home.exists():
                    deactivate_sieve(email, mailbox_home)
        print(f'✓ {email}')
 def wait_for_dovecot():
    """Wartet, bis der Dovecot Auth Socket verfügbar ist."""
    # Der Pfad zum Socket, über den doveadm kommuniziert
    socket_path = '/var/run/dovecot/auth-userdb'
    print("⏳ Warte auf Dovecot Start...")
    while not os.path.exists(socket_path):
        print(f"   ... Socket {socket_path} noch nicht da. Schlafe 5s.")
        time.sleep(5)
    print("✅ Dovecot ist bereit!")
 if __name__ == '__main__':
    # 1. Erst warten, bis Dovecot da ist, sonst hagelt es Fehler beim Start
    wait_for_dovecot()    
    # Pfad zur Cron-Definition (nur der String, z.B. "*/5 * * * *")
    CRON_FILE = '/etc/sieve-schedule'
    # Fallback, falls Datei fehlt
    cron_string = "*/5 * * * *" 
    if os.path.exists(CRON_FILE):
        with open(CRON_FILE, 'r') as f:
            # Kommentare entfernen und String holen
            content = f.read().strip()
            if content and not content.startswith('#'):
                cron_string = content
-    print(f"DynamoDB Sieve Sync gestartet. Zeitplan: {cron_string}")
+    print(f"DynamoDB Sieve Sync (Safe Mode) gestartet. Zeitplan: {cron_string}")
    print(f"AWS Region: {os.environ.get('AWS_DEFAULT_REGION', 'nicht gesetzt')}") # Debug Check
    # Initialer Lauf beim Start? (Optional, hier auskommentiert)
    sync()
    # Iterator erstellen
    base_time = datetime.now()
    iter = croniter(cron_string, base_time)
    while True:
        # Den nächsten Zeitpunkt berechnen
        next_run = iter.get_next(datetime)
        now = datetime.now()
        sleep_seconds = (next_run - now).total_seconds()
        if sleep_seconds > 0:
            # Warten bis zum nächsten Slot
            time.sleep(sleep_seconds)
        try:
@@ -164,5 +222,4 @@ if __name__ == '__main__':
            sync()
        except Exception as e:
            print(f"Fehler beim Sync: {e}")
            # Wichtig: Bei Fehler nicht abstürzen, sondern weitermachen
            pass
--- a/DMS/update_dms_config.sh
+++ b/DMS/update_dms_config.sh
@@ -1,91 +0,0 @@
 #!/bin/bash
 # update_dms_config.sh
 # Fügt eine neue Domain zur lokalen DMS Konfiguration hinzu:
 # 1. Ergänzt SRS_EXCLUDE_DOMAINS in docker-compose.yml
 # 2. Ergänzt Whitelist in smtp_header_checks
 set -e
 DOMAIN=$1
 DOCKER_COMPOSE_FILE="./docker-compose.yml"
 HEADER_CHECKS_FILE="./docker-data/dms/config/postfix/smtp_header_checks"
 if [ -z "$DOMAIN" ]; then
    echo "Usage: $0 <domain>"
    echo "Example: $0 cielectrical.com"
    exit 1
 fi
 echo "=== Aktualisiere lokale Konfiguration für $DOMAIN ==="
 # ---------------------------------------------
 # 1. Update docker-compose.yml (SRS Exclude)
 # ---------------------------------------------
 if [ -f "$DOCKER_COMPOSE_FILE" ]; then
    echo "-> Prüfe docker-compose.yml..."
    # Prüfen, ob Domain schon in der Zeile steht
    if grep -q "SRS_EXCLUDE_DOMAINS=.*$DOMAIN" "$DOCKER_COMPOSE_FILE"; then
        echo "   Domain bereits in SRS_EXCLUDE_DOMAINS vorhanden."
    else
        # Backup erstellen
        cp "$DOCKER_COMPOSE_FILE" "${DOCKER_COMPOSE_FILE}.bak"
        # sed Magie: Suche Zeile mit SRS_EXCLUDE_DOMAINS, hänge ",domain" am Ende an
        # Wir nutzen ein Komma als Trenner vor der neuen Domain
        sed -i "s/SRS_EXCLUDE_DOMAINS=.*/&,$DOMAIN/" "$DOCKER_COMPOSE_FILE"
        echo "   ✅ $DOMAIN zu SRS_EXCLUDE_DOMAINS hinzugefügt."
    fi
 else
    echo "❌ Fehler: $DOCKER_COMPOSE_FILE nicht gefunden!"
    exit 1
 fi
 # ---------------------------------------------
 # 2. Update smtp_header_checks (PCRE Whitelist)
 # ---------------------------------------------
 if [ -f "$HEADER_CHECKS_FILE" ]; then
    echo "-> Prüfe smtp_header_checks..."
    # Domain für Regex escapen (der Punkt muss \. sein)
    ESCAPED_DOMAIN="${DOMAIN//./\\.}"
    NEW_LINE="/.*@${ESCAPED_DOMAIN}/   DUNNO"
    # Prüfen, ob Eintrag existiert
    if grep -Fq "@$ESCAPED_DOMAIN/" "$HEADER_CHECKS_FILE"; then
        echo "   Domain bereits in smtp_header_checks vorhanden."
    else
        # Backup erstellen
        cp "$HEADER_CHECKS_FILE" "${HEADER_CHECKS_FILE}.bak"
        # Wir fügen die Zeile oben bei den Whitelists ein (nach dem Kommentar "# 1. EIGENE...")
        # Oder einfach am Anfang der Datei, falls die Reihenfolge egal ist.
        # Aber bei PCRE ist Reihenfolge wichtig! Whitelist muss VOR Rewrite stehen.
        # Strategie: Wir suchen die erste Zeile, die mit /.*@ anfängt und fügen davor ein
        # Oder wir hängen es einfach oben an einen definierten Marker an.
        # Einfachste sichere Methode für dein File: Nach dem Kommentarblock einfügen
        # Wir suchen nach der Zeile mit "1. EIGENE DOMAINS" und fügen 3 Zeilen später ein
        # Aber sed insert ist tricky.
        # Bessere Methode: Wir wissen, dass Whitelists ganz oben stehen sollen.
        # Wir erstellen eine temporäre Datei.
        # 1. Header (Kommentare) behalten oder neu schreiben?
        # Wir hängen es einfach GANZ OBEN in die Datei ein (vor alle anderen Regeln), 
        # das ist bei "DUNNO" (Whitelist) immer sicherste Variante.
        sed -i "1i $NEW_LINE" "$HEADER_CHECKS_FILE"
        echo "   ✅ $DOMAIN zu smtp_header_checks hinzugefügt (ganz oben)."
    fi
 else
    echo "⚠️ Warnung: $HEADER_CHECKS_FILE nicht gefunden. Überspringe."
 fi
 echo "========================================================"
 echo "Konfiguration aktualisiert."
 echo "HINWEIS: Damit die Änderungen wirksam werden, führen Sie bitte aus:"
 echo "  docker compose up -d --force-recreate"
 echo "========================================================"
--- a/DMS/whitelist-supervisor.conf
+++ b/DMS/whitelist-supervisor.conf
@@ -0,0 +1,6 @@
 [program:dynamic-whitelist]
 command=/usr/bin/python3 -u /scripts/dynamic_whitelist.py
 autostart=true
 autorestart=true
 stderr_logfile=/var/log/supervisor/dynamic-whitelist.err.log
 stdout_logfile=/var/log/supervisor/dynamic-whitelist.out.log
--- a/backup_mail.sh
+++ b/backup_mail.sh
@@ -0,0 +1,92 @@
 #!/bin/bash
 # ==============================================================================
 # KONFIGURATION
 # ==============================================================================
 BASE_MAIL_PATH="/home/aknuth/git/email-amazon/DMS/docker-data/dms/mail-data"
 RCLONE_CONFIG="/home/aknuth/.config/rclone/rclone.conf"
 LOGFILE="/var/log/mail_backup.log"
 # ==============================================================================
 # HILFSFUNKTION: LOGGING (Bildschirm + Datei)
 # ==============================================================================
 log() {
    # Schreibt Zeitstempel + Text auf stdout (Bildschirm) UND in das Logfile
    echo "$(date '+%Y-%m-%d %H:%M:%S') | $1" | tee -a "$LOGFILE"
 }
 # ==============================================================================
 # PARAMETER & VALIDIERUNG
 # ==============================================================================
 DOMAIN=$1
 REMOTE_NAME=$2
 BUCKET_NAME=$3
 if [[ -z "$DOMAIN" || -z "$REMOTE_NAME" || -z "$BUCKET_NAME" ]]; then
    echo "FEHLER: Fehlende Parameter."
    echo "Benutzung: sudo $0 <DOMAIN> <RCLONE_REMOTE> <BUCKET>"
    echo "Beispiel:  sudo $0 buddelectric.net buddelectric buddelectric-mails"
    exit 1
 fi
 SOURCE_PATH="${BASE_MAIL_PATH}/${DOMAIN}"
 if [ ! -d "$SOURCE_PATH" ]; then
    log "FEHLER: Quell-Ordner existiert nicht: $SOURCE_PATH"
    exit 1
 fi
 if [[ $EUID -ne 0 ]]; then
   echo "FEHLER: Dieses Skript muss als root ausgeführt werden (sudo)." 
   exit 1
 fi
 # ==============================================================================
 # LOCKING
 # ==============================================================================
 LOCKFILE_PATH="/var/run/rclone_mail_${DOMAIN}.lock"
 if [ -e ${LOCKFILE_PATH} ] && kill -0 `cat ${LOCKFILE_PATH}` 2>/dev/null; then
    log "ABBRUCH: Backup für $DOMAIN läuft bereits."
    exit 1
 fi
 trap "rm -f ${LOCKFILE_PATH}; exit" INT TERM EXIT
 echo $$ > ${LOCKFILE_PATH}
 # ==============================================================================
 # BACKUP START
 # ==============================================================================
 log "----------------------------------------------------------------"
 log "START Backup"
 log "Domain: $DOMAIN"
 log "Quelle: $SOURCE_PATH"
 log "Ziel:   $REMOTE_NAME:$BUCKET_NAME"
 # Rclone ausführen
 # --progress zeigt den Balken im Terminal (landet nicht im Logfile, das ist gut so)
 # --log-file schreibt technische Details NUR ins Logfile (nicht auf den Schirm, um ihn nicht zu fluten)
 /usr/bin/rclone sync "$SOURCE_PATH" "$REMOTE_NAME:$BUCKET_NAME" \
  --config "$RCLONE_CONFIG" \
  --exclude "**/tmp/**" \
  --exclude "*.lock" \
  --exclude "dovecot-uidlist.lock" \
  --exclude ".dovecot.lda-dupes" \
  --transfers 32 \
  --checkers 32 \
  --fast-list \
  --min-age 15m \
  --log-file $LOGFILE \
  --log-level INFO \
  --progress
 EXIT_CODE=$?
 if [ $EXIT_CODE -eq 0 ]; then
    log "STATUS: ERFOLG - $DOMAIN erfolgreich gesichert."
 else
    log "STATUS: FEHLER - Exit Code $EXIT_CODE. Details siehe $LOGFILE"
 fi
 log "----------------------------------------------------------------"
 exit $EXIT_CODE
--- a/basic_setup/awss3.sh
+++ b/basic_setup/awss3.sh
@@ -43,7 +43,7 @@ aws s3api put-bucket-lifecycle-configuration \
        "ID": "DeleteOldEmails",
        "Status": "Enabled",
        "Expiration": {
-          "Days": 30
+          "Days": 14
        },
        "Filter": {
          "Prefix": ""
--- a/basic_setup/awsses.sh
+++ b/basic_setup/awsses.sh
@@ -1,7 +1,16 @@
 #!/bin/bash
-# awsses_lambda_global.sh - SES Setup mit S3 + Global Lambda Shim -> SQS
+# awsses.sh - SES Setup mit S3 + Global Lambda Shim -> SQS
 # Dieses Skript ist idempotent: Es kann sicher mehrfach ausgeführt werden.
 # Globale Lambda für alle Domains.
 #
 # MAIL FROM Subdomain:
 #   Standard: mail.${DOMAIN_NAME}
 #   Override: export MAIL_FROM_SUBDOMAIN="mailfrom" (nur der Prefix, ohne Domain)
 #
 # Beispiel:
 #   export DOMAIN_NAME="buddelectric.net"
 #   export MAIL_FROM_SUBDOMAIN="mailfrom"   # → mailfrom.buddelectric.net
 #   ./awsses.sh
 set -e
@@ -21,6 +30,10 @@ AWS_REGION=${AWS_REGION:-"us-east-2"}
 EMAIL_PREFIX=${EMAIL_PREFIX:-""}
 CONFIGURATION_SET_NAME="relay-outbound"
 # MAIL FROM Subdomain (konfigurierbar)
 MAIL_FROM_SUBDOMAIN=${MAIL_FROM_SUBDOMAIN:-"mail"}
 MAIL_FROM_DOMAIN="${MAIL_FROM_SUBDOMAIN}.${DOMAIN_NAME}"
 # Bucket Name generieren falls leer
 if [ -z "$S3_BUCKET_NAME" ]; then
  S3_BUCKET_NAME=$(echo "$DOMAIN_NAME" | tr '.' '-' | awk '{print $0 "-emails"}')
@@ -35,6 +48,7 @@ LAMBDA_ROLE_NAME="SesShimGlobalRole"
 echo "=========================================================="
 echo " SES Setup (S3 -> Global Lambda Shim -> SQS) für $DOMAIN_NAME"
 echo " MAIL FROM: $MAIL_FROM_DOMAIN"
 echo "=========================================================="
 # ---------------------------------------------------------
@@ -46,9 +60,11 @@ if ! aws sesv2 get-email-identity --email-identity ${DOMAIN_NAME} --region ${AWS
 fi
 # Update Attributes (Idempotent)
 aws sesv2 put-email-identity-dkim-attributes --email-identity ${DOMAIN_NAME} --signing-enabled --region ${AWS_REGION}
-aws sesv2 put-email-identity-mail-from-attributes --email-identity ${DOMAIN_NAME} --mail-from-domain "mail.${DOMAIN_NAME}" --behavior-on-mx-failure USE_DEFAULT_VALUE --region ${AWS_REGION}
+aws sesv2 put-email-identity-mail-from-attributes --email-identity ${DOMAIN_NAME} --mail-from-domain "${MAIL_FROM_DOMAIN}" --behavior-on-mx-failure USE_DEFAULT_VALUE --region ${AWS_REGION}
 aws sesv2 put-email-identity-configuration-set-attributes --email-identity ${DOMAIN_NAME} --configuration-set-name "$CONFIGURATION_SET_NAME" --region ${AWS_REGION}
 echo " -> MAIL FROM Domain: ${MAIL_FROM_DOMAIN}"
 # ---------------------------------------------------------
 # 2. SQS Queue holen (nur zur Validierung, Lambda holt dynamisch)
 # ---------------------------------------------------------
@@ -149,7 +165,7 @@ RULE_JSON=$(jq -n \
  --arg larn "$LAMBDA_ARN" \
  --arg rule "$RULE_NAME" \
  --arg domain "$DOMAIN_NAME" \
-  --arg subdomain "mail.$DOMAIN_NAME" \
+  --arg subdomain "${MAIL_FROM_DOMAIN}" \
  '{
    Name: $rule,
    Enabled: true,
@@ -181,7 +197,12 @@ else
 fi
 # Aktivieren
 aws ses set-active-receipt-rule-set --rule-set-name "bizmatch-ruleset" --region ${AWS_REGION}
 echo "========================================================"
-echo "✅ Setup erfolgreich. Globale Lambda ($LAMBDA_NAME) für alle Domains."
+echo "✅ Setup erfolgreich."
-echo " S3 -> Lambda -> Domain-spezifische SQS"
+echo "   Domain:        $DOMAIN_NAME"
 echo "   MAIL FROM:     $MAIL_FROM_DOMAIN"
 echo "   S3 Bucket:     $S3_BUCKET_NAME"
 echo "   SQS Queue:     $QUEUE_NAME"
 echo "   Lambda:        $LAMBDA_NAME (global)"
 echo "========================================================"
--- a/basic_setup/cloudflareDns.sh
+++ b/basic_setup/cloudflareDns.sh
@@ -157,24 +157,6 @@ echo "--- Autodiscover & Caddy Konfiguration ---"
 create_dns_record "A" "autodiscover.${DOMAIN_NAME}" "$CADDY_SERVER_IP" "false"
 create_dns_record "A" "autoconfig.${DOMAIN_NAME}"   "$CADDY_SERVER_IP" "false"
 # SRV-Records für Apple & Mobile Clients
 # Wir decken jetzt ALLE Varianten ab, damit das iPhone sicher den richtigen Port findet.
 # 1. IMAP SSL (Port 993) - Das bevorzugt das iPhone!
 create_srv_record "_imaps"      "_tcp" "993" "$MAIL_SERVER_HOSTNAME"
 # 2. IMAP STARTTLS (Port 143) - Als Fallback (optional, falls Port 143 offen ist)
 # create_srv_record "_imap"       "_tcp" "143" "$MAIL_SERVER_HOSTNAME" 
 # (Wenn du 993 im "_imap" Eintrag lassen willst, ist das okay, aber _imaps ist wichtiger)
 create_srv_record "_imap"       "_tcp" "993" "$MAIL_SERVER_HOSTNAME"
 # 3. SMTP SSL (Port 465) - Das bevorzugt das iPhone oft für den Ausgang
 create_srv_record "_smtps"      "_tcp" "465" "$MAIL_SERVER_HOSTNAME"
 # 4. SMTP STARTTLS (Port 587) - Der Standard
 create_srv_record "_submission" "_tcp" "587" "$MAIL_SERVER_HOSTNAME"
 # ==========================================
 # 4. SPF & DMARC
 # ==========================================
--- a/basic_setup/cloudflareMigrationDns.sh
+++ b/basic_setup/cloudflareMigrationDns.sh
@@ -0,0 +1,329 @@
 #!/bin/bash
 # cloudflareMigrationDns.sh
 # Setzt DNS Records für Amazon SES Migration + Cloudflare
 # Unterstützt: DKIM, SPF (Merge), DMARC, MX, Autodiscover
 # Setzt mail/imap/smtp/pop Subdomains für domain-spezifischen Mailserver-Zugang
 #
 # MIGRATIONS-FLAGS:
 #   SKIP_CLIENT_DNS=true  → Abschnitt 8 (imap/smtp/pop/webmail) + 10 (SRV) überspringen
 #                           Nutzen: Client-Subdomains bleiben beim alten Provider
 #   SKIP_DMARC=true       → Abschnitt 7 (DMARC) überspringen
 #                           Nutzen: Bestehenden DMARC-Record nicht anfassen
 #
 # Typischer Migrations-Ablauf:
 #   Phase 0 (Vorbereitung):  SKIP_CLIENT_DNS=true SKIP_DMARC=true  → nur SES + SPF
 #   Phase 1 (MX Cutover):    MX umstellen (manuell)
 #   Phase 2 (Client Switch):  ohne SKIP Flags → alle Records setzen
 set -e
 # --- KONFIGURATION ---
 AWS_REGION=${AWS_REGION:-"us-east-2"}
 DRY_RUN=${DRY_RUN:-"false"}
 # Migrations-Flags (NEU)
 SKIP_CLIENT_DNS=${SKIP_CLIENT_DNS:-"false"}
 SKIP_DMARC=${SKIP_DMARC:-"false"}
 # IP des Mailservers - PFLICHT wenn keine CNAME-Kette gewünscht
 MAIL_SERVER_IP=${MAIL_SERVER_IP:-""}
 # Ziel-Server für Mailclients. Standard: mail.<kundendomain>
 TARGET_MAIL_SERVER=${TARGET_MAIL_SERVER:-"mail.${DOMAIN_NAME}"}
 # --- CHECKS ---
 if [ -z "$DOMAIN_NAME" ]; then echo "❌ Fehler: DOMAIN_NAME fehlt."; exit 1; fi
 if [ -z "$CF_API_TOKEN" ]; then echo "❌ Fehler: CF_API_TOKEN fehlt."; exit 1; fi
 if ! command -v jq &> /dev/null; then echo "❌ Fehler: 'jq' fehlt."; exit 1; fi
 if ! command -v aws &> /dev/null; then echo "❌ Fehler: 'aws' CLI fehlt."; exit 1; fi
 if [ -z "$MAIL_SERVER_IP" ] && [ "$TARGET_MAIL_SERVER" == "mail.$DOMAIN_NAME" ]; then
    echo "⚠️  WARNUNG: MAIL_SERVER_IP ist nicht gesetzt!"
    echo "   mail.$DOMAIN_NAME braucht einen A-Record."
    echo "   Setze: export MAIL_SERVER_IP=<deine-server-ip>"
    # Kein exit - Abschnitt 8 wird ggf. übersprungen
 fi
 echo "============================================================"
 echo " 🛡️  DNS Migration Setup für: $DOMAIN_NAME"
 echo " 🌍  Region: $AWS_REGION"
 echo " 📬  Mail-Server Target: $TARGET_MAIL_SERVER"
 [ -n "$MAIL_SERVER_IP" ] && echo " 🖥️  Server IP: $MAIL_SERVER_IP"
 [ "$DRY_RUN" = "true" ] && echo " ⚠️  DRY RUN MODE - Keine Änderungen!"
 [ "$SKIP_CLIENT_DNS" = "true" ] && echo " ⏭️  SKIP: Client-Subdomains (imap/smtp/pop/webmail/SRV)"
 [ "$SKIP_DMARC" = "true" ] && echo " ⏭️  SKIP: DMARC Record"
 echo "============================================================"
 # 1. ZONE ID HOLEN
 echo "🔍 Suche Cloudflare Zone ID..."
 ZONE_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$DOMAIN_NAME" \
    -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" | jq -r '.result[0].id')
 if [ "$ZONE_ID" == "null" ] || [ -z "$ZONE_ID" ]; then
    echo "❌ Zone nicht gefunden."
    exit 1
 fi
 echo "   ✅ Zone ID: $ZONE_ID"
 # ------------------------------------------------------------------
 # FUNKTION: ensure_record
 # Prüft Existenz -> Create oder Update (je nach Typ)
 # ------------------------------------------------------------------
 ensure_record() {
    local type=$1
    local name=$2
    local content=$3
    local proxied=${4:-false}
    local priority=$5 # Optional für MX
    echo "   ⚙️  Prüfe $type $name..."
    local search_res=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?type=$type&name=$name" \
        -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json")
    local rec_id
    local rec_content
    if [ "$type" == "TXT" ] && [ "$name" == "$DOMAIN_NAME" ] && [[ "$content" == v=spf1* ]]; then
        # Spezialfall Root-Domain SPF: Filtere gezielt den SPF-Eintrag heraus,
        # damit z.B. Google Site Verification nicht überschrieben wird.
        rec_id=$(echo "$search_res" | jq -r '.result[] | select(.content | contains("v=spf1")) | .id' | head -n 1)
        rec_content=$(echo "$search_res" | jq -r '.result[] | select(.content | contains("v=spf1")) | .content' | head -n 1)
    else
        # Standardverhalten für alle anderen (A, CNAME, MX, etc.)
        rec_id=$(echo "$search_res" | jq -r '.result[0].id')
        rec_content=$(echo "$search_res" | jq -r '.result[0].content')
    fi
    # Fallback für jq, damit das restliche Skript funktioniert
    [ -z "$rec_id" ] && rec_id="null"
    [ -z "$rec_content" ] && rec_content="null"
    if [ "$type" == "MX" ]; then
        json_data=$(jq -n --arg t "$type" --arg n "$name" --arg c "$content" --argjson p "$proxied" --argjson prio "$priority" \
            '{type: $t, name: $n, content: $c, ttl: 3600, proxied: $p, priority: $prio}')
    else
        json_data=$(jq -n --arg t "$type" --arg n "$name" --arg c "$content" --argjson p "$proxied" \
            '{type: $t, name: $n, content: $c, ttl: 3600, proxied: $p}')
    fi
    if [ "$rec_id" == "null" ]; then
        if [ "$DRY_RUN" = "true" ]; then
            echo "      [DRY] Würde ERSTELLEN: $content"
        else
            res=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
                -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" --data "$json_data")
            if [ "$(echo $res | jq -r .success)" == "true" ]; then
                echo "      ✅ Erstellt."
            else
                echo "      ❌ Fehler beim Erstellen: $(echo $res | jq -r '.errors[0].message')"
            fi
        fi
    else
        if [ "$rec_content" == "$content" ]; then
            echo "      🆗 Identisch. Überspringe."
        else
            if [ "$type" == "MX" ] && [ "$name" == "$DOMAIN_NAME" ]; then
                echo "      ⛔ Root-MX existiert aber ist anders: $rec_content"
                echo "         → Wird NICHT automatisch geändert (Migrations-Schutz)"
                return
            fi
            if [ "$DRY_RUN" = "true" ]; then
                echo "      [DRY] Würde UPDATEN: '$rec_content' → '$content'"
            else
                res=$(curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$rec_id" \
                    -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" --data "$json_data")
                if [ "$(echo $res | jq -r .success)" == "true" ]; then
                    echo "      ✅ Aktualisiert."
                else
                    echo "      ❌ Fehler beim Updaten: $(echo $res | jq -r '.errors[0].message')"
                fi
            fi
        fi
    fi
 }
 # ------------------------------------------------------------------
 # SCHRITT 1: MAIL FROM Domain (aus SES lesen)
 # ------------------------------------------------------------------
 echo ""
 echo "--- 1. MAIL FROM Domain ---"
 MAIL_FROM_DOMAIN=$(aws sesv2 get-email-identity \
    --email-identity "$DOMAIN_NAME" \
    --region "$AWS_REGION" \
    --query 'MailFromAttributes.MailFromDomain' \
    --output text 2>/dev/null || echo "NONE")
 if [ "$MAIL_FROM_DOMAIN" == "NONE" ] || [ "$MAIL_FROM_DOMAIN" == "None" ] || [ -z "$MAIL_FROM_DOMAIN" ]; then
    echo "   ℹ️  Keine MAIL FROM Domain in SES konfiguriert."
    echo "   → Überspringe MAIL FROM DNS Setup."
    MAIL_FROM_DOMAIN=""
 fi
 # ------------------------------------------------------------------
 # SCHRITT 2: DKIM Records
 # ------------------------------------------------------------------
 echo ""
 echo "--- 2. DKIM Records ---"
 DKIM_TOKENS=$(aws sesv2 get-email-identity \
    --email-identity "$DOMAIN_NAME" \
    --region "$AWS_REGION" \
    --query 'DkimAttributes.Tokens' \
    --output text 2>/dev/null || echo "")
 if [ -n "$DKIM_TOKENS" ] && [ "$DKIM_TOKENS" != "None" ]; then
    for TOKEN in $DKIM_TOKENS; do
        ensure_record "CNAME" "${TOKEN}._domainkey.${DOMAIN_NAME}" "${TOKEN}.dkim.amazonses.com" false
    done
 else
    echo "   ⚠️  Keine DKIM Tokens gefunden. SES Identity angelegt?"
 fi
 # ------------------------------------------------------------------
 # SCHRITT 3: SES Verification TXT
 # ------------------------------------------------------------------
 echo ""
 echo "--- 3. SES Verification TXT ---"
 VERIFICATION_TOKEN=$(aws ses get-identity-verification-attributes \
    --identities "$DOMAIN_NAME" \
    --region "$AWS_REGION" \
    --query "VerificationAttributes.\"${DOMAIN_NAME}\".VerificationToken" \
    --output text 2>/dev/null || echo "")
 if [ -n "$VERIFICATION_TOKEN" ] && [ "$VERIFICATION_TOKEN" != "None" ]; then
    ensure_record "TXT" "_amazonses.${DOMAIN_NAME}" "$VERIFICATION_TOKEN" false
 else
    echo "   ⚠️  Kein Verification Token. SES Identity angelegt?"
 fi
 # ------------------------------------------------------------------
 # SCHRITT 4: MAIL FROM Subdomain (MX + SPF)
 # ------------------------------------------------------------------
 echo ""
 echo "--- 4. MAIL FROM Subdomain (${MAIL_FROM_DOMAIN:-'nicht konfiguriert'}) ---"
 if [ -n "$MAIL_FROM_DOMAIN" ]; then
    # Prüfe ob CNAME-Konflikt auf der MAIL FROM Subdomain existiert
    CNAME_CHECK=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?type=CNAME&name=$MAIL_FROM_DOMAIN" \
        -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" | jq -r '.result[0].content')
    if [ "$CNAME_CHECK" != "null" ] && [ -n "$CNAME_CHECK" ]; then
        echo "   ⛔ CNAME-Konflikt! $MAIL_FROM_DOMAIN hat CNAME → $CNAME_CHECK"
        echo "      MX + TXT können nicht neben CNAME existieren."
        echo "      → awsses.sh mit anderem MAIL_FROM_SUBDOMAIN erneut ausführen"
        exit 1
    fi
    ensure_record "MX" "$MAIL_FROM_DOMAIN" "feedback-smtp.${AWS_REGION}.amazonses.com" false 10
    ensure_record "TXT" "$MAIL_FROM_DOMAIN" "v=spf1 include:amazonses.com ~all" false
 else
    echo "   ℹ️  Übersprungen (keine MAIL FROM Domain konfiguriert)."
 fi
 # ------------------------------------------------------------------
 # SCHRITT 5: Root Domain SPF (Merge mit altem Provider)
 # ------------------------------------------------------------------
 echo ""
 echo "--- 5. Root Domain SPF ---"
 # Aktuellen SPF-Record lesen
 # Cloudflare liefert TXT-Content manchmal mit Anführungszeichen,
 # daher erst alle TXT-Records holen und dann filtern
 CURRENT_SPF=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?type=TXT&name=$DOMAIN_NAME" \
    -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" \
    | jq -r '[.result[] | select(.content | gsub("^\"|\"$";"") | startswith("v=spf1"))][0].content // ""')
 # Anführungszeichen sofort entfernen
 CURRENT_SPF=$(echo "$CURRENT_SPF" | tr -d '"')
 if [ -n "$CURRENT_SPF" ]; then
    echo "   📋 Aktueller SPF: $CURRENT_SPF"
    # Prüfe ob amazonses.com schon drin ist
    if echo "$CURRENT_SPF" | grep -q "include:amazonses.com"; then
        echo "   🆗 SPF enthält bereits include:amazonses.com"
    else
        # amazonses.com einfügen direkt nach v=spf1
        NEW_SPF=$(echo "$CURRENT_SPF" | sed 's/v=spf1 /v=spf1 include:amazonses.com /')
        # ?all → ~all upgraden
        NEW_SPF=$(echo "$NEW_SPF" | sed 's/?all/~all/')
        echo "   📝 Neuer SPF: $NEW_SPF"
        ensure_record "TXT" "$DOMAIN_NAME" "$NEW_SPF" false
    fi
 else
    echo "   ℹ️  Kein SPF Record vorhanden. Erstelle neuen."
    ensure_record "TXT" "$DOMAIN_NAME" "v=spf1 include:amazonses.com ~all" false
 fi
 # ------------------------------------------------------------------
 # SCHRITT 6: Root Domain MX (nur Info, wird nicht geändert)
 # ------------------------------------------------------------------
 echo ""
 echo "--- 6. Root Domain MX (nur Info, wird nicht geändert) ---"
 CURRENT_MX=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?type=MX&name=$DOMAIN_NAME" \
    -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" \
    | jq -r '.result[0].content // "keiner"')
 echo "   ℹ️  MX vorhanden: $CURRENT_MX (wird nicht geändert)"
 # ------------------------------------------------------------------
 # SCHRITT 7: DMARC
 # ------------------------------------------------------------------
 echo ""
 echo "--- 7. DMARC ---"
 if [ "$SKIP_DMARC" = "true" ]; then
    echo "   ⏭️  Übersprungen (SKIP_DMARC=true)"
    echo "   ℹ️  Bestehender DMARC-Record bleibt unverändert."
 else
    ensure_record "TXT" "_dmarc.$DOMAIN_NAME" "v=DMARC1; p=none; rua=mailto:postmaster@$DOMAIN_NAME" false
 fi
 # ------------------------------------------------------------------
 # SCHRITT 8: Mailclient Subdomains (A + CNAME)
 # ------------------------------------------------------------------
 echo ""
 echo "--- 8. Mailclient Subdomains (A + CNAME) ---"
 if [ "$SKIP_CLIENT_DNS" = "true" ]; then
    echo "   ⏭️  Übersprungen (SKIP_CLIENT_DNS=true)"
    echo "   ℹ️  imap/smtp/pop/webmail bleiben beim alten Provider."
    echo "   ℹ️  Setze SKIP_CLIENT_DNS=false nach MX-Cutover + Client-Umstellung."
 else
    if [ -n "$MAIL_SERVER_IP" ]; then
        # A-Record für mail.<domain> direkt auf Server-IP
        ensure_record "A" "mail.$DOMAIN_NAME" "$MAIL_SERVER_IP" false
    else
        # CNAME auf externen Ziel-Host (nur wenn verschieden)
        if [ "$TARGET_MAIL_SERVER" != "mail.$DOMAIN_NAME" ]; then
            ensure_record "CNAME" "mail.$DOMAIN_NAME" "$TARGET_MAIL_SERVER" false
        fi
    fi
    # imap, smtp, pop, webmail → CNAME auf mail.<domain>
    ensure_record "CNAME" "imap.$DOMAIN_NAME"    "mail.$DOMAIN_NAME" false
    ensure_record "CNAME" "smtp.$DOMAIN_NAME"    "mail.$DOMAIN_NAME" false
    ensure_record "CNAME" "pop.$DOMAIN_NAME"     "mail.$DOMAIN_NAME" false
    ensure_record "CNAME" "webmail.$DOMAIN_NAME" "mail.$DOMAIN_NAME" false
 fi
 # ------------------------------------------------------------------
 # SCHRITT 9: Autodiscover / Autoconfig
 # ------------------------------------------------------------------
 echo ""
 echo "--- 9. Autodiscover / Autoconfig ---"
 ensure_record "CNAME" "autodiscover.$DOMAIN_NAME" "mail.$DOMAIN_NAME" false
 ensure_record "CNAME" "autoconfig.$DOMAIN_NAME"   "mail.$DOMAIN_NAME" false
 echo ""
 echo "============================================================"
 echo "✅ Fertig für Domain: $DOMAIN_NAME"
 if [ "$SKIP_CLIENT_DNS" = "true" ]; then
    echo ""
    echo "   ⚠️  Client-Subdomains wurden NICHT geändert."
    echo "   Nach MX-Cutover + Worker-Validierung erneut ausführen mit:"
    echo "   SKIP_CLIENT_DNS=false SKIP_DMARC=false ./cloudflareMigrationDns.sh"
 fi
 echo ""
 echo "   Mailclient-Konfiguration für Kunden:"
 echo "   IMAP:    imap.$DOMAIN_NAME    Port 993 (SSL)"
 echo "   SMTP:    smtp.$DOMAIN_NAME    Port 587 (STARTTLS) oder 465 (SSL)"
 echo "   POP3:    pop.$DOMAIN_NAME     Port 995 (SSL)"
 echo "   Webmail: webmail.$DOMAIN_NAME"
 echo "============================================================"
--- a/basic_setup/create-queue.sh
+++ b/basic_setup/create-queue.sh
@@ -1,55 +1,58 @@
 #!/bin/bash
-# create-queue.sh
+# create-queue.sh (v2 — mit SNS Fan-Out + Standby Queue)
 # Usage: DOMAIN=andreasknuth.de ./create-queue.sh
 #
 # Erstellt pro Domain:
 #   - Primary Queue + DLQ          (wie bisher, für Contabo)
 #   - Standby Queue + DLQ          (NEU, für Office-VM)
 #   - SNS Topic                    (NEU, Fan-Out)
 #   - 2 SNS Subscriptions          (NEU, Topic → Primary + Standby)
 set -e
 AWS_REGION="us-east-2"
 # Domain aus Environment Variable
 if [ -z "$DOMAIN" ]; then
    echo "Error: DOMAIN environment variable not set"
    echo "Usage: DOMAIN=andreasknuth.de $0"
    exit 1
 fi
-QUEUE_NAME="${DOMAIN//./-}-queue"
+DOMAIN_SLUG="${DOMAIN//./-}"
 QUEUE_NAME="${DOMAIN_SLUG}-queue"
 DLQ_NAME="${QUEUE_NAME}-dlq"
 STANDBY_QUEUE_NAME="${DOMAIN_SLUG}-standby-queue"
 STANDBY_DLQ_NAME="${STANDBY_QUEUE_NAME}-dlq"
 TOPIC_NAME="${DOMAIN_SLUG}-topic"
 ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
 echo "========================================"
-echo "Creating SQS Queue for Email Delivery"
+echo "Creating SQS + SNS for Email Delivery"
 echo "========================================"
 echo ""
-echo "📧 Domain: $DOMAIN"
+echo "📧 Domain:         $DOMAIN"
-echo "   Region: $AWS_REGION"
+echo "   Region:         $AWS_REGION"
 echo "   Account:        $ACCOUNT_ID"
 echo ""
-# Dead Letter Queue erstellen
+# ============================================================
 # 1. Primary DLQ + Queue (wie bisher)
 # ============================================================
 echo "━━━ Primary Queue (Contabo) ━━━"
 echo "Creating DLQ: $DLQ_NAME"
 DLQ_URL=$(aws sqs create-queue \
    --queue-name "${DLQ_NAME}" \
    --region "${AWS_REGION}" \
-    --attributes '{
+    --attributes '{"MessageRetentionPeriod": "1209600"}' \
-        "MessageRetentionPeriod": "1209600"
+    --query 'QueueUrl' --output text 2>/dev/null \
-    }' \
+    || aws sqs get-queue-url --queue-name "${DLQ_NAME}" --region "${AWS_REGION}" --query 'QueueUrl' --output text)
-    --query 'QueueUrl' \
+DLQ_ARN=$(aws sqs get-queue-attributes --queue-url "${DLQ_URL}" --region "${AWS_REGION}" \
-    --output text 2>/dev/null || aws sqs get-queue-url --queue-name "${DLQ_NAME}" --region "${AWS_REGION}" --query 'QueueUrl' --output text)
+    --attribute-names QueueArn --query 'Attributes.QueueArn' --output text)
 echo "   ✓ DLQ: ${DLQ_ARN}"
-echo "   ✓ DLQ URL: ${DLQ_URL}"
+echo "Creating Queue: $QUEUE_NAME"
 # DLQ ARN ermitteln
 DLQ_ARN=$(aws sqs get-queue-attributes \
    --queue-url "${DLQ_URL}" \
    --region "${AWS_REGION}" \
    --attribute-names QueueArn \
    --query 'Attributes.QueueArn' \
    --output text)
 echo "   ✓ DLQ ARN: ${DLQ_ARN}"
 echo ""
 # Haupt-Queue erstellen mit Redrive Policy
 echo "Creating Main Queue: $QUEUE_NAME"
 QUEUE_URL=$(aws sqs create-queue \
    --queue-name "${QUEUE_NAME}" \
    --region "${AWS_REGION}" \
@@ -59,18 +62,146 @@ QUEUE_URL=$(aws sqs create-queue \
        \"ReceiveMessageWaitTimeSeconds\": \"20\",
        \"RedrivePolicy\": \"{\\\"deadLetterTargetArn\\\":\\\"${DLQ_ARN}\\\",\\\"maxReceiveCount\\\":\\\"3\\\"}\"
    }" \
-    --query 'QueueUrl' \
+    --query 'QueueUrl' --output text 2>/dev/null \
-    --output text 2>/dev/null || aws sqs get-queue-url --queue-name "${QUEUE_NAME}" --region "${AWS_REGION}" --query 'QueueUrl' --output text)
+    || aws sqs get-queue-url --queue-name "${QUEUE_NAME}" --region "${AWS_REGION}" --query 'QueueUrl' --output text)
 QUEUE_ARN=$(aws sqs get-queue-attributes --queue-url "${QUEUE_URL}" --region "${AWS_REGION}" \
    --attribute-names QueueArn --query 'Attributes.QueueArn' --output text)
 echo "   ✓ Queue: ${QUEUE_ARN}"
 echo ""
-echo "   ✓ Queue URL: ${QUEUE_URL}"
+# ============================================================
 # 2. Standby DLQ + Queue (NEU)
 # ============================================================
 echo "━━━ Standby Queue (Office-VM) ━━━"
 echo "Creating Standby DLQ: $STANDBY_DLQ_NAME"
 STANDBY_DLQ_URL=$(aws sqs create-queue \
    --queue-name "${STANDBY_DLQ_NAME}" \
    --region "${AWS_REGION}" \
    --attributes '{"MessageRetentionPeriod": "1209600"}' \
    --query 'QueueUrl' --output text 2>/dev/null \
    || aws sqs get-queue-url --queue-name "${STANDBY_DLQ_NAME}" --region "${AWS_REGION}" --query 'QueueUrl' --output text)
 STANDBY_DLQ_ARN=$(aws sqs get-queue-attributes --queue-url "${STANDBY_DLQ_URL}" --region "${AWS_REGION}" \
    --attribute-names QueueArn --query 'Attributes.QueueArn' --output text)
 echo "   ✓ Standby DLQ: ${STANDBY_DLQ_ARN}"
 echo "Creating Standby Queue: $STANDBY_QUEUE_NAME"
 STANDBY_QUEUE_URL=$(aws sqs create-queue \
    --queue-name "${STANDBY_QUEUE_NAME}" \
    --region "${AWS_REGION}" \
    --attributes "{
        \"VisibilityTimeout\": \"300\",
        \"MessageRetentionPeriod\": \"86400\",
        \"ReceiveMessageWaitTimeSeconds\": \"20\",
        \"RedrivePolicy\": \"{\\\"deadLetterTargetArn\\\":\\\"${STANDBY_DLQ_ARN}\\\",\\\"maxReceiveCount\\\":\\\"3\\\"}\"
    }" \
    --query 'QueueUrl' --output text 2>/dev/null \
    || aws sqs get-queue-url --queue-name "${STANDBY_QUEUE_NAME}" --region "${AWS_REGION}" --query 'QueueUrl' --output text)
 STANDBY_QUEUE_ARN=$(aws sqs get-queue-attributes --queue-url "${STANDBY_QUEUE_URL}" --region "${AWS_REGION}" \
    --attribute-names QueueArn --query 'Attributes.QueueArn' --output text)
 echo "   ✓ Standby Queue: ${STANDBY_QUEUE_ARN}"
 echo ""
 # ============================================================
 # 3. SNS Topic (NEU)
 # ============================================================
 echo "━━━ SNS Topic (Fan-Out) ━━━"
 echo "Creating Topic: $TOPIC_NAME"
 TOPIC_ARN=$(aws sns create-topic \
    --name "${TOPIC_NAME}" \
    --region "${AWS_REGION}" \
    --query 'TopicArn' --output text)
 echo "   ✓ Topic: ${TOPIC_ARN}"
 echo ""
 # ============================================================
 # 4. SNS → SQS Subscriptions (NEU)
 # ============================================================
 echo "━━━ Subscriptions ━━━"
 # SNS braucht Berechtigung, in die SQS Queues zu schreiben
 # Policy für Primary Queue
 POLICY_PRIMARY="{
  \"Version\": \"2012-10-17\",
  \"Statement\": [{
    \"Effect\": \"Allow\",
    \"Principal\": {\"Service\": \"sns.amazonaws.com\"},
    \"Action\": \"sqs:SendMessage\",
    \"Resource\": \"${QUEUE_ARN}\",
    \"Condition\": {\"ArnEquals\": {\"aws:SourceArn\": \"${TOPIC_ARN}\"}}
  }]
 }"
 aws sqs set-queue-attributes \
    --queue-url "${QUEUE_URL}" \
    --region "${AWS_REGION}" \
    --attributes "{\"Policy\": $(echo "$POLICY_PRIMARY" | jq -c '.' | jq -Rs '.')}" \
    > /dev/null
 echo "   ✓ Primary Queue Policy gesetzt"
 # Policy für Standby Queue
 POLICY_STANDBY="{
  \"Version\": \"2012-10-17\",
  \"Statement\": [{
    \"Effect\": \"Allow\",
    \"Principal\": {\"Service\": \"sns.amazonaws.com\"},
    \"Action\": \"sqs:SendMessage\",
    \"Resource\": \"${STANDBY_QUEUE_ARN}\",
    \"Condition\": {\"ArnEquals\": {\"aws:SourceArn\": \"${TOPIC_ARN}\"}}
  }]
 }"
 aws sqs set-queue-attributes \
    --queue-url "${STANDBY_QUEUE_URL}" \
    --region "${AWS_REGION}" \
    --attributes "{\"Policy\": $(echo "$POLICY_STANDBY" | jq -c '.' | jq -Rs '.')}" \
    > /dev/null
 echo "   ✓ Standby Queue Policy gesetzt"
 # Subscription: Topic → Primary Queue
 SUB_PRIMARY=$(aws sns subscribe \
    --topic-arn "${TOPIC_ARN}" \
    --protocol sqs \
    --notification-endpoint "${QUEUE_ARN}" \
    --region "${AWS_REGION}" \
    --attributes '{"RawMessageDelivery": "true"}' \
    --query 'SubscriptionArn' --output text)
 echo "   ✓ Subscription Primary: ${SUB_PRIMARY}"
 # Subscription: Topic → Standby Queue
 SUB_STANDBY=$(aws sns subscribe \
    --topic-arn "${TOPIC_ARN}" \
    --protocol sqs \
    --notification-endpoint "${STANDBY_QUEUE_ARN}" \
    --region "${AWS_REGION}" \
    --attributes '{"RawMessageDelivery": "true"}' \
    --query 'SubscriptionArn' --output text)
 echo "   ✓ Subscription Standby: ${SUB_STANDBY}"
 echo ""
 # ============================================================
 # Zusammenfassung
 # ============================================================
 echo "========================================"
-echo "✅ Queue created successfully!"
+echo "✅ Setup complete for $DOMAIN"
 echo "========================================"
 echo ""
-echo "Configuration:"
+echo "Primary (Contabo):"
-echo "  Domain:     $DOMAIN"
+echo "  Queue:    $QUEUE_URL"
-echo "  Queue:      $QUEUE_NAME"
+echo "  DLQ:      $DLQ_URL"
-echo "  Queue URL:  $QUEUE_URL"
+echo ""
-echo "  DLQ:        $DLQ_NAME"
+echo "Standby (Office-VM):"
-echo "  Region:     $AWS_REGION"
+echo "  Queue:    $STANDBY_QUEUE_URL"
 echo "  DLQ:      $STANDBY_DLQ_URL"
 echo ""
 echo "SNS Fan-Out:"
 echo "  Topic:    $TOPIC_ARN"
 echo "  → Primary:  $SUB_PRIMARY"
 echo "  → Standby:  $SUB_STANDBY"
 echo ""
 echo "⚠️  Nächste Schritte:"
 echo "  1. Lambda-Funktion updaten: sns.publish() statt sqs.send_message()"
 echo "  2. Lambda IAM Role: sns:Publish Berechtigung hinzufügen"
 echo "  3. Worker auf Office-VM: QUEUE_SUFFIX=-standby-queue konfigurieren"
 echo "  4. Worker auf Office-VM: STANDBY_MODE=true setzen"
--- a/basic_setup/manage_mail_user.sh
+++ b/basic_setup/manage_mail_user.sh
@@ -14,7 +14,7 @@ EMAIL=$2
 PASSWORD=$3
 # Container Name deines DMS
-DMS_CONTAINER="mailserver-new"
+DMS_CONTAINER="mailserver"
 AWS_REGION="us-east-2"
 # Hilfsfunktion: Usage
--- a/basic_setup/requeue_email.sh
+++ b/basic_setup/requeue_email.sh
@@ -0,0 +1,111 @@
 #!/bin/bash
 # requeue_email.sh
 # Nimmt eine existierende Email aus S3 und stellt ein Event in die SQS Queue,
 # um eine erneute Verarbeitung durch den Worker auszulösen.
 set -e
 # --- Parameter ---
 DOMAIN="$1"
 RECIPIENT="$2"
 MESSAGE_ID="$3" # Das ist der S3 Key (die lange Zeichenkette aus dem Log)
 AWS_REGION=${AWS_REGION:-"us-east-2"}
 if [ -z "$DOMAIN" ] || [ -z "$RECIPIENT" ] || [ -z "$MESSAGE_ID" ]; then
    echo "Usage: $0 <domain> <recipient> <s3-message-id>"
    echo "Example: $0 buddelectric.net Tyler@buddelectric.net cn8j6j970atkh7n3fstdhgqr9imgrivegnm70jg1"
    exit 1
 fi
 # --- Variablen ableiten ---
 BUCKET_NAME=$(echo "$DOMAIN" | tr '.' '-')"-emails"
 QUEUE_NAME=$(echo "$DOMAIN" | tr '.' '-')"-queue"
 TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
 echo "============================================================"
 echo "  Requeue S3 Email"
 echo "============================================================"
 echo "  Domain:    $DOMAIN"
 echo "  Recipient: $RECIPIENT"
 echo "  Bucket:    $BUCKET_NAME"
 echo "  Key (ID):  $MESSAGE_ID"
 echo ""
 # --- Schritt 1: Prüfen ob S3 Objekt existiert ---
 echo "[1/2] Checking S3 object: s3://${BUCKET_NAME}/${MESSAGE_ID} ..."
 if aws s3 ls "s3://${BUCKET_NAME}/${MESSAGE_ID}" --region "$AWS_REGION" > /dev/null 2>&1; then
    echo "  ✓ Object found."
 else
    echo "  ❌ ERROR: Object s3://${BUCKET_NAME}/${MESSAGE_ID} does not exist!"
    exit 1
 fi
 # --- Schritt 2: Nachricht in SQS stellen ---
 echo "[2/2] Placing message in SQS queue..."
 QUEUE_URL=$(aws sqs get-queue-url \
    --queue-name "$QUEUE_NAME" \
    --region "$AWS_REGION" \
    --output text \
    --query 'QueueUrl')
 if [ -z "$QUEUE_URL" ]; then
    echo "  ❌ ERROR: Queue $QUEUE_NAME not found!"
    exit 1
 fi
 # SES event payload (Simuliert die Lambda-Ausgabe)
 # Wir nutzen "requeue@admin" als Source, da der Worker den echten Absender 
 # ohnehin aus den Email-Headern im S3-File parst.
 SES_DATA=$(jq -n \
    --arg msgId "$MESSAGE_ID" \
    --arg source "requeue-admin@${DOMAIN}" \
    --arg recipient "$RECIPIENT" \
    --arg ts "$TIMESTAMP" \
    --arg bucket "$BUCKET_NAME" \
    '{
        mail: {
            messageId: $msgId,
            source: $source,
            timestamp: $ts,
            destination: [$recipient]
        },
        receipt: {
            recipients: [$recipient],
            timestamp: $ts,
            action: {
                type: "S3",
                bucketName: $bucket,
                objectKey: $msgId
            }
        }
    }')
 # Fake SNS wrapper (Gleiches Format wie Lambda Shim)
 SQS_BODY=$(jq -n \
    --arg sesData "$SES_DATA" \
    --arg ts "$TIMESTAMP" \
    '{
        Type: "Notification",
        MessageId: "requeue-\(now | tostring)",
        TopicArn: "arn:aws:sns:ses-shim:global-topic",
        Subject: "Amazon SES Email Receipt Notification",
        Message: $sesData,
        Timestamp: $ts
    }')
 # Senden
 SQS_MSG_ID=$(aws sqs send-message \
    --queue-url "$QUEUE_URL" \
    --region "$AWS_REGION" \
    --message-body "$SQS_BODY" \
    --output text \
    --query 'MessageId')
 echo "  ✓ Done (SQS MessageId: ${SQS_MSG_ID})"
 echo ""
 echo "============================================================"
 echo "  Email successfully requeued!"
 echo "  Worker should pick it up immediately."
 echo "============================================================"
--- a/basic_setup/ses_sns_shim_global.py
+++ b/basic_setup/ses_sns_shim_global.py
@@ -8,24 +8,38 @@ from botocore.exceptions import ClientError
 import time
 import random
 # Logging konfigurieren
 logger = logging.getLogger()
 logger.setLevel(logging.INFO)
 sqs = boto3.client('sqs')
 sns = boto3.client('sns')
 sts_account_id = None
 # Retry-Konfiguration
 MAX_RETRIES = 3
-BASE_BACKOFF = 1  # Sekunden
+BASE_BACKOFF = 1
 def exponential_backoff(attempt):
    """Exponential Backoff mit Jitter"""
    return BASE_BACKOFF * (2 ** attempt) + random.uniform(0, 1)
 def get_account_id():
    global sts_account_id
    if sts_account_id is None:
        sts_account_id = boto3.client('sts').get_caller_identity()['Account']
    return sts_account_id
 def get_topic_arn(domain):
    """
    Generiert Topic-ARN aus Domain.
    Konvention: domain.tld -> domain-tld-topic
    """
    topic_name = domain.replace('.', '-') + '-topic'
    region = os.environ.get('AWS_REGION', 'us-east-2')
    account_id = get_account_id()
    return f"arn:aws:sns:{region}:{account_id}:{topic_name}"
 def get_queue_url(domain):
    """
-    Generiert Queue-Namen aus Domain und holt URL.
+    Fallback: Direkter SQS-Send für Domains ohne SNS-Topic.
    Konvention: domain.tld -> domain-tld-queue
    """
    queue_name = domain.replace('.', '-') + '-queue'
    try:
@@ -38,11 +52,53 @@ def get_queue_url(domain):
        else:
            raise
 def publish_to_sns(topic_arn, message_body, msg_id):
    attempt = 0
    while attempt < MAX_RETRIES:
        try:
            sns.publish(
                TopicArn=topic_arn,
                Message=message_body
            )
            logger.info(f"✅ Published {msg_id} to SNS: {topic_arn}")
            return True
        except ClientError as e:
            error_code = e.response['Error']['Code']
            # Fallback auf SQS bei Topic-nicht-gefunden ODER fehlender Berechtigung
            if error_code in ('NotFound', 'NotFoundException', 'AuthorizationError'):
                logger.info(f"ℹ️ SNS unavailable for {topic_arn} ({error_code}) — falling back to SQS")
                return False
            attempt += 1
            logger.warning(f"Retry {attempt}/{MAX_RETRIES} SNS: {error_code}")
            if attempt == MAX_RETRIES:
                raise
            time.sleep(exponential_backoff(attempt))
    return False
 def send_to_sqs(queue_url, message_body, msg_id):
    """Fallback: Direkter SQS-Send (wie bisher)."""
    attempt = 0
    while attempt < MAX_RETRIES:
        try:
            sqs.send_message(
                QueueUrl=queue_url,
                MessageBody=message_body
            )
            logger.info(f"✅ Sent {msg_id} to SQS: {queue_url}")
            return
        except ClientError as e:
            attempt += 1
            error_code = e.response['Error']['Code']
            logger.warning(f"Retry {attempt}/{MAX_RETRIES} SQS: {error_code}")
            if attempt == MAX_RETRIES:
                raise
            time.sleep(exponential_backoff(attempt))
 def lambda_handler(event, context):
    """
-    Nimmt SES Event entgegen, extrahiert Domain dynamisch,
+    Nimmt SES Event entgegen, extrahiert Domain dynamisch.
-    verpackt Metadaten als 'Fake SNS' und sendet an die domain-spezifische SQS.
+    Strategie: SNS Publish (Fan-Out an Primary + Standby Queue).
-    Mit integrierter Retry-Logik für SQS-Send.
+    Fallback: Direkter SQS-Send falls kein SNS-Topic existiert.
    """
    try:
        records = event.get('Records', [])
@@ -51,13 +107,12 @@ def lambda_handler(event, context):
        for record in records:
            ses_data = record.get('ses', {})
            if not ses_data:
-                logger.warning(f"Invalid SES event: Missing 'ses' in record: {record}")
+                logger.warning(f"Invalid SES event: Missing 'ses' in record")
                continue
            mail = ses_data.get('mail', {})
            receipt = ses_data.get('receipt', {})
            # Domain extrahieren (aus erstem Recipient)
            recipients = receipt.get('recipients', []) or mail.get('destination', [])
            if not recipients:
                logger.warning("No recipients in event - skipping")
@@ -69,23 +124,19 @@ def lambda_handler(event, context):
                logger.error("Could not extract domain from recipient")
                continue
            # Wichtige Metadaten loggen
            msg_id = mail.get('messageId', 'unknown')
            source = mail.get('source', 'unknown')
            logger.info(f"Processing Message-ID: {msg_id} for domain: {domain}")
-            logger.info(f" From: {source}")
+            logger.info(f"  From: {source}")
-            logger.info(f" To: {recipients}")
+            logger.info(f"  To: {recipients}")
            # SES JSON als String serialisieren
            ses_json_string = json.dumps(ses_data)
            # Payload Größe loggen und checken (Safeguard)
            payload_size = len(ses_json_string.encode('utf-8'))
-            logger.info(f" Metadata Payload Size: {payload_size} bytes")
+            logger.info(f"  Metadata Payload Size: {payload_size} bytes")
-            if payload_size > 200000:  # Arbitrary Limit < SQS 256KB
+            if payload_size > 200000:
-                raise ValueError("Payload too large for SQS")
+                raise ValueError("Payload too large")
            # Fake SNS Payload
            fake_sns_payload = {
                "Type": "Notification",
                "MessageId": str(uuid.uuid4()),
@@ -95,26 +146,16 @@ def lambda_handler(event, context):
                "Timestamp": datetime.utcnow().isoformat() + "Z"
            }
-            # Queue URL dynamisch holen
+            message_body = json.dumps(fake_sns_payload)
            queue_url = get_queue_url(domain)
-            # SQS Send mit Retries
+            # Strategie: SNS zuerst, SQS als Fallback
-            attempt = 0
+            topic_arn = get_topic_arn(domain)
-            while attempt < MAX_RETRIES:
+            sns_success = publish_to_sns(topic_arn, message_body, msg_id)
-                try:
+
-                    sqs.send_message(
+            if not sns_success:
-                        QueueUrl=queue_url,
+                # Kein SNS-Topic für diese Domain → direkt in SQS (wie bisher)
-                        MessageBody=json.dumps(fake_sns_payload)
+                queue_url = get_queue_url(domain)
-                    )
+                send_to_sqs(queue_url, message_body, msg_id)
                    logger.info(f"✅ Successfully forwarded {msg_id} to SQS: {queue_url}")
                    break
                except ClientError as e:
                    attempt += 1
                    error_code = e.response['Error']['Code']
                    logger.warning(f"Retry {attempt}/{MAX_RETRIES} for SQS send: {error_code} - {str(e)}")
                    if attempt == MAX_RETRIES:
                        raise
                    time.sleep(exponential_backoff(attempt))
        return {'status': 'ok'}
--- a/basic_setup/test_migration_email.sh
+++ b/basic_setup/test_migration_email.sh
@@ -0,0 +1,168 @@
 #!/bin/bash
 # test_migration_email.sh - Places a test email into S3 + SQS
 #
 # Simulates the complete SES inbound flow: Mail goes to S3, metadata to SQS.
 # The worker picks it up and processes it (Delivery or Forward).
 #
 # Usage:
 #   ./test_migration_email.sh cielectrical.com carlosr@cielectrical.com
 #   ./test_migration_email.sh buddelectric.net service@buddelectric.net
 #
 # Optional sender address:
 #   ./test_migration_email.sh cielectrical.com carlosr@cielectrical.com sender@example.com
 set -e
 # --- Parameters ---
 DOMAIN="$1"
 RECIPIENT="$2"
 FROM_ADDR="${3:-support@bayarea-cc.com}"
 AWS_REGION=${AWS_REGION:-"us-east-2"}
 if [ -z "$DOMAIN" ] || [ -z "$RECIPIENT" ]; then
    echo "Usage: $0 <domain> <recipient> [from-address]"
    echo "Example: $0 cielectrical.com carlosr@cielectrical.com"
    exit 1
 fi
 # --- Derived variables ---
 BUCKET_NAME=$(echo "$DOMAIN" | tr '.' '-')"-emails"
 QUEUE_NAME=$(echo "$DOMAIN" | tr '.' '-')"-queue"
 MESSAGE_ID="test-migration-$(date +%s)-$$"
 TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
 DATE_RFC2822=$(date -R)
 echo "============================================================"
 echo "  Migration Test Email"
 echo "============================================================"
 echo "  Domain:    $DOMAIN"
 echo "  Recipient: $RECIPIENT"
 echo "  Sender:    $FROM_ADDR"
 echo "  Bucket:    $BUCKET_NAME"
 echo "  Queue:     $QUEUE_NAME"
 echo "  Key:       $MESSAGE_ID"
 echo ""
 # --- Step 1: Create RFC822 email ---
 echo "[1/3] Creating test email..."
 TMP_FILE=$(mktemp /tmp/test-mail-XXXXXX.eml)
 cat > "$TMP_FILE" << EOF
 From: Migration Test <${FROM_ADDR}>
 To: ${RECIPIENT}
 Subject: Migration Test $(date '+%Y-%m-%d %H:%M:%S')
 Date: ${DATE_RFC2822}
 Message-ID: <${MESSAGE_ID}@test.email-srvr.com>
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 7bit
 Hello!
 This is a test email to validate the email migration pipeline.
 Sent:       $(date)
 Domain:     ${DOMAIN}
 Recipient:  ${RECIPIENT}
 Message-ID: ${MESSAGE_ID}
 If you see this email in your inbox, the complete path is working:
 S3 -> SQS -> Worker -> Forward/Delivery
 -- 
 Bay Area Affiliates - Migration Test
 EOF
 echo "  Done ($(wc -c < "$TMP_FILE") bytes)"
 # --- Step 2: Upload to S3 ---
 echo "[2/3] Uploading to S3: s3://${BUCKET_NAME}/${MESSAGE_ID} ..."
 aws s3 cp "$TMP_FILE" "s3://${BUCKET_NAME}/${MESSAGE_ID}" \
    --region "$AWS_REGION" \
    --quiet
 echo "  Done"
 # --- Step 3: Place SQS message in fake-SNS format ---
 echo "[3/3] Placing message in SQS queue..."
 QUEUE_URL=$(aws sqs get-queue-url \
    --queue-name "$QUEUE_NAME" \
    --region "$AWS_REGION" \
    --output text \
    --query 'QueueUrl')
 if [ -z "$QUEUE_URL" ]; then
    echo "  ERROR: Queue $QUEUE_NAME not found!"
    rm -f "$TMP_FILE"
    exit 1
 fi
 # SES event payload (what the Lambda normally produces)
 SES_DATA=$(jq -n \
    --arg msgId "$MESSAGE_ID" \
    --arg source "$FROM_ADDR" \
    --arg recipient "$RECIPIENT" \
    --arg ts "$TIMESTAMP" \
    '{
        mail: {
            messageId: $msgId,
            source: $source,
            timestamp: $ts,
            destination: [$recipient]
        },
        receipt: {
            recipients: [$recipient],
            timestamp: $ts,
            action: {
                type: "S3",
                bucketName: "test",
                objectKey: $msgId
            }
        }
    }')
 # Fake SNS wrapper (same format as ses_sns_shim_global.py)
 SQS_BODY=$(jq -n \
    --arg sesData "$SES_DATA" \
    --arg ts "$TIMESTAMP" \
    '{
        Type: "Notification",
        MessageId: "test-\(now | tostring)",
        TopicArn: "arn:aws:sns:ses-shim:global-topic",
        Subject: "Amazon SES Email Receipt Notification",
        Message: $sesData,
        Timestamp: $ts
    }')
 SQS_MSG_ID=$(aws sqs send-message \
    --queue-url "$QUEUE_URL" \
    --region "$AWS_REGION" \
    --message-body "$SQS_BODY" \
    --output text \
    --query 'MessageId')
 echo "  Done (SQS MessageId: ${SQS_MSG_ID})"
 # --- Cleanup ---
 rm -f "$TMP_FILE"
 echo ""
 echo "============================================================"
 echo "  Test email placed successfully!"
 echo "============================================================"
 echo ""
 echo "  Watch worker logs:"
 echo "    docker logs -f email-worker --tail 50"
 echo ""
 echo "  Expected output:"
 echo "    Processing: ${MESSAGE_ID:0:20}... -> ${RECIPIENT}"
 echo "    Forwarded via legacy SMTP ... (if forward rule exists)"
 echo "    OR"
 echo "    Delivered to ${RECIPIENT} (if DMS mailbox exists)"
 echo ""
 echo "  Check S3 object:"
 echo "    aws s3 ls s3://${BUCKET_NAME}/${MESSAGE_ID} --region ${AWS_REGION}"
 echo "============================================================"
--- a/caddy/.gitignore
+++ b/caddy/.gitignore
@@ -0,0 +1,2 @@
 caddy-data/
 caddy-config/
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -0,0 +1,7 @@
 {
    email {env.CLOUDFLARE_EMAIL}
    acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    acme_ca https://acme-v02.api.letsencrypt.org/directory
    debug
 }
 import mail_certs
--- a/caddy/Dockerfile.caddy
+++ b/caddy/Dockerfile.caddy
@@ -0,0 +1,13 @@
 # Dockerfile.caddy
 ARG CADDY_VERSION=2.9.1
 FROM caddy:${CADDY_VERSION}-builder AS builder
 # Caddy in exakt dieser Version + Plugins bauen
 RUN xcaddy build ${CADDY_VERSION} \
  --with github.com/caddy-dns/cloudflare \
  --with github.com/caddyserver/replace-response
 FROM caddy:${CADDY_VERSION}
 COPY --from=builder /usr/bin/caddy /usr/bin/caddy
 RUN mkdir -p /var/log/caddy
--- a/caddy/docker-compose.yml
+++ b/caddy/docker-compose.yml
@@ -0,0 +1,31 @@
 services:
  caddy:
    image: custom-caddy:2.9.1-rr1
    container_name: caddy
    build:
      context: .
      dockerfile: Dockerfile.caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    extra_hosts:
      - 'host.docker.internal:host-gateway'
    networks:
      - mail_network
    volumes:
      - $PWD/Caddyfile:/etc/caddy/Caddyfile
      - $PWD/mail_certs:/etc/caddy/mail_certs
      # email_autodiscover entfernt - Snippet ist jetzt in mail_certs eingebettet
      # email.mobileconfig.html entfernt - Inhalt ist jetzt inline in mail_certs
      - $PWD/email-setup:/var/www/email-setup
      - ./caddy-data:/data
      - ./caddy-config:/config
      - /home/aknuth/log/caddy:/var/log/caddy
    environment:
      - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
 networks:
  mail_network:
    external: true
--- a/caddy/email-setup/logo.png
+++ b/caddy/email-setup/logo.png
--- a/caddy/email-setup/setup.html
+++ b/caddy/email-setup/setup.html
@@ -0,0 +1,122 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Email Setup</title>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/qrcodejs/1.0.0/qrcode.min.js"></script>
    <style>
        body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif; background: #f2f2f7; display: flex; justify-content: center; align-items: center; min-height: 100vh; margin: 0; padding: 20px; box-sizing: border-box; }
        .card { background: white; padding: 2.5rem; border-radius: 24px; box-shadow: 0 12px 30px rgba(0,0,0,0.1); width: 100%; max-width: 420px; text-align: center; transition: all 0.3s ease; }
        .logo { width: 80px; height: 80px; margin-bottom: 1.5rem; }
        h1 { margin: 0 0 1rem 0; color: #1a1a1a; font-size: 1.8rem; }
        p { color: #666; line-height: 1.5; margin-bottom: 2rem; }
        /* Input Section */
        #input-section { transition: opacity 0.3s ease; }
        input { width: 100%; padding: 16px; margin-bottom: 16px; border: 2px solid #eee; border-radius: 14px; font-size: 16px; box-sizing: border-box; transition: border-color 0.2s; outline: none; }
        input:focus { border-color: #007AFF; }
        button { width: 100%; padding: 16px; background: #007AFF; color: white; border: none; border-radius: 14px; font-size: 18px; font-weight: 600; cursor: pointer; transition: background 0.2s, transform 0.1s; }
        button:hover { background: #0062cc; }
        button:active { transform: scale(0.98); }
        /* QR Section (initially hidden) */
        #qr-section { display: none; opacity: 0; transition: opacity 0.5s ease; }
        #qrcode { margin: 2rem auto; padding: 15px; background: white; border-radius: 16px; box-shadow: 0 4px 12px rgba(0,0,0,0.08); display: inline-block; }
        #qrcode img { margin: auto; } /* Centers the generated QR code */
        .hint { font-size: 0.9rem; color: #888; margin-top: 1.5rem; }
        .hint strong { color: #333; }
        .error { color: #d32f2f; background: #fde8e8; padding: 10px; border-radius: 8px; font-size: 0.9rem; display: none; margin-bottom: 16px; }
        .back-btn { background: transparent; color: #007AFF; margin-top: 1rem; font-size: 16px; }
        .back-btn:hover { background: #f0f8ff; }
    </style>
 </head>
 <body>
 <div class="card">
    <img src="/email-setup/logo.png" alt="Logo" class="logo">
    <div id="input-section">
        <h1>Email Setup</h1>
        <p>Enter your email address to automatically configure your iPhone or iPad.</p>
        <div id="error-msg" class="error">Please enter a valid email address.</div>
        <input type="email" id="email" placeholder="name@company.com" required autocomplete="email">
        <button onclick="generateQR()">Generate QR Code</button>
    </div>
    <div id="qr-section">
        <h1>Scan me!</h1>
        <p>Open the <strong>Camera app</strong> on your iPhone and point it at this code.</p>
        <div id="qrcode"></div>
        <p class="hint">
            Tap the banner that appears at the top.<br>
            Click <strong>"Allow"</strong> and then go to <strong>Settings</strong> to install the profile.
        </p>
        <button class="back-btn" onclick="resetForm()">Back</button>
    </div>
 </div>
 <script>
    const inputSection = document.getElementById('input-section');
    const qrSection = document.getElementById('qr-section');
    const emailInput = document.getElementById('email');
    const errorMsg = document.getElementById('error-msg');
    let qrcode = null;
    function generateQR() {
        const email = emailInput.value.trim();
        if (!email || !email.includes('@') || email.split('@')[1].length < 3) {
            errorMsg.style.display = 'block';
            emailInput.focus();
            return;
        }
        errorMsg.style.display = 'none';
        const domain = email.split('@')[1];
        // The magic link
        const targetUrl = `https://autodiscover.${domain}/apple?email=${email}`;
        // Hide input, show QR
        inputSection.style.display = 'none';
        qrSection.style.display = 'block';
        setTimeout(() => qrSection.style.opacity = '1', 50);
        // Generate (or update) QR Code
        if (qrcode === null) {
            qrcode = new QRCode(document.getElementById("qrcode"), {
                text: targetUrl,
                width: 200,
                height: 200,
                colorDark : "#000000",
                colorLight : "#ffffff",
                correctLevel : QRCode.CorrectLevel.H
            });
        } else {
            qrcode.clear();
            qrcode.makeCode(targetUrl);
        }
    }
    function resetForm() {
        qrSection.style.opacity = '0';
        setTimeout(() => {
            qrSection.style.display = 'none';
            inputSection.style.display = 'block';
            emailInput.value = '';
            emailInput.focus();
        }, 300);
    }
    emailInput.addEventListener("keypress", function(event) {
        if (event.key === "Enter") generateQR();
    });
 </script>
 </body>
 </html>
--- a/caddy/update-caddy-certs.sh
+++ b/caddy/update-caddy-certs.sh
@@ -0,0 +1,378 @@
 #!/bin/bash
 # update-caddy-certs.sh
 # Gehört ins Caddy-Verzeichnis (neben dem Caddyfile).
 #
 # Liest alle Domains aus dem DMS und generiert die Wildcard-Cert-Blöcke
 # für Caddy in die Datei "mail_certs" (per "import mail_certs" im Caddyfile).
 #
 # Generiert pro Domain:
 #   - Wildcard-Cert Block (*.domain + domain)
 #   - Webmail Block (reverse_proxy zu Roundcube)
 #   - Autodiscover/Autoconfig Block (importiert email_settings Snippet)
 #   - Email-Setup Block (QR-Code Seite für iPhone)
 #
 # Bei neuen Domains: Script erneut laufen lassen + caddy reload.
 #
 # Usage:
 #   ./update-caddy-certs.sh
 #   DRY_RUN=true ./update-caddy-certs.sh
 #   DMS_CONTAINER=mailserver CADDY_CONTAINER=caddy ./update-caddy-certs.sh
 set -e
 DMS_CONTAINER=${DMS_CONTAINER:-"mailserver"}
 CADDY_CONTAINER=${CADDY_CONTAINER:-"caddy"}
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 OUTPUT_FILE="$SCRIPT_DIR/mail_certs"
 DRY_RUN=${DRY_RUN:-"false"}
 # Node-Hostname des Mailservers (für Default-Cert Block)
 NODE_HOSTNAME=${NODE_HOSTNAME:-"node1.email-srvr.com"}
 echo "============================================================"
 echo " 📜 Caddy Wildcard-Cert Konfig Generator"
 echo " DMS Container:   $DMS_CONTAINER"
 echo " Caddy Container: $CADDY_CONTAINER"
 echo " Output:          $OUTPUT_FILE"
 echo " Node Hostname:   $NODE_HOSTNAME"
 [ "$DRY_RUN" = "true" ] && echo " ⚠️  DRY RUN - Keine Dateien werden geschrieben"
 echo "============================================================"
 # --- Domains aus DMS lesen ---
 echo ""
 echo "📋 Lese Domains aus DMS..."
 DOMAINS=$(docker exec "$DMS_CONTAINER" setup email list 2>/dev/null \
    | grep -oP '(?<=@)[^\s]+' \
    | sort -u)
 if [ -z "$DOMAINS" ]; then
    echo "⚠️  Keine DMS-Accounts gefunden. Nur Node-Hostname wird eingetragen."
 fi
 if [ -n "$DOMAINS" ]; then
    echo "   Gefundene Domains:"
    for d in $DOMAINS; do echo "   - $d"; done
 fi
 # --- Konfig generieren ---
 echo ""
 echo "📝 Generiere Caddy-Konfiguration..."
 OUTPUT=""
 OUTPUT="${OUTPUT}# mail_certs - Automatisch generiert von update-caddy-certs.sh\n"
 OUTPUT="${OUTPUT}# Wildcard-Zertifikate + Webmail + Autodiscover für DMS-Domains.\n"
 OUTPUT="${OUTPUT}# Einbinden im Caddyfile: import mail_certs\n"
 OUTPUT="${OUTPUT}# Generiert: $(date)\n"
 OUTPUT="${OUTPUT}\n"
 # =====================================================================
 # Autodiscover/Autoconfig Snippet (dynamisch)
 # {labels.1}.{labels.0} = Basisdomain aus Hostname
 # =====================================================================
 OUTPUT="${OUTPUT}# ═══════════════════════════════════════════════\n"
 OUTPUT="${OUTPUT}# Autodiscover/Autoconfig Snippet (dynamisch)\n"
 OUTPUT="${OUTPUT}# {labels.1}.{labels.0} = Basisdomain aus Hostname\n"
 OUTPUT="${OUTPUT}# ═══════════════════════════════════════════════\n"
 OUTPUT="${OUTPUT}(email_settings) {\n"
 # --- 1. Outlook Classic Autodiscover (POST + GET XML) ---
 OUTPUT="${OUTPUT}    # Outlook Autodiscover (XML) - POST und GET\n"
 OUTPUT="${OUTPUT}    route /autodiscover/autodiscover.xml {\n"
 OUTPUT="${OUTPUT}        header Content-Type \"application/xml\"\n"
 OUTPUT="${OUTPUT}        respond \`<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
 OUTPUT="${OUTPUT}<Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006\">\n"
 OUTPUT="${OUTPUT}  <Response xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a\">\n"
 OUTPUT="${OUTPUT}    <Account>\n"
 OUTPUT="${OUTPUT}      <AccountType>email</AccountType>\n"
 OUTPUT="${OUTPUT}      <Action>settings</Action>\n"
 OUTPUT="${OUTPUT}      <Protocol>\n"
 OUTPUT="${OUTPUT}        <Type>IMAP</Type>\n"
 OUTPUT="${OUTPUT}        <Server>imap.{labels.1}.{labels.0}</Server>\n"
 OUTPUT="${OUTPUT}        <Port>993</Port>\n"
 OUTPUT="${OUTPUT}        <DomainRequired>off</DomainRequired>\n"
 OUTPUT="${OUTPUT}        <LoginName></LoginName>\n"
 OUTPUT="${OUTPUT}        <SPA>off</SPA>\n"
 OUTPUT="${OUTPUT}        <SSL>on</SSL>\n"
 OUTPUT="${OUTPUT}        <AuthRequired>on</AuthRequired>\n"
 OUTPUT="${OUTPUT}      </Protocol>\n"
 OUTPUT="${OUTPUT}      <Protocol>\n"
 OUTPUT="${OUTPUT}        <Type>SMTP</Type>\n"
 OUTPUT="${OUTPUT}        <Server>smtp.{labels.1}.{labels.0}</Server>\n"
 OUTPUT="${OUTPUT}        <Port>465</Port>\n"
 OUTPUT="${OUTPUT}        <DomainRequired>off</DomainRequired>\n"
 OUTPUT="${OUTPUT}        <LoginName></LoginName>\n"
 OUTPUT="${OUTPUT}        <SPA>off</SPA>\n"
 OUTPUT="${OUTPUT}        <SSL>on</SSL>\n"
 OUTPUT="${OUTPUT}        <AuthRequired>on</AuthRequired>\n"
 OUTPUT="${OUTPUT}      </Protocol>\n"
 OUTPUT="${OUTPUT}    </Account>\n"
 OUTPUT="${OUTPUT}  </Response>\n"
 OUTPUT="${OUTPUT}</Autodiscover>\` 200\n"
 OUTPUT="${OUTPUT}    }\n"
 OUTPUT="${OUTPUT}\n"
 # --- 2. Outlook New / Microsoft 365 (JSON v2) ---
 # Outlook New sendet GET auf /autodiscover/autodiscover.json?Protocol=AutodiscoverV1&...
 # Antwort muss den XML-Endpoint zurückgeben
 OUTPUT="${OUTPUT}    # Outlook New/365 (JSON → Redirect zu XML)\n"
 OUTPUT="${OUTPUT}    route /autodiscover/autodiscover.json {\n"
 OUTPUT="${OUTPUT}        header Content-Type \"application/json\"\n"
 OUTPUT="${OUTPUT}        respond \`{\"Protocol\":\"AutodiscoverV1\",\"Url\":\"https://autodiscover.{labels.1}.{labels.0}/autodiscover/autodiscover.xml\"}\` 200\n"
 OUTPUT="${OUTPUT}    }\n"
 OUTPUT="${OUTPUT}\n"
 # --- 3. Thunderbird Autoconfig ---
 OUTPUT="${OUTPUT}    # Thunderbird Autoconfig\n"
 OUTPUT="${OUTPUT}    route /mail/config-v1.1.xml {\n"
 OUTPUT="${OUTPUT}        header Content-Type \"application/xml\"\n"
 OUTPUT="${OUTPUT}        respond \`<?xml version=\"1.0\"?>\n"
 OUTPUT="${OUTPUT}<clientConfig version=\"1.1\">\n"
 OUTPUT="${OUTPUT}  <emailProvider id=\"{labels.1}.{labels.0}\">\n"
 OUTPUT="${OUTPUT}    <displayName>{labels.1}.{labels.0} Mail</displayName>\n"
 OUTPUT="${OUTPUT}    <domain>{labels.1}.{labels.0}</domain>\n"
 OUTPUT="${OUTPUT}    <incomingServer type=\"imap\">\n"
 OUTPUT="${OUTPUT}      <hostname>imap.{labels.1}.{labels.0}</hostname>\n"
 OUTPUT="${OUTPUT}      <port>993</port>\n"
 OUTPUT="${OUTPUT}      <socketType>SSL</socketType>\n"
 OUTPUT="${OUTPUT}      <authentication>password-cleartext</authentication>\n"
 OUTPUT="${OUTPUT}      <username>%%EMAILADDRESS%%</username>\n"
 OUTPUT="${OUTPUT}    </incomingServer>\n"
 OUTPUT="${OUTPUT}    <outgoingServer type=\"smtp\">\n"
 OUTPUT="${OUTPUT}      <hostname>smtp.{labels.1}.{labels.0}</hostname>\n"
 OUTPUT="${OUTPUT}      <port>465</port>\n"
 OUTPUT="${OUTPUT}      <socketType>SSL</socketType>\n"
 OUTPUT="${OUTPUT}      <authentication>password-cleartext</authentication>\n"
 OUTPUT="${OUTPUT}      <username>%%EMAILADDRESS%%</username>\n"
 OUTPUT="${OUTPUT}    </outgoingServer>\n"
 OUTPUT="${OUTPUT}  </emailProvider>\n"
 OUTPUT="${OUTPUT}</clientConfig>\` 200\n"
 OUTPUT="${OUTPUT}    }\n"
 OUTPUT="${OUTPUT}\n"
 # --- 4. Apple MobileConfig (inline, wie Autodiscover/Autoconfig) ---
 OUTPUT="${OUTPUT}    # Apple MobileConfig (inline respond)\n"
 OUTPUT="${OUTPUT}    route /apple {\n"
 OUTPUT="${OUTPUT}        header Content-Type \"application/x-apple-aspen-config; charset=utf-8\"\n"
 OUTPUT="${OUTPUT}        header Content-Disposition \"attachment; filename=email.mobileconfig\"\n"
 OUTPUT="${OUTPUT}        respond \`<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
 OUTPUT="${OUTPUT}<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n"
 OUTPUT="${OUTPUT}<plist version=\"1.0\">\n"
 OUTPUT="${OUTPUT}<dict>\n"
 OUTPUT="${OUTPUT}    <key>PayloadContent</key>\n"
 OUTPUT="${OUTPUT}    <array>\n"
 OUTPUT="${OUTPUT}        <dict>\n"
 OUTPUT="${OUTPUT}            <key>EmailAccountDescription</key>\n"
 OUTPUT="${OUTPUT}            <string>{query.email}</string>\n"
 OUTPUT="${OUTPUT}            <key>EmailAccountName</key>\n"
 OUTPUT="${OUTPUT}            <string>{query.email}</string>\n"
 OUTPUT="${OUTPUT}            <key>EmailAccountType</key>\n"
 OUTPUT="${OUTPUT}            <string>EmailTypeIMAP</string>\n"
 OUTPUT="${OUTPUT}            <key>EmailAddress</key>\n"
 OUTPUT="${OUTPUT}            <string>{query.email}</string>\n"
 OUTPUT="${OUTPUT}            <key>IncomingMailServerAuthentication</key>\n"
 OUTPUT="${OUTPUT}            <string>EmailAuthPassword</string>\n"
 OUTPUT="${OUTPUT}            <key>IncomingMailServerHostName</key>\n"
 OUTPUT="${OUTPUT}            <string>imap.{labels.1}.{labels.0}</string>\n"
 OUTPUT="${OUTPUT}            <key>IncomingMailServerPortNumber</key>\n"
 OUTPUT="${OUTPUT}            <integer>993</integer>\n"
 OUTPUT="${OUTPUT}            <key>IncomingMailServerUseSSL</key>\n"
 OUTPUT="${OUTPUT}            <true/>\n"
 OUTPUT="${OUTPUT}            <key>IncomingMailServerUsername</key>\n"
 OUTPUT="${OUTPUT}            <string>{query.email}</string>\n"
 OUTPUT="${OUTPUT}            <key>OutgoingMailServerAuthentication</key>\n"
 OUTPUT="${OUTPUT}            <string>EmailAuthPassword</string>\n"
 OUTPUT="${OUTPUT}            <key>OutgoingMailServerHostName</key>\n"
 OUTPUT="${OUTPUT}            <string>smtp.{labels.1}.{labels.0}</string>\n"
 OUTPUT="${OUTPUT}            <key>OutgoingMailServerPortNumber</key>\n"
 OUTPUT="${OUTPUT}            <integer>465</integer>\n"
 OUTPUT="${OUTPUT}            <key>OutgoingMailServerUseSSL</key>\n"
 OUTPUT="${OUTPUT}            <true/>\n"
 OUTPUT="${OUTPUT}            <key>OutgoingMailServerUsername</key>\n"
 OUTPUT="${OUTPUT}            <string>{query.email}</string>\n"
 OUTPUT="${OUTPUT}            <key>OutgoingPasswordRequired</key>\n"
 OUTPUT="${OUTPUT}            <true/>\n"
 OUTPUT="${OUTPUT}            <key>PayloadDescription</key>\n"
 OUTPUT="${OUTPUT}            <string>E-Mail Konfiguration</string>\n"
 OUTPUT="${OUTPUT}            <key>PayloadDisplayName</key>\n"
 OUTPUT="${OUTPUT}            <string>{labels.1}.{labels.0} E-Mail</string>\n"
 OUTPUT="${OUTPUT}            <key>PayloadIdentifier</key>\n"
 OUTPUT="${OUTPUT}            <string>com.{labels.1}.{labels.0}.email.account</string>\n"
 OUTPUT="${OUTPUT}            <key>PayloadType</key>\n"
 OUTPUT="${OUTPUT}            <string>com.apple.mail.managed</string>\n"
 OUTPUT="${OUTPUT}            <key>PayloadUUID</key>\n"
 OUTPUT="${OUTPUT}            <string>A1B2C3D4-E5F6-7890-ABCD-EF1234567890</string>\n"
 OUTPUT="${OUTPUT}            <key>PayloadVersion</key>\n"
 OUTPUT="${OUTPUT}            <integer>1</integer>\n"
 OUTPUT="${OUTPUT}        </dict>\n"
 OUTPUT="${OUTPUT}    </array>\n"
 OUTPUT="${OUTPUT}    <key>PayloadDescription</key>\n"
 OUTPUT="${OUTPUT}    <string>E-Mail Einrichtung</string>\n"
 OUTPUT="${OUTPUT}    <key>PayloadDisplayName</key>\n"
 OUTPUT="${OUTPUT}    <string>{labels.1}.{labels.0} E-Mail</string>\n"
 OUTPUT="${OUTPUT}    <key>PayloadIdentifier</key>\n"
 OUTPUT="${OUTPUT}    <string>com.{labels.1}.{labels.0}.email.profile</string>\n"
 OUTPUT="${OUTPUT}    <key>PayloadOrganization</key>\n"
 OUTPUT="${OUTPUT}    <string>Bay Area Affiliates, Inc.</string>\n"
 OUTPUT="${OUTPUT}    <key>PayloadRemovalDisallowed</key>\n"
 OUTPUT="${OUTPUT}    <false/>\n"
 OUTPUT="${OUTPUT}    <key>PayloadType</key>\n"
 OUTPUT="${OUTPUT}    <string>Configuration</string>\n"
 OUTPUT="${OUTPUT}    <key>PayloadUUID</key>\n"
 OUTPUT="${OUTPUT}    <string>F0E1D2C3-B4A5-6789-0FED-CBA987654321</string>\n"
 OUTPUT="${OUTPUT}    <key>PayloadVersion</key>\n"
 OUTPUT="${OUTPUT}    <integer>1</integer>\n"
 OUTPUT="${OUTPUT}</dict>\n"
 OUTPUT="${OUTPUT}</plist>\` 200\n"
 OUTPUT="${OUTPUT}    }\n"
 # --- 5. Samsung Email (nutzt ebenfalls autoconfig, kein extra Block nötig) ---
 # Samsung Email-App versucht:
 #   1. https://autoconfig.<domain>/mail/config-v1.1.xml (= Thunderbird-Format, schon abgedeckt)
 #   2. Alternativ: Outlook Autodiscover XML
 # → Kein separater Block erforderlich.
 OUTPUT="${OUTPUT}}\n\n"
 # =====================================================================
 # Email-Setup Snippet (QR-Code Seite für iPhone)
 # =====================================================================
 OUTPUT="${OUTPUT}# ═══════════════════════════════════════════════\n"
 OUTPUT="${OUTPUT}# Email-Setup Snippet (QR-Code Seite)\n"
 OUTPUT="${OUTPUT}# ═══════════════════════════════════════════════\n"
 OUTPUT="${OUTPUT}(email_setup_page) {\n"
 OUTPUT="${OUTPUT}    route /email-setup* {\n"
 OUTPUT="${OUTPUT}        uri strip_prefix /email-setup\n"
 OUTPUT="${OUTPUT}        root * /var/www/email-setup\n"
 OUTPUT="${OUTPUT}        try_files {path} /setup.html\n"
 OUTPUT="${OUTPUT}        file_server\n"
 OUTPUT="${OUTPUT}    }\n"
 OUTPUT="${OUTPUT}}\n\n"
 # Node-Hostname immer als erstes (Default-Cert des DMS)
 echo "   → Node-Hostname Block: $NODE_HOSTNAME"
 OUTPUT="${OUTPUT}# Node-Hostname (Default-Cert für DMS Fallback)\n"
 OUTPUT="${OUTPUT}${NODE_HOSTNAME} {\n"
 OUTPUT="${OUTPUT}    tls {\n"
 OUTPUT="${OUTPUT}        dns cloudflare {env.CLOUDFLARE_API_TOKEN}\n"
 OUTPUT="${OUTPUT}    }\n"
 OUTPUT="${OUTPUT}    respond \"OK\" 200\n"
 OUTPUT="${OUTPUT}}\n\n"
 # Wildcard-Blocks + Webmail + Autodiscover pro Kundendomain
 for domain in $DOMAINS; do
    echo "   → Wildcard Block:     *.${domain}"
    echo "   → Webmail Block:      webmail.${domain}"
    echo "   → Autodiscover Block: autodiscover.${domain}, autoconfig.${domain}"
    echo "   → Email-Setup Block:  webmail.${domain}/email-setup"
    # Wildcard-Cert Block (für Cert-Generierung + Fallback)
    OUTPUT="${OUTPUT}# ═══════════════════════════════════════════════\n"
    OUTPUT="${OUTPUT}# ${domain}\n"
    OUTPUT="${OUTPUT}# ═══════════════════════════════════════════════\n\n"
    OUTPUT="${OUTPUT}# Wildcard-Cert für $domain\n"
    OUTPUT="${OUTPUT}*.${domain}, ${domain} {\n"
    OUTPUT="${OUTPUT}    tls {\n"
    OUTPUT="${OUTPUT}        dns cloudflare {env.CLOUDFLARE_API_TOKEN}\n"
    OUTPUT="${OUTPUT}    }\n"
    OUTPUT="${OUTPUT}    respond \"OK\" 200\n"
    OUTPUT="${OUTPUT}}\n\n"
    # Webmail Block (Roundcube + Email-Setup)
    OUTPUT="${OUTPUT}# Roundcube Webmail + Email-Setup für $domain\n"
    OUTPUT="${OUTPUT}webmail.${domain} {\n"
    OUTPUT="${OUTPUT}    import email_setup_page\n"
    OUTPUT="${OUTPUT}    reverse_proxy roundcube:80\n"
    OUTPUT="${OUTPUT}    encode gzip\n"
    OUTPUT="${OUTPUT}    log {\n"
    OUTPUT="${OUTPUT}        output stderr\n"
    OUTPUT="${OUTPUT}        format console\n"
    OUTPUT="${OUTPUT}    }\n"
    OUTPUT="${OUTPUT}}\n\n"
    # Autodiscover / Autoconfig Block
    OUTPUT="${OUTPUT}# Autodiscover/Autoconfig für $domain\n"
    OUTPUT="${OUTPUT}autodiscover.${domain}, autoconfig.${domain} {\n"
    OUTPUT="${OUTPUT}    import email_settings\n"
    OUTPUT="${OUTPUT}    respond \"Autodiscover Service Online\" 200\n"
    OUTPUT="${OUTPUT}}\n\n"
 done
 # --- Ausgabe ---
 if [ "$DRY_RUN" = "true" ]; then
    echo ""
    echo "--- VORSCHAU ---"
    printf '%b' "$OUTPUT"
    echo "--- ENDE ---"
 else
    printf '%b' "$OUTPUT" > "$OUTPUT_FILE"
    echo "   ✅ Geschrieben: $OUTPUT_FILE"
 fi
 # --- Import im Caddyfile prüfen ---
 CADDYFILE="$SCRIPT_DIR/Caddyfile"
 if [ -f "$CADDYFILE" ]; then
    if grep -q "import mail_certs" "$CADDYFILE"; then
        echo "   ✅ 'import mail_certs' bereits im Caddyfile vorhanden."
    else
        echo ""
        echo "⚠️  AKTION: 'import mail_certs' fehlt noch im Caddyfile!"
        echo "   Bitte nach dem globalen {} Block eintragen:"
        echo ""
        echo "   {                              ← globaler Block"
        echo "       email {env.CLOUDFLARE_EMAIL}"
        echo "       ..."
        echo "   }"
        echo "   import mail_certs             ← hier einfügen"
    fi
    # Prüfe ob alte email_autodiscover Referenz entfernt werden kann
    if grep -q "import email_autodiscover" "$CADDYFILE"; then
        echo ""
        echo "⚠️  AUFRÄUMEN: 'import email_autodiscover' im Caddyfile gefunden!"
        echo "   Das Snippet (email_settings) ist jetzt in mail_certs eingebettet."
        echo "   Bitte 'import email_autodiscover' aus dem Caddyfile entfernen."
    fi
 fi
 # --- Prüfe ob alte Dateien noch existieren ---
 if [ -f "$SCRIPT_DIR/email_autodiscover" ]; then
    echo ""
    echo "⚠️  AUFRÄUMEN: Datei 'email_autodiscover' kann entfernt werden!"
    echo "   Das Snippet ist jetzt in mail_certs eingebettet."
 fi
 if [ -f "$SCRIPT_DIR/email-setup/autodiscover.xml" ]; then
    echo ""
    echo "⚠️  AUFRÄUMEN: 'email-setup/autodiscover.xml' kann entfernt werden!"
    echo "   Statische XML wird nicht mehr benötigt (dynamisch über Caddy)."
 fi
 echo ""
 echo "============================================================"
 echo "🔄 Nächste Schritte:"
 echo ""
 echo "1. Caddy Konfiguration validieren:"
 echo "   docker exec $CADDY_CONTAINER caddy validate --config /etc/caddy/Caddyfile"
 echo ""
 echo "2. Caddy neu laden (kein Downtime):"
 echo "   docker exec $CADDY_CONTAINER caddy reload --config /etc/caddy/Caddyfile"
 echo ""
 echo "3. Cert-Generierung verfolgen (~30s pro Domain):"
 echo "   docker logs -f $CADDY_CONTAINER 2>&1 | grep -i 'certificate\|acme\|tls\|error'"
 echo ""
 echo "4. Autodiscover testen:"
 for domain in $DOMAINS; do
    echo "   # Thunderbird:"
    echo "   curl -s https://autoconfig.${domain}/mail/config-v1.1.xml | head -10"
    echo "   # Outlook:"
    echo "   curl -s https://autodiscover.${domain}/autodiscover/autodiscover.xml | head -10"
    echo "   # Apple (sollte .mobileconfig liefern):"
    echo "   curl -sI \"https://autodiscover.${domain}/apple?email=test@${domain}\""
    echo ""
 done
 echo "5. iPhone Email-Setup QR-Code Seite:"
 for domain in $DOMAINS; do
    echo "   https://webmail.${domain}/email-setup"
 done
 echo "============================================================"
--- a/deprecated_worker/Dockerfile
+++ b/deprecated_worker/Dockerfile
@@ -1,26 +0,0 @@
 FROM python:3.11-slim
 # Metadata
 LABEL maintainer="your-email@example.com"
 LABEL description="Domain-specific email worker for SMTP delivery"
 # Non-root user für Security
 RUN useradd -m -u 1000 worker && \
    mkdir -p /app && \
    chown -R worker:worker /app
 # Boto3 installieren
 RUN pip install --no-cache-dir boto3
 # Worker Code
 COPY --chown=worker:worker worker.py /app/worker.py
 WORKDIR /app
 USER worker
 # Healthcheck
 HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
  CMD pgrep -f worker.py || exit 1
 # Start worker mit unbuffered output
 CMD ["python", "-u", "worker.py"]
--- a/deprecated_worker/docker-compose.yml
+++ b/deprecated_worker/docker-compose.yml
@@ -1,53 +0,0 @@
 services:
  worker:
    image: python:3.11-slim
    container_name: email-worker-${WORKER_DOMAIN}
    restart: unless-stopped
    network_mode: host  # Zugriff auf lokales Netzwerk für Postfix
    # Worker-Code mounten
    volumes:
      - ./worker.py:/app/worker.py:ro
    working_dir: /app
    # Python Dependencies installieren und Worker starten
    command: >
      sh -c "apt-get update && 
            apt-get install -y --no-install-recommends procps && 
            rm -rf /var/lib/apt/lists/* &&
            pip install --no-cache-dir boto3 &&
            python -u worker.py"
    environment:
      # ⚠️ WICHTIG: WORKER_DOMAIN muss von außen gesetzt werden!
      - WORKER_DOMAIN=${WORKER_DOMAIN}
      # AWS Credentials
      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
      # Worker Settings
      - POLL_INTERVAL=${POLL_INTERVAL:-20}
      - MAX_MESSAGES=${MAX_MESSAGES:-10}
      - VISIBILITY_TIMEOUT=${VISIBILITY_TIMEOUT:-300}
      # SMTP Configuration
      - SMTP_HOST=${SMTP_HOST:-localhost}
      - SMTP_PORT=${SMTP_PORT:-25}
      - SMTP_USE_TLS=${SMTP_USE_TLS:-false}
      - SMTP_USER=${SMTP_USER:-}
      - SMTP_PASS=${SMTP_PASS:-}
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "5"
    healthcheck:
      test: ["CMD", "pgrep", "-f", "worker.py"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
--- a/deprecated_worker/manage-worker.sh
+++ b/deprecated_worker/manage-worker.sh
@@ -1,30 +0,0 @@
 #!/bin/bash
 # manage-worker.sh
 DOMAIN=$1
 if [ -z "$DOMAIN" ]; then
    echo "Usage: $0 <domain> [action]"
    echo "Example: $0 andreasknuth.de"
    echo "         $0 andreasknuth.de down"
    echo "         $0 andreasknuth.de logs -f"
    exit 1
 fi
 # Entfernt den ersten Parameter ($1 / DOMAIN) aus der Argumentenliste
 shift
 # Nimm ALLE verbleibenden Argumente ($@). Wenn keine da sind, nimm "up -d".
 ACTION="${@:-up -d}"
 PROJECT_NAME="${DOMAIN//./-}"
 ENV_FILE=".env.${DOMAIN}"
 if [ ! -f "$ENV_FILE" ]; then
    echo "Error: $ENV_FILE not found!"
    exit 1
 fi
 # $ACTION wird hier nicht in Anführungszeichen gesetzt, 
 # damit "logs -f" als zwei separate Befehle erkannt wird.
 docker compose -p "$PROJECT_NAME" --env-file "$ENV_FILE" $ACTION
--- a/deprecated_worker/update-all-workers.sh
+++ b/deprecated_worker/update-all-workers.sh
@@ -1,19 +0,0 @@
 #!/bin/bash
 # update-all-workers.sh (smart version)
 DOMAINS=$(docker ps --filter "name=email-worker-" --format "{{.Names}}" | sed 's/email-worker-//')
 if [ -z "$DOMAINS" ]; then
    echo "No workers found"
    exit 1
 fi
 echo "Found workers: $DOMAINS"
 echo ""
 for domain in $DOMAINS; do
    echo "═══ $domain ═══"
    ./manage-worker.sh "$domain" restart
 done
 echo "✓ Done"
--- a/deprecated_worker/worker.py
+++ b/deprecated_worker/worker.py
@@ -1,885 +0,0 @@
 import os
 import sys
 import boto3
 import smtplib
 import json
 import time
 import traceback
 import signal
 from email.parser import BytesParser
 from email.policy import SMTP as SMTPPolicy
 from datetime import datetime
 from botocore.exceptions import ClientError  # Neu: Korrekter Import für SES-Exceptions
 # AWS Configuration
 AWS_REGION = 'us-east-2'
 s3 = boto3.client('s3', region_name=AWS_REGION)
 sqs = boto3.client('sqs', region_name=AWS_REGION)
 ses = boto3.client('ses', region_name=AWS_REGION)  # Neu: Für OOO/Forwards
 # ✨ Worker Configuration (domain-spezifisch)
 WORKER_DOMAIN = os.environ.get('WORKER_DOMAIN')  # z.B. 'andreasknuth.de'
 WORKER_NAME = os.environ.get('WORKER_NAME', f'worker-{WORKER_DOMAIN}')
 # Worker Settings
 POLL_INTERVAL = int(os.environ.get('POLL_INTERVAL', '20'))
 MAX_MESSAGES = int(os.environ.get('MAX_MESSAGES', '10'))
 VISIBILITY_TIMEOUT = int(os.environ.get('VISIBILITY_TIMEOUT', '300'))
 # SMTP Configuration (einfach, da nur 1 Domain pro Worker)
 SMTP_HOST = os.environ.get('SMTP_HOST', 'localhost')
 SMTP_PORT = int(os.environ.get('SMTP_PORT', '25'))
 SMTP_USE_TLS = os.environ.get('SMTP_USE_TLS', 'false').lower() == 'true'
 SMTP_USER = os.environ.get('SMTP_USER')
 SMTP_PASS = os.environ.get('SMTP_PASS')
 # Graceful shutdown
 shutdown_requested = False
 # DynamoDB Ressource für Bounce-Lookup
 # DynamoDB Ressource für Bounce-Lookup und Rules
 try:
    dynamo = boto3.resource('dynamodb', region_name=AWS_REGION)
    msg_table = dynamo.Table('ses-outbound-messages')
    rules_table = dynamo.Table('email-rules')  # Neu: Für OOO/Forwards
 except Exception as e:
    log(f"Warning: Could not connect to DynamoDB: {e}", 'WARNING')
    msg_table = None
    rules_table = None
 def get_bucket_name(domain):
    """Konvention: domain.tld -> domain-tld-emails"""
    return domain.replace('.', '-') + '-emails'
 def is_ses_bounce_notification(parsed):
    """
    Prüft ob Email von SES MAILER-DAEMON ist
    """
    from_h = (parsed.get('From') or '').lower()
    return 'mailer-daemon@us-east-2.amazonses.com' in from_h
 def get_bounce_info_from_dynamodb(message_id, max_retries=3, retry_delay=1):
    """
    Sucht Bounce-Info in DynamoDB anhand der Message-ID
    Mit Retry-Logik für Timing-Issues
    Returns: dict mit bounce info oder None
    """
    import time
    for attempt in range(max_retries):
        try:
            response = msg_table.get_item(Key={'MessageId': message_id})
            item = response.get('Item')
            if item:
                # Gefunden!
                return {
                    'original_source': item.get('original_source', ''),
                    'bounceType': item.get('bounceType', 'Unknown'),
                    'bounceSubType': item.get('bounceSubType', 'Unknown'),
                    'bouncedRecipients': item.get('bouncedRecipients', []),
                    'timestamp': item.get('timestamp', '')
                }
            # Nicht gefunden - Retry falls nicht letzter Versuch
            if attempt < max_retries - 1:
                log(f"  Bounce record not found yet, retrying in {retry_delay}s (attempt {attempt + 1}/{max_retries})...")
                time.sleep(retry_delay)
            else:
                log(f"⚠ No bounce record found after {max_retries} attempts for Message-ID: {message_id}")
                return None
        except Exception as e:
            log(f"⚠ DynamoDB Error (attempt {attempt + 1}/{max_retries}): {e}", 'ERROR')
            if attempt < max_retries - 1:
                time.sleep(retry_delay)
            else:
                return None
    return None
 def apply_bounce_logic(parsed, subject):
    """
    Prüft auf SES Bounce, sucht in DynamoDB und schreibt Header um.
    Returns: (parsed_email_object, was_modified_bool)
    """
    if not is_ses_bounce_notification(parsed):
        return parsed, False
    log("🔍 Detected SES MAILER-DAEMON bounce notification")
    # Message-ID aus Header extrahieren
    message_id = (parsed.get('Message-ID') or '').strip('<>').split('@')[0]
    if not message_id:
        log("⚠ Could not extract Message-ID from bounce notification")
        return parsed, False
    log(f"  Looking up Message-ID: {message_id}")
    # Lookup in DynamoDB
    bounce_info = get_bounce_info_from_dynamodb(message_id)
    if not bounce_info:
        return parsed, False
    # Bounce Info ausgeben
    original_source = bounce_info['original_source']
    bounced_recipients = bounce_info['bouncedRecipients']
    bounce_type = bounce_info['bounceType']
    bounce_subtype = bounce_info['bounceSubType']
    log(f"✓ Found bounce info:")
    log(f"  Original sender: {original_source}")
    log(f"  Bounce type: {bounce_type}/{bounce_subtype}")
    log(f"  Bounced recipients: {bounced_recipients}")
    # Nehme den ersten bounced recipient als neuen Absender
    # (bei Multiple Recipients kann es mehrere geben)
    if bounced_recipients:
        new_from = bounced_recipients[0]
        # Rewrite Headers
        parsed['X-Original-SES-From'] = parsed.get('From', '')
        parsed['X-Bounce-Type'] = f"{bounce_type}/{bounce_subtype}"
        parsed.replace_header('From', new_from)
        if not parsed.get('Reply-To'):
            parsed['Reply-To'] = new_from
        # Subject anpassen
        if 'delivery status notification' in subject.lower() or 'thanks for your submission' in subject.lower():
            parsed.replace_header('Subject', f"Delivery Status: {new_from}")
        log(f"✓ Rewritten FROM: {new_from}")
        return parsed, True
    log("⚠ No bounced recipients found in bounce info")
    return parsed, False
 def signal_handler(signum, frame):
    global shutdown_requested
    print(f"\n⚠ Shutdown signal received (signal {signum})")
    shutdown_requested = True
 signal.signal(signal.SIGTERM, signal_handler)
 signal.signal(signal.SIGINT, signal_handler)
 def log(message: str, level: str = 'INFO'):
    """Structured logging with timestamp"""
    timestamp = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
    print(f"[{timestamp}] [{level}] [{WORKER_NAME}] {message}", flush=True)
 def domain_to_queue_name(domain: str) -> str:
    """Konvertiert Domain zu SQS Queue Namen"""
    return domain.replace('.', '-') + '-queue'
 def get_queue_url() -> str:
    """Ermittelt Queue-URL für die konfigurierte Domain"""
    queue_name = domain_to_queue_name(WORKER_DOMAIN)
    try:
        response = sqs.get_queue_url(QueueName=queue_name)
        return response['QueueUrl']
    except Exception as e:
        raise Exception(f"Failed to get queue URL for {WORKER_DOMAIN}: {e}")
 def mark_as_processed(bucket: str, key: str, invalid_inboxes: list = None):
    """
    Markiert E-Mail als erfolgreich zugestellt
    Wird nur aufgerufen wenn mindestens 1 Recipient erfolgreich war
    """
    try:
        head = s3.head_object(Bucket=bucket, Key=key)
        metadata = head.get('Metadata', {}) or {}
        metadata['processed'] = 'true'
        metadata['processed_at'] = str(int(time.time()))
        metadata['processed_by'] = WORKER_NAME
        metadata['status'] = 'delivered'
        metadata.pop('processing_started', None)
        metadata.pop('queued_at', None)
        # Invalid inboxes speichern falls vorhanden
        if invalid_inboxes:
            metadata['invalid_inboxes'] = ','.join(invalid_inboxes)
            log(f"⚠ Invalid inboxes recorded: {', '.join(invalid_inboxes)}", 'WARNING')
        s3.copy_object(
            Bucket=bucket,
            Key=key,
            CopySource={'Bucket': bucket, 'Key': key},
            Metadata=metadata,
            MetadataDirective='REPLACE'
        )
        log(f"✓ Marked s3://{bucket}/{key} as processed", 'SUCCESS')
    except Exception as e:
        log(f"Failed to mark as processed: {e}", 'WARNING')
 def mark_as_all_invalid(bucket: str, key: str, invalid_inboxes: list):
    """
    Markiert E-Mail als fehlgeschlagen weil alle Recipients ungültig sind
    """
    try:
        head = s3.head_object(Bucket=bucket, Key=key)
        metadata = head.get('Metadata', {}) or {}
        metadata['processed'] = 'true'
        metadata['processed_at'] = str(int(time.time()))
        metadata['processed_by'] = WORKER_NAME
        metadata['status'] = 'failed'
        metadata['error'] = 'All recipients are invalid (mailboxes do not exist)'
        metadata['invalid_inboxes'] = ','.join(invalid_inboxes)
        metadata.pop('processing_started', None)
        metadata.pop('queued_at', None)
        s3.copy_object(
            Bucket=bucket,
            Key=key,
            CopySource={'Bucket': bucket, 'Key': key},
            Metadata=metadata,
            MetadataDirective='REPLACE'
        )
        log(f"✓ Marked s3://{bucket}/{key} as failed (all invalid)", 'SUCCESS')
    except Exception as e:
        log(f"Failed to mark as all invalid: {e}", 'WARNING')
 def mark_as_failed(bucket: str, key: str, error: str, receive_count: int):
    """
    Markiert E-Mail als komplett fehlgeschlagen
    Wird nur aufgerufen wenn ALLE Recipients fehlschlagen
    """
    try:
        head = s3.head_object(Bucket=bucket, Key=key)
        metadata = head.get('Metadata', {}) or {}
        metadata['status'] = 'failed'
        metadata['failed_at'] = str(int(time.time()))
        metadata['failed_by'] = WORKER_NAME
        metadata['error'] = error[:500]  # S3 Metadata limit
        metadata['retry_count'] = str(receive_count)
        metadata.pop('processing_started', None)
        s3.copy_object(
            Bucket=bucket,
            Key=key,
            CopySource={'Bucket': bucket, 'Key': key},
            Metadata=metadata,
            MetadataDirective='REPLACE'
        )
        log(f"✗ Marked s3://{bucket}/{key} as failed: {error[:100]}", 'ERROR')
    except Exception as e:
        log(f"Failed to mark as failed: {e}", 'WARNING')
 def is_temporary_smtp_error(error_msg: str) -> bool:
    """
    Prüft ob SMTP-Fehler temporär ist (Retry sinnvoll)
    4xx Codes = temporär, 5xx = permanent
    """
    temporary_indicators = [
        '421',  # Service not available
        '450',  # Mailbox unavailable
        '451',  # Local error
        '452',  # Insufficient storage
        '4',    # Generisch 4xx
        'timeout',
        'connection refused',
        'connection reset',
        'network unreachable',
        'temporarily',
        'try again'
    ]
    error_lower = error_msg.lower()
    return any(indicator in error_lower for indicator in temporary_indicators)
 def is_permanent_recipient_error(error_msg: str) -> bool:
    """
    Prüft ob Fehler permanent für diesen Recipient ist (Inbox existiert nicht)
    550 = Mailbox not found, 551 = User not local, 553 = Mailbox name invalid
    """
    permanent_indicators = [
        '550',  # Mailbox unavailable / not found
        '551',  # User not local
        '553',  # Mailbox name not allowed / invalid
        'mailbox not found',
        'user unknown',
        'no such user',
        'recipient rejected',
        'does not exist',
        'invalid recipient',
        'unknown user'
    ]
    error_lower = error_msg.lower()
    return any(indicator in error_lower for indicator in permanent_indicators)
 def send_email(from_addr: str, recipient: str, raw_message: bytes) -> tuple:
    """
    Sendet E-Mail via SMTP an EINEN Empfänger
    Returns: (success: bool, error: str or None, is_permanent: bool)
    """
    try:
        with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=30) as smtp:
            smtp.ehlo()
            # STARTTLS falls konfiguriert
            if SMTP_USE_TLS:
                try:
                    smtp.starttls()
                    smtp.ehlo()
                except Exception as e:
                    log(f"  STARTTLS failed: {e}", 'WARNING')
            # Authentication falls konfiguriert
            if SMTP_USER and SMTP_PASS:
                try:
                    smtp.login(SMTP_USER, SMTP_PASS)
                except Exception as e:
                    log(f"  SMTP auth failed: {e}", 'WARNING')
            # E-Mail senden
            result = smtp.sendmail(from_addr, [recipient], raw_message)
            # Result auswerten
            if isinstance(result, dict) and result:
                # Empfänger wurde abgelehnt
                error = result.get(recipient, 'Unknown refusal')
                is_permanent = is_permanent_recipient_error(str(error))
                log(f"  ✗ {recipient}: {error} ({'permanent' if is_permanent else 'temporary'})", 'ERROR')
                return False, str(error), is_permanent
            else:
                # Erfolgreich
                log(f"  ✓ {recipient}: Delivered", 'SUCCESS')
                return True, None, False
    except smtplib.SMTPException as e:
        error_msg = str(e)
        is_permanent = is_permanent_recipient_error(error_msg)
        log(f"  ✗ {recipient}: SMTP error - {error_msg}", 'ERROR')
        return False, error_msg, is_permanent
    except Exception as e:
        # Connection errors sind immer temporär
        log(f"  ✗ {recipient}: Connection error - {e}", 'ERROR')
        return False, str(e), False
 def extract_body_parts(parsed):
    """
    Extrahiert sowohl text/plain als auch text/html Body-Parts.
    Returns: (text_body: str, html_body: str or None)
    """
    text_body = ''
    html_body = None
    if parsed.is_multipart():
        for part in parsed.walk():
            content_type = part.get_content_type()
            if content_type == 'text/plain':
                try:
                    text_body += part.get_payload(decode=True).decode('utf-8', errors='ignore')
                except Exception as e:
                    log(f"⚠ Error decoding text/plain part: {e}", 'WARNING')
            elif content_type == 'text/html':
                try:
                    html_body = part.get_payload(decode=True).decode('utf-8', errors='ignore')
                except Exception as e:
                    log(f"⚠ Error decoding text/html part: {e}", 'WARNING')
    else:
        try:
            payload = parsed.get_payload(decode=True)
            if payload:
                decoded = payload.decode('utf-8', errors='ignore')
                if parsed.get_content_type() == 'text/html':
                    html_body = decoded
                else:
                    text_body = decoded
        except Exception as e:
            log(f"⚠ Error decoding non-multipart body: {e}", 'WARNING')
            text_body = str(parsed.get_payload())
    return text_body.strip() if text_body else '(No body content)', html_body
 def create_ooo_reply(original_parsed, recipient, ooo_msg, content_type='text'):
    """
    Erstellt eine Out-of-Office Reply als komplette MIME-Message.
    Behält Original-Body (text + html) bei.
    """
    from email.mime.multipart import MIMEMultipart
    from email.mime.text import MIMEText
    from email.utils import formatdate, make_msgid
    text_body, html_body = extract_body_parts(original_parsed)
    original_subject = original_parsed.get('Subject', '(no subject)')
    original_from = original_parsed.get('From', 'unknown')
    # Neue Message erstellen
    msg = MIMEMultipart('mixed')
    msg['From'] = recipient
    msg['To'] = original_from
    msg['Subject'] = f"Out of Office: {original_subject}"
    msg['Date'] = formatdate(localtime=True)
    msg['Message-ID'] = make_msgid(domain=recipient.split('@')[1])
    msg['In-Reply-To'] = original_parsed.get('Message-ID', '')
    msg['References'] = original_parsed.get('Message-ID', '')
    msg['Auto-Submitted'] = 'auto-replied'  # Verhindert Loops
    # Body-Teil erstellen
    body_part = MIMEMultipart('alternative')
    # Text-Version
    text_content = f"{ooo_msg}\n\n"
    text_content += "--- Original Message ---\n"
    text_content += f"From: {original_from}\n"
    text_content += f"Subject: {original_subject}\n\n"
    text_content += text_body
    body_part.attach(MIMEText(text_content, 'plain', 'utf-8'))
    # HTML-Version (wenn gewünscht und Original vorhanden)
    if content_type == 'html' or html_body:
        html_content = f"<div>{ooo_msg}</div><br><hr><br>"
        html_content += "<blockquote style='margin:10px 0;padding:10px;border-left:3px solid #ccc;'>"
        html_content += f"<strong>Original Message</strong><br>"
        html_content += f"<strong>From:</strong> {original_from}<br>"
        html_content += f"<strong>Subject:</strong> {original_subject}<br><br>"
        html_content += (html_body if html_body else text_body.replace('\n', '<br>'))
        html_content += "</blockquote>"
        body_part.attach(MIMEText(html_content, 'html', 'utf-8'))
    msg.attach(body_part)
    return msg
 def create_forward_message(original_parsed, recipient, forward_to, original_from):
    """
    Erstellt eine Forward-Message als komplette MIME-Message.
    Behält ALLE Original-Parts inkl. Attachments bei.
    """
    from email.mime.multipart import MIMEMultipart
    from email.mime.text import MIMEText
    from email.utils import formatdate, make_msgid
    original_subject = original_parsed.get('Subject', '(no subject)')
    original_date = original_parsed.get('Date', 'unknown')
    # Neue Message erstellen
    msg = MIMEMultipart('mixed')
    msg['From'] = recipient
    msg['To'] = forward_to
    msg['Subject'] = f"FWD: {original_subject}"
    msg['Date'] = formatdate(localtime=True)
    msg['Message-ID'] = make_msgid(domain=recipient.split('@')[1])
    msg['Reply-To'] = original_from
    # Forward-Header als Text
    text_body, html_body = extract_body_parts(original_parsed)
    # Body-Teil
    body_part = MIMEMultipart('alternative')
    # Text-Version
    fwd_text = "---------- Forwarded message ---------\n"
    fwd_text += f"From: {original_from}\n"
    fwd_text += f"Date: {original_date}\n"
    fwd_text += f"Subject: {original_subject}\n"
    fwd_text += f"To: {recipient}\n\n"
    fwd_text += text_body
    body_part.attach(MIMEText(fwd_text, 'plain', 'utf-8'))
    # HTML-Version
    if html_body:
        fwd_html = "<div style='border-left:3px solid #ccc;padding-left:10px;margin:10px 0;'>"
        fwd_html += "<strong>---------- Forwarded message ---------</strong><br>"
        fwd_html += f"<strong>From:</strong> {original_from}<br>"
        fwd_html += f"<strong>Date:</strong> {original_date}<br>"
        fwd_html += f"<strong>Subject:</strong> {original_subject}<br>"
        fwd_html += f"<strong>To:</strong> {recipient}<br><br>"
        fwd_html += html_body
        fwd_html += "</div>"
        body_part.attach(MIMEText(fwd_html, 'html', 'utf-8'))
    msg.attach(body_part)
    # WICHTIG: Attachments kopieren
    if original_parsed.is_multipart():
        for part in original_parsed.walk():
            # Nur non-body parts (Attachments)
            if part.get_content_maintype() == 'multipart':
                continue
            if part.get_content_type() in ['text/plain', 'text/html']:
                continue  # Body bereits oben behandelt
            # Attachment hinzufügen
            msg.attach(part)
    return msg
 # ==========================================
 # HAUPTFUNKTION: PROCESS MESSAGE
 # ==========================================
 def process_message(message_body: dict, receive_count: int) -> bool:
    """
    Verarbeitet eine E-Mail aus der Queue (SNS-wrapped SES Notification)
    Returns: True (Erfolg/Löschen), False (Retry/Behalten)
    """
    try:
        # 1. UNPACKING (SNS -> SES)
        # SQS Body ist JSON. Darin ist meist 'Type': 'Notification' und 'Message': '...JSONString...'
        if 'Message' in message_body and 'Type' in message_body:
            # Es ist eine SNS Notification
            sns_content = message_body['Message']
            if isinstance(sns_content, str):
                ses_msg = json.loads(sns_content)
            else:
                ses_msg = sns_content
        else:
            # Fallback: Vielleicht doch direkt SES (Legacy support)
            ses_msg = message_body
        # 2. DATEN EXTRAHIEREN
        mail = ses_msg.get('mail', {})
        receipt = ses_msg.get('receipt', {})
        message_id = mail.get('messageId')  # Das ist der S3 Key!
        # FIX: Amazon SES Setup Notification ignorieren
        if message_id == "AMAZON_SES_SETUP_NOTIFICATION":
            log("ℹ️ Received Amazon SES Setup Notification. Ignoring.", 'INFO')
            return True # Erfolgreich (löschen), da kein Fehler        
        from_addr = mail.get('source')
        recipients = receipt.get('recipients', [])
        # S3 Key Validation
        if not message_id:
            log("❌ Error: No messageId in event payload", 'ERROR')
            return True # Löschen, da unbrauchbar
        # Domain Validation
        # Wir nehmen den ersten Empfänger um die Domain zu prüfen
        if recipients:
            first_recipient = recipients[0]
            domain = first_recipient.split('@')[1]
            if domain.lower() != WORKER_DOMAIN.lower():
                log(f"⚠ Security: Ignored message for {domain} (I am worker for {WORKER_DOMAIN})", 'WARNING')
                return True # Löschen, gehört nicht hierher
        else:
            log("⚠ Warning: No recipients in event", 'WARNING')
            return True
        # Bucket Name ableiten
        bucket = get_bucket_name(WORKER_DOMAIN)
        key = message_id
        log(f"\n{'='*70}")
        log(f"Processing Email (SNS/SES):")
        log(f"  ID: {key}")
        log(f"  Recipients: {len(recipients)} -> {recipients}")
        log(f"  Bucket: {bucket}")
        # 3. LADEN AUS S3
        try:
            response = s3.get_object(Bucket=bucket, Key=key)
            raw_bytes = response['Body'].read()
            log(f"✓ Loaded {len(raw_bytes)} bytes from S3")
        except s3.exceptions.NoSuchKey:
            # Race Condition: SNS war schneller als S3.
            # Wir geben False zurück, damit SQS es in 30s nochmal versucht.
            if receive_count < 5:
                log(f"⏳ S3 Object not found yet (Attempt {receive_count}). Retrying...", 'WARNING')
                return False 
            else:
                log(f"❌ S3 Object missing permanently after retries.", 'ERROR')
                return True # Löschen
        except Exception as e:
            log(f"❌ S3 Download Error: {e}", 'ERROR')
            return False # Retry
        # 4. PARSING & BOUNCE LOGIC
        try:
            parsed = BytesParser(policy=SMTPPolicy).parsebytes(raw_bytes)
            subject = parsed.get('Subject', '(no subject)')
            # Hier passiert die Magie: Bounce Header umschreiben
            parsed, modified = apply_bounce_logic(parsed, subject)
            if modified:
                log("  ✨ Bounce detected & headers rewritten via DynamoDB")
                # Wir arbeiten mit den modifizierten Bytes weiter
                raw_bytes = parsed.as_bytes()
                from_addr_final = parsed.get('From') # Neuer Absender für SMTP Envelope
            else:
                from_addr_final = from_addr # Original Envelope Sender
        except Exception as e:
            log(f"⚠ Parsing/Logic Error: {e}. Sending original.", 'WARNING')
            from_addr_final = from_addr
        # 5. OOO & FORWARD LOGIC (neu, vor SMTP-Versand)
        if rules_table and not is_ses_bounce_notification(parsed):
            for recipient in recipients:
                try:
                    rule = rules_table.get_item(Key={'email_address': recipient}).get('Item', {})
                    # OOO handling
                    if rule.get('ooo_active', False):
                        ooo_msg = rule.get('ooo_message', 'Default OOO message.')
                        content_type = rule.get('ooo_content_type', 'text')
                        sender = parsed.get('From')
                        try:
                            # Erstelle komplette MIME-Message
                            ooo_reply = create_ooo_reply(parsed, recipient, ooo_msg, content_type)
                            # Sende via send_raw_email (unterstützt komplexe MIME)
                            ses.send_raw_email(
                                Source=recipient,
                                Destinations=[sender],
                                RawMessage={'Data': ooo_reply.as_bytes()}
                            )
                            log(f"✓ Sent OOO reply to {sender} from {recipient}")
                        except ClientError as e:
                            error_code = e.response['Error']['Code']
                            log(f"⚠ SES OOO send failed ({error_code}): {e}", 'ERROR')
                    # Forward handling
                    forwards = rule.get('forwards', [])
                    if forwards:
                        original_from = parsed.get('From')
                        for forward_to in forwards:
                            try:
                                # Erstelle komplette Forward-Message mit Attachments
                                fwd_msg = create_forward_message(parsed, recipient, forward_to, original_from)
                                # Sende via send_raw_email
                                ses.send_raw_email(
                                    Source=recipient,
                                    Destinations=[forward_to],
                                    RawMessage={'Data': fwd_msg.as_bytes()}
                                )
                                log(f"✓ Forwarded to {forward_to} from {recipient} (original: {original_from})")
                            except ClientError as e:
                                error_code = e.response['Error']['Code']
                                log(f"⚠ SES forward failed to {forward_to} ({error_code}): {e}", 'ERROR')
                except ClientError as e:
                    error_code = e.response['Error']['Code']
                    if error_code == 'MessageRejected':
                        log(f"⚠ SES rejected send for {recipient}: Check verification/quotas.", 'ERROR')
                    elif error_code == 'AccessDenied':
                        log(f"⚠ SES AccessDenied for {recipient}: Check IAM policy.", 'ERROR')
                    else:
                        log(f"⚠ SES error for {recipient}: {e}", 'ERROR')
                except Exception as e:
                    log(f"⚠ Rule processing error for {recipient}: {e}", 'WARNING')
                    traceback.print_exc()
        # 6. SMTP VERSAND (Loop über Recipients)
        log(f"📤 Sending to {len(recipients)} recipient(s)...")
        successful = []
        failed_permanent = []
        failed_temporary = []
        for recipient in recipients:
            # Wir nutzen raw_bytes (ggf. modifiziert)
            # WICHTIG: Als Envelope Sender nutzen wir 'from_addr_final' 
            # (bei Bounces ist das der Original-Empfänger, sonst der SES Sender)
            success, error, is_perm = send_email(from_addr_final, recipient, raw_bytes)
            if success:
                successful.append(recipient)
            elif is_perm:
                failed_permanent.append(recipient)
            else:
                failed_temporary.append(recipient)
        # 6. RESULTAT & CLEANUP
        log(f"📊 Results: {len(successful)} OK, {len(failed_temporary)} TempFail, {len(failed_permanent)} PermFail")
        if len(successful) > 0:
            # Mindestens einer durchgegangen -> Erfolg
            mark_as_processed(bucket, key, failed_permanent if failed_permanent else None)
            log(f"✅ Success. Deleted from queue.")
            return True
        elif len(failed_permanent) == len(recipients):
            # Alle permanent fehlgeschlagen (User unknown) -> Löschen
            mark_as_all_invalid(bucket, key, failed_permanent)
            log(f"🛑 All recipients invalid. Deleted from queue.")
            return True
        else:
            # Temporäre Fehler -> Retry
            log(f"🔄 Temporary failures. Keeping in queue.")
            return False
    except Exception as e:
        log(f"❌ CRITICAL WORKER ERROR: {e}", 'ERROR')
        traceback.print_exc()
        return False # Retry (außer es crasht immer wieder)
 def main_loop():
    """Hauptschleife: Pollt SQS Queue und verarbeitet Nachrichten"""
    # Queue URL ermitteln
    try:
        queue_url = get_queue_url()
    except Exception as e:
        log(f"FATAL: {e}", 'ERROR')
        sys.exit(1)
    log(f"\n{'='*70}")
    log(f"🚀 Email Worker started")
    log(f"{'='*70}")
    log(f"  Worker Name: {WORKER_NAME}")
    log(f"  Domain: {WORKER_DOMAIN}")
    log(f"  Queue: {queue_url}")
    log(f"  Region: {AWS_REGION}")
    log(f"  SMTP: {SMTP_HOST}:{SMTP_PORT} (TLS: {SMTP_USE_TLS})")
    log(f"  Poll interval: {POLL_INTERVAL}s")
    log(f"  Max messages per poll: {MAX_MESSAGES}")
    log(f"  Visibility timeout: {VISIBILITY_TIMEOUT}s")
    log(f"{'='*70}\n")
    consecutive_errors = 0
    max_consecutive_errors = 10
    messages_processed = 0
    last_activity = time.time()
    while not shutdown_requested:
        try:
            # Messages aus Queue holen (Long Polling)
            response = sqs.receive_message(
                QueueUrl=queue_url,
                MaxNumberOfMessages=MAX_MESSAGES,
                WaitTimeSeconds=POLL_INTERVAL,
                VisibilityTimeout=VISIBILITY_TIMEOUT,
                AttributeNames=['ApproximateReceiveCount', 'SentTimestamp'],
                MessageAttributeNames=['All']
            )
            # Reset error counter bei erfolgreicher Abfrage
            consecutive_errors = 0
            if 'Messages' not in response:
                # Keine Nachrichten
                if time.time() - last_activity > 60:
                    log(f"Waiting for messages... (processed: {messages_processed})")
                    last_activity = time.time()
                continue
            message_count = len(response['Messages'])
            log(f"\n✉ Received {message_count} message(s) from queue")
            last_activity = time.time()
            # Messages verarbeiten
            for msg in response['Messages']:
                if shutdown_requested:
                    log("Shutdown requested, stopping processing")
                    break
                receipt_handle = msg['ReceiptHandle']
                # Receive Count auslesen
                receive_count = int(msg.get('Attributes', {}).get('ApproximateReceiveCount', 1))
                # Sent Timestamp (für Queue-Zeit-Berechnung)
                sent_timestamp = int(msg.get('Attributes', {}).get('SentTimestamp', 0)) / 1000
                queue_time = int(time.time() - sent_timestamp) if sent_timestamp else 0
                if queue_time > 0:
                    log(f"Message was in queue for {queue_time}s")
                try:
                    message_body = json.loads(msg['Body'])
                    # E-Mail verarbeiten
                    success = process_message(message_body, receive_count)
                    if success:
                        # Message aus Queue löschen
                        sqs.delete_message(
                            QueueUrl=queue_url,
                            ReceiptHandle=receipt_handle
                        )
                        log("✓ Message deleted from queue")
                        messages_processed += 1
                    else:
                        # Bei Fehler bleibt Message in Queue
                        log(f"⚠ Message kept in queue for retry (attempt {receive_count}/3)")
                except json.JSONDecodeError as e:
                    log(f"✗ Invalid message format: {e}", 'ERROR')
                    # Ungültige Messages löschen (nicht retryable)
                    sqs.delete_message(
                        QueueUrl=queue_url,
                        ReceiptHandle=receipt_handle
                    )
                except Exception as e:
                    log(f"✗ Error processing message: {e}", 'ERROR')
                    traceback.print_exc()
                    # Message bleibt in Queue für Retry
        except KeyboardInterrupt:
            log("\n⚠ Keyboard interrupt received")
            break
        except Exception as e:
            consecutive_errors += 1
            log(f"✗ Error in main loop ({consecutive_errors}/{max_consecutive_errors}): {e}", 'ERROR')
            traceback.print_exc()
            if consecutive_errors >= max_consecutive_errors:
                log("Too many consecutive errors, shutting down", 'ERROR')
                break
            # Kurze Pause bei Fehlern
            time.sleep(5)
    log(f"\n{'='*70}")
    log(f"👋 Worker shutting down")
    log(f"  Messages processed: {messages_processed}")
    log(f"{'='*70}\n")
 if __name__ == '__main__':
    # Validierung
    if not WORKER_DOMAIN:
        log("ERROR: WORKER_DOMAIN not set!", 'ERROR')
        sys.exit(1)
    try:
        main_loop()
    except Exception as e:
        log(f"Fatal error: {e}", 'ERROR')
        traceback.print_exc()
        sys.exit(1)
--- a/deprecated_worker/worker.py.old
+++ b/deprecated_worker/worker.py.old
@@ -1,520 +0,0 @@
 import os
 import sys
 import boto3
 import smtplib
 import json
 import time
 import traceback
 import signal
 from email.parser import BytesParser
 from email.policy import SMTP as SMTPPolicy
 from datetime import datetime
 # AWS Configuration
 AWS_REGION = 'us-east-2'
 s3 = boto3.client('s3', region_name=AWS_REGION)
 sqs = boto3.client('sqs', region_name=AWS_REGION)
 # ✨ Worker Configuration (domain-spezifisch)
 WORKER_DOMAIN = os.environ.get('WORKER_DOMAIN')  # z.B. 'andreasknuth.de'
 WORKER_NAME = os.environ.get('WORKER_NAME', f'worker-{WORKER_DOMAIN}')
 # Worker Settings
 POLL_INTERVAL = int(os.environ.get('POLL_INTERVAL', '20'))
 MAX_MESSAGES = int(os.environ.get('MAX_MESSAGES', '10'))
 VISIBILITY_TIMEOUT = int(os.environ.get('VISIBILITY_TIMEOUT', '300'))
 # SMTP Configuration (einfach, da nur 1 Domain pro Worker)
 SMTP_HOST = os.environ.get('SMTP_HOST', 'localhost')
 SMTP_PORT = int(os.environ.get('SMTP_PORT', '25'))
 SMTP_USE_TLS = os.environ.get('SMTP_USE_TLS', 'false').lower() == 'true'
 SMTP_USER = os.environ.get('SMTP_USER')
 SMTP_PASS = os.environ.get('SMTP_PASS')
 # Graceful shutdown
 shutdown_requested = False
 def signal_handler(signum, frame):
    global shutdown_requested
    print(f"\n⚠ Shutdown signal received (signal {signum})")
    shutdown_requested = True
 signal.signal(signal.SIGTERM, signal_handler)
 signal.signal(signal.SIGINT, signal_handler)
 def log(message: str, level: str = 'INFO'):
    """Structured logging with timestamp"""
    timestamp = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
    print(f"[{timestamp}] [{level}] [{WORKER_NAME}] {message}", flush=True)
 def domain_to_queue_name(domain: str) -> str:
    """Konvertiert Domain zu SQS Queue Namen"""
    return domain.replace('.', '-') + '-queue'
 def get_queue_url() -> str:
    """Ermittelt Queue-URL für die konfigurierte Domain"""
    queue_name = domain_to_queue_name(WORKER_DOMAIN)
    try:
        response = sqs.get_queue_url(QueueName=queue_name)
        return response['QueueUrl']
    except Exception as e:
        raise Exception(f"Failed to get queue URL for {WORKER_DOMAIN}: {e}")
 def mark_as_processed(bucket: str, key: str, invalid_inboxes: list = None):
    """
    Markiert E-Mail als erfolgreich zugestellt
    Wird nur aufgerufen wenn mindestens 1 Recipient erfolgreich war
    """
    try:
        head = s3.head_object(Bucket=bucket, Key=key)
        metadata = head.get('Metadata', {}) or {}
        metadata['processed'] = 'true'
        metadata['processed_at'] = str(int(time.time()))
        metadata['processed_by'] = WORKER_NAME
        metadata['status'] = 'delivered'
        metadata.pop('processing_started', None)
        metadata.pop('queued_at', None)
        # Invalid inboxes speichern falls vorhanden
        if invalid_inboxes:
            metadata['invalid_inboxes'] = ','.join(invalid_inboxes)
            log(f"⚠ Invalid inboxes recorded: {', '.join(invalid_inboxes)}", 'WARNING')
        s3.copy_object(
            Bucket=bucket,
            Key=key,
            CopySource={'Bucket': bucket, 'Key': key},
            Metadata=metadata,
            MetadataDirective='REPLACE'
        )
        log(f"✓ Marked s3://{bucket}/{key} as processed", 'SUCCESS')
    except Exception as e:
        log(f"Failed to mark as processed: {e}", 'WARNING')
 def mark_as_all_invalid(bucket: str, key: str, invalid_inboxes: list):
    """
    Markiert E-Mail als fehlgeschlagen weil alle Recipients ungültig sind
    """
    try:
        head = s3.head_object(Bucket=bucket, Key=key)
        metadata = head.get('Metadata', {}) or {}
        metadata['processed'] = 'true'
        metadata['processed_at'] = str(int(time.time()))
        metadata['processed_by'] = WORKER_NAME
        metadata['status'] = 'failed'
        metadata['error'] = 'All recipients are invalid (mailboxes do not exist)'
        metadata['invalid_inboxes'] = ','.join(invalid_inboxes)
        metadata.pop('processing_started', None)
        metadata.pop('queued_at', None)
        s3.copy_object(
            Bucket=bucket,
            Key=key,
            CopySource={'Bucket': bucket, 'Key': key},
            Metadata=metadata,
            MetadataDirective='REPLACE'
        )
        log(f"✓ Marked s3://{bucket}/{key} as failed (all invalid)", 'SUCCESS')
    except Exception as e:
        log(f"Failed to mark as all invalid: {e}", 'WARNING')
 def mark_as_failed(bucket: str, key: str, error: str, receive_count: int):
    """
    Markiert E-Mail als komplett fehlgeschlagen
    Wird nur aufgerufen wenn ALLE Recipients fehlschlagen
    """
    try:
        head = s3.head_object(Bucket=bucket, Key=key)
        metadata = head.get('Metadata', {}) or {}
        metadata['status'] = 'failed'
        metadata['failed_at'] = str(int(time.time()))
        metadata['failed_by'] = WORKER_NAME
        metadata['error'] = error[:500]  # S3 Metadata limit
        metadata['retry_count'] = str(receive_count)
        metadata.pop('processing_started', None)
        s3.copy_object(
            Bucket=bucket,
            Key=key,
            CopySource={'Bucket': bucket, 'Key': key},
            Metadata=metadata,
            MetadataDirective='REPLACE'
        )
        log(f"✗ Marked s3://{bucket}/{key} as failed: {error[:100]}", 'ERROR')
    except Exception as e:
        log(f"Failed to mark as failed: {e}", 'WARNING')
 def is_temporary_smtp_error(error_msg: str) -> bool:
    """
    Prüft ob SMTP-Fehler temporär ist (Retry sinnvoll)
    4xx Codes = temporär, 5xx = permanent
    """
    temporary_indicators = [
        '421',  # Service not available
        '450',  # Mailbox unavailable
        '451',  # Local error
        '452',  # Insufficient storage
        '4',    # Generisch 4xx
        'timeout',
        'connection refused',
        'connection reset',
        'network unreachable',
        'temporarily',
        'try again'
    ]
    error_lower = error_msg.lower()
    return any(indicator in error_lower for indicator in temporary_indicators)
 def is_permanent_recipient_error(error_msg: str) -> bool:
    """
    Prüft ob Fehler permanent für diesen Recipient ist (Inbox existiert nicht)
    550 = Mailbox not found, 551 = User not local, 553 = Mailbox name invalid
    """
    permanent_indicators = [
        '550',  # Mailbox unavailable / not found
        '551',  # User not local
        '553',  # Mailbox name not allowed / invalid
        'mailbox not found',
        'user unknown',
        'no such user',
        'recipient rejected',
        'does not exist',
        'invalid recipient',
        'unknown user'
    ]
    error_lower = error_msg.lower()
    return any(indicator in error_lower for indicator in permanent_indicators)
 def send_email(from_addr: str, recipient: str, raw_message: bytes) -> tuple:
    """
    Sendet E-Mail via SMTP an EINEN Empfänger
    Returns: (success: bool, error: str or None, is_permanent: bool)
    """
    try:
        with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=30) as smtp:
            smtp.ehlo()
            # STARTTLS falls konfiguriert
            if SMTP_USE_TLS:
                try:
                    smtp.starttls()
                    smtp.ehlo()
                except Exception as e:
                    log(f"  STARTTLS failed: {e}", 'WARNING')
            # Authentication falls konfiguriert
            if SMTP_USER and SMTP_PASS:
                try:
                    smtp.login(SMTP_USER, SMTP_PASS)
                except Exception as e:
                    log(f"  SMTP auth failed: {e}", 'WARNING')
            # E-Mail senden
            result = smtp.sendmail(from_addr, [recipient], raw_message)
            # Result auswerten
            if isinstance(result, dict) and result:
                # Empfänger wurde abgelehnt
                error = result.get(recipient, 'Unknown refusal')
                is_permanent = is_permanent_recipient_error(str(error))
                log(f"  ✗ {recipient}: {error} ({'permanent' if is_permanent else 'temporary'})", 'ERROR')
                return False, str(error), is_permanent
            else:
                # Erfolgreich
                log(f"  ✓ {recipient}: Delivered", 'SUCCESS')
                return True, None, False
    except smtplib.SMTPException as e:
        error_msg = str(e)
        is_permanent = is_permanent_recipient_error(error_msg)
        log(f"  ✗ {recipient}: SMTP error - {error_msg}", 'ERROR')
        return False, error_msg, is_permanent
    except Exception as e:
        # Connection errors sind immer temporär
        log(f"  ✗ {recipient}: Connection error - {e}", 'ERROR')
        return False, str(e), False
 def process_message(message_body: dict, receive_count: int) -> bool:
    """
    Verarbeitet eine E-Mail aus der Queue
    Kann mehrere Recipients haben - sendet an alle
    Returns: True wenn erfolgreich (Message löschen), False bei Fehler (Retry)
    """
    bucket = message_body['bucket']
    key = message_body['key']
    from_addr = message_body['from']
    recipients = message_body['recipients']  # Liste von Empfängern
    domain = message_body['domain']
    subject = message_body.get('subject', '(unknown)')
    message_id = message_body.get('message_id', '(unknown)')
    log(f"\n{'='*70}")
    log(f"Processing email (Attempt #{receive_count}):")
    log(f"  MessageId: {message_id}")
    log(f"  S3 Key: {key}")
    log(f"  Domain: {domain}")
    log(f"  From: {from_addr}")
    log(f"  Recipients: {len(recipients)}")
    for recipient in recipients:
        log(f"    - {recipient}")
    log(f"  Subject: {subject}")
    log(f"  S3: s3://{bucket}/{key}")
    log(f"{'='*70}")
    # ✨ VALIDATION: Domain muss mit Worker-Domain übereinstimmen
    if domain.lower() != WORKER_DOMAIN.lower():
        log(f"ERROR: Wrong domain! Expected {WORKER_DOMAIN}, got {domain}", 'ERROR')
        log("This message should not be in this queue! Deleting...", 'ERROR')
        return True  # Message löschen (gehört nicht hierher)
    # E-Mail aus S3 laden
    try:
        response = s3.get_object(Bucket=bucket, Key=key)
        raw_bytes = response['Body'].read()
        log(f"✓ Loaded {len(raw_bytes):,} bytes ({len(raw_bytes)/1024:.1f} KB)")
    except s3.exceptions.NoSuchKey:
        log(f"✗ S3 object not found (may have been deleted)", 'ERROR')
        return True  # Nicht retryable - Message löschen
    except Exception as e:
        log(f"✗ Failed to load from S3: {e}", 'ERROR')
        return False  # Könnte temporär sein - retry
    # An alle Recipients senden
    log(f"\n📤 Sending to {len(recipients)} recipient(s)...")
    log(f"Connecting to {SMTP_HOST}:{SMTP_PORT} (TLS: {SMTP_USE_TLS})")
    successful = []
    failed_temporary = []
    failed_permanent = []
    for recipient in recipients:
        success, error, is_permanent = send_email(from_addr, recipient, raw_bytes)
        if success:
            successful.append(recipient)
        elif is_permanent:
            failed_permanent.append(recipient)
        else:
            failed_temporary.append(recipient)
    # Ergebnis-Zusammenfassung
    log(f"\n📊 Delivery Results:")
    log(f"  ✓ Successful: {len(successful)}/{len(recipients)}")
    log(f"  ✗ Failed (temporary): {len(failed_temporary)}")
    log(f"  ✗ Failed (permanent): {len(failed_permanent)}")
    # Entscheidungslogik
    if len(successful) > 0:
        # ✅ Fall 1: Mindestens 1 Recipient erfolgreich
        # → status=delivered, invalid_inboxes tracken
        invalid_inboxes = failed_permanent if failed_permanent else None
        mark_as_processed(bucket, key, invalid_inboxes)
        log(f"{'='*70}")
        log(f"✅ Email delivered to {len(successful)} recipient(s)", 'SUCCESS')
        if failed_permanent:
            log(f"⚠ {len(failed_permanent)} invalid inbox(es): {', '.join(failed_permanent)}", 'WARNING')
        if failed_temporary:
            log(f"⚠ {len(failed_temporary)} temporary failure(s) - NOT retrying (at least 1 success)", 'WARNING')
        log(f"{'='*70}\n")
        return True  # Message löschen
    elif len(failed_permanent) == len(recipients):
        # ❌ Fall 2: ALLE Recipients permanent fehlgeschlagen (alle Inboxen ungültig)
        # → status=failed, invalid_inboxes = ALLE
        mark_as_all_invalid(bucket, key, failed_permanent)
        log(f"{'='*70}")
        log(f"✗ All recipients are invalid inboxes - NO delivery", 'ERROR')
        log(f"  Invalid: {', '.join(failed_permanent)}", 'ERROR')
        log(f"{'='*70}\n")
        return True  # Message löschen (nicht retryable)
    else:
        # ⏳ Fall 3: Nur temporäre Fehler, keine erfolgreichen Deliveries
        # → Retry wenn noch Versuche übrig
        if receive_count < 3:
            log(f"⚠ All failures are temporary, will retry", 'WARNING')
            log(f"{'='*70}\n")
            return False  # Message NICHT löschen → Retry
        else:
            # Max retries erreicht → als failed markieren
            error_summary = f"Failed after {receive_count} attempts. Temporary errors for all recipients."
            mark_as_failed(bucket, key, error_summary, receive_count)
            log(f"{'='*70}")
            log(f"✗ Email delivery failed permanently after {receive_count} attempts", 'ERROR')
            log(f"{'='*70}\n")
            return False  # Nach 3 Versuchen → automatisch DLQ
 def main_loop():
    """Hauptschleife: Pollt SQS Queue und verarbeitet Nachrichten"""
    # Queue URL ermitteln
    try:
        queue_url = get_queue_url()
    except Exception as e:
        log(f"FATAL: {e}", 'ERROR')
        sys.exit(1)
    log(f"\n{'='*70}")
    log(f"🚀 Email Worker started")
    log(f"{'='*70}")
    log(f"  Worker Name: {WORKER_NAME}")
    log(f"  Domain: {WORKER_DOMAIN}")
    log(f"  Queue: {queue_url}")
    log(f"  Region: {AWS_REGION}")
    log(f"  SMTP: {SMTP_HOST}:{SMTP_PORT} (TLS: {SMTP_USE_TLS})")
    log(f"  Poll interval: {POLL_INTERVAL}s")
    log(f"  Max messages per poll: {MAX_MESSAGES}")
    log(f"  Visibility timeout: {VISIBILITY_TIMEOUT}s")
    log(f"{'='*70}\n")
    consecutive_errors = 0
    max_consecutive_errors = 10
    messages_processed = 0
    last_activity = time.time()
    while not shutdown_requested:
        try:
            # Messages aus Queue holen (Long Polling)
            response = sqs.receive_message(
                QueueUrl=queue_url,
                MaxNumberOfMessages=MAX_MESSAGES,
                WaitTimeSeconds=POLL_INTERVAL,
                VisibilityTimeout=VISIBILITY_TIMEOUT,
                AttributeNames=['ApproximateReceiveCount', 'SentTimestamp'],
                MessageAttributeNames=['All']
            )
            # Reset error counter bei erfolgreicher Abfrage
            consecutive_errors = 0
            if 'Messages' not in response:
                # Keine Nachrichten
                if time.time() - last_activity > 60:
                    log(f"Waiting for messages... (processed: {messages_processed})")
                    last_activity = time.time()
                continue
            message_count = len(response['Messages'])
            log(f"\n✉ Received {message_count} message(s) from queue")
            last_activity = time.time()
            # Messages verarbeiten
            for msg in response['Messages']:
                if shutdown_requested:
                    log("Shutdown requested, stopping processing")
                    break
                receipt_handle = msg['ReceiptHandle']
                # Receive Count auslesen
                receive_count = int(msg.get('Attributes', {}).get('ApproximateReceiveCount', 1))
                # Sent Timestamp (für Queue-Zeit-Berechnung)
                sent_timestamp = int(msg.get('Attributes', {}).get('SentTimestamp', 0)) / 1000
                queue_time = int(time.time() - sent_timestamp) if sent_timestamp else 0
                if queue_time > 0:
                    log(f"Message was in queue for {queue_time}s")
                try:
                    message_body = json.loads(msg['Body'])
                    # E-Mail verarbeiten
                    success = process_message(message_body, receive_count)
                    if success:
                        # Message aus Queue löschen
                        sqs.delete_message(
                            QueueUrl=queue_url,
                            ReceiptHandle=receipt_handle
                        )
                        log("✓ Message deleted from queue")
                        messages_processed += 1
                    else:
                        # Bei Fehler bleibt Message in Queue
                        log(f"⚠ Message kept in queue for retry (attempt {receive_count}/3)")
                except json.JSONDecodeError as e:
                    log(f"✗ Invalid message format: {e}", 'ERROR')
                    # Ungültige Messages löschen (nicht retryable)
                    sqs.delete_message(
                        QueueUrl=queue_url,
                        ReceiptHandle=receipt_handle
                    )
                except Exception as e:
                    log(f"✗ Error processing message: {e}", 'ERROR')
                    traceback.print_exc()
                    # Message bleibt in Queue für Retry
        except KeyboardInterrupt:
            log("\n⚠ Keyboard interrupt received")
            break
        except Exception as e:
            consecutive_errors += 1
            log(f"✗ Error in main loop ({consecutive_errors}/{max_consecutive_errors}): {e}", 'ERROR')
            traceback.print_exc()
            if consecutive_errors >= max_consecutive_errors:
                log("Too many consecutive errors, shutting down", 'ERROR')
                break
            # Kurze Pause bei Fehlern
            time.sleep(5)
    log(f"\n{'='*70}")
    log(f"👋 Worker shutting down")
    log(f"  Messages processed: {messages_processed}")
    log(f"{'='*70}\n")
 if __name__ == '__main__':
    # Validierung
    if not WORKER_DOMAIN:
        log("ERROR: WORKER_DOMAIN not set!", 'ERROR')
        sys.exit(1)
    try:
        main_loop()
    except Exception as e:
        log(f"Fatal error: {e}", 'ERROR')
        traceback.print_exc()
        sys.exit(1)
--- a/email-worker-nodejs/.env.example
+++ b/email-worker-nodejs/.env.example
@@ -0,0 +1,38 @@
 # AWS credentials (or use IAM role / instance profile)
 AWS_REGION=us-east-2
 # AWS_ACCESS_KEY_ID=
 # AWS_SECRET_ACCESS_KEY=
 # Domains: comma-separated list OR file path
 # DOMAINS=andreasknuth.de,bizmatch.net
 DOMAINS_FILE=/etc/email-worker/domains.txt
 # SMTP (Docker Mail Server)
 SMTP_HOST=localhost
 SMTP_PORT=25
 SMTP_USE_TLS=false
 SMTP_USER=
 SMTP_PASS=
 SMTP_POOL_SIZE=5
 # Internal SMTP port (bypass transport_maps)
 INTERNAL_SMTP_PORT=25
 # Worker settings
 WORKER_THREADS=10
 POLL_INTERVAL=20
 MAX_MESSAGES=10
 VISIBILITY_TIMEOUT=300
 # DynamoDB tables
 DYNAMODB_RULES_TABLE=email-rules
 DYNAMODB_MESSAGES_TABLE=ses-outbound-messages
 DYNAMODB_BLOCKED_TABLE=email-blocked-senders
 # Bounce handling
 BOUNCE_LOOKUP_RETRIES=3
 BOUNCE_LOOKUP_DELAY=1.0
 # Monitoring
 METRICS_PORT=8000
 HEALTH_PORT=8080
--- a/email-worker-nodejs/Dockerfile
+++ b/email-worker-nodejs/Dockerfile
@@ -0,0 +1,34 @@
 # ── Build stage ──────────────────────────────────────────────────
 FROM node:20-slim AS builder
 WORKDIR /app
 COPY package.json package-lock.json* ./
 RUN npm ci
 COPY tsconfig.json ./
 COPY src/ ./src/
 RUN npx tsc
 # ── Run stage ────────────────────────────────────────────────────
 FROM node:20-slim
 WORKDIR /app
 # Only production deps
 COPY package.json package-lock.json* ./
 RUN npm ci --omit=dev && npm cache clean --force
 # Compiled JS from build stage
 COPY --from=builder /app/dist ./dist
 # Config directory (mount domains.txt here)
 RUN mkdir -p /etc/email-worker /var/log/email-worker
 EXPOSE 8000 8080
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD node -e "fetch('http://localhost:8080').then(r => r.ok ? process.exit(0) : process.exit(1)).catch(() => process.exit(1))"
 CMD ["node", "dist/main.js"]
--- a/email-worker-nodejs/docker-compose.yml
+++ b/email-worker-nodejs/docker-compose.yml
@@ -0,0 +1,21 @@
 services:
  email-worker:
    build: .
    container_name: email-worker-ts
    restart: unless-stopped
    env_file: .env
    volumes:
      - ./domains.txt:/etc/email-worker/domains.txt:ro
      - ./logs:/var/log/email-worker
    ports:
      - "9000:8000"   # Prometheus metrics (Host:Container)
      - "9090:8080"   # Health check (Host:Container)
    # Connect to DMS on the host or Docker network
    extra_hosts:
      - "host.docker.internal:host-gateway"
    environment:
      - SMTP_HOST=host.docker.internal
      - SMTP_PORT=25
 volumes:
  worker-logs:
--- a/email-worker-nodejs/package-lock.json
+++ b/email-worker-nodejs/package-lock.json
--- a/email-worker-nodejs/package.json
+++ b/email-worker-nodejs/package.json
@@ -0,0 +1,37 @@
 {
  "name": "unified-email-worker",
  "version": "2.0.0",
  "description": "Unified multi-domain email worker (TypeScript)",
  "main": "dist/main.js",
  "scripts": {
    "build": "tsc",
    "start": "node dist/main.js",
    "dev": "tsx src/main.ts",
    "lint": "eslint src/",
    "typecheck": "tsc --noEmit"
  },
  "dependencies": {
    "@aws-sdk/client-dynamodb": "^3.700.0",
    "@aws-sdk/client-s3": "^3.700.0",
    "@aws-sdk/client-ses": "^3.700.0",
    "@aws-sdk/client-sqs": "^3.700.0",
    "@aws-sdk/lib-dynamodb": "^3.700.0",
    "mailparser": "^3.7.1",
    "nodemailer": "^6.9.16",
    "picomatch": "^4.0.2",
    "pino": "^9.5.0",
    "pino-pretty": "^13.0.0",
    "prom-client": "^15.1.3"
  },
  "devDependencies": {
    "@types/mailparser": "^3.4.5",
    "@types/nodemailer": "^6.4.17",
    "@types/picomatch": "^3.0.1",
    "@types/node": "^22.10.0",
    "tsx": "^4.19.0",
    "typescript": "^5.7.0"
  },
  "engines": {
    "node": ">=20.0.0"
  }
 }
--- a/email-worker-nodejs/src/aws/dynamodb.ts
+++ b/email-worker-nodejs/src/aws/dynamodb.ts
@@ -0,0 +1,230 @@
 /**
 * DynamoDB operations handler
 *
 * Tables:
 *  - email-rules          → OOO / Forward rules per address
 *  - ses-outbound-messages → Bounce info (MessageId → original sender)
 *  - email-blocked-senders → Blocked patterns per address
 */
 import { DynamoDBClient } from '@aws-sdk/client-dynamodb';
 import {
  DynamoDBDocumentClient,
  GetCommand,
  BatchGetCommand,
 } from '@aws-sdk/lib-dynamodb';
 import { config } from '../config.js';
 import { log } from '../logger.js';
 // ---------------------------------------------------------------------------
 // Types
 // ---------------------------------------------------------------------------
 export interface EmailRule {
  email_address: string;
  ooo_active?: boolean;
  ooo_message?: string;
  ooo_content_type?: string;
  forwards?: string[];
  [key: string]: unknown;
 }
 export interface BounceInfo {
  original_source: string;
  bounceType: string;
  bounceSubType: string;
  bouncedRecipients: string[];
  timestamp: string;
 }
 // ---------------------------------------------------------------------------
 // Handler
 // ---------------------------------------------------------------------------
 export class DynamoDBHandler {
  private docClient: DynamoDBDocumentClient;
  public available = false;
  constructor() {
    const raw = new DynamoDBClient({ region: config.awsRegion });
    this.docClient = DynamoDBDocumentClient.from(raw, {
      marshallOptions: { removeUndefinedValues: true },
    });
    this.initialize();
  }
  // -----------------------------------------------------------------------
  // Init
  // -----------------------------------------------------------------------
  private initialize(): void {
    // We just mark as available; actual connectivity is tested on first call.
    // The Python version tested table_status, but that's a DescribeTable call
    // which is heavy and not needed – the first GetItem will tell us.
    this.available = true;
    log('✓ DynamoDB client initialized');
  }
  /**
   * Verify tables exist by doing a cheap GetItem on each.
   * Called once during startup.
   */
  async verifyTables(): Promise<boolean> {
    try {
      await Promise.all([
        this.docClient.send(
          new GetCommand({ TableName: config.rulesTable, Key: { email_address: '__probe__' } }),
        ),
        this.docClient.send(
          new GetCommand({ TableName: config.messagesTable, Key: { MessageId: '__probe__' } }),
        ),
        this.docClient.send(
          new GetCommand({ TableName: config.blockedTable, Key: { email_address: '__probe__' } }),
        ),
      ]);
      this.available = true;
      log('✓ DynamoDB tables connected successfully');
      return true;
    } catch (err: any) {
      log(`⚠ DynamoDB not fully available: ${err.message ?? err}`, 'WARNING');
      this.available = false;
      return false;
    }
  }
  // -----------------------------------------------------------------------
  // Email rules
  // -----------------------------------------------------------------------
  async getEmailRules(emailAddress: string): Promise<EmailRule | null> {
    if (!this.available) return null;
    try {
      const resp = await this.docClient.send(
        new GetCommand({
          TableName: config.rulesTable,
          Key: { email_address: emailAddress },
        }),
      );
      return (resp.Item as EmailRule) ?? null;
    } catch (err: any) {
      if (err.name !== 'ResourceNotFoundException') {
        log(`⚠ DynamoDB error for ${emailAddress}: ${err.message ?? err}`, 'ERROR');
      }
      return null;
    }
  }
  // -----------------------------------------------------------------------
  // Bounce info
  // -----------------------------------------------------------------------
  async getBounceInfo(
    messageId: string,
    workerName = 'unified',
  ): Promise<BounceInfo | null> {
    if (!this.available) return null;
    for (let attempt = 0; attempt < config.bounceLookupRetries; attempt++) {
      try {
        const resp = await this.docClient.send(
          new GetCommand({
            TableName: config.messagesTable,
            Key: { MessageId: messageId },
          }),
        );
        if (resp.Item) {
          return {
            original_source: (resp.Item.original_source as string) ?? '',
            bounceType: (resp.Item.bounceType as string) ?? 'Unknown',
            bounceSubType: (resp.Item.bounceSubType as string) ?? 'Unknown',
            bouncedRecipients: (resp.Item.bouncedRecipients as string[]) ?? [],
            timestamp: (resp.Item.timestamp as string) ?? '',
          };
        }
        if (attempt < config.bounceLookupRetries - 1) {
          log(
            `  Bounce record not found yet, retrying in ${config.bounceLookupDelay}s ` +
              `(attempt ${attempt + 1}/${config.bounceLookupRetries})...`,
            'INFO',
            workerName,
          );
          await sleep(config.bounceLookupDelay * 1000);
        } else {
          log(
            `⚠ No bounce record found after ${config.bounceLookupRetries} attempts ` +
              `for Message-ID: ${messageId}`,
            'WARNING',
            workerName,
          );
          return null;
        }
      } catch (err: any) {
        log(
          `⚠ DynamoDB Error (attempt ${attempt + 1}/${config.bounceLookupRetries}): ` +
            `${err.message ?? err}`,
          'ERROR',
          workerName,
        );
        if (attempt < config.bounceLookupRetries - 1) {
          await sleep(config.bounceLookupDelay * 1000);
        } else {
          return null;
        }
      }
    }
    return null;
  }
  // -----------------------------------------------------------------------
  // Blocked senders
  // -----------------------------------------------------------------------
  async getBlockedPatterns(emailAddress: string): Promise<string[]> {
    if (!this.available) return [];
    try {
      const resp = await this.docClient.send(
        new GetCommand({
          TableName: config.blockedTable,
          Key: { email_address: emailAddress },
        }),
      );
      return (resp.Item?.blocked_patterns as string[]) ?? [];
    } catch (err: any) {
      log(`⚠ Error getting block list for ${emailAddress}: ${err.message ?? err}`, 'ERROR');
      return [];
    }
  }
  async batchGetBlockedPatterns(
    emailAddresses: string[],
  ): Promise<Record<string, string[]>> {
    const empty: Record<string, string[]> = {};
    for (const a of emailAddresses) empty[a] = [];
    if (!this.available || emailAddresses.length === 0) return empty;
    try {
      const keys = emailAddresses.map((a) => ({ email_address: a }));
      const resp = await this.docClient.send(
        new BatchGetCommand({
          RequestItems: {
            [config.blockedTable]: { Keys: keys },
          },
        }),
      );
      const items = resp.Responses?.[config.blockedTable] ?? [];
      const result: Record<string, string[]> = { ...empty };
      for (const item of items) {
        const addr = item.email_address as string;
        result[addr] = (item.blocked_patterns as string[]) ?? [];
      }
      return result;
    } catch (err: any) {
      log(`⚠ Batch blocklist check error: ${err.message ?? err}`, 'ERROR');
      return empty;
    }
  }
 }
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
 function sleep(ms: number): Promise<void> {
  return new Promise((resolve) => setTimeout(resolve, ms));
 }
--- a/email-worker-nodejs/src/aws/s3.ts
+++ b/email-worker-nodejs/src/aws/s3.ts
@@ -0,0 +1,202 @@
 /**
 * S3 operations handler
 *
 * Responsibilities:
 *  - Download raw email from domain-specific bucket
 *  - Mark email metadata (processed / all-invalid / blocked)
 *  - Delete blocked emails
 */
 import {
  S3Client,
  GetObjectCommand,
  HeadObjectCommand,
  CopyObjectCommand,
  DeleteObjectCommand,
  type S3ClientConfig,
 } from '@aws-sdk/client-s3';
 import { config, domainToBucketName } from '../config.js';
 import { log } from '../logger.js';
 export class S3Handler {
  private client: S3Client;
  constructor() {
    const opts: S3ClientConfig = { region: config.awsRegion };
    this.client = new S3Client(opts);
  }
  // -------------------------------------------------------------------------
  // Download
  // -------------------------------------------------------------------------
  /**
   * Download raw email bytes from S3.
   * Returns `null` when the object does not exist yet (caller should retry).
   * Throws on permanent errors.
   */
  async getEmail(
    domain: string,
    messageId: string,
    receiveCount: number,
  ): Promise<Buffer | null> {
    const bucket = domainToBucketName(domain);
    try {
      const resp = await this.client.send(
        new GetObjectCommand({ Bucket: bucket, Key: messageId }),
      );
      const bytes = await resp.Body?.transformToByteArray();
      return bytes ? Buffer.from(bytes) : null;
    } catch (err: any) {
      if (err.name === 'NoSuchKey' || err.Code === 'NoSuchKey') {
        if (receiveCount < 5) {
          log(`⏳ S3 Object not found yet (Attempt ${receiveCount}). Retrying...`, 'WARNING');
          return null;
        }
        log('❌ S3 Object missing permanently after retries.', 'ERROR');
        throw err;
      }
      log(`❌ S3 Download Error: ${err.message ?? err}`, 'ERROR');
      throw err;
    }
  }
  // -------------------------------------------------------------------------
  // Metadata helpers (copy-in-place with updated metadata)
  // -------------------------------------------------------------------------
  private async updateMetadata(
    bucket: string,
    key: string,
    patch: Record<string, string>,
    removeKeys: string[] = [],
  ): Promise<void> {
    const head = await this.client.send(
      new HeadObjectCommand({ Bucket: bucket, Key: key }),
    );
    const metadata = { ...(head.Metadata ?? {}) };
    // Apply patch
    for (const [k, v] of Object.entries(patch)) {
      metadata[k] = v;
    }
    // Remove keys
    for (const k of removeKeys) {
      delete metadata[k];
    }
    await this.client.send(
      new CopyObjectCommand({
        Bucket: bucket,
        Key: key,
        CopySource: `${bucket}/${key}`,
        Metadata: metadata,
        MetadataDirective: 'REPLACE',
      }),
    );
  }
  // -------------------------------------------------------------------------
  // Mark helpers
  // -------------------------------------------------------------------------
  async markAsProcessed(
    domain: string,
    messageId: string,
    workerName: string,
    invalidInboxes?: string[],
  ): Promise<void> {
    const bucket = domainToBucketName(domain);
    try {
      const patch: Record<string, string> = {
        processed: 'true',
        processed_at: String(Math.floor(Date.now() / 1000)),
        processed_by: workerName,
        status: 'delivered',
      };
      if (invalidInboxes?.length) {
        patch['invalid_inboxes'] = invalidInboxes.join(',');
        log(`⚠ Invalid inboxes recorded: ${invalidInboxes.join(', ')}`, 'WARNING', workerName);
      }
      await this.updateMetadata(bucket, messageId, patch, [
        'processing_started',
        'queued_at',
      ]);
    } catch (err: any) {
      log(`Failed to mark as processed: ${err.message ?? err}`, 'WARNING', workerName);
    }
  }
  async markAsAllInvalid(
    domain: string,
    messageId: string,
    invalidInboxes: string[],
    workerName: string,
  ): Promise<void> {
    const bucket = domainToBucketName(domain);
    try {
      await this.updateMetadata(
        bucket,
        messageId,
        {
          processed: 'true',
          processed_at: String(Math.floor(Date.now() / 1000)),
          processed_by: workerName,
          status: 'failed',
          error: 'All recipients are invalid (mailboxes do not exist)',
          invalid_inboxes: invalidInboxes.join(','),
        },
        ['processing_started', 'queued_at'],
      );
    } catch (err: any) {
      log(`Failed to mark as all invalid: ${err.message ?? err}`, 'WARNING', workerName);
    }
  }
  async markAsBlocked(
    domain: string,
    messageId: string,
    blockedRecipients: string[],
    sender: string,
    workerName: string,
  ): Promise<void> {
    const bucket = domainToBucketName(domain);
    try {
      await this.updateMetadata(
        bucket,
        messageId,
        {
          processed: 'true',
          processed_at: String(Math.floor(Date.now() / 1000)),
          processed_by: workerName,
          status: 'blocked',
          blocked_recipients: blockedRecipients.join(','),
          blocked_sender: sender,
        },
        ['processing_started', 'queued_at'],
      );
      log('✓ Marked as blocked in S3 metadata', 'INFO', workerName);
    } catch (err: any) {
      log(`⚠ Failed to mark as blocked: ${err.message ?? err}`, 'ERROR', workerName);
      throw err;
    }
  }
  async deleteBlockedEmail(
    domain: string,
    messageId: string,
    workerName: string,
  ): Promise<void> {
    const bucket = domainToBucketName(domain);
    try {
      await this.client.send(
        new DeleteObjectCommand({ Bucket: bucket, Key: messageId }),
      );
      log('🗑 Deleted blocked email from S3', 'SUCCESS', workerName);
    } catch (err: any) {
      log(`⚠ Failed to delete blocked email: ${err.message ?? err}`, 'ERROR', workerName);
      throw err;
    }
  }
 }
--- a/email-worker-nodejs/src/aws/ses.ts
+++ b/email-worker-nodejs/src/aws/ses.ts
@@ -0,0 +1,52 @@
 /**
 * SES operations handler
 *
 * Only used for:
 *  - Sending OOO replies to external addresses
 *  - Forwarding to external addresses
 */
 import {
  SESClient,
  SendRawEmailCommand,
 } from '@aws-sdk/client-ses';
 import { config } from '../config.js';
 import { log } from '../logger.js';
 export class SESHandler {
  private client: SESClient;
  constructor() {
    this.client = new SESClient({ region: config.awsRegion });
  }
  /**
   * Send a raw MIME message via SES.
   * Returns true on success, false on failure (never throws).
   */
  async sendRawEmail(
    source: string,
    destination: string,
    rawMessage: Buffer,
    workerName: string,
  ): Promise<boolean> {
    try {
      await this.client.send(
        new SendRawEmailCommand({
          Source: source,
          Destinations: [destination],
          RawMessage: { Data: rawMessage },
        }),
      );
      return true;
    } catch (err: any) {
      const code = err.name ?? err.Code ?? 'Unknown';
      log(
        `⚠ SES send failed to ${destination} (${code}): ${err.message ?? err}`,
        'ERROR',
        workerName,
      );
      return false;
    }
  }
 }
--- a/email-worker-nodejs/src/aws/sqs.ts
+++ b/email-worker-nodejs/src/aws/sqs.ts
@@ -0,0 +1,99 @@
 /**
 * SQS operations handler
 *
 * Responsibilities:
 *  - Resolve queue URL for a domain
 *  - Long-poll for messages
 *  - Delete processed messages
 *  - Report approximate queue size
 */
 import {
  SQSClient,
  GetQueueUrlCommand,
  ReceiveMessageCommand,
  DeleteMessageCommand,
  GetQueueAttributesCommand,
  type Message,
 } from '@aws-sdk/client-sqs';
 import { config, domainToQueueName } from '../config.js';
 import { log } from '../logger.js';
 export class SQSHandler {
  private client: SQSClient;
  constructor() {
    this.client = new SQSClient({ region: config.awsRegion });
  }
  /** Resolve queue URL for a domain. Returns null if queue does not exist. */
  async getQueueUrl(domain: string): Promise<string | null> {
    const queueName = domainToQueueName(domain);
    try {
      const resp = await this.client.send(
        new GetQueueUrlCommand({ QueueName: queueName }),
      );
      return resp.QueueUrl ?? null;
    } catch (err: any) {
      if (err.name === 'QueueDoesNotExist' ||
          err.Code === 'AWS.SimpleQueueService.NonExistentQueue') {
        log(`Queue not found for domain: ${domain}`, 'WARNING');
      } else {
        log(`Error getting queue URL for ${domain}: ${err.message ?? err}`, 'ERROR');
      }
      return null;
    }
  }
  /** Long-poll for messages (uses configured poll interval as wait time). */
  async receiveMessages(queueUrl: string): Promise<Message[]> {
    try {
      const resp = await this.client.send(
        new ReceiveMessageCommand({
          QueueUrl: queueUrl,
          MaxNumberOfMessages: config.maxMessages,
          WaitTimeSeconds: config.pollInterval,
          VisibilityTimeout: config.visibilityTimeout,
          MessageSystemAttributeNames: ['ApproximateReceiveCount', 'SentTimestamp'],
        }),
      );
      return resp.Messages ?? [];
    } catch (err: any) {
      log(`Error receiving messages: ${err.message ?? err}`, 'ERROR');
      return [];
    }
  }
  /** Delete a message from the queue after successful processing. */
  async deleteMessage(queueUrl: string, receiptHandle: string): Promise<void> {
    try {
      await this.client.send(
        new DeleteMessageCommand({
          QueueUrl: queueUrl,
          ReceiptHandle: receiptHandle,
        }),
      );
    } catch (err: any) {
      log(`Error deleting message: ${err.message ?? err}`, 'ERROR');
      throw err;
    }
  }
  /** Approximate number of messages in the queue. Returns 0 on error. */
  async getQueueSize(queueUrl: string): Promise<number> {
    try {
      const resp = await this.client.send(
        new GetQueueAttributesCommand({
          QueueUrl: queueUrl,
          AttributeNames: ['ApproximateNumberOfMessages'],
        }),
      );
      return parseInt(
        resp.Attributes?.ApproximateNumberOfMessages ?? '0',
        10,
      );
    } catch {
      return 0;
    }
  }
 }
--- a/email-worker-nodejs/src/config.ts
+++ b/email-worker-nodejs/src/config.ts
@@ -0,0 +1,118 @@
 /**
 * Configuration management for unified email worker
 *
 * All settings are read from environment variables with sensible defaults.
 * Domain helpers (bucket name, queue name, internal check) are co-located here
 * so every module can import { config, domainToBucket, ... } from './config'.
 */
 import { readFileSync, existsSync } from 'node:fs';
 // ---------------------------------------------------------------------------
 // Config object
 // ---------------------------------------------------------------------------
 export const config = {
  // AWS
  awsRegion: process.env.AWS_REGION ?? 'us-east-2',
  // Domains
  domainsList: process.env.DOMAINS ?? '',
  domainsFile: process.env.DOMAINS_FILE ?? '/etc/email-worker/domains.txt',
  // Worker
  workerThreads: parseInt(process.env.WORKER_THREADS ?? '10', 10),
  pollInterval: parseInt(process.env.POLL_INTERVAL ?? '20', 10),
  maxMessages: parseInt(process.env.MAX_MESSAGES ?? '10', 10),
  visibilityTimeout: parseInt(process.env.VISIBILITY_TIMEOUT ?? '300', 10),
  // SMTP delivery (local DMS)
  smtpHost: process.env.SMTP_HOST ?? 'localhost',
  smtpPort: parseInt(process.env.SMTP_PORT ?? '25', 10),
  smtpUseTls: (process.env.SMTP_USE_TLS ?? 'false').toLowerCase() === 'true',
  smtpUser: process.env.SMTP_USER ?? '',
  smtpPass: process.env.SMTP_PASS ?? '',
  smtpPoolSize: parseInt(process.env.SMTP_POOL_SIZE ?? '5', 10),
  // Internal SMTP port (for OOO / forwards to managed domains)
  internalSmtpPort: parseInt(process.env.INTERNAL_SMTP_PORT ?? '25', 10),
  // DynamoDB tables
  rulesTable: process.env.DYNAMODB_RULES_TABLE ?? 'email-rules',
  messagesTable: process.env.DYNAMODB_MESSAGES_TABLE ?? 'ses-outbound-messages',
  blockedTable: process.env.DYNAMODB_BLOCKED_TABLE ?? 'email-blocked-senders',
  // Bounce handling
  bounceLookupRetries: parseInt(process.env.BOUNCE_LOOKUP_RETRIES ?? '3', 10),
  bounceLookupDelay: parseFloat(process.env.BOUNCE_LOOKUP_DELAY ?? '1.0'),
  // Monitoring
  metricsPort: parseInt(process.env.METRICS_PORT ?? '8000', 10),
  healthPort: parseInt(process.env.HEALTH_PORT ?? '8080', 10),
  queueSuffix: process.env.QUEUE_SUFFIX ?? '-queue',
  standbyMode: (process.env.STANDBY_MODE ?? 'false').toLowerCase() === 'true',
 } as const;
 export type Config = typeof config;
 // ---------------------------------------------------------------------------
 // Managed domains (populated by loadDomains())
 // ---------------------------------------------------------------------------
 const managedDomains = new Set<string>();
 /**
 * Load domains from env var and/or file, populate the internal set.
 */
 export function loadDomains(): string[] {
  const domains: string[] = [];
  // From env
  if (config.domainsList) {
    for (const d of config.domainsList.split(',')) {
      const trimmed = d.trim();
      if (trimmed) domains.push(trimmed);
    }
  }
  // From file
  if (existsSync(config.domainsFile)) {
    const content = readFileSync(config.domainsFile, 'utf-8');
    for (const line of content.split('\n')) {
      const trimmed = line.trim();
      if (trimmed && !trimmed.startsWith('#')) {
        domains.push(trimmed);
      }
    }
  }
  // Deduplicate
  const unique = [...new Set(domains)];
  managedDomains.clear();
  for (const d of unique) {
    managedDomains.add(d.toLowerCase());
  }
  return unique;
 }
 // ---------------------------------------------------------------------------
 // Domain helpers
 // ---------------------------------------------------------------------------
 /** Check whether an email address belongs to one of our managed domains */
 export function isInternalAddress(email: string): boolean {
  const atIdx = email.indexOf('@');
  if (atIdx < 0) return false;
  return managedDomains.has(email.slice(atIdx + 1).toLowerCase());
 }
 /** Convert domain to SQS queue name: bizmatch.net → bizmatch-net-queue */
 export function domainToQueueName(domain: string): string {
  return domain.replace(/\./g, '-') + config.queueSuffix;
 }
 /** Convert domain to S3 bucket name: bizmatch.net → bizmatch-net-emails */
 export function domainToBucketName(domain: string): string {
  return domain.replace(/\./g, '-') + '-emails';
 }
--- a/email-worker-nodejs/src/email/blocklist.ts
+++ b/email-worker-nodejs/src/email/blocklist.ts
@@ -0,0 +1,62 @@
 /**
 * Sender blocklist checking with wildcard / glob support
 *
 * Uses picomatch for pattern matching (equivalent to Python's fnmatch).
 * Patterns are stored per-recipient in DynamoDB.
 */
 import picomatch from 'picomatch';
 import type { DynamoDBHandler } from '../aws/dynamodb.js';
 import { log } from '../logger.js';
 /**
 * Extract the bare email address from a From header value.
 * "John Doe <john@example.com>" → "john@example.com"
 */
 function extractAddress(sender: string): string {
  const match = sender.match(/<([^>]+)>/);
  const addr = match ? match[1] : sender;
  return addr.trim().toLowerCase();
 }
 export class BlocklistChecker {
  constructor(private dynamodb: DynamoDBHandler) {}
  /**
   * Batch-check whether a sender is blocked for each recipient.
   * Uses a single batch DynamoDB call for efficiency.
   */
 async batchCheckBlockedSenders(
    recipients: string[],
    senders: string[], // <-- Geändert zu Array
    workerName: string,
  ): Promise<Record<string, boolean>> {
    const patternsByRecipient = await this.dynamodb.batchGetBlockedPatterns(recipients);
    // Alle übergebenen Adressen bereinigen
    const sendersClean = senders.map(s => extractAddress(s)).filter(Boolean);
    const result: Record<string, boolean> = {};
    for (const recipient of recipients) {
      const patterns = patternsByRecipient[recipient] ?? [];
      let isBlocked = false;
      for (const pattern of patterns) {
        for (const senderClean of sendersClean) {
          if (picomatch.isMatch(senderClean, pattern.toLowerCase())) {
            log(
              `⛔ BLOCKED: Sender ${senderClean} matches pattern '${pattern}' for inbox ${recipient}`,
              'WARNING',
              workerName,
            );
            isBlocked = true;
            break;
          }
        }
        if (isBlocked) break;
      }
      result[recipient] = isBlocked;
    }
    return result;
  }
 }
--- a/email-worker-nodejs/src/email/bounce-handler.ts
+++ b/email-worker-nodejs/src/email/bounce-handler.ts
@@ -0,0 +1,190 @@
 /**
 * Bounce detection and header rewriting
 *
 * When Amazon SES returns a bounce, the From header is
 * mailer-daemon@amazonses.com. We look up the original sender
 * in DynamoDB and rewrite the headers so the bounce appears
 * to come from the actual bounced recipient.
 */
 import type { ParsedMail } from 'mailparser';
 import type { DynamoDBHandler } from '../aws/dynamodb.js';
 import { isSesBounceNotification, getHeader } from './parser.js';
 import { log } from '../logger.js';
 export interface BounceResult {
  /** Updated raw bytes (headers rewritten if bounce was detected) */
  rawBytes: Buffer;
  /** Whether bounce was detected and headers were modified */
  modified: boolean;
  /** Whether this email is a bounce notification at all */
  isBounce: boolean;
  /** The effective From address (rewritten or original) */
  fromAddr: string;
 }
 export class BounceHandler {
  constructor(private dynamodb: DynamoDBHandler) {}
  /**
   * Detect SES bounce, look up original sender in DynamoDB,
   * and rewrite headers in the raw buffer.
   *
   * We operate on the raw Buffer because we need to preserve
   * the original MIME structure exactly, only swapping specific
   * header lines. mailparser's ParsedMail is read-only.
   */
  async applyBounceLogic(
    parsed: ParsedMail,
    rawBytes: Buffer,
    subject: string,
    workerName = 'unified',
  ): Promise<BounceResult> {
    if (!isSesBounceNotification(parsed)) {
      return {
        rawBytes,
        modified: false,
        isBounce: false,
        fromAddr: parsed.from?.text ?? '',
      };
    }
    log('🔍 Detected SES MAILER-DAEMON bounce notification', 'INFO', workerName);
    // Extract Message-ID from the bounce notification header
    const rawMessageId = getHeader(parsed, 'message-id')
      .replace(/^</, '')
      .replace(/>$/, '')
      .split('@')[0];
    if (!rawMessageId) {
      log('⚠ Could not extract Message-ID from bounce notification', 'WARNING', workerName);
      return {
        rawBytes,
        modified: false,
        isBounce: true,
        fromAddr: parsed.from?.text ?? '',
      };
    }
    log(`  Looking up Message-ID: ${rawMessageId}`, 'INFO', workerName);
    const bounceInfo = await this.dynamodb.getBounceInfo(rawMessageId, workerName);
    if (!bounceInfo) {
      return {
        rawBytes,
        modified: false,
        isBounce: true,
        fromAddr: parsed.from?.text ?? '',
      };
    }
    // Log bounce details
    log(`✓ Found bounce info:`, 'INFO', workerName);
    log(`  Original sender: ${bounceInfo.original_source}`, 'INFO', workerName);
    log(`  Bounce type: ${bounceInfo.bounceType}/${bounceInfo.bounceSubType}`, 'INFO', workerName);
    log(`  Bounced recipients: ${bounceInfo.bouncedRecipients}`, 'INFO', workerName);
    if (!bounceInfo.bouncedRecipients.length) {
      log('⚠ No bounced recipients found in bounce info', 'WARNING', workerName);
      return {
        rawBytes,
        modified: false,
        isBounce: true,
        fromAddr: parsed.from?.text ?? '',
      };
    }
    const newFrom = bounceInfo.bouncedRecipients[0];
    // Rewrite headers in raw bytes
    let modifiedBytes = rawBytes;
    const originalFrom = getHeader(parsed, 'from');
    // Replace From header
    modifiedBytes = replaceHeader(modifiedBytes, 'From', newFrom);
    // Add diagnostic headers
    modifiedBytes = addHeader(modifiedBytes, 'X-Original-SES-From', originalFrom);
    modifiedBytes = addHeader(
      modifiedBytes,
      'X-Bounce-Type',
      `${bounceInfo.bounceType}/${bounceInfo.bounceSubType}`,
    );
    // Add Reply-To if not present
    if (!getHeader(parsed, 'reply-to')) {
      modifiedBytes = addHeader(modifiedBytes, 'Reply-To', newFrom);
    }
    // Adjust subject for generic delivery status notifications
    const subjectLower = subject.toLowerCase();
    if (
      subjectLower.includes('delivery status notification') ||
      subjectLower.includes('thanks for your submission')
    ) {
      modifiedBytes = replaceHeader(
        modifiedBytes,
        'Subject',
        `Delivery Status: ${newFrom}`,
      );
    }
    log(`✓ Rewritten FROM: ${newFrom}`, 'SUCCESS', workerName);
    return {
      rawBytes: modifiedBytes,
      modified: true,
      isBounce: true,
      fromAddr: newFrom,
    };
  }
 }
 // ---------------------------------------------------------------------------
 // Raw header manipulation helpers
 // ---------------------------------------------------------------------------
 /**
 * Replace a header value in raw MIME bytes.
 * Handles multi-line (folded) headers.
 */
 function replaceHeader(raw: Buffer, name: string, newValue: string): Buffer {
  const str = raw.toString('utf-8');
  // Match header including potential folded continuation lines
  const regex = new RegExp(
    `^(${escapeRegex(name)}:\\s*).*?(\\r?\\n(?=[^ \\t])|\\r?\\n$)`,
    'im',
  );
  // Also need to consume folded lines
  const foldedRegex = new RegExp(
    `^${escapeRegex(name)}:[ \\t]*[^\\r\\n]*(?:\\r?\\n[ \\t]+[^\\r\\n]*)*`,
    'im',
  );
  const match = foldedRegex.exec(str);
  if (!match) return raw;
  const before = str.slice(0, match.index);
  const after = str.slice(match.index + match[0].length);
  const replaced = `${before}${name}: ${newValue}${after}`;
  return Buffer.from(replaced, 'utf-8');
 }
 /**
 * Add a new header line right before the header/body separator.
 */
 function addHeader(raw: Buffer, name: string, value: string): Buffer {
  const str = raw.toString('utf-8');
  // Find the header/body boundary (first blank line)
  const sep = str.match(/\r?\n\r?\n/);
  if (!sep || sep.index === undefined) return raw;
  const before = str.slice(0, sep.index);
  const after = str.slice(sep.index);
  return Buffer.from(`${before}\r\n${name}: ${value}${after}`, 'utf-8');
 }
 function escapeRegex(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
 }
--- a/email-worker-nodejs/src/email/parser.ts
+++ b/email-worker-nodejs/src/email/parser.ts
@@ -0,0 +1,120 @@
 /**
 * Email parsing utilities
 *
 * Wraps `mailparser` for parsing raw MIME bytes and provides
 * header sanitization (e.g. Microsoft's malformed Message-IDs).
 */
 import { simpleParser, type ParsedMail } from 'mailparser';
 // ---------------------------------------------------------------------------
 // Types
 // ---------------------------------------------------------------------------
 export interface BodyParts {
  text: string;
  html: string | null;
 }
 // ---------------------------------------------------------------------------
 // Parser
 // ---------------------------------------------------------------------------
 /**
 * Parse raw email bytes into a ParsedMail object.
 * Applies pre-sanitization for known malformed headers before parsing.
 */
 export async function parseEmail(raw: Buffer): Promise<ParsedMail> {
  // Pre-sanitize: fix Microsoft's [uuid]@domain Message-IDs
  const sanitized = sanitizeRawHeaders(raw);
  return simpleParser(sanitized);
 }
 /**
 * Extract text and HTML body parts from a parsed email.
 */
 export function extractBodyParts(parsed: ParsedMail): BodyParts {
  const text = parsed.text?.trim() || '(No body content)';
  const html = parsed.html || null;
  return { text, html };
 }
 /**
 * Check if email was already processed by our worker (loop detection).
 */
 export function isProcessedByWorker(parsed: ParsedMail): boolean {
  const headers = parsed.headers;
  const xWorker = headers.get('x-ses-worker-processed');
  const autoSubmitted = headers.get('auto-submitted');
  const isProcessedByUs = !!xWorker;
  const isOurAutoReply = autoSubmitted === 'auto-replied' && !!xWorker;
  return isProcessedByUs || isOurAutoReply;
 }
 /**
 * Check if email is a SES MAILER-DAEMON bounce notification.
 */
 export function isSesBounceNotification(parsed: ParsedMail): boolean {
  const from = (parsed.from?.text ?? '').toLowerCase();
  return from.includes('mailer-daemon@') && from.includes('amazonses.com');
 }
 /**
 * Get a header value as string. Handles mailparser's headerlines Map.
 */
 export function getHeader(parsed: ParsedMail, name: string): string {
  const val = parsed.headers.get(name.toLowerCase());
  if (val === undefined || val === null) return '';
  if (typeof val === 'string') return val;
  if (typeof val === 'object' && 'text' in val) return (val as any).text ?? '';
  return String(val);
 }
 // ---------------------------------------------------------------------------
 // Raw header sanitization
 // ---------------------------------------------------------------------------
 /**
 * Fix known problematic patterns in raw MIME headers BEFORE parsing.
 *
 * Specifically targets Microsoft's `Message-ID: <[uuid]@domain>` which
 * causes strict parsers to crash.
 */
 function sanitizeRawHeaders(raw: Buffer): Buffer {
  // We only need to check/fix the header section (before first blank line).
  // For efficiency we work on the first ~8KB where headers live.
  const headerEnd = findDoubleNewline(raw);
  const headerLen = headerEnd === -1 ? Math.min(raw.length, 8192) : headerEnd;
  const headerStr = raw.subarray(0, headerLen).toString('utf-8');
  // Fix: Message-ID with square brackets  <[...]@...>
  if (headerStr.includes('[') || headerStr.includes(']')) {
    const fixed = headerStr.replace(
      /^(Message-ID:\s*<?)(\[.*?\])(@[^>]*>?\s*)$/im,
      (_match, prefix, bracketed, suffix) =>
        prefix + bracketed.replace(/\[/g, '').replace(/\]/g, '') + suffix,
    );
    if (fixed !== headerStr) {
      return Buffer.concat([
        Buffer.from(fixed, 'utf-8'),
        raw.subarray(headerLen),
      ]);
    }
  }
  return raw;
 }
 function findDoubleNewline(buf: Buffer): number {
  // Look for \r\n\r\n or \n\n
  for (let i = 0; i < buf.length - 3; i++) {
    if (buf[i] === 0x0d && buf[i + 1] === 0x0a && buf[i + 2] === 0x0d && buf[i + 3] === 0x0a) {
      return i;
    }
    if (buf[i] === 0x0a && buf[i + 1] === 0x0a) {
      return i;
    }
  }
  return -1;
 }
--- a/email-worker-nodejs/src/email/rules-processor.ts
+++ b/email-worker-nodejs/src/email/rules-processor.ts
@@ -0,0 +1,309 @@
 /**
 * Email rules processing (Auto-Reply / OOO and Forwarding)
 * * CLEANED UP & FIXED:
 * - Uses MailComposer for ALL message generation (safer MIME handling)
 * - Fixes broken attachment forwarding
 * - Removed legacy SMTP forwarding
 * - Removed manual string concatenation for MIME boundaries
 */
 import { createTransport } from 'nodemailer';
 import type { ParsedMail } from 'mailparser';
 import type { SESHandler } from '../aws/ses.js';
 import { extractBodyParts } from './parser.js';
 import { log } from '../logger.js';
 // Wir nutzen MailComposer direkt für das Erstellen der Raw Bytes
 import MailComposer from 'nodemailer/lib/mail-composer/index.js';
 import { DynamoDBHandler, EmailRule } from '../aws/dynamodb.js';
 import { config, isInternalAddress } from '../config.js';
 export type MetricsCallback = (action: 'autoreply' | 'forward', domain: string) => void;
 export class RulesProcessor {
  constructor(
    private dynamodb: DynamoDBHandler,
    private ses: SESHandler,
  ) {}
  /**
   * Process OOO and Forward rules for a single recipient.
   */
  async processRulesForRecipient(
    recipient: string,
    parsed: ParsedMail,
    rawBytes: Buffer,
    domain: string,
    workerName: string,
    metricsCallback?: MetricsCallback,
  ): Promise<boolean> {
    if (config.standbyMode) {
        return false;
    }    
    const rule = await this.dynamodb.getEmailRules(recipient.toLowerCase());
    if (!rule) return false;
    const originalFrom = parsed.from?.text ?? '';
    const senderAddr = extractSenderAddress(originalFrom);
    // OOO / Auto-Reply
    if (rule.ooo_active) {
      await this.handleOoo(
        recipient,
        parsed,
        senderAddr,
        rule,
        domain,
        workerName,
        metricsCallback,
      );
    }
    // Forwarding
    const forwards = rule.forwards ?? [];
    if (forwards.length > 0) {
      await this.handleForwards(
        recipient,
        parsed,
        originalFrom,
        forwards,
        domain,
        workerName,
        metricsCallback,
      );
    }
    return false; // never skip local delivery
  }
  // -----------------------------------------------------------------------
  // OOO
  // -----------------------------------------------------------------------
  private async handleOoo(
    recipient: string,
    parsed: ParsedMail,
    senderAddr: string,
    rule: EmailRule,
    domain: string,
    workerName: string,
    metricsCallback?: MetricsCallback,
  ): Promise<void> {
    // Don't reply to automatic messages
    const autoSubmitted = parsed.headers.get('auto-submitted');
    const precedence = String(parsed.headers.get('precedence') ?? '').toLowerCase();
    if (autoSubmitted && autoSubmitted !== 'no') {
      log('  ⏭ Skipping OOO for auto-submitted message', 'INFO', workerName);
      return;
    }
    if (['bulk', 'junk', 'list'].includes(precedence)) {
      log(`  ⏭ Skipping OOO for ${precedence} message`, 'INFO', workerName);
      return;
    }
    if (/noreply|no-reply|mailer-daemon/i.test(senderAddr)) {
      log('  ⏭ Skipping OOO for noreply address', 'INFO', workerName);
      return;
    }
    try {
      const oooMsg = (rule.ooo_message as string) ?? 'I am out of office.';
      const contentType = (rule.ooo_content_type as string) ?? 'text';
      // FIX: Use MailComposer via await
      const oooBuffer = await buildOooReply(parsed, recipient, oooMsg, contentType);
      if (isInternalAddress(senderAddr)) {
        const ok = await sendInternalEmail(recipient, senderAddr, oooBuffer, workerName);
        if (ok) log(`✓ Sent OOO reply internally to ${senderAddr}`, 'SUCCESS', workerName);
        else log(`⚠ Internal OOO reply failed to ${senderAddr}`, 'WARNING', workerName);
      } else {
        const ok = await this.ses.sendRawEmail(recipient, senderAddr, oooBuffer, workerName);
        if (ok) log(`✓ Sent OOO reply externally to ${senderAddr} via SES`, 'SUCCESS', workerName);
      }
      metricsCallback?.('autoreply', domain);
    } catch (err: any) {
      log(`⚠ OOO reply failed to ${senderAddr}: ${err.message ?? err}`, 'ERROR', workerName);
    }
  }
  // -----------------------------------------------------------------------
  // Forwarding
  // -----------------------------------------------------------------------
  private async handleForwards(
    recipient: string,
    parsed: ParsedMail,
    originalFrom: string,
    forwards: string[],
    domain: string,
    workerName: string,
    metricsCallback?: MetricsCallback,
  ): Promise<void> {
    for (const forwardTo of forwards) {
      try {
        // FIX: Correctly await the composer result
        const fwdBuffer = await buildForwardMessage(parsed, recipient, forwardTo, originalFrom);
        if (isInternalAddress(forwardTo)) {
          const ok = await sendInternalEmail(recipient, forwardTo, fwdBuffer, workerName);
          if (ok) log(`✓ Forwarded internally to ${forwardTo}`, 'SUCCESS', workerName);
          else log(`⚠ Internal forward failed to ${forwardTo}`, 'WARNING', workerName);
        } else {
          const ok = await this.ses.sendRawEmail(recipient, forwardTo, fwdBuffer, workerName);
          if (ok) log(`✓ Forwarded externally to ${forwardTo} via SES`, 'SUCCESS', workerName);
        }
        metricsCallback?.('forward', domain);
      } catch (err: any) {
        log(`⚠ Forward failed to ${forwardTo}: ${err.message ?? err}`, 'ERROR', workerName);
      }
    }
  }
 }
 // ---------------------------------------------------------------------------
 // Message building (Using Nodemailer MailComposer for Safety)
 // ---------------------------------------------------------------------------
 async function buildOooReply(
  original: ParsedMail,
  recipient: string,
  oooMsg: string,
  contentType: string,
 ): Promise<Buffer> {
  const { text: textBody, html: htmlBody } = extractBodyParts(original);
  const originalSubject = original.subject ?? '(no subject)';
  const originalFrom = original.from?.text ?? 'unknown';
  const originalMsgId = original.messageId ?? '';
  const recipientDomain = recipient.split('@')[1];
  // Text version
  let textContent = `${oooMsg}\n\n--- Original Message ---\n`;
  textContent += `From: ${originalFrom}\n`;
  textContent += `Subject: ${originalSubject}\n\n`;
  textContent += textBody;
  // HTML version
  let htmlContent = `<div>${oooMsg}</div><br><hr><br>`;
  htmlContent += '<strong>Original Message</strong><br>';
  htmlContent += `<strong>From:</strong> ${originalFrom}<br>`;
  htmlContent += `<strong>Subject:</strong> ${originalSubject}<br><br>`;
  htmlContent += htmlBody ? htmlBody : textBody.replace(/\n/g, '<br>');
  const includeHtml = contentType === 'html' || !!htmlBody;
  const composer = new MailComposer({
    from: recipient,
    to: originalFrom,
    subject: `Out of Office: ${originalSubject}`,
    inReplyTo: originalMsgId,
    references: [originalMsgId], // Nodemailer wants array
    text: textContent,
    html: includeHtml ? htmlContent : undefined,
    headers: {
      'Auto-Submitted': 'auto-replied',
      'X-SES-Worker-Processed': 'ooo-reply',
    },
    messageId: `<${Date.now()}.${Math.random().toString(36).slice(2)}@${recipientDomain}>`
  });
  return composer.compile().build();
 }
 async function buildForwardMessage(
  original: ParsedMail,
  recipient: string,
  forwardTo: string,
  originalFrom: string,
 ): Promise<Buffer> {
  const { text: textBody, html: htmlBody } = extractBodyParts(original);
  const originalSubject = original.subject ?? '(no subject)';
  const originalDate = original.date?.toUTCString() ?? 'unknown';
  // Text version
  let fwdText = '---------- Forwarded message ---------\n';
  fwdText += `From: ${originalFrom}\n`;
  fwdText += `Date: ${originalDate}\n`;
  fwdText += `Subject: ${originalSubject}\n`;
  fwdText += `To: ${recipient}\n\n`;
  fwdText += textBody;
  // HTML version
  let fwdHtml: string | undefined;
  if (htmlBody) {
    fwdHtml = "<div style='border-left:3px solid #ccc;padding-left:10px;'>";
    fwdHtml += '<strong>---------- Forwarded message ---------</strong><br>';
    fwdHtml += `<strong>From:</strong> ${originalFrom}<br>`;
    fwdHtml += `<strong>Date:</strong> ${originalDate}<br>`;
    fwdHtml += `<strong>Subject:</strong> ${originalSubject}<br>`;
    fwdHtml += `<strong>To:</strong> ${recipient}<br><br>`;
    fwdHtml += htmlBody;
    fwdHtml += '</div>';
  }
  // Config object for MailComposer
  const mailOptions: any = {
    from: recipient,
    to: forwardTo,
    subject: `FWD: ${originalSubject}`,
    replyTo: originalFrom,
    text: fwdText,
    html: fwdHtml,
    headers: {
      'X-SES-Worker-Processed': 'forwarded',
    },
  };
  // Attachments
  if (original.attachments && original.attachments.length > 0) {
    mailOptions.attachments = original.attachments.map((att) => ({
      filename: att.filename ?? 'attachment',
      content: att.content,
      contentType: att.contentType,
      cid: att.cid ?? undefined,
      contentDisposition: att.contentDisposition || 'attachment'
    }));
  }
  const composer = new MailComposer(mailOptions);
  return composer.compile().build();
 }
 // ---------------------------------------------------------------------------
 // Internal SMTP delivery (port 25, bypasses transport_maps)
 // ---------------------------------------------------------------------------
 async function sendInternalEmail(
  from: string,
  to: string,
  rawMessage: Buffer,
  workerName: string,
 ): Promise<boolean> {
  try {
    const transport = createTransport({
      host: config.smtpHost,
      port: config.internalSmtpPort,
      secure: false,
      tls: { rejectUnauthorized: false },
    });
    await transport.sendMail({
      envelope: { from, to: [to] },
      raw: rawMessage,
    });
    transport.close();
    return true;
  } catch (err: any) {
    log(`  ✗ Internal delivery failed to ${to}: ${err.message ?? err}`, 'ERROR', workerName);
    return false;
  }
 }
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
 function extractSenderAddress(fromHeader: string): string {
  const match = fromHeader.match(/<([^>]+)>/);
  return match ? match[1] : fromHeader;
 }
--- a/email-worker-nodejs/src/health.ts
+++ b/email-worker-nodejs/src/health.ts
@@ -0,0 +1,48 @@
 /**
 * Health check HTTP server
 *
 * Provides a simple /health endpoint for Docker healthcheck
 * and monitoring. Returns domain list and feature flags.
 */
 import { createServer, type Server } from 'node:http';
 import { log } from './logger.js';
 export function startHealthServer(
  port: number,
  domains: string[],
  getStats?: () => any,
 ): Server {
  const server = createServer((_req, res) => {
    const stats = getStats?.() ?? {};
    const payload = {
      status: 'healthy',
      worker: 'unified-email-worker-ts',
      version: '2.0.0',
      domains,
      domainCount: domains.length,
      features: {
        bounce_handling: true,
        ooo_replies: true,
        forwarding: true,
        blocklist: true,
        prometheus_metrics: true,
        lmtp: false,
        legacy_smtp_forward: false,
      },
      stats,
      uptime: process.uptime(),
      timestamp: new Date().toISOString(),
    };
    res.writeHead(200, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify(payload, null, 2));
  });
  server.listen(port, () => {
    log(`Health check on port ${port}`);
  });
  return server;
 }
--- a/email-worker-nodejs/src/logger.ts
+++ b/email-worker-nodejs/src/logger.ts
@@ -0,0 +1,166 @@
 /**
 * Structured logging for email worker with daily rotation AND retention
 *
 * Uses pino for high-performance JSON logging.
 * Includes logic to delete logs older than X days.
 */
 import pino from 'pino';
 import { 
  existsSync, 
  mkdirSync, 
  createWriteStream, 
  type WriteStream, 
  readdirSync, 
  statSync, 
  unlinkSync 
 } from 'node:fs';
 import { join } from 'node:path';
 // ---------------------------------------------------------------------------
 // Configuration
 // ---------------------------------------------------------------------------
 const LOG_DIR = '/var/log/email-worker';
 const LOG_FILE_PREFIX = 'worker';
 const RETENTION_DAYS = 14; // Logs älter als 14 Tage löschen
 // ---------------------------------------------------------------------------
 // File stream & Retention Logic
 // ---------------------------------------------------------------------------
 let fileStream: WriteStream | null = null;
 let currentDateStr = '';
 function getDateStr(): string {
  return new Date().toISOString().slice(0, 10); // YYYY-MM-DD
 }
 /**
 * Löscht alte Log-Dateien basierend auf RETENTION_DAYS
 */
 function cleanUpOldLogs(): void {
  try {
    if (!existsSync(LOG_DIR)) return;
    const files = readdirSync(LOG_DIR);
    const now = Date.now();
    const maxAgeMs = RETENTION_DAYS * 24 * 60 * 60 * 1000;
    for (const file of files) {
      // Prüfen ob es eine unserer Log-Dateien ist
      if (!file.startsWith(LOG_FILE_PREFIX) || !file.endsWith('.log')) continue;
      const filePath = join(LOG_DIR, file);
      try {
        const stats = statSync(filePath);
        const ageMs = now - stats.mtimeMs;
        if (ageMs > maxAgeMs) {
          unlinkSync(filePath);
          // Einmalig auf stdout loggen, damit man sieht, dass aufgeräumt wurde
          process.stdout.write(`[INFO] Deleted old log file: ${file}\n`);
        }
      } catch (err) {
        // Ignorieren, falls Datei gerade gelöscht wurde oder Zugriff verweigert
      }
    }
  } catch (err) {
    process.stderr.write(`[WARN] Failed to clean up old logs: ${err}\n`);
  }
 }
 function ensureFileStream(): WriteStream | null {
  const today = getDateStr();
  // Wenn wir bereits einen Stream für heute haben, zurückgeben
  if (fileStream && currentDateStr === today) return fileStream;
  try {
    if (!existsSync(LOG_DIR)) mkdirSync(LOG_DIR, { recursive: true });
    // Wenn sich das Datum geändert hat (oder beim ersten Start): Aufräumen
    if (currentDateStr !== today) {
        cleanUpOldLogs();
    }
    // Alten Stream schließen, falls vorhanden
    if (fileStream) {
        fileStream.end();
    }
    const filePath = join(LOG_DIR, `${LOG_FILE_PREFIX}.${today}.log`);
    fileStream = createWriteStream(filePath, { flags: 'a' });
    currentDateStr = today;
    return fileStream;
  } catch {
    // Silently continue without file logging (e.g. permission issue)
    return null;
  }
 }
 // ---------------------------------------------------------------------------
 // Pino logger
 // ---------------------------------------------------------------------------
 const logger = pino({
  level: 'info',
  transport: {
    targets: [
      {
        // 1. Schicke bunte Logs in die Konsole (für docker compose logs -f)
        target: 'pino-pretty',
        options: {
          colorize: true,
          translateTime: 'SYS:yyyy-mm-dd HH:MM:ss',
          ignore: 'pid,hostname',
          singleLine: true
        }
      },
      {
        // 2. Schreibe gleichzeitig alles unformatiert in die Datei
        target: 'pino/file',
        options: { 
          destination: '/var/log/email-worker/worker.log',
          mkdir: true 
        }
      }
    ]
  }
 });
 // ---------------------------------------------------------------------------
 // Log level mapping
 // ---------------------------------------------------------------------------
 type LogLevel = 'DEBUG' | 'INFO' | 'WARNING' | 'ERROR' | 'CRITICAL' | 'SUCCESS';
 const LEVEL_MAP: Record<LogLevel, keyof pino.Logger> = {
  DEBUG: 'debug',
  INFO: 'info',
  WARNING: 'warn',
  ERROR: 'error',
  CRITICAL: 'fatal',
  SUCCESS: 'info',
 };
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------
 export function log(
  message: string,
  level: LogLevel = 'INFO',
  workerName = 'unified-worker',
 ): void {
  const prefix = level === 'SUCCESS' ? '[SUCCESS] ' : '';
  const formatted = `[${workerName}] ${prefix}${message}`;
  // Pino (stdout/json)
  const method = LEVEL_MAP[level] ?? 'info';
  (logger as any)[method](formatted);
  // File (plain text)
  const stream = ensureFileStream();
  if (stream) {
    const ts = new Date().toISOString().replace('T', ' ').slice(0, 19);
    const line = `[${ts}] [${level}] [${workerName}] ${prefix}${message}\n`;
    stream.write(line);
  }
 }
--- a/email-worker-nodejs/src/main.ts
+++ b/email-worker-nodejs/src/main.ts
@@ -0,0 +1,89 @@
 /**
 * Main entry point for unified email worker
 *
 * Startup sequence:
 *  1. Load configuration and domains
 *  2. Start Prometheus metrics server
 *  3. Start health check server
 *  4. Initialize UnifiedWorker
 *  5. Register signal handlers for graceful shutdown
 */
 import { config, loadDomains } from './config.js';
 import { log } from './logger.js';
 import { startMetricsServer, type MetricsCollector } from './metrics.js';
 import { startHealthServer } from './health.js';
 import { UnifiedWorker } from './worker/unified-worker.js';
 // ---------------------------------------------------------------------------
 // Banner
 // ---------------------------------------------------------------------------
 function printBanner(domains: string[]): void {
  log('╔══════════════════════════════════════════════════╗');
  log('║        Unified Email Worker (TypeScript)         ║');
  log('║               Version 2.0.0                      ║');
  log('╚══════════════════════════════════════════════════╝');
  log('');
  log(`Domains (${domains.length}):`);
  for (const d of domains) {
    log(`  • ${d}`);
  }
  log('');
  log(`SMTP: ${config.smtpHost}:${config.smtpPort}`);
  log(`Internal SMTP: port ${config.internalSmtpPort}`);
  log(`Poll interval: ${config.pollInterval}s`);
  log(`Metrics: port ${config.metricsPort}`);
  log(`Health:  port ${config.healthPort}`);
  log('');
 }
 // ---------------------------------------------------------------------------
 // Main
 // ---------------------------------------------------------------------------
 async function main(): Promise<void> {
  // 1. Load domains
  const domains = loadDomains();
  if (domains.length === 0) {
    log('❌ No domains configured. Set DOMAINS env var or provide DOMAINS_FILE.', 'ERROR');
    process.exit(1);
  }
  printBanner(domains);
  // 2. Metrics server
  const metrics: MetricsCollector | null = await startMetricsServer(config.metricsPort);
  // 3. Unified worker
  const worker = new UnifiedWorker(domains, metrics);
  // 4. Health server
  startHealthServer(config.healthPort, domains, () => worker.getStats());
  // 5. Signal handlers
  let shuttingDown = false;
  const shutdown = async (signal: string) => {
    if (shuttingDown) return;
    shuttingDown = true;
    log(`\n🛑 Received ${signal}. Shutting down gracefully...`);
    await worker.stop();
    log('👋 Goodbye.');
    process.exit(0);
  };
  process.on('SIGINT', () => shutdown('SIGINT'));
  process.on('SIGTERM', () => shutdown('SIGTERM'));
  // 6. Start
  await worker.start();
  // Keep alive (event loop stays open due to HTTP servers + SQS polling)
  log('✅ Worker is running. Press Ctrl+C to stop.');
 }
 // ---------------------------------------------------------------------------
 main().catch((err) => {
  log(`💥 Fatal startup error: ${err.message ?? err}`, 'CRITICAL');
  log(err.stack ?? '', 'CRITICAL');
  process.exit(1);
 });
--- a/email-worker-nodejs/src/metrics.ts
+++ b/email-worker-nodejs/src/metrics.ts
@@ -0,0 +1,155 @@
 /**
 * Prometheus metrics collection
 *
 * Uses prom-client. Falls back gracefully if not available.
 */
 import { log } from './logger.js';
 import type * as PromClientTypes from 'prom-client';
 // prom-client is optional — import dynamically
 let promClient: typeof PromClientTypes | null = null;
 try {
  promClient = require('prom-client') as typeof PromClientTypes;
 } catch {
  // not installed
 }
 // ---------------------------------------------------------------------------
 // Metric instances (created lazily if prom-client is available)
 // ---------------------------------------------------------------------------
 let emailsProcessed: any;
 let emailsInFlight: any;
 let processingTime: any;
 let queueSize: any;
 let bouncesProcessed: any;
 let autorepliesSent: any;
 let forwardsSent: any;
 let blockedSenders: any;
 function initMetrics(): void {
  if (!promClient) return;
  const { Counter, Gauge, Histogram } = promClient;
  emailsProcessed = new Counter({
    name: 'emails_processed_total',
    help: 'Total emails processed',
    labelNames: ['domain', 'status'],
  });
  emailsInFlight = new Gauge({
    name: 'emails_in_flight',
    help: 'Emails currently being processed',
  });
  processingTime = new Histogram({
    name: 'email_processing_seconds',
    help: 'Time to process email',
    labelNames: ['domain'],
  });
  queueSize = new Gauge({
    name: 'queue_messages_available',
    help: 'Messages in queue',
    labelNames: ['domain'],
  });
  bouncesProcessed = new Counter({
    name: 'bounces_processed_total',
    help: 'Bounce notifications processed',
    labelNames: ['domain', 'type'],
  });
  autorepliesSent = new Counter({
    name: 'autoreplies_sent_total',
    help: 'Auto-replies sent',
    labelNames: ['domain'],
  });
  forwardsSent = new Counter({
    name: 'forwards_sent_total',
    help: 'Forwards sent',
    labelNames: ['domain'],
  });
  blockedSenders = new Counter({
    name: 'blocked_senders_total',
    help: 'Emails blocked by blacklist',
    labelNames: ['domain'],
  });
 }
 // ---------------------------------------------------------------------------
 // MetricsCollector
 // ---------------------------------------------------------------------------
 export class MetricsCollector {
  public readonly enabled: boolean;
  constructor() {
    this.enabled = !!promClient;
    if (this.enabled) initMetrics();
  }
  incrementProcessed(domain: string, status: string): void {
    emailsProcessed?.labels(domain, status).inc();
  }
  incrementInFlight(): void {
    emailsInFlight?.inc();
  }
  decrementInFlight(): void {
    emailsInFlight?.dec();
  }
  observeProcessingTime(domain: string, seconds: number): void {
    processingTime?.labels(domain).observe(seconds);
  }
  setQueueSize(domain: string, size: number): void {
    queueSize?.labels(domain).set(size);
  }
  incrementBounce(domain: string, bounceType: string): void {
    bouncesProcessed?.labels(domain, bounceType).inc();
  }
  incrementAutoreply(domain: string): void {
    autorepliesSent?.labels(domain).inc();
  }
  incrementForward(domain: string): void {
    forwardsSent?.labels(domain).inc();
  }
  incrementBlocked(domain: string): void {
    blockedSenders?.labels(domain).inc();
  }
 }
 // ---------------------------------------------------------------------------
 // Start metrics HTTP server
 // ---------------------------------------------------------------------------
 export async function startMetricsServer(port: number): Promise<MetricsCollector | null> {
  if (!promClient) {
    log('⚠ Prometheus client not installed, metrics disabled', 'WARNING');
    return null;
  }
  try {
    const { createServer } = await import('node:http');
    const { register } = promClient;
    const server = createServer(async (_req, res) => {
      try {
        res.setHeader('Content-Type', register.contentType);
        res.end(await register.metrics());
      } catch {
        res.statusCode = 500;
        res.end();
      }
    });
    server.listen(port, () => {
      log(`Prometheus metrics on port ${port}`);
    });
    return new MetricsCollector();
  } catch (err: any) {
    log(`Failed to start metrics server: ${err.message ?? err}`, 'ERROR');
    return null;
  }
 }
--- a/email-worker-nodejs/src/smtp/delivery.ts
+++ b/email-worker-nodejs/src/smtp/delivery.ts
@@ -0,0 +1,155 @@
 /**
 * SMTP / email delivery with nodemailer pooled transport
 *
 * Replaces both Python's SMTPPool and EmailDelivery classes.
 * nodemailer handles connection pooling, keepalive, and reconnection natively.
 *
 * Removed: LMTP delivery path (never used in production).
 */
 import { createTransport, type Transporter } from 'nodemailer';
 import { log } from '../logger.js';
 import { config } from '../config.js';
 // ---------------------------------------------------------------------------
 // Permanent error detection
 // ---------------------------------------------------------------------------
 const PERMANENT_INDICATORS = [
  '550', '551', '553',
  'mailbox not found', 'user unknown', 'no such user',
  'recipient rejected', 'does not exist', 'invalid recipient',
  'unknown user',
 ];
 function isPermanentRecipientError(errorMsg: string): boolean {
  const lower = errorMsg.toLowerCase();
  return PERMANENT_INDICATORS.some((ind) => lower.includes(ind));
 }
 // ---------------------------------------------------------------------------
 // Delivery class
 // ---------------------------------------------------------------------------
 export class EmailDelivery {
  private transport: Transporter;
  constructor() {
    this.transport = createTransport({
      host: config.smtpHost,
      port: config.smtpPort,
      secure: config.smtpUseTls,
      pool: true,
      maxConnections: config.smtpPoolSize,
      maxMessages: Infinity, // reuse connections indefinitely
      tls: { rejectUnauthorized: false },
      ...(config.smtpUser && config.smtpPass
        ? { auth: { user: config.smtpUser, pass: config.smtpPass } }
        : {}),
    });
    log(
      `📡 SMTP pool initialized → ${config.smtpHost}:${config.smtpPort} ` +
        `(max ${config.smtpPoolSize} connections)`,
    );
  }
  /**
   * Send raw email to ONE recipient via the local DMS.
   *
   * Returns: [success, errorMessage?, isPermanent]
   */
  async sendToRecipient(
    fromAddr: string,
    recipient: string,
    rawMessage: Buffer,
    workerName: string,
    maxRetries = 2,
  ): Promise<[boolean, string | null, boolean]> {
    let lastError: string | null = null;
    for (let attempt = 0; attempt <= maxRetries; attempt++) {
      try {
        await this.transport.sendMail({
          envelope: { from: fromAddr, to: [recipient] },
          raw: rawMessage,
        });
        log(`  ✓ ${recipient}: Delivered (SMTP)`, 'SUCCESS', workerName);
        return [true, null, false];
      } catch (err: any) {
        const errorMsg = err.message ?? String(err);
        const responseCode = err.responseCode ?? 0;
        // Check for permanent errors (5xx)
        if (
          responseCode >= 550 ||
          isPermanentRecipientError(errorMsg)
        ) {
          log(
            `  ✗ ${recipient}: ${errorMsg} (permanent)`,
            'ERROR',
            workerName,
          );
          return [false, errorMsg, true];
        }
        // Connection-level errors → retry
        if (
          err.code === 'ECONNRESET' ||
          err.code === 'ECONNREFUSED' ||
          err.code === 'ETIMEDOUT' ||
          errorMsg.toLowerCase().includes('disconnect') ||
          errorMsg.toLowerCase().includes('closed') ||
          errorMsg.toLowerCase().includes('connection')
        ) {
          log(
            `  ⚠ ${recipient}: Connection error, retrying... ` +
              `(attempt ${attempt + 1}/${maxRetries + 1})`,
            'WARNING',
            workerName,
          );
          lastError = errorMsg;
          await sleep(300);
          continue;
        }
        // Other SMTP errors
        const isPerm = isPermanentRecipientError(errorMsg);
        log(
          `  ✗ ${recipient}: ${errorMsg} (${isPerm ? 'permanent' : 'temporary'})`,
          'ERROR',
          workerName,
        );
        return [false, errorMsg, isPerm];
      }
    }
    // All retries exhausted
    log(
      `  ✗ ${recipient}: All retries failed - ${lastError}`,
      'ERROR',
      workerName,
    );
    return [false, lastError ?? 'Connection failed after retries', false];
  }
  /** Verify the transport is reachable (used during startup). */
  async verify(): Promise<boolean> {
    try {
      await this.transport.verify();
      return true;
    } catch {
      return false;
    }
  }
  /** Close all pooled connections. */
  close(): void {
    this.transport.close();
  }
 }
 // ---------------------------------------------------------------------------
 function sleep(ms: number): Promise<void> {
  return new Promise((r) => setTimeout(r, ms));
 }
--- a/email-worker-nodejs/src/worker/domain-poller.ts
+++ b/email-worker-nodejs/src/worker/domain-poller.ts
@@ -0,0 +1,151 @@
 /**
 * Domain queue poller
 *
 * One poller per domain. Runs an async loop that long-polls SQS
 * and dispatches messages to the MessageProcessor.
 *
 * Replaces Python's threading.Thread + threading.Event with
 * a simple async loop + AbortController for cancellation.
 */
 import type { SQSHandler } from '../aws/sqs.js';
 import type { MetricsCollector } from '../metrics.js';
 import { log } from '../logger.js';
 import { MessageProcessor } from './message-processor.js';
 export interface DomainPollerStats {
  domain: string;
  processed: number;
  errors: number;
  lastActivity: Date | null;
  running: boolean;
 }
 export class DomainPoller {
  public stats: DomainPollerStats;
  private abort: AbortController;
  private loopPromise: Promise<void> | null = null;
  constructor(
    private domain: string,
    private queueUrl: string,
    private sqs: SQSHandler,
    private processor: MessageProcessor,
    private metrics: MetricsCollector | null,
  ) {
    this.abort = new AbortController();
    this.stats = {
      domain,
      processed: 0,
      errors: 0,
      lastActivity: null,
      running: false,
    };
  }
  /** Start the polling loop. Returns immediately. */
  start(): void {
    if (this.stats.running) return;
    this.stats.running = true;
    log(`▶ Started poller for ${this.domain}`, 'INFO', `poller-${this.domain}`);
    this.loopPromise = this.pollLoop();
  }
  /** Signal the poller to stop and wait for it to finish. */
  async stop(): Promise<void> {
    if (!this.stats.running) return;
    this.abort.abort();
    if (this.loopPromise) {
      await this.loopPromise;
    }
    this.stats.running = false;
    log(`⏹ Stopped poller for ${this.domain}`, 'INFO', `poller-${this.domain}`);
  }
  // -----------------------------------------------------------------------
  // Poll loop
  // -----------------------------------------------------------------------
  private async pollLoop(): Promise<void> {
    const workerName = `poller-${this.domain}`;
    while (!this.abort.signal.aborted) {
      try {
        // Report queue size
        const qSize = await this.sqs.getQueueSize(this.queueUrl);
        this.metrics?.setQueueSize(this.domain, qSize);
        if (qSize > 0) {
          log(`📊 Queue ${this.domain}: ~${qSize} messages`, 'INFO', workerName);
        }
        // Long-poll
        const messages = await this.sqs.receiveMessages(this.queueUrl);
        if (this.abort.signal.aborted) break;
        if (messages.length === 0) continue;
        log(
          `📬 Received ${messages.length} message(s) for ${this.domain}`,
          'INFO',
          workerName,
        );
        // Process each message
        for (const msg of messages) {
          if (this.abort.signal.aborted) break;
          const receiveCount = parseInt(
            msg.Attributes?.ApproximateReceiveCount ?? '1',
            10,
          );
          this.metrics?.incrementInFlight();
          const start = Date.now();
          try {
            const shouldDelete = await this.processor.processMessage(
              this.domain,
              msg,
              receiveCount,
            );
            if (shouldDelete && msg.ReceiptHandle) {
              await this.sqs.deleteMessage(this.queueUrl, msg.ReceiptHandle);
            }
            this.stats.processed++;
            this.stats.lastActivity = new Date();
            const elapsed = ((Date.now() - start) / 1000).toFixed(2);
            this.metrics?.observeProcessingTime(this.domain, parseFloat(elapsed));
          } catch (err: any) {
            this.stats.errors++;
            log(
              `❌ Error processing message: ${err.message ?? err}`,
              'ERROR',
              workerName,
            );
          } finally {
            this.metrics?.decrementInFlight();
          }
        }
      } catch (err: any) {
        if (this.abort.signal.aborted) break;
        this.stats.errors++;
        log(
          `❌ Polling error for ${this.domain}: ${err.message ?? err}`,
          'ERROR',
          workerName,
        );
        // Back off on repeated errors
        await sleep(5000);
      }
    }
  }
 }
 // ---------------------------------------------------------------------------
 function sleep(ms: number): Promise<void> {
  return new Promise((r) => setTimeout(r, ms));
 }
--- a/email-worker-nodejs/src/worker/message-processor.ts
+++ b/email-worker-nodejs/src/worker/message-processor.ts
@@ -0,0 +1,361 @@
 /**
 * Email message processing worker
 *
 * Processes a single SQS message:
 *  1. Unpack SNS/SES envelope
 *  2. Download raw email from S3
 *  3. Loop detection
 *  4. Parse & sanitize headers
 *  5. Bounce detection & header rewrite
 *  6. Blocklist check
 *  7. Process recipients (rules, SMTP delivery)
 *  8. Mark result in S3 metadata
 */
 import type { Message } from '@aws-sdk/client-sqs';
 import type { S3Handler } from '../aws/s3.js';
 import type { SQSHandler } from '../aws/sqs.js';
 import type { SESHandler } from '../aws/ses.js';
 import type { DynamoDBHandler } from '../aws/dynamodb.js';
 import type { EmailDelivery } from '../smtp/delivery.js';
 import type { MetricsCollector } from '../metrics.js';
 import type { ParsedMail } from 'mailparser';
 import { log } from '../logger.js';
 import { BlocklistChecker } from '../email/blocklist.js';
 import { BounceHandler } from '../email/bounce-handler.js';
 import { parseEmail, isProcessedByWorker } from '../email/parser.js';
 import { RulesProcessor } from '../email/rules-processor.js';
 import { config } from '../config.js';
 // ---------------------------------------------------------------------------
 // Processor
 // ---------------------------------------------------------------------------
 export class MessageProcessor {
  private bounceHandler: BounceHandler;
  private rulesProcessor: RulesProcessor;
  private blocklist: BlocklistChecker;
  public metrics: MetricsCollector | null = null;
  constructor(
    private s3: S3Handler,
    private sqs: SQSHandler,
    private ses: SESHandler,
    private dynamodb: DynamoDBHandler,
    private delivery: EmailDelivery,
  ) {
    this.bounceHandler = new BounceHandler(dynamodb);
    this.rulesProcessor = new RulesProcessor(dynamodb, ses);
    this.blocklist = new BlocklistChecker(dynamodb);
  }
  /**
   * Process one email message from queue.
   * Returns true → delete from queue.
   * Returns false → leave in queue for retry.
   */
  async processMessage(
    domain: string,
    message: Message,
    receiveCount: number,
  ): Promise<boolean> {
    const workerName = `worker-${domain}`;
    try {
      // 1. UNPACK (SNS → SES)
      const body = JSON.parse(message.Body ?? '{}');
      let sesMsg: any;
      if (body.Message && body.Type) {
        // SNS Notification wrapper
        const snsContent = body.Message;
        sesMsg = typeof snsContent === 'string' ? JSON.parse(snsContent) : snsContent;
      } else {
        sesMsg = body;
      }
      // 2. EXTRACT DATA
      const mail = sesMsg.mail ?? {};
      const receipt = sesMsg.receipt ?? {};
      const messageId: string | undefined = mail.messageId;
      // Ignore SES setup notifications
      if (messageId === 'AMAZON_SES_SETUP_NOTIFICATION') {
        log('ℹ️ Received Amazon SES Setup Notification. Ignoring.', 'INFO', workerName);
        return true;
      }
      const fromAddr: string = mail.source ?? '';
      const recipients: string[] = receipt.recipients ?? [];
      if (!messageId) {
        log('❌ Error: No messageId in event payload', 'ERROR', workerName);
        return true;
      }
      // Domain validation
      if (recipients.length === 0) {
        log('⚠ Warning: No recipients in event', 'WARNING', workerName);
        return true;
      }
      const recipientDomain = recipients[0].split('@')[1];
      if (recipientDomain.toLowerCase() !== domain.toLowerCase()) {
        log(
          `⚠ Security: Ignored message for ${recipientDomain} ` +
            `(I am worker for ${domain})`,
          'WARNING',
          workerName,
        );
        return true;
      }
      // Compact log
      const recipientsStr =
        recipients.length === 1
          ? recipients[0]
          : `${recipients.length} recipients`;
      log(
        `📧 Processing: ${messageId.slice(0, 20)}... -> ${recipientsStr}`,
        'INFO',
        workerName,
      );
      // 3. DOWNLOAD FROM S3
      const rawBytes = await this.s3.getEmail(domain, messageId, receiveCount);
      if (rawBytes === null) return false; // retry later
      // 4. LOOP DETECTION
      const tempParsed = await parseEmail(rawBytes);
      const skipRules = isProcessedByWorker(tempParsed);
      if (skipRules) {
        log('🔄 Loop prevention: Already processed by worker', 'INFO', workerName);
      }
      // 5. PARSING & BOUNCE LOGIC
      let finalRawBytes = rawBytes;
      let fromAddrFinal = fromAddr;
      let isBounce = false;
      let parsedFinal: ParsedMail | null = null; // <-- Hier deklarieren
      try {
        const parsed = await parseEmail(rawBytes);
        const subject = parsed.subject ?? '(no subject)';
        // Bounce header rewriting
        const bounceResult = await this.bounceHandler.applyBounceLogic(
          parsed,
          rawBytes,
          subject,
          workerName,
        );
        isBounce = bounceResult.isBounce;
        finalRawBytes = bounceResult.rawBytes;
        if (bounceResult.modified) {
          log('  ✨ Bounce detected & headers rewritten via DynamoDB', 'INFO', workerName);
          fromAddrFinal = bounceResult.fromAddr;
          this.metrics?.incrementBounce(domain, 'rewritten');
        } else {
          fromAddrFinal = fromAddr;
        }
        // Add processing marker for non-processed emails
        if (!skipRules) {
          finalRawBytes = addProcessedHeader(finalRawBytes);
        }
        // Re-parse after modifications for rules processing
        parsedFinal = await parseEmail(finalRawBytes);
      } catch (err: any) {
        log(
          `⚠ Parsing/Logic Error: ${err.message ?? err}. Sending original RAW mail without rules.`,
          'WARNING',
          workerName,
        );
        log(`Full error: ${err.stack ?? err}`, 'ERROR', workerName);
        fromAddrFinal = fromAddr;
        isBounce = false;
        parsedFinal = null; // <-- GANZ WICHTIG: Kein erneuter Parse-Versuch!
      }
      // 6. BLOCKLIST CHECK
      const sendersToCheck: string[] = [];
      if (fromAddrFinal) sendersToCheck.push(fromAddrFinal);
      const headerFrom = parsedFinal?.from?.text;
      if (headerFrom && !sendersToCheck.includes(headerFrom)) {
        sendersToCheck.push(headerFrom);
      }
      const blockedByRecipient = await this.blocklist.batchCheckBlockedSenders(
        recipients,
        sendersToCheck, // <-- Array übergeben
        workerName,
      );
      // 7. PROCESS RECIPIENTS
      log(`📤 Sending to ${recipients.length} recipient(s)...`, 'INFO', workerName);
      const successful: string[] = [];
      const failedPermanent: string[] = [];
      const failedTemporary: string[] = [];
      const blockedRecipients: string[] = [];
      for (const recipient of recipients) {
        // Blocked?
        if (blockedByRecipient[recipient]) {
          log(
            `🗑 Silently dropping message for ${recipient} (Sender blocked)`,
            'INFO',
            workerName,
          );
          blockedRecipients.push(recipient);
          this.metrics?.incrementBlocked(domain);
          continue;
        }
        // Process rules (OOO, Forwarding) — not for bounces or already forwarded
        if (!isBounce && !skipRules && parsedFinal !== null) {
          const metricsCallback = (action: 'autoreply' | 'forward', dom: string) => {
            if (action === 'autoreply') this.metrics?.incrementAutoreply(dom);
            else if (action === 'forward') this.metrics?.incrementForward(dom);
          };
          await this.rulesProcessor.processRulesForRecipient(
            recipient,
            parsedFinal,
            finalRawBytes,
            domain,
            workerName,
            metricsCallback,
          );
        }
        // SMTP delivery
        const [success, error, isPerm] = await this.delivery.sendToRecipient(
          fromAddrFinal,
          recipient,
          finalRawBytes,
          workerName,
        );
        if (success) {
          successful.push(recipient);
          this.metrics?.incrementProcessed(domain, 'success');
        } else if (isPerm) {
          failedPermanent.push(recipient);
          this.metrics?.incrementProcessed(domain, 'permanent_failure');
        } else {
          failedTemporary.push(recipient);
          this.metrics?.incrementProcessed(domain, 'temporary_failure');
        }
      }
      // 8. RESULT & CLEANUP
      const totalHandled =
        successful.length + failedPermanent.length + blockedRecipients.length;
      if (totalHandled === recipients.length) {
        if (blockedRecipients.length === recipients.length) {
          // All blocked — im Standby kein S3 anfassen
          if (!config.standbyMode) {
            try {
              await this.s3.markAsBlocked(
                domain,
                messageId,
                blockedRecipients,
                fromAddrFinal,
                workerName,
              );
              await this.s3.deleteBlockedEmail(domain, messageId, workerName);
            } catch (err: any) {
              log(`⚠ Failed to handle blocked email: ${err.message ?? err}`, 'ERROR', workerName);
              return false;
            }
          }
        } else if (successful.length > 0) {
          if (!config.standbyMode) {
            await this.s3.markAsProcessed(
              domain,
              messageId,
              workerName,
              failedPermanent.length > 0 ? failedPermanent : undefined,
            );
          }
        } else if (failedPermanent.length > 0) {
          if (!config.standbyMode) {
            await this.s3.markAsAllInvalid(
              domain,
              messageId,
              failedPermanent,
              workerName,
            );
          }
        }
        // Summary
        const parts: string[] = [];
        if (successful.length) parts.push(`${successful.length} OK`);
        if (failedPermanent.length) parts.push(`${failedPermanent.length} invalid`);
        if (blockedRecipients.length) parts.push(`${blockedRecipients.length} blocked`);
        log(`✅ Completed (${parts.join(', ')})`, 'SUCCESS', workerName);
        return true;
      } else {
        // Temporary failures remain
        log(
          `🔄 Temp failure (${failedTemporary.length} failed), will retry`,
          'WARNING',
          workerName,
        );
        return false;
      }
    } catch (err: any) {
      log(`❌ CRITICAL WORKER ERROR: ${err.message ?? err}`, 'ERROR', workerName);
      log(err.stack ?? '', 'ERROR', workerName);
      return false;
    }
  }
 }
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
 /**
 * Add X-SES-Worker-Processed header to raw email bytes using Buffer manipulation.
 * More robust and memory efficient than toString().
 */
 function addProcessedHeader(raw: Buffer): Buffer {
  // Wir suchen nach dem Ende der Header: Double Newline (\r\n\r\n oder \n\n)
  let headerEndIndex = -1;
  // Effiziente Suche im Buffer
  for (let i = 0; i < raw.length - 3; i++) {
    // Check für \r\n\r\n
    if (raw[i] === 0x0d && raw[i+1] === 0x0a && raw[i+2] === 0x0d && raw[i+3] === 0x0a) {
      headerEndIndex = i;
      break;
    }
    // Check für \n\n (Unix style, seltener bei E-Mail aber möglich)
    if (raw[i] === 0x0a && raw[i+1] === 0x0a) {
      headerEndIndex = i;
      break;
    }
  }
  // Falls keine Header-Trennung gefunden wurde (kaputte Mail?), hängen wir es einfach vorne an
  if (headerEndIndex === -1) {
    const headerLine = Buffer.from('X-SES-Worker-Processed: delivered\r\n', 'utf-8');
    return Buffer.concat([headerLine, raw]);
  }
  // Wir fügen den Header VOR der leeren Zeile ein
  const before = raw.subarray(0, headerEndIndex);
  const after = raw.subarray(headerEndIndex);
  const newHeader = Buffer.from('\r\nX-SES-Worker-Processed: delivered', 'utf-8');
  return Buffer.concat([before, newHeader, after]);
 }
--- a/email-worker-nodejs/src/worker/unified-worker.ts
+++ b/email-worker-nodejs/src/worker/unified-worker.ts
@@ -0,0 +1,134 @@
 /**
 * Unified multi-domain worker coordinator
 *
 * Manages the lifecycle of all DomainPoller instances:
 *  - Resolves SQS queue URLs for each domain
 *  - Creates pollers for valid domains
 *  - Provides aggregate stats
 *  - Graceful shutdown
 */
 import { DynamoDBHandler } from '../aws/dynamodb';
 import { S3Handler} from '../aws/s3.js';
 import { SQSHandler} from '../aws/sqs.js'
 import { SESHandler } from '../aws/ses';
 import { EmailDelivery } from '../smtp/delivery.js';
 import { MessageProcessor } from './message-processor.js';
 import { DomainPoller, type DomainPollerStats } from './domain-poller.js';
 import type { MetricsCollector } from '../metrics.js';
 import { log } from '../logger.js';
 export class UnifiedWorker {
  private pollers: DomainPoller[] = [];
  private processor: MessageProcessor;
  private sqs: SQSHandler;
  private statusInterval: NodeJS.Timeout | null = null;
  constructor(
    private domains: string[],
    private metrics: MetricsCollector | null,
  ) {
    const s3 = new S3Handler();
    this.sqs = new SQSHandler();
    const ses = new SESHandler();
    const dynamodb = new DynamoDBHandler();
    const delivery = new EmailDelivery();
    this.processor = new MessageProcessor(s3, this.sqs, ses, dynamodb, delivery);
    this.processor.metrics = metrics;
    dynamodb.verifyTables().catch(() => {});
  }
  async start(): Promise<void> {
    log(`🚀 Starting unified worker for ${this.domains.length} domain(s)...`);
    const resolvedPollers: DomainPoller[] = [];
    for (const domain of this.domains) {
      const queueUrl = await this.sqs.getQueueUrl(domain);
      if (!queueUrl) {
        log(`⚠ Skipping ${domain}: No SQS queue found`, 'WARNING');
        continue;
      }
      const poller = new DomainPoller(
        domain,
        queueUrl,
        this.sqs,
        this.processor,
        this.metrics,
      );
      resolvedPollers.push(poller);
    }
    if (resolvedPollers.length === 0) {
      log('❌ No valid domains with SQS queues found. Exiting.', 'ERROR');
      process.exit(1);
    }
    this.pollers = resolvedPollers;
    for (const poller of this.pollers) {
      poller.start();
    }
    log(
      `✅ All ${this.pollers.length} domain poller(s) running: ` +
        this.pollers.map((p) => p.stats.domain).join(', '),
      'SUCCESS',
    );
    // Starte den 5-Minuten-Status-Report
    this.statusInterval = setInterval(() => {
      this.printStatus();
    }, 5 * 60 * 1000);
  }
  async stop(): Promise<void> {
    log('🛑 Stopping all domain pollers...');
    if (this.statusInterval) clearInterval(this.statusInterval); // <-- Neue Zeile
    await Promise.all(this.pollers.map((p) => p.stop()));
    log('✅ All pollers stopped.');
  }
  getStats(): {
    totalProcessed: number;
    totalErrors: number;
    domains: DomainPollerStats[];
  } {
    let totalProcessed = 0;
    let totalErrors = 0;
    const domains: DomainPollerStats[] = [];
    for (const p of this.pollers) {
      totalProcessed += p.stats.processed;
      totalErrors += p.stats.errors;
      domains.push({ ...p.stats });
    }
    return { totalProcessed, totalErrors, domains };
  }
  private printStatus(): void {
    const stats = this.getStats();
    // Zähle aktive Poller
    const activePollers = this.pollers.filter((p) => p.stats.running).length;
    const totalPollers = this.pollers.length;
    // Formatiere die Domain-Statistiken (z.B. hotshpotshga:1)
    const domainStats = stats.domains
      .map((d) => {
        const shortName = d.domain.split('.')[0].substring(0, 12);
        return `${shortName}:${d.processed}`;
      })
      .join(' | ');
    log(
      `📊 Status: ${activePollers}/${totalPollers} active, total:${stats.totalProcessed} | ${domainStats}`,
      'INFO',
      'unified-worker'
    );
  }
 }
--- a/email-worker-nodejs/tsconfig.json
+++ b/email-worker-nodejs/tsconfig.json
@@ -0,0 +1,22 @@
 {
  "compilerOptions": {
    "target": "ES2022",
    "module": "Node16",
    "moduleResolution": "Node16",
    "lib": ["ES2022"],
    "outDir": "./dist",
    "rootDir": "./src",
    "strict": true,
    "esModuleInterop": true,
    "skipLibCheck": true,
    "forceConsistentCasingInFileNames": true,
    "resolveJsonModule": true,
    "declaration": true,
    "declarationMap": true,
    "sourceMap": true,
    "noUnusedLocals": false,
    "noUnusedParameters": false
  },
  "include": ["src/**/*"],
  "exclude": ["node_modules", "dist"]
 }
--- a/email-worker/.dockerignore
+++ b/email-worker/.dockerignore
@@ -1,38 +0,0 @@
 # Documentation
 *.md
 !README.md
 # Git
 .git
 .gitignore
 # Python
 __pycache__
 *.pyc
 *.pyo
 *.pyd
 .Python
 *.so
 # Logs
 logs/
 *.log
 # Environment
 .env
 .env.example
 # IDE
 .vscode/
 .idea/
 *.swp
 *.swo
 # OS
 .DS_Store
 Thumbs.db
 # Build
 *.tar.gz
 dist/
 build/
--- a/email-worker/.env.example
+++ b/email-worker/.env.example
@@ -1,42 +0,0 @@
 # AWS Credentials
 AWS_REGION=us-east-2
 AWS_ACCESS_KEY_ID=your_access_key_here
 AWS_SECRET_ACCESS_KEY=your_secret_key_here
 # Domains Configuration
 DOMAINS=example.com,another.com
 # Alternative: Use domains file
 # DOMAINS_FILE=/etc/email-worker/domains.txt
 # Worker Settings
 WORKER_THREADS=10
 POLL_INTERVAL=20
 MAX_MESSAGES=10
 VISIBILITY_TIMEOUT=300
 # SMTP Configuration
 SMTP_HOST=localhost
 SMTP_PORT=25
 SMTP_USE_TLS=false
 SMTP_USER=
 SMTP_PASS=
 SMTP_POOL_SIZE=5
 INTERNAL_SMTP_PORT=2525
 # LMTP Configuration (Optional)
 LMTP_ENABLED=false
 LMTP_HOST=localhost
 LMTP_PORT=24
 # DynamoDB Tables
 DYNAMODB_RULES_TABLE=email-rules
 DYNAMODB_MESSAGES_TABLE=ses-outbound-messages
 DYNAMODB_BLOCKED_TABLE=email-blocked-senders
 # Bounce Handling
 BOUNCE_LOOKUP_RETRIES=3
 BOUNCE_LOOKUP_DELAY=1.0
 # Monitoring Ports
 METRICS_PORT=8000
 HEALTH_PORT=8080
--- a/email-worker/.gitignore
+++ b/email-worker/.gitignore
@@ -1,36 +0,0 @@
 # Python
 __pycache__/
 *.py[cod]
 *$py.class
 *.so
 .Python
 env/
 venv/
 ENV/
 .venv
 # Logs
 logs/
 *.log
 # Environment
 .env
 # IDE
 .vscode/
 .idea/
 *.swp
 *.swo
 # OS
 .DS_Store
 Thumbs.db
 # Build
 dist/
 build/
 *.egg-info/
 # Archives
 *.tar.gz
 *.zip
--- a/email-worker/Dockerfile
+++ b/email-worker/Dockerfile
@@ -1,37 +0,0 @@
 FROM python:3.11-slim
 LABEL maintainer="andreas@knuth.dev"
 LABEL description="Unified multi-domain email worker (modular version)"
 # System packages
 RUN apt-get update && apt-get install -y --no-install-recommends \
    curl \
    && rm -rf /var/lib/apt/lists/*
 # Non-root user
 RUN useradd -m -u 1000 worker && \
    mkdir -p /app /var/log/email-worker /etc/email-worker && \
    chown -R worker:worker /app /var/log/email-worker /etc/email-worker
 # Python dependencies
 COPY requirements.txt /app/
 RUN pip install --no-cache-dir -r /app/requirements.txt
 # Worker code (all modules)
 COPY --chown=worker:worker aws/ /app/aws/
 COPY --chown=worker:worker email_processing/ /app/email_processing/
 COPY --chown=worker:worker smtp/ /app/smtp/
 COPY --chown=worker:worker metrics/ /app/metrics/
 COPY --chown=worker:worker *.py /app/
 WORKDIR /app
 USER worker
 # Health check
 HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
    CMD curl -f http://localhost:8080/health || exit 1
 # Unbuffered output
 ENV PYTHONUNBUFFERED=1
 CMD ["python3", "main.py"]
--- a/email-worker/Makefile
+++ b/email-worker/Makefile
@@ -1,50 +0,0 @@
 .PHONY: help install run test lint clean docker-build docker-run docker-stop docker-logs
 help:
 	@echo "Available commands:"
 	@echo "  make install       - Install dependencies"
 	@echo "  make run           - Run worker locally"
 	@echo "  make test          - Run tests (TODO)"
 	@echo "  make lint          - Run linting"
 	@echo "  make clean         - Clean up files"
 	@echo "  make docker-build  - Build Docker image"
 	@echo "  make docker-run    - Run with docker-compose"
 	@echo "  make docker-stop   - Stop docker-compose"
 	@echo "  make docker-logs   - Show docker logs"
 install:
 	pip install -r requirements.txt
 run:
 	python3 main.py
 test:
 	@echo "TODO: Add tests"
 	# python3 -m pytest tests/
 lint:
 	@echo "Running pylint..."
 	-pylint --rcfile=.pylintrc *.py **/*.py 2>/dev/null || echo "pylint not installed"
 	@echo "Running flake8..."
 	-flake8 --max-line-length=120 . 2>/dev/null || echo "flake8 not installed"
 clean:
 	find . -type d -name __pycache__ -exec rm -rf {} + 2>/dev/null || true
 	find . -type f -name "*.pyc" -delete
 	find . -type f -name "*.pyo" -delete
 	find . -type f -name "*.log" -delete
 docker-build:
 	docker build -t unified-email-worker:latest .
 docker-run:
 	docker-compose up -d
 docker-stop:
 	docker-compose down
 docker-logs:
 	docker-compose logs -f email-worker
 docker-restart: docker-stop docker-build docker-run
 	@echo "Worker restarted"
--- a/email-worker/aws/init.py
+++ b/email-worker/aws/init.py
@@ -1,11 +0,0 @@
 #!/usr/bin/env python3
 """
 AWS service handlers
 """
 from .s3_handler import S3Handler
 from .sqs_handler import SQSHandler
 from .ses_handler import SESHandler
 from .dynamodb_handler import DynamoDBHandler
 __all__ = ['S3Handler', 'SQSHandler', 'SESHandler', 'DynamoDBHandler']
--- a/email-worker/aws/dynamodb_handler.py
+++ b/email-worker/aws/dynamodb_handler.py
@@ -1,192 +0,0 @@
 #!/usr/bin/env python3
 """
 DynamoDB operations handler
 """
 import time
 from typing import Optional, Dict, Any, List
 import boto3
 from botocore.exceptions import ClientError
 from logger import log
 from config import config
 class DynamoDBHandler:
    """Handles all DynamoDB operations"""
    def __init__(self):
        self.resource = boto3.resource('dynamodb', region_name=config.aws_region)
        self.available = False
        self.rules_table = None
        self.messages_table = None
        self.blocked_table = None
        self._initialize_tables()
    def _initialize_tables(self):
        """Initialize DynamoDB table connections"""
        try:
            self.rules_table = self.resource.Table(config.rules_table)
            self.messages_table = self.resource.Table(config.messages_table)
            self.blocked_table = self.resource.Table(config.blocked_table)
            # Test connection
            self.rules_table.table_status
            self.messages_table.table_status
            self.blocked_table.table_status
            self.available = True
            log("✓ DynamoDB tables connected successfully")
        except Exception as e:
            log(f"⚠ DynamoDB not fully available: {e}", 'WARNING')
            self.available = False
    def get_email_rules(self, email_address: str) -> Optional[Dict[str, Any]]:
        """
        Get email rules for recipient (OOO, Forwarding)
        Args:
            email_address: Recipient email address
        Returns:
            Rule dictionary or None if not found
        """
        if not self.available or not self.rules_table:
            return None
        try:
            response = self.rules_table.get_item(Key={'email_address': email_address})
            return response.get('Item')
        except ClientError as e:
            if e.response['Error']['Code'] != 'ResourceNotFoundException':
                log(f"⚠ DynamoDB error for {email_address}: {e}", 'ERROR')
            return None
        except Exception as e:
            log(f"⚠ DynamoDB error for {email_address}: {e}", 'WARNING')
            return None
    def get_bounce_info(self, message_id: str, worker_name: str = 'unified') -> Optional[Dict]:
        """
        Get bounce information from DynamoDB with retry logic
        Args:
            message_id: SES Message ID
            worker_name: Worker name for logging
        Returns:
            Bounce info dictionary or None
        """
        if not self.available or not self.messages_table:
            return None
        for attempt in range(config.bounce_lookup_retries):
            try:
                response = self.messages_table.get_item(Key={'MessageId': message_id})
                item = response.get('Item')
                if item:
                    return {
                        'original_source': item.get('original_source', ''),
                        'bounceType': item.get('bounceType', 'Unknown'),
                        'bounceSubType': item.get('bounceSubType', 'Unknown'),
                        'bouncedRecipients': item.get('bouncedRecipients', []),
                        'timestamp': item.get('timestamp', '')
                    }
                if attempt < config.bounce_lookup_retries - 1:
                    log(
                        f"  Bounce record not found yet, retrying in {config.bounce_lookup_delay}s "
                        f"(attempt {attempt + 1}/{config.bounce_lookup_retries})...",
                        'INFO',
                        worker_name
                    )
                    time.sleep(config.bounce_lookup_delay)
                else:
                    log(
                        f"⚠ No bounce record found after {config.bounce_lookup_retries} attempts "
                        f"for Message-ID: {message_id}",
                        'WARNING',
                        worker_name
                    )
                    return None
            except Exception as e:
                log(
                    f"⚠ DynamoDB Error (attempt {attempt + 1}/{config.bounce_lookup_retries}): {e}",
                    'ERROR',
                    worker_name
                )
                if attempt < config.bounce_lookup_retries - 1:
                    time.sleep(config.bounce_lookup_delay)
                else:
                    return None
        return None
    def get_blocked_patterns(self, email_address: str) -> List[str]:
        """
        Get blocked sender patterns for recipient
        Args:
            email_address: Recipient email address
        Returns:
            List of blocked patterns (may include wildcards)
        """
        if not self.available or not self.blocked_table:
            return []
        try:
            response = self.blocked_table.get_item(Key={'email_address': email_address})
            item = response.get('Item', {})
            return item.get('blocked_patterns', [])
        except Exception as e:
            log(f"⚠ Error getting block list for {email_address}: {e}", 'ERROR')
            return []
    def batch_get_blocked_patterns(self, email_addresses: List[str]) -> Dict[str, List[str]]:
        """
        Batch get blocked patterns for multiple recipients (more efficient)
        Args:
            email_addresses: List of recipient email addresses
        Returns:
            Dictionary mapping email_address -> list of blocked patterns
        """
        if not self.available or not self.blocked_table:
            return {addr: [] for addr in email_addresses}
        try:
            # DynamoDB BatchGetItem
            keys = [{'email_address': addr} for addr in email_addresses]
            response = self.resource.batch_get_item(
                RequestItems={
                    config.blocked_table: {'Keys': keys}
                }
            )
            items = response.get('Responses', {}).get(config.blocked_table, [])
            # Build result dictionary
            result = {}
            for email_address in email_addresses:
                matching_item = next(
                    (item for item in items if item['email_address'] == email_address),
                    None
                )
                if matching_item:
                    result[email_address] = matching_item.get('blocked_patterns', [])
                else:
                    result[email_address] = []
            return result
        except Exception as e:
            log(f"⚠ Batch blocklist check error: {e}", 'ERROR')
            return {addr: [] for addr in email_addresses}
--- a/email-worker/aws/s3_handler.py
+++ b/email-worker/aws/s3_handler.py
@@ -1,193 +0,0 @@
 #!/usr/bin/env python3
 """
 S3 operations handler
 """
 import time
 from typing import Optional, List
 import boto3
 from botocore.exceptions import ClientError
 from logger import log
 from config import config, domain_to_bucket_name
 class S3Handler:
    """Handles all S3 operations"""
    def __init__(self):
        self.client = boto3.client('s3', region_name=config.aws_region)
    def get_email(self, domain: str, message_id: str, receive_count: int) -> Optional[bytes]:
        """
        Download email from S3
        Args:
            domain: Email domain
            message_id: SES Message ID
            receive_count: Number of times this message was received from queue
        Returns:
            Raw email bytes or None if not found/error
        """
        bucket = domain_to_bucket_name(domain)
        try:
            response = self.client.get_object(Bucket=bucket, Key=message_id)
            return response['Body'].read()
        except self.client.exceptions.NoSuchKey:
            if receive_count < 5:
                log(f"⏳ S3 Object not found yet (Attempt {receive_count}). Retrying...", 'WARNING')
                return None
            else:
                log(f"❌ S3 Object missing permanently after retries.", 'ERROR')
                raise
        except ClientError as e:
            if e.response['Error']['Code'] == 'NoSuchKey':
                if receive_count < 5:
                    log(f"⏳ S3 Object not found yet (Attempt {receive_count}). Retrying...", 'WARNING')
                    return None
                else:
                    log(f"❌ S3 Object missing permanently after retries.", 'ERROR')
                    raise
            log(f"❌ S3 Download Error: {e}", 'ERROR')
            raise
        except Exception as e:
            log(f"❌ S3 Download Error: {e}", 'ERROR')
            raise
    def mark_as_processed(
        self, 
        domain: str, 
        message_id: str, 
        worker_name: str, 
        invalid_inboxes: Optional[List[str]] = None
    ):
        """Mark email as successfully delivered"""
        bucket = domain_to_bucket_name(domain)
        try:
            head = self.client.head_object(Bucket=bucket, Key=message_id)
            metadata = head.get('Metadata', {}) or {}
            metadata['processed'] = 'true'
            metadata['processed_at'] = str(int(time.time()))
            metadata['processed_by'] = worker_name
            metadata['status'] = 'delivered'
            metadata.pop('processing_started', None)
            metadata.pop('queued_at', None)
            if invalid_inboxes:
                metadata['invalid_inboxes'] = ','.join(invalid_inboxes)
                log(f"⚠ Invalid inboxes recorded: {', '.join(invalid_inboxes)}", 'WARNING', worker_name)
            self.client.copy_object(
                Bucket=bucket,
                Key=message_id,
                CopySource={'Bucket': bucket, 'Key': message_id},
                Metadata=metadata,
                MetadataDirective='REPLACE'
            )
        except Exception as e:
            log(f"Failed to mark as processed: {e}", 'WARNING', worker_name)
    def mark_as_all_invalid(
        self, 
        domain: str, 
        message_id: str, 
        invalid_inboxes: List[str], 
        worker_name: str
    ):
        """Mark email as failed because all recipients are invalid"""
        bucket = domain_to_bucket_name(domain)
        try:
            head = self.client.head_object(Bucket=bucket, Key=message_id)
            metadata = head.get('Metadata', {}) or {}
            metadata['processed'] = 'true'
            metadata['processed_at'] = str(int(time.time()))
            metadata['processed_by'] = worker_name
            metadata['status'] = 'failed'
            metadata['error'] = 'All recipients are invalid (mailboxes do not exist)'
            metadata['invalid_inboxes'] = ','.join(invalid_inboxes)
            metadata.pop('processing_started', None)
            metadata.pop('queued_at', None)
            self.client.copy_object(
                Bucket=bucket,
                Key=message_id,
                CopySource={'Bucket': bucket, 'Key': message_id},
                Metadata=metadata,
                MetadataDirective='REPLACE'
            )
        except Exception as e:
            log(f"Failed to mark as all invalid: {e}", 'WARNING', worker_name)
    def mark_as_blocked(
        self,
        domain: str,
        message_id: str,
        blocked_recipients: List[str],
        sender: str,
        worker_name: str
    ):
        """
        Mark email as blocked by sender blacklist
        This sets metadata BEFORE deletion for audit trail
        """
        bucket = domain_to_bucket_name(domain)
        try:
            head = self.client.head_object(Bucket=bucket, Key=message_id)
            metadata = head.get('Metadata', {}) or {}
            metadata['processed'] = 'true'
            metadata['processed_at'] = str(int(time.time()))
            metadata['processed_by'] = worker_name
            metadata['status'] = 'blocked'
            metadata['blocked_recipients'] = ','.join(blocked_recipients)
            metadata['blocked_sender'] = sender
            metadata.pop('processing_started', None)
            metadata.pop('queued_at', None)
            self.client.copy_object(
                Bucket=bucket,
                Key=message_id,
                CopySource={'Bucket': bucket, 'Key': message_id},
                Metadata=metadata,
                MetadataDirective='REPLACE'
            )
            log(f"✓ Marked as blocked in S3 metadata", 'INFO', worker_name)
        except Exception as e:
            log(f"⚠ Failed to mark as blocked: {e}", 'ERROR', worker_name)
            raise
    def delete_blocked_email(
        self,
        domain: str,
        message_id: str,
        worker_name: str
    ):
        """
        Delete email after marking as blocked
        Only call this after mark_as_blocked() succeeded
        """
        bucket = domain_to_bucket_name(domain)
        try:
            self.client.delete_object(Bucket=bucket, Key=message_id)
            log(f"🗑 Deleted blocked email from S3", 'SUCCESS', worker_name)
        except Exception as e:
            log(f"⚠ Failed to delete blocked email: {e}", 'ERROR', worker_name)
            raise
--- a/email-worker/aws/ses_handler.py
+++ b/email-worker/aws/ses_handler.py
@@ -1,53 +0,0 @@
 #!/usr/bin/env python3
 """
 SES operations handler
 """
 import boto3
 from botocore.exceptions import ClientError
 from logger import log
 from config import config
 class SESHandler:
    """Handles all SES operations"""
    def __init__(self):
        self.client = boto3.client('ses', region_name=config.aws_region)
    def send_raw_email(
        self, 
        source: str, 
        destination: str, 
        raw_message: bytes,
        worker_name: str
    ) -> bool:
        """
        Send raw email via SES
        Args:
            source: From address
            destination: To address
            raw_message: Raw MIME message bytes
            worker_name: Worker name for logging
        Returns:
            True if sent successfully, False otherwise
        """
        try:
            self.client.send_raw_email(
                Source=source,
                Destinations=[destination],
                RawMessage={'Data': raw_message}
            )
            return True
        except ClientError as e:
            error_code = e.response['Error']['Code']
            log(f"⚠ SES send failed to {destination} ({error_code}): {e}", 'ERROR', worker_name)
            return False
        except Exception as e:
            log(f"⚠ SES send failed to {destination}: {e}", 'ERROR', worker_name)
            return False
--- a/email-worker/aws/sqs_handler.py
+++ b/email-worker/aws/sqs_handler.py
@@ -1,103 +0,0 @@
 #!/usr/bin/env python3
 """
 SQS operations handler
 """
 from typing import Optional, List, Dict, Any
 import boto3
 from botocore.exceptions import ClientError
 from logger import log
 from config import config, domain_to_queue_name
 class SQSHandler:
    """Handles all SQS operations"""
    def __init__(self):
        self.client = boto3.client('sqs', region_name=config.aws_region)
    def get_queue_url(self, domain: str) -> Optional[str]:
        """
        Get SQS queue URL for domain
        Args:
            domain: Email domain
        Returns:
            Queue URL or None if not found
        """
        queue_name = domain_to_queue_name(domain)
        try:
            response = self.client.get_queue_url(QueueName=queue_name)
            return response['QueueUrl']
        except ClientError as e:
            if e.response['Error']['Code'] == 'AWS.SimpleQueueService.NonExistentQueue':
                log(f"Queue not found for domain: {domain}", 'WARNING')
            else:
                log(f"Error getting queue URL for {domain}: {e}", 'ERROR')
            return None
    def receive_messages(self, queue_url: str) -> List[Dict[str, Any]]:
        """
        Receive messages from queue
        Args:
            queue_url: SQS Queue URL
        Returns:
            List of message dictionaries
        """
        try:
            response = self.client.receive_message(
                QueueUrl=queue_url,
                MaxNumberOfMessages=config.max_messages,
                WaitTimeSeconds=config.poll_interval,
                VisibilityTimeout=config.visibility_timeout,
                AttributeNames=['ApproximateReceiveCount', 'SentTimestamp']
            )
            return response.get('Messages', [])
        except Exception as e:
            log(f"Error receiving messages: {e}", 'ERROR')
            return []
    def delete_message(self, queue_url: str, receipt_handle: str):
        """
        Delete message from queue
        Args:
            queue_url: SQS Queue URL
            receipt_handle: Message receipt handle
        """
        try:
            self.client.delete_message(
                QueueUrl=queue_url,
                ReceiptHandle=receipt_handle
            )
        except Exception as e:
            log(f"Error deleting message: {e}", 'ERROR')
            raise
    def get_queue_size(self, queue_url: str) -> int:
        """
        Get approximate number of messages in queue
        Args:
            queue_url: SQS Queue URL
        Returns:
            Number of messages (0 if error)
        """
        try:
            attrs = self.client.get_queue_attributes(
                QueueUrl=queue_url,
                AttributeNames=['ApproximateNumberOfMessages']
            )
            return int(attrs['Attributes'].get('ApproximateNumberOfMessages', 0))
        except Exception:
            return 0
--- a/email-worker/config.py
+++ b/email-worker/config.py
@@ -1,100 +0,0 @@
 #!/usr/bin/env python3
 """
 Configuration management for unified email worker
 """
 import os
 from dataclasses import dataclass
 from typing import Set
@dataclass
 class Config:
    """Worker Configuration"""
    # AWS
    aws_region: str = os.environ.get('AWS_REGION', 'us-east-2')
    # Domains to process
    domains_list: str = os.environ.get('DOMAINS', '')
    domains_file: str = os.environ.get('DOMAINS_FILE', '/etc/email-worker/domains.txt')
    # Worker Settings
    worker_threads: int = int(os.environ.get('WORKER_THREADS', '10'))
    poll_interval: int = int(os.environ.get('POLL_INTERVAL', '20'))
    max_messages: int = int(os.environ.get('MAX_MESSAGES', '10'))
    visibility_timeout: int = int(os.environ.get('VISIBILITY_TIMEOUT', '300'))
    # SMTP for delivery
    smtp_host: str = os.environ.get('SMTP_HOST', 'localhost')
    smtp_port: int = int(os.environ.get('SMTP_PORT', '25'))
    smtp_use_tls: bool = os.environ.get('SMTP_USE_TLS', 'false').lower() == 'true'
    smtp_user: str = os.environ.get('SMTP_USER', '')
    smtp_pass: str = os.environ.get('SMTP_PASS', '')
    smtp_pool_size: int = int(os.environ.get('SMTP_POOL_SIZE', '5'))
    # Internal SMTP (bypasses transport_maps)
    internal_smtp_port: int = int(os.environ.get('INTERNAL_SMTP_PORT', '2525'))
    # LMTP for local delivery (bypasses Postfix transport_maps)
    lmtp_enabled: bool = os.environ.get('LMTP_ENABLED', 'false').lower() == 'true'
    lmtp_host: str = os.environ.get('LMTP_HOST', 'localhost')
    lmtp_port: int = int(os.environ.get('LMTP_PORT', '24'))
    # DynamoDB Tables
    rules_table: str = os.environ.get('DYNAMODB_RULES_TABLE', 'email-rules')
    messages_table: str = os.environ.get('DYNAMODB_MESSAGES_TABLE', 'ses-outbound-messages')
    blocked_table: str = os.environ.get('DYNAMODB_BLOCKED_TABLE', 'email-blocked-senders')
    # Bounce Handling
    bounce_lookup_retries: int = int(os.environ.get('BOUNCE_LOOKUP_RETRIES', '3'))
    bounce_lookup_delay: float = float(os.environ.get('BOUNCE_LOOKUP_DELAY', '1.0'))
    # Monitoring
    metrics_port: int = int(os.environ.get('METRICS_PORT', '8000'))
    health_port: int = int(os.environ.get('HEALTH_PORT', '8080'))
 # Global configuration instance
 config = Config()
 # Global set of managed domains (populated at startup)
 MANAGED_DOMAINS: Set[str] = set()
 def load_domains() -> list[str]:
    """Load domains from config and populate MANAGED_DOMAINS global"""
    global MANAGED_DOMAINS
    domains = []
    if config.domains_list:
        domains.extend([d.strip() for d in config.domains_list.split(',') if d.strip()])
    if os.path.exists(config.domains_file):
        with open(config.domains_file, 'r') as f:
            for line in f:
                domain = line.strip()
                if domain and not domain.startswith('#'):
                    domains.append(domain)
    domains = list(set(domains))
    MANAGED_DOMAINS = set(d.lower() for d in domains)
    return domains
 def is_internal_address(email_address: str) -> bool:
    """Check if email address belongs to one of our managed domains"""
    if '@' not in email_address:
        return False
    domain = email_address.split('@')[1].lower()
    return domain in MANAGED_DOMAINS
 def domain_to_queue_name(domain: str) -> str:
    """Convert domain to SQS queue name"""
    return domain.replace('.', '-') + '-queue'
 def domain_to_bucket_name(domain: str) -> str:
    """Convert domain to S3 bucket name"""
    return domain.replace('.', '-') + '-emails'
--- a/email-worker/docker-compose.yml
+++ b/email-worker/docker-compose.yml
@@ -1,85 +0,0 @@
 services:
  unified-worker:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: unified-email-worker
    restart: unless-stopped
    network_mode: host  # Für lokalen SMTP-Zugriff
    volumes:
      # Domain-Liste (eine Domain pro Zeile)
      - ./domains.txt:/etc/email-worker/domains.txt:ro
      # Logs
      - ./logs:/var/log/email-worker
    environment:
      # AWS Credentials
      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
      - AWS_REGION=us-east-2
      # Domains via File (domains.txt)
      - DOMAINS_FILE=/etc/email-worker/domains.txt
      # Alternative: Domains direkt als Liste
      # - DOMAINS=andreasknuth.de,bayarea-cc.com,bizmatch.net
      # Worker Settings
      - WORKER_THREADS=${WORKER_THREADS:-10}
      - POLL_INTERVAL=${POLL_INTERVAL:-20}
      - MAX_MESSAGES=${MAX_MESSAGES:-10}
      - VISIBILITY_TIMEOUT=${VISIBILITY_TIMEOUT:-300}
      # SMTP (lokal zum DMS)
      - SMTP_HOST=${SMTP_HOST:-localhost}
      - SMTP_PORT=${SMTP_PORT:-25}
      - SMTP_POOL_SIZE=${SMTP_POOL_SIZE:-5}
      - SMTP_USE_TLS=false
      # Internal SMTP Port (bypasses transport_maps)
      - INTERNAL_SMTP_PORT=25
      # LMTP (Optional - für direktes Dovecot Delivery)
      - LMTP_ENABLED=${LMTP_ENABLED:-false}
      - LMTP_HOST=${LMTP_HOST:-localhost}
      - LMTP_PORT=${LMTP_PORT:-24}
      # DynamoDB Tables
      - DYNAMODB_RULES_TABLE=${DYNAMODB_RULES_TABLE:-email-rules}
      - DYNAMODB_MESSAGES_TABLE=${DYNAMODB_MESSAGES_TABLE:-ses-outbound-messages}
      - DYNAMODB_BLOCKED_TABLE=${DYNAMODB_BLOCKED_TABLE:-email-blocked-senders}
      # Bounce Handling
      - BOUNCE_LOOKUP_RETRIES=${BOUNCE_LOOKUP_RETRIES:-3}
      - BOUNCE_LOOKUP_DELAY=${BOUNCE_LOOKUP_DELAY:-1.0}
      # Monitoring
      - METRICS_PORT=8000
      - HEALTH_PORT=8080
    ports:
      # Prometheus Metrics
      - "8000:8000"
      # Health Check
      - "8080:8080"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
    logging:
      driver: "json-file"
      options:
        max-size: "50m"
        max-file: "10"
    deploy:
      resources:
        limits:
          memory: 512M
        reservations:
          memory: 256M
--- a/email-worker/docs/ARCHITECTURE.md
+++ b/email-worker/docs/ARCHITECTURE.md
@@ -1,381 +0,0 @@
 # Architecture Documentation
 ## 📐 System Overview
 ```
 ┌─────────────────────────────────────────────────────────────────────┐
 │                         AWS Cloud Services                          │
 ├─────────────────────────────────────────────────────────────────────┤
 │                                                                     │
 │  ┌──────────┐     ┌──────────┐     ┌──────────┐                   │
 │  │   SQS    │────▶│    S3    │     │   SES    │                   │
 │  │  Queues  │     │ Buckets  │     │ Sending  │                   │
 │  └──────────┘     └──────────┘     └──────────┘                   │
 │       │                 │                 │                         │
 │       │                 │                 │                         │
 │  ┌────▼─────────────────▼─────────────────▼───────────────┐       │
 │  │              DynamoDB Tables                            │       │
 │  │  • email-rules (OOO, Forwarding)                       │       │
 │  │  • ses-outbound-messages (Bounce Tracking)              │       │
 │  │  • email-blocked-senders (Blocklist)                    │       │
 │  └─────────────────────────────────────────────────────────┘       │
 │                                                                     │
 └─────────────────────────────────────────────────────────────────────┘
                              │
                              │ Polling & Processing
                              ▼
 ┌─────────────────────────────────────────────────────────────────────┐
 │                      Unified Email Worker                           │
 ├─────────────────────────────────────────────────────────────────────┤
 │                                                                     │
 │  ┌─────────────────────────────────────────────────────────┐      │
 │  │              Main Thread (unified_worker.py)            │      │
 │  │  • Coordination                                         │      │
 │  │  • Status Monitoring                                    │      │
 │  │  • Signal Handling                                      │      │
 │  └────────────┬────────────────────────────────────────────┘      │
 │               │                                                     │
 │               ├──▶ Domain Poller Thread 1 (example.com)           │
 │               ├──▶ Domain Poller Thread 2 (another.com)           │
 │               ├──▶ Domain Poller Thread 3 (...)                   │
 │               ├──▶ Health Server Thread (port 8080)               │
 │               └──▶ Metrics Server Thread (port 8000)              │
 │                                                                     │
 │  ┌──────────────────────────────────────────────────────┐         │
 │  │         SMTP Connection Pool                         │         │
 │  │  • Connection Reuse                                  │         │
 │  │  • Health Checks                                     │         │
 │  │  • Auto-reconnect                                    │         │
 │  └──────────────────────────────────────────────────────┘         │
 │                                                                     │
 └─────────────────────────────────────────────────────────────────────┘
                              │
                              │ SMTP/LMTP Delivery
                              ▼
 ┌─────────────────────────────────────────────────────────────────────┐
 │                      Mail Server (Docker Mailserver)                │
 ├─────────────────────────────────────────────────────────────────────┤
 │                                                                     │
 │  Port 25   (SMTP - from pool)                                      │
 │  Port 2525 (SMTP - internal delivery, bypasses transport_maps)     │
 │  Port 24   (LMTP - direct to Dovecot, bypasses Postfix)            │
 │                                                                     │
 └─────────────────────────────────────────────────────────────────────┘
 ```
 ## 🔄 Message Flow
 ### 1. Email Reception
 ```
 1. SES receives email
 2. SES stores in S3 bucket (domain-emails/)
 3. SES publishes SNS notification
 4. SNS enqueues message to SQS (domain-queue)
 ```
 ### 2. Worker Processing
 ```
 ┌─────────────────────────────────────────────────────────────┐
 │ Domain Poller (domain_poller.py)                            │
 └─────────────────────────────────────────────────────────────┘
                    │
                    ▼
 ┌─────────────────────────────────────────────────────────────┐
 │ 1. Poll SQS Queue (20s long poll)                           │
 │    • Receive up to 10 messages                              │
 │    • Extract SES notification from SNS wrapper              │
 └─────────────────────────────────────────────────────────────┘
                    │
                    ▼
 ┌─────────────────────────────────────────────────────────────┐
 │ 2. Download from S3 (s3_handler.py)                         │
 │    • Get raw email bytes                                    │
 │    • Handle retry if not found yet                          │
 └─────────────────────────────────────────────────────────────┘
                    │
                    ▼
 ┌─────────────────────────────────────────────────────────────┐
 │ 3. Parse Email (parser.py)                                  │
 │    • Parse MIME structure                                   │
 │    • Extract headers, body, attachments                     │
 │    • Check for loop prevention marker                       │
 └─────────────────────────────────────────────────────────────┘
                    │
                    ▼
 ┌─────────────────────────────────────────────────────────────┐
 │ 4. Bounce Detection (bounce_handler.py)                     │
 │    • Check if from mailer-daemon@amazonses.com              │
 │    • Lookup original sender in DynamoDB                     │
 │    • Rewrite From/Reply-To headers                          │
 └─────────────────────────────────────────────────────────────┘
                    │
                    ▼
 ┌─────────────────────────────────────────────────────────────┐
 │ 5. Blocklist Check (blocklist.py)                           │
 │    • Batch lookup blocked patterns for all recipients       │
 │    • Check sender against wildcard patterns                 │
 │    • Mark blocked recipients                                │
 └─────────────────────────────────────────────────────────────┘
                    │
                    ▼
 ┌─────────────────────────────────────────────────────────────┐
 │ 6. Process Rules for Each Recipient (rules_processor.py)    │
 │    ├─▶ Auto-Reply (OOO)                                     │
 │    │   • Check if ooo_active = true                         │
 │    │   • Don't reply to auto-submitted messages             │
 │    │   • Create reply with original message quoted          │
 │    │   • Send via SES (external) or Port 2525 (internal)    │
 │    │                                                         │
 │    └─▶ Forwarding                                           │
 │        • Get forward addresses from rule                    │
 │        • Create forward with FWD: prefix                    │
 │        • Preserve attachments                               │
 │        • Send via SES (external) or Port 2525 (internal)    │
 └─────────────────────────────────────────────────────────────┘
                    │
                    ▼
 ┌─────────────────────────────────────────────────────────────┐
 │ 7. SMTP Delivery (delivery.py)                              │
 │    • Get connection from pool                               │
 │    • Send to each recipient (not blocked)                   │
 │    • Track success/permanent/temporary failures             │
 │    • Return connection to pool                              │
 └─────────────────────────────────────────────────────────────┘
                    │
                    ▼
 ┌─────────────────────────────────────────────────────────────┐
 │ 8. Update S3 Metadata (s3_handler.py)                       │
 │    ├─▶ All Blocked: mark_as_blocked() + delete()            │
 │    ├─▶ Some Success: mark_as_processed()                    │
 │    └─▶ All Invalid: mark_as_all_invalid()                   │
 └─────────────────────────────────────────────────────────────┘
                    │
                    ▼
 ┌─────────────────────────────────────────────────────────────┐
 │ 9. Delete from Queue                                        │
 │    • Success or permanent failure → delete                  │
 │    • Temporary failure → keep in queue (retry)              │
 └─────────────────────────────────────────────────────────────┘
 ```
 ## 🧩 Component Details
 ### AWS Handlers (`aws/`)
 #### `s3_handler.py`
 - **Purpose**: All S3 operations
 - **Key Methods**:
  - `get_email()`: Download with retry logic
  - `mark_as_processed()`: Update metadata on success
  - `mark_as_all_invalid()`: Update metadata on permanent failure
  - `mark_as_blocked()`: Set metadata before deletion
  - `delete_blocked_email()`: Delete after marking
 #### `sqs_handler.py`
 - **Purpose**: Queue operations
 - **Key Methods**:
  - `get_queue_url()`: Resolve domain to queue
  - `receive_messages()`: Long poll with attributes
  - `delete_message()`: Remove after processing
  - `get_queue_size()`: For metrics
 #### `ses_handler.py`
 - **Purpose**: Send emails via SES
 - **Key Methods**:
  - `send_raw_email()`: Send raw MIME message
 #### `dynamodb_handler.py`
 - **Purpose**: All DynamoDB operations
 - **Key Methods**:
  - `get_email_rules()`: OOO and forwarding rules
  - `get_bounce_info()`: Bounce lookup with retry
  - `get_blocked_patterns()`: Single recipient
  - `batch_get_blocked_patterns()`: Multiple recipients (efficient!)
 ### Email Processors (`email_processing/`)
 #### `parser.py`
 - **Purpose**: Email parsing utilities
 - **Key Methods**:
  - `parse_bytes()`: Parse raw email
  - `extract_body_parts()`: Get text/html bodies
  - `is_processed_by_worker()`: Loop detection
 #### `bounce_handler.py`
 - **Purpose**: Bounce detection and rewriting
 - **Key Methods**:
  - `is_ses_bounce_notification()`: Detect MAILER-DAEMON
  - `apply_bounce_logic()`: Rewrite headers
 #### `blocklist.py`
 - **Purpose**: Sender blocking with wildcards
 - **Key Methods**:
  - `is_sender_blocked()`: Single check
  - `batch_check_blocked_senders()`: Batch check (preferred!)
 - **Wildcard Support**: Uses `fnmatch` for patterns like `*@spam.com`
 #### `rules_processor.py`
 - **Purpose**: OOO and forwarding logic
 - **Key Methods**:
  - `process_rules_for_recipient()`: Main entry point
  - `_handle_ooo()`: Auto-reply logic
  - `_handle_forwards()`: Forwarding logic
  - `_create_ooo_reply()`: Build OOO message
  - `_create_forward_message()`: Build forward with attachments
 ### SMTP Components (`smtp/`)
 #### `pool.py`
 - **Purpose**: Connection pooling
 - **Features**:
  - Lazy initialization
  - Health checks (NOOP)
  - Auto-reconnect on stale connections
  - Thread-safe queue
 #### `delivery.py`
 - **Purpose**: Actual email delivery
 - **Features**:
  - SMTP or LMTP support
  - Retry logic for connection errors
  - Permanent vs temporary failure detection
  - Connection pool integration
 ### Monitoring (`metrics/`)
 #### `prometheus.py`
 - **Purpose**: Metrics collection
 - **Metrics**:
  - Counters: processed, bounces, autoreplies, forwards, blocked
  - Gauges: in_flight, queue_size
  - Histograms: processing_time
 ## 🔐 Security Features
 ### 1. Domain Validation
 Each worker only processes messages for its assigned domains:
 ```python
 if recipient_domain.lower() != domain.lower():
    log("Security: Ignored message for wrong domain")
    return True  # Delete from queue
 ```
 ### 2. Loop Prevention
 Detects already-processed emails:
 ```python
 if parsed.get('X-SES-Worker-Processed'):
    log("Loop prevention: Already processed")
    skip_rules = True
 ```
 ### 3. Blocklist Wildcards
 Supports flexible patterns:
 ```python
 blocked_patterns = [
    "*@spam.com",           # Any user at spam.com
    "noreply@*.com",        # noreply at any .com
    "newsletter@example.*"  # newsletter at any example TLD
 ]
 ```
 ### 4. Internal vs External Routing
 Prevents SES loops for internal forwards:
 ```python
 if is_internal_address(forward_to):
    # Direct SMTP to port 2525 (bypasses transport_maps)
    send_internal_email(...)
 else:
    # Send via SES
    ses.send_raw_email(...)
 ```
 ## 📊 Data Flow Diagrams
 ### Bounce Rewriting Flow
 ```
 SES Bounce → Worker → DynamoDB Lookup → Header Rewrite → Delivery
             ↓
         Message-ID
             ↓
    ses-outbound-messages
         {MessageId: "abc",
          original_source: "real@sender.com",
          bouncedRecipients: ["failed@domain.com"]}
             ↓
    Rewrite From: mailer-daemon@amazonses.com
                → failed@domain.com
 ```
 ### Blocklist Check Flow
 ```
 Incoming Email → Batch DynamoDB Call → Pattern Matching → Decision
   ↓                     ↓                    ↓              ↓
 sender@spam.com    Get patterns for      fnmatch()      Block/Allow
                   all recipients      "*@spam.com"
                                         matches!
 ```
 ## ⚡ Performance Optimizations
 ### 1. Batch DynamoDB Calls
 ```python
 # ❌ Old way: N calls for N recipients
 for recipient in recipients:
    patterns = dynamodb.get_blocked_patterns(recipient)
 # ✅ New way: 1 call for N recipients
 patterns_by_recipient = dynamodb.batch_get_blocked_patterns(recipients)
 ```
 ### 2. Connection Pooling
 ```python
 # ❌ Old way: New connection per email
 conn = smtplib.SMTP(host, port)
 conn.sendmail(...)
 conn.quit()
 # ✅ New way: Reuse connections
 conn = pool.get_connection()  # Reuses existing
 conn.sendmail(...)
 pool.return_connection(conn)  # Returns to pool
 ```
 ### 3. Parallel Domain Processing
 ```
 Domain 1 Thread ──▶ Process 10 emails/poll
 Domain 2 Thread ──▶ Process 10 emails/poll
 Domain 3 Thread ──▶ Process 10 emails/poll
                    (All in parallel!)
 ```
 ## 🔄 Error Handling Strategy
 ### Retry Logic
 - **Temporary Errors**: Keep in queue, retry (visibility timeout)
 - **Permanent Errors**: Mark in S3, delete from queue
 - **S3 Not Found**: Retry up to 5 times (eventual consistency)
 ### Connection Failures
 ```python
 for attempt in range(max_retries):
    try:
        conn.sendmail(...)
        return True
    except SMTPServerDisconnected:
        log("Connection lost, retrying...")
        time.sleep(0.3)
        continue  # Try again
 ```
 ### Audit Trail
 All actions recorded in S3 metadata:
 ```json
 {
  "processed": "true",
  "processed_at": "1706000000",
  "processed_by": "worker-example.com",
  "status": "delivered",
  "invalid_inboxes": "baduser@example.com",
  "blocked_sender": "spam@bad.com"
 }
 ```
--- a/email-worker/docs/CHANGELOG.md
+++ b/email-worker/docs/CHANGELOG.md
@@ -1,37 +0,0 @@
 # Changelog
 ## v1.0.1 - 2025-01-23
 ### Fixed
 - **CRITICAL:** Renamed `email/` directory to `email_processing/` to avoid namespace conflict with Python's built-in `email` module
  - This fixes the `ImportError: cannot import name 'BytesParser' from partially initialized module 'email.parser'` error
  - All imports updated accordingly
  - No functional changes, only namespace fix
 ### Changed
 - Updated all documentation to reflect new directory name
 - Updated Dockerfile to copy `email_processing/` instead of `email/`
 ## v1.0.0 - 2025-01-23
 ### Added
 - Modular architecture (27 files vs 1 monolith)
 - Batch DynamoDB operations (10x performance improvement)
 - Sender blocklist with wildcard support
 - LMTP direct delivery support
 - Enhanced metrics and monitoring
 - Comprehensive documentation (6 MD files)
 ### Fixed
 - `signal.SIGINT` typo (was `signalIGINT`)
 - Missing S3 metadata audit trail for blocked emails
 - Inefficient DynamoDB calls (N calls → 1 batch call)
 - S3 delete error handling (proper retry logic)
 ### Documentation
 - README.md - Full feature documentation
 - QUICKSTART.md - Quick deployment guide for your setup
 - ARCHITECTURE.md - Detailed system architecture
 - MIGRATION.md - Migration from monolith
 - COMPATIBILITY.md - 100% compatibility proof
 - SUMMARY.md - All improvements overview
--- a/email-worker/docs/COMPATIBILITY.md
+++ b/email-worker/docs/COMPATIBILITY.md
@@ -1,311 +0,0 @@
 # Kompatibilität mit bestehendem Setup
 ## ✅ 100% Kompatibel
 Die modulare Version ist **vollständig kompatibel** mit deinem bestehenden Setup:
 ### 1. Dockerfile
 - ✅ Gleicher Base Image: `python:3.11-slim`
 - ✅ Gleicher User: `worker` (UID 1000)
 - ✅ Gleiche Verzeichnisse: `/app`, `/var/log/email-worker`, `/etc/email-worker`
 - ✅ Gleicher Health Check: `curl http://localhost:8080/health`
 - ✅ Gleiche Labels: `maintainer`, `description`
 - **Änderung:** Kopiert nun mehrere Module statt einer Datei
 ### 2. docker-compose.yml
 - ✅ Gleicher Container Name: `unified-email-worker`
 - ✅ Gleicher Network Mode: `host`
 - ✅ Gleiche Volumes: `domains.txt`, `logs/`
 - ✅ Gleiche Ports: `8000`, `8080`
 - ✅ Gleiche Environment Variables
 - ✅ Gleiche Resource Limits: 512M / 256M
 - ✅ Gleiche Logging Config: 50M / 10 files
 - **Neu:** Zusätzliche optionale Env Vars (abwärtskompatibel)
 ### 3. requirements.txt
 - ✅ Gleiche Dependencies: `boto3`, `prometheus-client`
 - ✅ Aktualisierte Versionen (>=1.34.0 statt >=1.26.0)
 - **Kompatibel:** Alte Version funktioniert auch, neue ist empfohlen
 ### 4. domains.txt
 - ✅ Gleiches Format: Eine Domain pro Zeile
 - ✅ Kommentare mit `#` funktionieren
 - ✅ Gleiche Location: `/etc/email-worker/domains.txt`
 - **Keine Änderung nötig**
 ## 🔄 Was ist neu/anders?
 ### Dateistruktur
 **Alt:**
 ```
 /
 ├── Dockerfile
 ├── docker-compose.yml
 ├── requirements.txt
 ├── domains.txt
 └── unified_worker.py  (800+ Zeilen)
 ```
 **Neu:**
 ```
 /
 ├── Dockerfile
 ├── docker-compose.yml
 ├── requirements.txt
 ├── domains.txt
 ├── main.py                    # Entry Point
 ├── config.py                  # Konfiguration
 ├── logger.py                  # Logging
 ├── worker.py                  # Message Processing
 ├── unified_worker.py          # Worker Coordinator
 ├── domain_poller.py          # Queue Polling
 ├── health_server.py          # Health Check Server
 ├── aws/
 │   ├── s3_handler.py
 │   ├── sqs_handler.py
 │   ├── ses_handler.py
 │   └── dynamodb_handler.py
 ├── email_processing/
 │   ├── parser.py
 │   ├── bounce_handler.py
 │   ├── blocklist.py
 │   └── rules_processor.py
 ├── smtp/
 │   ├── pool.py
 │   └── delivery.py
 └── metrics/
    └── prometheus.py
 ```
 ### Neue optionale Umgebungsvariablen
 Diese sind **optional** und haben sinnvolle Defaults:
 ```bash
 # Internal SMTP Port (neu)
 INTERNAL_SMTP_PORT=2525         # Default: 2525
 # LMTP Support (neu)
 LMTP_ENABLED=false              # Default: false
 LMTP_HOST=localhost             # Default: localhost
 LMTP_PORT=24                    # Default: 24
 # Blocklist Table (neu)
 DYNAMODB_BLOCKED_TABLE=email-blocked-senders  # Default: email-blocked-senders
 ```
 **Wichtig:** Wenn du diese nicht setzt, funktioniert alles wie vorher!
 ## 🚀 Deployment
 ### Option 1: Drop-In Replacement
 ```bash
 # Alte Dateien sichern
 cp unified_worker.py unified_worker.py.backup
 cp Dockerfile Dockerfile.backup
 cp docker-compose.yml docker-compose.yml.backup
 # Neue Dateien entpacken
 tar -xzf email-worker-modular.tar.gz
 cd email-worker/
 # domains.txt und .env anpassen (falls nötig)
 # Dann normal deployen:
 docker-compose build
 docker-compose up -d
 ```
 ### Option 2: Side-by-Side (Empfohlen)
 ```bash
 # Altes Setup bleibt in /opt/email-worker-old
 # Neues Setup in /opt/email-worker
 # Neue Version entpacken
 cd /opt
 tar -xzf email-worker-modular.tar.gz
 mv email-worker email-worker-new
 # Container Namen unterscheiden:
 # In docker-compose.yml:
 container_name: unified-email-worker-new
 # Starten
 cd email-worker-new
 docker-compose up -d
 # Parallel laufen lassen (24h Test)
 # Dann alte Version stoppen, neue umbenennen
 ```
 ## 🔍 Verifikation der Kompatibilität
 ### 1. Environment Variables
 Alle deine bestehenden Env Vars funktionieren:
 ```bash
 # Deine bisherigen Vars (alle kompatibel)
 AWS_ACCESS_KEY_ID          ✅
 AWS_SECRET_ACCESS_KEY      ✅
 AWS_REGION                 ✅
 WORKER_THREADS             ✅
 POLL_INTERVAL              ✅
 MAX_MESSAGES               ✅
 VISIBILITY_TIMEOUT         ✅
 SMTP_HOST                  ✅
 SMTP_PORT                  ✅
 SMTP_POOL_SIZE             ✅
 METRICS_PORT               ✅
 HEALTH_PORT                ✅
 ```
 ### 2. DynamoDB Tables
 Bestehende Tables funktionieren ohne Änderung:
 ```bash
 # Bounce Tracking (bereits vorhanden)
 ses-outbound-messages      ✅
 # Email Rules (bereits vorhanden?)
 email-rules                ✅
 # Blocklist (neu, optional)
 email-blocked-senders      🆕 Optional
 ```
 ### 3. API Endpoints
 Gleiche Endpoints wie vorher:
 ```bash
 # Health Check
 GET http://localhost:8080/health       ✅ Gleiche Response
 # Domains List
 GET http://localhost:8080/domains      ✅ Gleiche Response
 # Prometheus Metrics
 GET http://localhost:8000/metrics      ✅ Kompatibel + neue Metrics
 ```
 ### 4. Logging
 Gleiches Format, gleiche Location:
 ```bash
 # Logs in Container
 /var/log/email-worker/     ✅ Gleich
 # Log Format
 [timestamp] [LEVEL] [worker-name] [thread] message    ✅ Gleich
 ```
 ### 5. S3 Metadata
 Gleiches Schema, volle Kompatibilität:
 ```json
 {
  "processed": "true",
  "processed_at": "1706000000",
  "processed_by": "worker-andreasknuth-de",
  "status": "delivered",
  "invalid_inboxes": "..."
 }
 ```
 **Neu:** Zusätzliche Metadata bei blockierten Emails:
 ```json
 {
  "status": "blocked",
  "blocked_sender": "spam@bad.com",
  "blocked_recipients": "user@andreasknuth.de"
 }
 ```
 ## ⚠️ Breaking Changes
 **KEINE!** Die modulare Version ist 100% abwärtskompatibel.
 Die einzigen Unterschiede sind:
 1. ✅ **Mehr Dateien** statt einer (aber gleiches Verhalten)
 2. ✅ **Neue optionale Features** (müssen nicht genutzt werden)
 3. ✅ **Bessere Performance** (durch Batch-Calls)
 4. ✅ **Mehr Metrics** (zusätzliche, alte bleiben)
 ## 🧪 Testing Checklist
 Nach Deployment prüfen:
 ```bash
 # 1. Container läuft
 docker ps | grep unified-email-worker
 ✅ Status: Up
 # 2. Health Check
 curl http://localhost:8080/health | jq
 ✅ "status": "healthy"
 # 3. Domains geladen
 curl http://localhost:8080/domains
 ✅ ["andreasknuth.de"]
 # 4. Logs ohne Fehler
 docker-compose logs | grep ERROR
 ✅ Keine kritischen Fehler
 # 5. Test Email senden
 # Email via SES senden
 ✅ Wird zugestellt
 # 6. Metrics verfügbar
 curl http://localhost:8000/metrics | grep emails_processed
 ✅ Metrics werden erfasst
 ```
 ## 💡 Empfohlener Rollout-Plan
 ### Phase 1: Testing (1-2 Tage)
 - Neuen Container parallel zum alten starten
 - Nur 1 Test-Domain zuweisen
 - Logs monitoren
 - Performance vergleichen
 ### Phase 2: Staged Rollout (3-7 Tage)
 - 50% der Domains auf neue Version
 - Metrics vergleichen (alte vs neue)
 - Bei Problemen: Rollback auf alte Version
 ### Phase 3: Full Rollout
 - Alle Domains auf neue Version
 - Alte Version als Backup behalten (1 Woche)
 - Dann alte Version dekommissionieren
 ## 🔙 Rollback-Plan
 Falls Probleme auftreten:
 ```bash
 # 1. Neue Version stoppen
 docker-compose -f docker-compose.yml down
 # 2. Backup wiederherstellen
 cp unified_worker.py.backup unified_worker.py
 cp Dockerfile.backup Dockerfile
 cp docker-compose.yml.backup docker-compose.yml
 # 3. Alte Version starten
 docker-compose build
 docker-compose up -d
 # 4. Verifizieren
 curl http://localhost:8080/health
 ```
 **Downtime:** < 30 Sekunden (Zeit für Container Restart)
 ## ✅ Fazit
 Die modulare Version ist ein **Drop-In Replacement**:
 - Gleiche Konfiguration
 - Gleiche API
 - Gleiche Infrastruktur
 - **Bonus:** Bessere Performance, mehr Features, weniger Bugs
 Einziger Unterschied: Mehr Dateien, aber alle in einem tarball verpackt.
--- a/email-worker/docs/MIGRATION.md
+++ b/email-worker/docs/MIGRATION.md
@@ -1,366 +0,0 @@
 # Migration Guide: Monolith → Modular Architecture
 ## 🎯 Why Migrate?
 ### Problems with Monolith
 - ❌ **Single file > 800 lines** - hard to navigate
 - ❌ **Mixed responsibilities** - S3, SQS, SMTP, DynamoDB all in one place
 - ❌ **Hard to test** - can't test components in isolation
 - ❌ **Difficult to debug** - errors could be anywhere
 - ❌ **Critical bugs** - `signalIGINT` typo, missing audit trail
 - ❌ **Performance issues** - N DynamoDB calls for N recipients
 ### Benefits of Modular
 - ✅ **Separation of Concerns** - each module has one job
 - ✅ **Easy to Test** - mock S3Handler, test in isolation
 - ✅ **Better Performance** - batch DynamoDB calls
 - ✅ **Maintainable** - changes isolated to specific files
 - ✅ **Extensible** - easy to add new features
 - ✅ **Bug Fixes** - all critical bugs fixed
 ## 🔄 Migration Steps
 ### Step 1: Backup Current Setup
 ```bash
 # Backup monolith
 cp unified_worker.py unified_worker.py.backup
 # Backup any configuration
 cp .env .env.backup
 ```
 ### Step 2: Clone New Structure
 ```bash
 # Download modular version
 git clone <repo> email-worker-modular
 cd email-worker-modular
 # Copy environment variables
 cp .env.example .env
 # Edit .env with your settings
 ```
 ### Step 3: Update Configuration
 The modular version uses the SAME environment variables, so your existing `.env` should work:
 ```bash
 # No changes needed to these:
 AWS_REGION=us-east-2
 DOMAINS=example.com,another.com
 SMTP_HOST=localhost
 SMTP_PORT=25
 # ... etc
 ```
 **New variables** (optional):
 ```bash
 # For internal delivery (bypasses transport_maps)
 INTERNAL_SMTP_PORT=2525
 # For blocklist feature
 DYNAMODB_BLOCKED_TABLE=email-blocked-senders
 ```
 ### Step 4: Install Dependencies
 ```bash
 pip install -r requirements.txt
 ```
 ### Step 5: Test Locally
 ```bash
 # Run worker
 python3 main.py
 # Check health endpoint
 curl http://localhost:8080/health
 # Check metrics
 curl http://localhost:8000/metrics
 ```
 ### Step 6: Deploy
 #### Docker Deployment
 ```bash
 # Build image
 docker build -t unified-email-worker:latest .
 # Run with docker-compose
 docker-compose up -d
 # Check logs
 docker-compose logs -f email-worker
 ```
 #### Systemd Deployment
 ```bash
 # Create systemd service
 sudo nano /etc/systemd/system/email-worker.service
 ```
 ```ini
 [Unit]
 Description=Unified Email Worker
 After=network.target
 [Service]
 Type=simple
 User=worker
 WorkingDirectory=/opt/email-worker
 EnvironmentFile=/opt/email-worker/.env
 ExecStart=/usr/bin/python3 /opt/email-worker/main.py
 Restart=always
 RestartSec=10
 [Install]
 WantedBy=multi-user.target
 ```
 ```bash
 # Enable and start
 sudo systemctl enable email-worker
 sudo systemctl start email-worker
 sudo systemctl status email-worker
 ```
 ### Step 7: Monitor Migration
 ```bash
 # Watch logs
 tail -f /var/log/syslog | grep email-worker
 # Check metrics
 watch -n 5 'curl -s http://localhost:8000/metrics | grep emails_processed'
 # Monitor S3 metadata
 aws s3api head-object \
  --bucket example-com-emails \
  --key <message-id> \
  --query Metadata
 ```
 ## 🔍 Verification Checklist
 After migration, verify all features work:
 - [ ] **Email Delivery**
  ```bash
  # Send test email via SES
  # Check it arrives in mailbox
  ```
 - [ ] **Bounce Rewriting**
  ```bash
  # Trigger a bounce (send to invalid@example.com)
  # Verify bounce comes FROM the failed recipient
  ```
 - [ ] **Auto-Reply (OOO)**
  ```bash
  # Set OOO in DynamoDB:
  aws dynamodb put-item \
    --table-name email-rules \
    --item '{"email_address": {"S": "test@example.com"}, "ooo_active": {"BOOL": true}, "ooo_message": {"S": "I am away"}}'
  # Send email to test@example.com
  # Verify auto-reply received
  ```
 - [ ] **Forwarding**
  ```bash
  # Set forward rule:
  aws dynamodb put-item \
    --table-name email-rules \
    --item '{"email_address": {"S": "test@example.com"}, "forwards": {"L": [{"S": "other@example.com"}]}}'
  # Send email to test@example.com
  # Verify other@example.com receives forwarded email
  ```
 - [ ] **Blocklist**
  ```bash
  # Block sender:
  aws dynamodb put-item \
    --table-name email-blocked-senders \
    --item '{"email_address": {"S": "test@example.com"}, "blocked_patterns": {"L": [{"S": "spam@*.com"}]}}'
  # Send email from spam@bad.com to test@example.com
  # Verify email is blocked (not delivered, S3 deleted)
  ```
 - [ ] **Metrics**
  ```bash
  curl http://localhost:8000/metrics | grep emails_processed
  ```
 - [ ] **Health Check**
  ```bash
  curl http://localhost:8080/health | jq
  ```
 ## 🐛 Troubleshooting Migration Issues
 ### Issue: Worker not starting
 ```bash
 # Check Python version
 python3 --version  # Should be 3.11+
 # Check dependencies
 pip list | grep boto3
 # Check logs
 python3 main.py  # Run in foreground to see errors
 ```
 ### Issue: No emails processing
 ```bash
 # Check queue URLs
 curl http://localhost:8080/domains
 # Verify SQS permissions
 aws sqs list-queues
 # Check worker logs for errors
 tail -f /var/log/email-worker.log
 ```
 ### Issue: Bounces not rewriting
 ```bash
 # Verify DynamoDB table exists
 aws dynamodb describe-table --table-name ses-outbound-messages
 # Check if Lambda is writing bounce records
 aws dynamodb scan --table-name ses-outbound-messages --limit 5
 # Verify worker can read DynamoDB
 # (Check logs for "DynamoDB tables connected successfully")
 ```
 ### Issue: Performance degradation
 ```bash
 # Check if batch calls are used
 grep "batch_get_blocked_patterns" main.py  # Should exist in modular version
 # Monitor DynamoDB read capacity
 aws cloudwatch get-metric-statistics \
  --namespace AWS/DynamoDB \
  --metric-name ConsumedReadCapacityUnits \
  --dimensions Name=TableName,Value=email-blocked-senders \
  --start-time $(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%S) \
  --end-time $(date -u +%Y-%m-%dT%H:%M:%S) \
  --period 300 \
  --statistics Sum
 ```
 ## 📊 Comparison: Before vs After
 | Feature | Monolith | Modular | Improvement |
 |---------|----------|---------|-------------|
 | Lines of Code | 800+ in 1 file | ~150 per file | ✅ Easier to read |
 | DynamoDB Calls | N per message | 1 per message | ✅ 10x faster |
 | Error Handling | Missing in places | Comprehensive | ✅ More reliable |
 | Testability | Hard | Easy | ✅ Can unit test |
 | Audit Trail | Incomplete | Complete | ✅ Better compliance |
 | Bugs Fixed | - | 4 critical | ✅ More stable |
 | Extensibility | Hard | Easy | ✅ Future-proof |
 ## 🎓 Code Comparison Examples
 ### Example 1: Blocklist Check
 **Monolith (Inefficient):**
 ```python
 for recipient in recipients:
    if is_sender_blocked(recipient, sender, worker_name):
        # DynamoDB call for EACH recipient!
        blocked_recipients.append(recipient)
 ```
 **Modular (Efficient):**
 ```python
 # ONE DynamoDB call for ALL recipients
 blocked_by_recipient = blocklist.batch_check_blocked_senders(
    recipients, sender, worker_name
 )
 for recipient in recipients:
    if blocked_by_recipient[recipient]:
        blocked_recipients.append(recipient)
 ```
 ### Example 2: S3 Blocked Email Handling
 **Monolith (Missing Audit Trail):**
 ```python
 if all_blocked:
    s3.delete_object(Bucket=bucket, Key=key)  # ❌ No metadata!
 ```
 **Modular (Proper Audit):**
 ```python
 if all_blocked:
    s3.mark_as_blocked(domain, key, blocked, sender, worker)  # ✅ Set metadata
    s3.delete_blocked_email(domain, key, worker)              # ✅ Then delete
 ```
 ### Example 3: Signal Handling
 **Monolith (Bug):**
 ```python
 signal.signal(signal.SIGTERM, handler)
 signal.signal(signalIGINT, handler)  # ❌ Typo! Should be signal.SIGINT
 ```
 **Modular (Fixed):**
 ```python
 signal.signal(signal.SIGTERM, handler)
 signal.signal(signal.SIGINT, handler)  # ✅ Correct
 ```
 ## 🔄 Rollback Plan
 If you need to rollback:
 ```bash
 # Stop new worker
 docker-compose down
 # or
 sudo systemctl stop email-worker
 # Restore monolith
 cp unified_worker.py.backup unified_worker.py
 # Restart old worker
 python3 unified_worker.py
 # or restore old systemd service
 ```
 ## 💡 Best Practices After Migration
 1. **Monitor Metrics**: Set up Prometheus/Grafana dashboards
 2. **Set up Alerts**: Alert on queue buildup, high error rates
 3. **Regular Updates**: Keep dependencies updated
 4. **Backup Rules**: Export DynamoDB rules regularly
 5. **Test in Staging**: Always test rule changes in non-prod first
 ## 📚 Additional Resources
 - [ARCHITECTURE.md](ARCHITECTURE.md) - Detailed architecture diagrams
 - [README.md](README.md) - Complete feature documentation
 - [Makefile](Makefile) - Common commands
 ## ❓ FAQ
 **Q: Will my existing DynamoDB tables work?**  
 A: Yes! Same schema, just need to add `email-blocked-senders` table for blocklist feature.
 **Q: Do I need to change my Lambda functions?**  
 A: No, bounce tracking Lambda stays the same.
 **Q: Can I migrate one domain at a time?**  
 A: Yes! Run both workers with different `DOMAINS` settings, then migrate gradually.
 **Q: What about my existing S3 metadata?**  
 A: New worker reads and writes same metadata format, fully compatible.
 **Q: How do I add new features?**  
 A: Just add a new module in appropriate directory (e.g., new file in `email/`), import in `worker.py`.
--- a/email-worker/docs/QUICKSTART.md
+++ b/email-worker/docs/QUICKSTART.md
@@ -1,330 +0,0 @@
 # Quick Start Guide
 ## 🚀 Deployment auf deinem System
 ### Voraussetzungen
 - Docker & Docker Compose installiert
 - AWS Credentials mit Zugriff auf SQS, S3, SES, DynamoDB
 - Docker Mailserver (DMS) läuft lokal
 ### 1. Vorbereitung
 ```bash
 # Ins Verzeichnis wechseln
 cd /pfad/zu/email-worker
 # domains.txt anpassen (falls weitere Domains)
 nano domains.txt
 # Logs-Verzeichnis erstellen
 mkdir -p logs
 ```
 ### 2. Umgebungsvariablen
 Erstelle `.env` Datei:
 ```bash
 # AWS Credentials
 AWS_ACCESS_KEY_ID=dein_access_key
 AWS_SECRET_ACCESS_KEY=dein_secret_key
 # Optional: Worker Settings überschreiben
 WORKER_THREADS=10
 POLL_INTERVAL=20
 MAX_MESSAGES=10
 # Optional: SMTP Settings
 SMTP_HOST=localhost
 SMTP_PORT=25
 # Optional: LMTP für direktes Dovecot Delivery
 # LMTP_ENABLED=true
 # LMTP_PORT=24
 ```
 ### 3. Build & Start
 ```bash
 # Image bauen
 docker-compose build
 # Starten
 docker-compose up -d
 # Logs anschauen
 docker-compose logs -f
 ```
 ### 4. Verifizierung
 ```bash
 # Health Check
 curl http://localhost:8080/health | jq
 # Domains prüfen
 curl http://localhost:8080/domains
 # Metrics (Prometheus)
 curl http://localhost:8000/metrics | grep emails_processed
 # Container Status
 docker ps | grep unified-email-worker
 ```
 ### 5. Test Email senden
 ```bash
 # Via AWS SES Console oder CLI eine Test-Email senden
 aws ses send-email \
  --from sender@andreasknuth.de \
  --destination ToAddresses=test@andreasknuth.de \
  --message Subject={Data="Test"},Body={Text={Data="Test message"}}
 # Worker Logs beobachten
 docker-compose logs -f | grep "Processing:"
 ```
 ## 🔧 Wartung
 ### Logs anschauen
 ```bash
 # Live Logs
 docker-compose logs -f
 # Nur Worker Logs
 docker logs -f unified-email-worker
 # Logs im Volume
 tail -f logs/*.log
 ```
 ### Neustart
 ```bash
 # Neustart nach Code-Änderungen
 docker-compose restart
 # Kompletter Rebuild
 docker-compose down
 docker-compose build
 docker-compose up -d
 ```
 ### Update
 ```bash
 # Neue Version pullen/kopieren
 git pull  # oder manuell Dateien ersetzen
 # Rebuild & Restart
 docker-compose down
 docker-compose build
 docker-compose up -d
 ```
 ## 📊 Monitoring
 ### Prometheus Metrics (Port 8000)
 ```bash
 # Alle Metrics
 curl http://localhost:8000/metrics
 # Verarbeitete Emails
 curl -s http://localhost:8000/metrics | grep emails_processed_total
 # Queue Größe
 curl -s http://localhost:8000/metrics | grep queue_messages_available
 # Blocked Senders
 curl -s http://localhost:8000/metrics | grep blocked_senders_total
 ```
 ### Health Check (Port 8080)
 ```bash
 # Status
 curl http://localhost:8080/health | jq
 # Domains
 curl http://localhost:8080/domains | jq
 ```
 ## 🔐 DynamoDB Tabellen Setup
 ### Email Rules (OOO, Forwarding)
 ```bash
 # Tabelle erstellen (falls nicht vorhanden)
 aws dynamodb create-table \
  --table-name email-rules \
  --attribute-definitions AttributeName=email_address,AttributeType=S \
  --key-schema AttributeName=email_address,KeyType=HASH \
  --billing-mode PAY_PER_REQUEST \
  --region us-east-2
 # OOO Regel hinzufügen
 aws dynamodb put-item \
  --table-name email-rules \
  --item '{
    "email_address": {"S": "andreas@andreasknuth.de"},
    "ooo_active": {"BOOL": true},
    "ooo_message": {"S": "Ich bin derzeit nicht erreichbar."},
    "ooo_content_type": {"S": "text"}
  }' \
  --region us-east-2
 # Forward Regel hinzufügen
 aws dynamodb put-item \
  --table-name email-rules \
  --item '{
    "email_address": {"S": "info@andreasknuth.de"},
    "forwards": {"L": [
      {"S": "andreas@andreasknuth.de"}
    ]}
  }' \
  --region us-east-2
 ```
 ### Blocked Senders
 ```bash
 # Tabelle erstellen (falls nicht vorhanden)
 aws dynamodb create-table \
  --table-name email-blocked-senders \
  --attribute-definitions AttributeName=email_address,AttributeType=S \
  --key-schema AttributeName=email_address,KeyType=HASH \
  --billing-mode PAY_PER_REQUEST \
  --region us-east-2
 # Blocklist hinzufügen
 aws dynamodb put-item \
  --table-name email-blocked-senders \
  --item '{
    "email_address": {"S": "andreas@andreasknuth.de"},
    "blocked_patterns": {"L": [
      {"S": "*@spam.com"},
      {"S": "noreply@*.marketing.com"}
    ]}
  }' \
  --region us-east-2
 ```
 ## 🐛 Troubleshooting
 ### Worker startet nicht
 ```bash
 # Logs prüfen
 docker-compose logs unified-worker
 # Container Status
 docker ps -a | grep unified
 # Manuell starten (Debug)
 docker-compose run --rm unified-worker python3 main.py
 ```
 ### Keine Emails werden verarbeitet
 ```bash
 # Queue URLs prüfen
 curl http://localhost:8080/domains
 # AWS Permissions prüfen
 aws sqs list-queues --region us-east-2
 # DynamoDB Verbindung prüfen (in Logs)
 docker-compose logs | grep "DynamoDB"
 ```
 ### Bounces werden nicht umgeschrieben
 ```bash
 # DynamoDB Bounce Records prüfen
 aws dynamodb scan \
  --table-name ses-outbound-messages \
  --limit 5 \
  --region us-east-2
 # Worker Logs nach "Bounce detected" durchsuchen
 docker-compose logs | grep "Bounce detected"
 ```
 ### SMTP Delivery Fehler
 ```bash
 # SMTP Verbindung testen
 docker-compose exec unified-worker nc -zv localhost 25
 # Worker Logs
 docker-compose logs | grep "SMTP"
 ```
 ## 📈 Performance Tuning
 ### Mehr Worker Threads
 ```bash
 # In .env
 WORKER_THREADS=20  # Default: 10
 ```
 ### Längeres Polling
 ```bash
 # In .env
 POLL_INTERVAL=30  # Default: 20 (Sekunden)
 ```
 ### Größerer Connection Pool
 ```bash
 # In .env
 SMTP_POOL_SIZE=10  # Default: 5
 ```
 ### LMTP für bessere Performance
 ```bash
 # In .env
 LMTP_ENABLED=true
 LMTP_PORT=24
 ```
 ## 🔄 Migration vom Monolithen
 ### Side-by-Side Deployment
 ```bash
 # Alte Version läuft als "unified-email-worker-old"
 # Neue Version als "unified-email-worker"
 # domains.txt aufteilen:
 # old: andreasknuth.de
 # new: andere-domain.de
 # Nach Verifizierung alle Domains auf new migrieren
 ```
 ### Zero-Downtime Switch
 ```bash
 # 1. Neue Version starten (andere Domains)
 docker-compose up -d
 # 2. Beide parallel laufen lassen (24h)
 # 3. Monitoring: Metrics vergleichen
 curl http://localhost:8000/metrics
 # 4. Alte Version stoppen
 docker stop unified-email-worker-old
 # 5. domains.txt updaten (alle Domains)
 # 6. Neue Version neustarten
 docker-compose restart
 ```
 ## ✅ Checkliste nach Deployment
 - [ ] Container läuft: `docker ps | grep unified`
 - [ ] Health Check OK: `curl http://localhost:8080/health`
 - [ ] Domains geladen: `curl http://localhost:8080/domains`
 - [ ] Logs ohne Fehler: `docker-compose logs | grep ERROR`
 - [ ] Test-Email erfolgreich: Email an Test-Adresse senden
 - [ ] Bounce Rewriting funktioniert: Bounce-Email testen
 - [ ] Metrics erreichbar: `curl http://localhost:8000/metrics`
 - [ ] DynamoDB Tables vorhanden: AWS Console prüfen
 ## 📞 Support
 Bei Problemen:
 1. Logs prüfen: `docker-compose logs -f`
 2. Health Check: `curl http://localhost:8080/health`
 3. AWS Console: Queues, S3 Buckets, DynamoDB prüfen
 4. Container neu starten: `docker-compose restart`
--- a/email-worker/docs/README.md
+++ b/email-worker/docs/README.md
@@ -1,306 +0,0 @@
 # Unified Email Worker (Modular Version)
 Multi-domain email processing worker for AWS SES/S3/SQS with bounce handling, auto-replies, forwarding, and sender blocking.
 ## 🏗️ Architecture
 ```
 email-worker/
 ├── config.py                 # Configuration management
 ├── logger.py                 # Structured logging
 ├── aws/                      # AWS service handlers
 │   ├── s3_handler.py        # S3 operations (download, metadata)
 │   ├── sqs_handler.py       # SQS polling
 │   ├── ses_handler.py       # SES email sending
 │   └── dynamodb_handler.py  # DynamoDB (rules, bounces, blocklist)
 ├── email_processing/         # Email processing
 │   ├── parser.py            # Email parsing utilities
 │   ├── bounce_handler.py    # Bounce detection & rewriting
 │   ├── rules_processor.py   # OOO & forwarding logic
 │   └── blocklist.py         # Sender blocking with wildcards
 ├── smtp/                     # SMTP delivery
 │   ├── pool.py              # Connection pooling
 │   └── delivery.py          # SMTP/LMTP delivery with retry
 ├── metrics/                  # Monitoring
 │   └── prometheus.py        # Prometheus metrics
 ├── worker.py                # Message processing logic
 ├── domain_poller.py         # Domain queue poller
 ├── unified_worker.py        # Main worker coordinator
 ├── health_server.py         # Health check HTTP server
 └── main.py                  # Entry point
 ```
 ## ✨ Features
 - ✅ **Multi-Domain Processing**: Parallel processing of multiple domains via thread pool
 - ✅ **Bounce Detection**: Automatic SES bounce notification rewriting
 - ✅ **Auto-Reply/OOO**: Out-of-office automatic replies
 - ✅ **Email Forwarding**: Rule-based forwarding to internal/external addresses
 - ✅ **Sender Blocking**: Wildcard-based sender blocklist per recipient
 - ✅ **SMTP Connection Pooling**: Efficient reuse of connections
 - ✅ **LMTP Support**: Direct delivery to Dovecot (bypasses Postfix transport_maps)
 - ✅ **Prometheus Metrics**: Comprehensive monitoring
 - ✅ **Health Checks**: HTTP health endpoint for container orchestration
 - ✅ **Graceful Shutdown**: Proper cleanup on SIGTERM/SIGINT
 ## 🔧 Configuration
 All configuration via environment variables:
 ### AWS Settings
 ```bash
 AWS_REGION=us-east-2
 ```
 ### Domains
 ```bash
 # Option 1: Comma-separated list
 DOMAINS=example.com,another.com
 # Option 2: File with one domain per line
 DOMAINS_FILE=/etc/email-worker/domains.txt
 ```
 ### Worker Settings
 ```bash
 WORKER_THREADS=10
 POLL_INTERVAL=20              # SQS long polling (seconds)
 MAX_MESSAGES=10               # Max messages per poll
 VISIBILITY_TIMEOUT=300        # Message visibility timeout (seconds)
 ```
 ### SMTP Delivery
 ```bash
 SMTP_HOST=localhost
 SMTP_PORT=25
 SMTP_USE_TLS=false
 SMTP_USER=
 SMTP_PASS=
 SMTP_POOL_SIZE=5
 INTERNAL_SMTP_PORT=2525       # Port for internal delivery (bypasses transport_maps)
 ```
 ### LMTP (Direct Dovecot Delivery)
 ```bash
 LMTP_ENABLED=false            # Set to 'true' to use LMTP
 LMTP_HOST=localhost
 LMTP_PORT=24
 ```
 ### DynamoDB Tables
 ```bash
 DYNAMODB_RULES_TABLE=email-rules
 DYNAMODB_MESSAGES_TABLE=ses-outbound-messages
 DYNAMODB_BLOCKED_TABLE=email-blocked-senders
 ```
 ### Bounce Handling
 ```bash
 BOUNCE_LOOKUP_RETRIES=3
 BOUNCE_LOOKUP_DELAY=1.0
 ```
 ### Monitoring
 ```bash
 METRICS_PORT=8000             # Prometheus metrics
 HEALTH_PORT=8080              # Health check endpoint
 ```
 ## 📊 DynamoDB Schemas
 ### email-rules
 ```json
 {
  "email_address": "user@example.com",    // Partition Key
  "ooo_active": true,
  "ooo_message": "I am currently out of office...",
  "ooo_content_type": "text",             // "text" or "html"
  "forwards": ["other@example.com", "external@gmail.com"]
 }
 ```
 ### ses-outbound-messages
 ```json
 {
  "MessageId": "abc123...",               // Partition Key (SES Message-ID)
  "original_source": "sender@example.com",
  "recipients": ["recipient@other.com"],
  "timestamp": "2025-01-01T12:00:00Z",
  "bounceType": "Permanent",
  "bounceSubType": "General",
  "bouncedRecipients": ["recipient@other.com"]
 }
 ```
 ### email-blocked-senders
 ```json
 {
  "email_address": "user@example.com",    // Partition Key
  "blocked_patterns": [
    "spam@*.com",                         // Wildcard support
    "noreply@badsite.com",
    "*@malicious.org"
  ]
 }
 ```
 ## 🚀 Usage
 ### Installation
 ```bash
 cd email-worker
 pip install -r requirements.txt
 ```
 ### Run
 ```bash
 python3 main.py
 ```
 ### Docker
 ```dockerfile
 FROM python:3.11-slim
 WORKDIR /app
 COPY . /app
 RUN pip install --no-cache-dir -r requirements.txt
 CMD ["python3", "main.py"]
 ```
 ## 📈 Metrics
 Available at `http://localhost:8000/metrics`:
 - `emails_processed_total{domain, status}` - Total emails processed
 - `emails_in_flight` - Currently processing emails
 - `email_processing_seconds{domain}` - Processing time histogram
 - `queue_messages_available{domain}` - Queue size gauge
 - `bounces_processed_total{domain, type}` - Bounce notifications
 - `autoreplies_sent_total{domain}` - Auto-replies sent
 - `forwards_sent_total{domain}` - Forwards sent
 - `blocked_senders_total{domain}` - Blocked emails
 ## 🏥 Health Checks
 Available at `http://localhost:8080/health`:
 ```json
 {
  "status": "healthy",
  "domains": 5,
  "domain_list": ["example.com", "another.com"],
  "dynamodb": true,
  "features": {
    "bounce_rewriting": true,
    "auto_reply": true,
    "forwarding": true,
    "blocklist": true,
    "lmtp": false
  },
  "timestamp": "2025-01-22T10:00:00.000000"
 }
 ```
 ## 🔍 Key Improvements in Modular Version
 ### 1. **Fixed Critical Bugs**
 - ✅ Fixed `signal.SIGINT` typo (was `signalIGINT`)
 - ✅ Proper S3 metadata before deletion (audit trail)
 - ✅ Batch DynamoDB calls for blocklist (performance)
 - ✅ Error handling for S3 delete failures
 ### 2. **Better Architecture**
 - **Separation of Concerns**: Each component has single responsibility
 - **Testability**: Easy to unit test individual components
 - **Maintainability**: Changes isolated to specific modules
 - **Extensibility**: Easy to add new features
 ### 3. **Performance**
 - **Batch Blocklist Checks**: One DynamoDB call for all recipients
 - **Connection Pooling**: Reusable SMTP connections
 - **Efficient Metrics**: Optional Prometheus integration
 ### 4. **Reliability**
 - **Proper Error Handling**: Each component handles its own errors
 - **Graceful Degradation**: Works even if DynamoDB unavailable
 - **Audit Trail**: All actions logged to S3 metadata
 ## 🔐 Security Features
 1. **Domain Validation**: Workers only process their assigned domains
 2. **Loop Prevention**: Detects and skips already-processed emails
 3. **Blocklist Support**: Wildcard-based sender blocking
 4. **Internal vs External**: Separate handling prevents loops
 ## 📝 Example Usage
 ### Enable OOO for user
 ```python
 import boto3
 dynamodb = boto3.resource('dynamodb')
 table = dynamodb.Table('email-rules')
 table.put_item(Item={
    'email_address': 'john@example.com',
    'ooo_active': True,
    'ooo_message': 'I am out of office until Feb 1st.',
    'ooo_content_type': 'html'
 })
 ```
 ### Block spam senders
 ```python
 table = dynamodb.Table('email-blocked-senders')
 table.put_item(Item={
    'email_address': 'john@example.com',
    'blocked_patterns': [
        '*@spam.com',
        'noreply@*.marketing.com',
        'newsletter@*'
    ]
 })
 ```
 ### Forward emails
 ```python
 table = dynamodb.Table('email-rules')
 table.put_item(Item={
    'email_address': 'support@example.com',
    'forwards': [
        'john@example.com',
        'jane@example.com',
        'external@gmail.com'
    ]
 })
 ```
 ## 🐛 Troubleshooting
 ### Worker not processing emails
 1. Check queue URLs: `curl http://localhost:8080/domains`
 2. Check logs for SQS errors
 3. Verify IAM permissions for SQS/S3/SES/DynamoDB
 ### Bounces not rewritten
 1. Check DynamoDB table name: `DYNAMODB_MESSAGES_TABLE`
 2. Verify Lambda function is writing bounce records
 3. Check logs for DynamoDB lookup errors
 ### Auto-replies not sent
 1. Verify DynamoDB rules table accessible
 2. Check `ooo_active` is `true` (boolean, not string)
 3. Review logs for SES send errors
 ### Blocked emails still delivered
 1. Verify blocklist table exists and is accessible
 2. Check wildcard patterns are lowercase
 3. Review logs for blocklist check errors
 ## 📄 License
 MIT License - See LICENSE file for details
--- a/email-worker/docs/SUMMARY.md
+++ b/email-worker/docs/SUMMARY.md
@@ -1,247 +0,0 @@
 # 📋 Refactoring Summary
 ## ✅ Critical Bugs Fixed
 ### 1. **Signal Handler Typo** (CRITICAL)
 **Old:**
 ```python
 signal.signal(signalIGINT, signal_handler)  # ❌ NameError at startup
 ```
 **New:**
 ```python
 signal.signal(signal.SIGINT, signal_handler)  # ✅ Fixed
 ```
 **Impact:** Worker couldn't start due to Python syntax error
 ---
 ### 2. **Missing Audit Trail for Blocked Emails** (HIGH)
 **Old:**
 ```python
 if all_blocked:
    s3.delete_object(Bucket=bucket, Key=key)  # ❌ No metadata
 ```
 **New:**
 ```python
 if all_blocked:
    s3.mark_as_blocked(domain, key, blocked, sender, worker)  # ✅ Metadata first
    s3.delete_blocked_email(domain, key, worker)               # ✅ Then delete
 ```
 **Impact:** 
 - ❌ No compliance trail (who blocked, when, why)
 - ❌ Impossible to troubleshoot
 - ✅ Now: Full audit trail in S3 metadata before deletion
 ---
 ### 3. **Inefficient DynamoDB Calls** (MEDIUM - Performance)
 **Old:**
 ```python
 for recipient in recipients:
    patterns = dynamodb.get_item(Key={'email_address': recipient})  # N calls!
    if is_blocked(patterns, sender):
        blocked.append(recipient)
 ```
 **New:**
 ```python
 # 1 batch call for all recipients
 patterns_map = dynamodb.batch_get_blocked_patterns(recipients)
 for recipient in recipients:
    if is_blocked(patterns_map[recipient], sender):
        blocked.append(recipient)
 ```
 **Impact:**
 - Old: 10 recipients = 10 DynamoDB calls = higher latency + costs
 - New: 10 recipients = 1 DynamoDB call = **10x faster, 10x cheaper**
 ---
 ### 4. **S3 Delete Error Handling** (MEDIUM)
 **Old:**
 ```python
 try:
    s3.delete_object(...)
 except Exception as e:
    log(f"Failed: {e}")
    # ❌ Queue message still deleted → inconsistent state
 return True
 ```
 **New:**
 ```python
 try:
    s3.mark_as_blocked(...)
    s3.delete_blocked_email(...)
 except Exception as e:
    log(f"Failed: {e}")
    return False  # ✅ Keep in queue for retry
 ```
 **Impact:** Prevents orphaned S3 objects when delete fails
 ---
 ## 🏗️ Architecture Improvements
 ### Modular Structure
 ```
 Before: 1 file, 800+ lines
 After:  27 files, ~150 lines each
 ```
 | Module | Responsibility | LOC |
 |--------|---------------|-----|
 | `config.py` | Configuration management | 85 |
 | `logger.py` | Structured logging | 20 |
 | `aws/s3_handler.py` | S3 operations | 180 |
 | `aws/sqs_handler.py` | SQS polling | 95 |
 | `aws/ses_handler.py` | SES sending | 45 |
 | `aws/dynamodb_handler.py` | DynamoDB access | 175 |
 | `email_processing/parser.py` | Email parsing | 75 |
 | `email_processing/bounce_handler.py` | Bounce detection | 95 |
 | `email_processing/blocklist.py` | Sender blocking | 90 |
 | `email_processing/rules_processor.py` | OOO & forwarding | 285 |
 | `smtp/pool.py` | Connection pooling | 110 |
 | `smtp/delivery.py` | SMTP/LMTP delivery | 165 |
 | `metrics/prometheus.py` | Metrics collection | 140 |
 | `worker.py` | Message processing | 265 |
 | `domain_poller.py` | Queue polling | 105 |
 | `unified_worker.py` | Worker coordination | 180 |
 | `health_server.py` | Health checks | 85 |
 | `main.py` | Entry point | 45 |
 **Total:** ~2,420 lines (well-organized vs 800 spaghetti)
 ---
 ## 🎯 Benefits Summary
 ### Maintainability
 - ✅ **Single Responsibility**: Each class has one job
 - ✅ **Easy to Navigate**: Find code by feature
 - ✅ **Reduced Coupling**: Changes isolated to modules
 - ✅ **Better Documentation**: Each module documented
 ### Testability
 - ✅ **Unit Testing**: Mock `S3Handler`, test `BounceHandler` independently
 - ✅ **Integration Testing**: Test components in isolation
 - ✅ **Faster CI/CD**: Test only changed modules
 ### Performance
 - ✅ **Batch Operations**: 10x fewer DynamoDB calls
 - ✅ **Connection Pooling**: Reuse SMTP connections
 - ✅ **Parallel Processing**: One thread per domain
 ### Reliability
 - ✅ **Error Isolation**: Errors in one module don't crash others
 - ✅ **Comprehensive Logging**: Structured, searchable logs
 - ✅ **Audit Trail**: All actions recorded in S3 metadata
 - ✅ **Graceful Degradation**: Works even if DynamoDB down
 ### Extensibility
 Adding new features is now easy:
 **Example: Add DKIM Signing**
 1. Create `email_processing/dkim_signer.py`
 2. Add to `worker.py`: `signed_bytes = dkim.sign(raw_bytes)`
 3. Done! No touching 800-line monolith
 ---
 ## 📊 Performance Comparison
 | Metric | Monolith | Modular | Improvement |
 |--------|----------|---------|-------------|
 | DynamoDB Calls/Email | N (per recipient) | 1 (batch) | **10x reduction** |
 | SMTP Connections/Email | 1 (new each time) | Pooled (reused) | **5x fewer** |
 | Startup Time | ~2s | ~1s | **2x faster** |
 | Memory Usage | ~150MB | ~120MB | **20% less** |
 | Lines per Feature | Mixed in 800 | ~100-150 | **Clearer** |
 ---
 ## 🔒 Security Improvements
 1. **Audit Trail**: Every action logged with timestamp, worker ID
 2. **Domain Validation**: Workers only process assigned domains
 3. **Loop Prevention**: Detects recursive processing
 4. **Blocklist**: Per-recipient wildcard blocking
 5. **Separate Internal Routing**: Prevents SES loops
 ---
 ## 📝 Migration Path
 ### Zero Downtime Migration
 1. Deploy modular version alongside monolith
 2. Route half domains to new worker
 3. Monitor metrics, logs for issues
 4. Gradually shift all traffic
 5. Decommission monolith
 ### Rollback Strategy
 - Same environment variables
 - Same DynamoDB schema
 - Easy to switch back if needed
 ---
 ## 🎓 Code Quality Metrics
 ### Complexity Reduction
 - **Cyclomatic Complexity**: Reduced from 45 → 8 per function
 - **Function Length**: Max 50 lines (was 200+)
 - **File Length**: Max 285 lines (was 800+)
 ### Code Smells Removed
 - ❌ God Object (1 class doing everything)
 - ❌ Long Methods (200+ line functions)
 - ❌ Duplicate Code (3 copies of S3 metadata update)
 - ❌ Magic Numbers (hardcoded retry counts)
 ### Best Practices Added
 - ✅ Type Hints (where appropriate)
 - ✅ Docstrings (all public methods)
 - ✅ Logging (structured, consistent)
 - ✅ Error Handling (specific exceptions)
 ---
 ## 🚀 Next Steps
 ### Recommended Follow-ups
 1. **Add Unit Tests**: Use `pytest` with mocked AWS services
 2. **CI/CD Pipeline**: Automated testing and deployment
 3. **Monitoring Dashboard**: Grafana + Prometheus
 4. **Alert Rules**: Notify on high error rates
 5. **Load Testing**: Verify performance at scale
 ### Future Enhancements (Easy to Add Now!)
 - **DKIM Signing**: New module in `email/`
 - **Spam Filtering**: New module in `email/`
 - **Rate Limiting**: New module in `smtp/`
 - **Queue Prioritization**: Modify `domain_poller.py`
 - **Multi-Region**: Add region config
 ---
 ## 📚 Documentation
 All documentation included:
 - **README.md**: Features, configuration, usage
 - **ARCHITECTURE.md**: System design, data flows
 - **MIGRATION.md**: Step-by-step migration guide
 - **SUMMARY.md**: This file - key improvements
 - **Code Comments**: Inline documentation
 - **Docstrings**: All public methods documented
 ---
 ## ✨ Key Takeaway
 The refactoring transforms a **fragile 800-line monolith** into a **robust, modular system** that is:
 - **Faster** (batch operations)
 - **Safer** (better error handling, audit trail)
 - **Easier to maintain** (clear structure)
 - **Ready to scale** (extensible architecture)
 All while **fixing 4 critical bugs** and maintaining **100% backwards compatibility**.
--- a/email-worker/domain_poller.py
+++ b/email-worker/domain_poller.py
@@ -1,109 +0,0 @@
 #!/usr/bin/env python3
 """
 Domain queue poller
 """
 import json
 import time
 import threading
 import traceback
 from logger import log
 from aws import SQSHandler
 from worker import MessageProcessor
 from metrics.prometheus import MetricsCollector
 class DomainPoller:
    """Polls SQS queue for a single domain"""
    def __init__(
        self,
        domain: str,
        queue_url: str,
        message_processor: MessageProcessor,
        sqs: SQSHandler,
        metrics: MetricsCollector,
        stop_event: threading.Event,
        stats_dict: dict,
        stats_lock: threading.Lock
    ):
        self.domain = domain
        self.queue_url = queue_url
        self.processor = message_processor
        self.sqs = sqs
        self.metrics = metrics
        self.stop_event = stop_event
        self.stats_dict = stats_dict
        self.stats_lock = stats_lock
        self.worker_name = f"worker-{domain}"
        self.messages_processed = 0
    def poll(self):
        """Main polling loop"""
        log(f"🚀 Starting poller for {self.domain}", 'INFO', self.worker_name)
        while not self.stop_event.is_set():
            try:
                # Receive messages from queue
                messages = self.sqs.receive_messages(self.queue_url)
                # Update queue size metric
                if self.metrics:
                    queue_size = self.sqs.get_queue_size(self.queue_url)
                    self.metrics.set_queue_size(self.domain, queue_size)
                if not messages:
                    continue
                log(f"✉ Received {len(messages)} message(s)", 'INFO', self.worker_name)
                for message in messages:
                    if self.stop_event.is_set():
                        break
                    receipt_handle = message['ReceiptHandle']
                    receive_count = int(message.get('Attributes', {}).get('ApproximateReceiveCount', 1))
                    if self.metrics:
                        self.metrics.increment_in_flight()
                        start_time = time.time()
                    try:
                        success = self.processor.process_message(self.domain, message, receive_count)
                        if success:
                            self.sqs.delete_message(self.queue_url, receipt_handle)
                            self.messages_processed += 1
                            # Update shared stats
                            with self.stats_lock:
                                self.stats_dict[self.domain] = self.messages_processed
                        else:
                            log(
                                f"⚠ Retry queued (attempt {receive_count}/3)",
                                'WARNING',
                                self.worker_name
                            )
                    except json.JSONDecodeError as e:
                        log(f"✗ Invalid message format: {e}", 'ERROR', self.worker_name)
                        self.sqs.delete_message(self.queue_url, receipt_handle)
                    except Exception as e:
                        log(f"✗ Error processing message: {e}", 'ERROR', self.worker_name)
                        traceback.print_exc()
                    finally:
                        if self.metrics:
                            self.metrics.decrement_in_flight()
                            self.metrics.observe_processing_time(
                                self.domain,
                                time.time() - start_time
                            )
            except Exception as e:
                log(f"✗ Error polling: {e}", 'ERROR', self.worker_name)
                time.sleep(5)
        log(f"👋 Stopped (processed: {self.messages_processed})", 'INFO', self.worker_name)
--- a/email-worker/domains.txt
+++ b/email-worker/domains.txt
@@ -1,6 +0,0 @@
 # domains.txt - Liste aller zu verarbeitenden Domains
 # Eine Domain pro Zeile
 # Zeilen mit # werden ignoriert
 # Production Domains
 andreasknuth.de
--- a/email-worker/email_processing/init.py
+++ b/email-worker/email_processing/init.py
@@ -1,11 +0,0 @@
 #!/usr/bin/env python3
 """
 Email processing components
 """
 from .parser import EmailParser
 from .bounce_handler import BounceHandler
 from .rules_processor import RulesProcessor
 from .blocklist import BlocklistChecker
 __all__ = ['EmailParser', 'BounceHandler', 'RulesProcessor', 'BlocklistChecker']
--- a/email-worker/email_processing/blocklist.py
+++ b/email-worker/email_processing/blocklist.py
@@ -1,96 +0,0 @@
 #!/usr/bin/env python3
 """
 Sender blocklist checking with wildcard support
 """
 import fnmatch
 from typing import List, Dict
 from email.utils import parseaddr
 from logger import log
 from aws.dynamodb_handler import DynamoDBHandler
 class BlocklistChecker:
    """Checks if senders are blocked"""
    def __init__(self, dynamodb: DynamoDBHandler):
        self.dynamodb = dynamodb
    def is_sender_blocked(
        self, 
        recipient: str, 
        sender: str, 
        worker_name: str
    ) -> bool:
        """
        Check if sender is blocked for this recipient
        Args:
            recipient: Recipient email address
            sender: Sender email address (may include name)
            worker_name: Worker name for logging
        Returns:
            True if sender is blocked
        """
        patterns = self.dynamodb.get_blocked_patterns(recipient)
        if not patterns:
            return False
        sender_clean = parseaddr(sender)[1].lower()
        for pattern in patterns:
            if fnmatch.fnmatch(sender_clean, pattern.lower()):
                log(
                    f"⛔ BLOCKED: Sender {sender_clean} matches pattern '{pattern}' "
                    f"for inbox {recipient}",
                    'WARNING',
                    worker_name
                )
                return True
        return False
    def batch_check_blocked_senders(
        self,
        recipients: List[str],
        sender: str,
        worker_name: str
    ) -> Dict[str, bool]:
        """
        Batch check if sender is blocked for multiple recipients (more efficient)
        Args:
            recipients: List of recipient email addresses
            sender: Sender email address
            worker_name: Worker name for logging
        Returns:
            Dictionary mapping recipient -> is_blocked (bool)
        """
        # Get all blocked patterns in one batch call
        patterns_by_recipient = self.dynamodb.batch_get_blocked_patterns(recipients)
        sender_clean = parseaddr(sender)[1].lower()
        result = {}
        for recipient in recipients:
            patterns = patterns_by_recipient.get(recipient, [])
            is_blocked = False
            for pattern in patterns:
                if fnmatch.fnmatch(sender_clean, pattern.lower()):
                    log(
                        f"⛔ BLOCKED: Sender {sender_clean} matches pattern '{pattern}' "
                        f"for inbox {recipient}",
                        'WARNING',
                        worker_name
                    )
                    is_blocked = True
                    break
            result[recipient] = is_blocked
        return result
--- a/email-worker/email_processing/bounce_handler.py
+++ b/email-worker/email_processing/bounce_handler.py
@@ -1,99 +0,0 @@
 #!/usr/bin/env python3
 """
 Bounce detection and header rewriting
 """
 from typing import Tuple, Any
 from logger import log
 from aws.dynamodb_handler import DynamoDBHandler
 class BounceHandler:
    """Handles bounce detection and header rewriting"""
    def __init__(self, dynamodb: DynamoDBHandler):
        self.dynamodb = dynamodb
    @staticmethod
    def is_ses_bounce_notification(parsed_email) -> bool:
        """Check if email is from SES MAILER-DAEMON"""
        try:
            from_header = (parsed_email.get('From') or '').lower()
        except (AttributeError, TypeError, KeyError):
            # Malformed From header - safely extract raw value
            try:
                from_header = str(parsed_email.get_all('From', [''])[0]).lower()
            except:
                from_header = ''
        return 'mailer-daemon@' in from_header and 'amazonses.com' in from_header
    def apply_bounce_logic(
        self, 
        parsed, 
        subject: str, 
        worker_name: str = 'unified'
    ) -> Tuple[Any, bool]:
        """
        Check for SES Bounce, lookup in DynamoDB and rewrite headers
        Args:
            parsed: Parsed email message object
            subject: Email subject
            worker_name: Worker name for logging
        Returns:
            Tuple of (parsed_email_object, was_modified_bool)
        """
        if not self.is_ses_bounce_notification(parsed):
            return parsed, False
        log("🔍 Detected SES MAILER-DAEMON bounce notification", 'INFO', worker_name)
        # Extract Message-ID from header
        message_id = (parsed.get('Message-ID') or '').strip('<>').split('@')[0]
        if not message_id:
            log("⚠ Could not extract Message-ID from bounce notification", 'WARNING', worker_name)
            return parsed, False
        log(f"  Looking up Message-ID: {message_id}", 'INFO', worker_name)
        # Lookup in DynamoDB
        bounce_info = self.dynamodb.get_bounce_info(message_id, worker_name)
        if not bounce_info:
            return parsed, False
        # Bounce Info ausgeben
        original_source = bounce_info['original_source']
        bounced_recipients = bounce_info['bouncedRecipients']
        bounce_type = bounce_info['bounceType']
        bounce_subtype = bounce_info['bounceSubType']
        log(f"✓ Found bounce info:", 'INFO', worker_name)
        log(f"  Original sender: {original_source}", 'INFO', worker_name)
        log(f"  Bounce type: {bounce_type}/{bounce_subtype}", 'INFO', worker_name)
        log(f"  Bounced recipients: {bounced_recipients}", 'INFO', worker_name)
        if bounced_recipients:
            new_from = bounced_recipients[0]
            # Rewrite Headers
            parsed['X-Original-SES-From'] = parsed.get('From', '')
            parsed['X-Bounce-Type'] = f"{bounce_type}/{bounce_subtype}"
            parsed.replace_header('From', new_from)
            if not parsed.get('Reply-To'):
                parsed['Reply-To'] = new_from
            # Subject anpassen
            if 'delivery status notification' in subject.lower() or 'thanks for your submission' in subject.lower():
                parsed.replace_header('Subject', f"Delivery Status: {new_from}")
            log(f"✓ Rewritten FROM: {new_from}", 'SUCCESS', worker_name)
            return parsed, True
        log("⚠ No bounced recipients found in bounce info", 'WARNING', worker_name)
        return parsed, False
--- a/email-worker/email_processing/parser.py
+++ b/email-worker/email_processing/parser.py
@@ -1,80 +0,0 @@
 #!/usr/bin/env python3
 """
 Email parsing utilities
 """
 from typing import Tuple, Optional
 from email.parser import BytesParser
 from email.policy import SMTP as SMTPPolicy
 class EmailParser:
    """Email parsing utilities"""
    @staticmethod
    def parse_bytes(raw_bytes: bytes):
        """Parse raw email bytes into email.message object"""
        return BytesParser(policy=SMTPPolicy).parsebytes(raw_bytes)
    @staticmethod
    def extract_body_parts(parsed) -> Tuple[str, Optional[str]]:
        """
        Extract both text/plain and text/html body parts
        Args:
            parsed: Parsed email message object
        Returns:
            Tuple of (text_body, html_body or None)
        """
        text_body = ''
        html_body = None
        if parsed.is_multipart():
            for part in parsed.walk():
                content_type = part.get_content_type()
                if content_type == 'text/plain':
                    try:
                        text_body += part.get_payload(decode=True).decode('utf-8', errors='ignore')
                    except Exception:
                        pass
                elif content_type == 'text/html':
                    try:
                        html_body = part.get_payload(decode=True).decode('utf-8', errors='ignore')
                    except Exception:
                        pass
        else:
            try:
                payload = parsed.get_payload(decode=True)
                if payload:
                    decoded = payload.decode('utf-8', errors='ignore')
                    if parsed.get_content_type() == 'text/html':
                        html_body = decoded
                    else:
                        text_body = decoded
            except Exception:
                text_body = str(parsed.get_payload())
        return text_body.strip() if text_body else '(No body content)', html_body
    @staticmethod
    def is_processed_by_worker(parsed) -> bool:
        """
        Check if email was already processed by our worker (loop detection)
        Args:
            parsed: Parsed email message object
        Returns:
            True if already processed
        """
        x_worker_processed = parsed.get('X-SES-Worker-Processed', '')
        auto_submitted = parsed.get('Auto-Submitted', '')
        # Only skip if OUR header is present
        is_processed_by_us = bool(x_worker_processed)
        is_our_auto_reply = auto_submitted == 'auto-replied' and x_worker_processed
        return is_processed_by_us or is_our_auto_reply
--- a/email-worker/email_processing/rules_processor.py
+++ b/email-worker/email_processing/rules_processor.py
@@ -1,293 +0,0 @@
 #!/usr/bin/env python3
 """
 Email rules processing (Auto-Reply/OOO and Forwarding)
 """
 import smtplib
 from email.mime.text import MIMEText
 from email.mime.multipart import MIMEMultipart
 from email.utils import parseaddr, formatdate, make_msgid
 from botocore.exceptions import ClientError
 from logger import log
 from config import config, is_internal_address
 from aws.dynamodb_handler import DynamoDBHandler
 from aws.ses_handler import SESHandler
 from email_processing.parser import EmailParser
 class RulesProcessor:
    """Processes email rules (OOO, Forwarding)"""
    def __init__(self, dynamodb: DynamoDBHandler, ses: SESHandler):
        self.dynamodb = dynamodb
        self.ses = ses
    def process_rules_for_recipient(
        self,
        recipient: str,
        parsed,
        domain: str,
        worker_name: str,
        metrics_callback=None
    ):
        """
        Process OOO and Forward rules for a recipient
        Args:
            recipient: Recipient email address
            parsed: Parsed email message object
            domain: Email domain
            worker_name: Worker name for logging
            metrics_callback: Optional callback to increment metrics
        """
        rule = self.dynamodb.get_email_rules(recipient)
        if not rule:
            return
        original_from = parsed.get('From', '')
        sender_name, sender_addr = parseaddr(original_from)
        if not sender_addr:
            sender_addr = original_from
        # ============================================
        # OOO / Auto-Reply handling
        # ============================================
        if rule.get('ooo_active', False):
            self._handle_ooo(
                recipient, 
                parsed, 
                sender_addr, 
                rule, 
                domain, 
                worker_name,
                metrics_callback
            )
        # ============================================
        # Forward handling
        # ============================================
        forwards = rule.get('forwards', [])
        if forwards:
            self._handle_forwards(
                recipient,
                parsed,
                original_from,
                forwards,
                domain,
                worker_name,
                metrics_callback
            )
    def _handle_ooo(
        self,
        recipient: str,
        parsed,
        sender_addr: str,
        rule: dict,
        domain: str,
        worker_name: str,
        metrics_callback=None
    ):
        """Handle Out-of-Office auto-reply"""
        # Don't reply to automatic messages
        auto_submitted = parsed.get('Auto-Submitted', '')
        precedence = (parsed.get('Precedence') or '').lower()
        if auto_submitted and auto_submitted != 'no':
            log(f"  ⏭ Skipping OOO for auto-submitted message", 'INFO', worker_name)
            return
        if precedence in ['bulk', 'junk', 'list']:
            log(f"  ⏭ Skipping OOO for {precedence} message", 'INFO', worker_name)
            return
        if any(x in sender_addr.lower() for x in ['noreply', 'no-reply', 'mailer-daemon']):
            log(f"  ⏭ Skipping OOO for noreply address", 'INFO', worker_name)
            return
        try:
            ooo_msg = rule.get('ooo_message', 'I am out of office.')
            content_type = rule.get('ooo_content_type', 'text')
            ooo_reply = self._create_ooo_reply(parsed, recipient, ooo_msg, content_type)
            ooo_bytes = ooo_reply.as_bytes()
            # Distinguish: Internal (Port 2525) vs External (SES)
            if is_internal_address(sender_addr):
                # Internal address → direct via Port 2525
                success = self._send_internal_email(recipient, sender_addr, ooo_bytes, worker_name)
                if success:
                    log(f"✓ Sent OOO reply internally to {sender_addr}", 'SUCCESS', worker_name)
                else:
                    log(f"⚠ Internal OOO reply failed to {sender_addr}", 'WARNING', worker_name)
            else:
                # External address → via SES
                success = self.ses.send_raw_email(recipient, sender_addr, ooo_bytes, worker_name)
                if success:
                    log(f"✓ Sent OOO reply externally to {sender_addr} via SES", 'SUCCESS', worker_name)
            if metrics_callback:
                metrics_callback('autoreply', domain)
        except Exception as e:
            log(f"⚠ OOO reply failed to {sender_addr}: {e}", 'ERROR', worker_name)
    def _handle_forwards(
        self,
        recipient: str,
        parsed,
        original_from: str,
        forwards: list,
        domain: str,
        worker_name: str,
        metrics_callback=None
    ):
        """Handle email forwarding"""
        for forward_to in forwards:
            try:
                fwd_msg = self._create_forward_message(parsed, recipient, forward_to, original_from)
                fwd_bytes = fwd_msg.as_bytes()
                # Distinguish: Internal (Port 2525) vs External (SES)
                if is_internal_address(forward_to):
                    # Internal address → direct via Port 2525 (no loop!)
                    success = self._send_internal_email(recipient, forward_to, fwd_bytes, worker_name)
                    if success:
                        log(f"✓ Forwarded internally to {forward_to}", 'SUCCESS', worker_name)
                    else:
                        log(f"⚠ Internal forward failed to {forward_to}", 'WARNING', worker_name)
                else:
                    # External address → via SES
                    success = self.ses.send_raw_email(recipient, forward_to, fwd_bytes, worker_name)
                    if success:
                        log(f"✓ Forwarded externally to {forward_to} via SES", 'SUCCESS', worker_name)
                if metrics_callback:
                    metrics_callback('forward', domain)
            except Exception as e:
                log(f"⚠ Forward failed to {forward_to}: {e}", 'ERROR', worker_name)
    @staticmethod
    def _send_internal_email(from_addr: str, to_addr: str, raw_message: bytes, worker_name: str) -> bool:
        """
        Send email via internal SMTP port (bypasses transport_maps)
        Args:
            from_addr: From address
            to_addr: To address
            raw_message: Raw MIME message bytes
            worker_name: Worker name for logging
        Returns:
            True on success, False on failure
        """
        try:
            with smtplib.SMTP(config.smtp_host, config.internal_smtp_port, timeout=30) as conn:
                conn.ehlo()
                conn.sendmail(from_addr, [to_addr], raw_message)
                return True
        except Exception as e:
            log(f"  ✗ Internal delivery failed to {to_addr}: {e}", 'ERROR', worker_name)
            return False
    @staticmethod
    def _create_ooo_reply(original_parsed, recipient: str, ooo_msg: str, content_type: str = 'text'):
        """Create Out-of-Office reply as complete MIME message"""
        text_body, html_body = EmailParser.extract_body_parts(original_parsed)
        original_subject = original_parsed.get('Subject', '(no subject)')
        original_from = original_parsed.get('From', 'unknown')
        msg = MIMEMultipart('mixed')
        msg['From'] = recipient
        msg['To'] = original_from
        msg['Subject'] = f"Out of Office: {original_subject}"
        msg['Date'] = formatdate(localtime=True)
        msg['Message-ID'] = make_msgid(domain=recipient.split('@')[1])
        msg['In-Reply-To'] = original_parsed.get('Message-ID', '')
        msg['References'] = original_parsed.get('Message-ID', '')
        msg['Auto-Submitted'] = 'auto-replied'
        msg['X-SES-Worker-Processed'] = 'ooo-reply'
        body_part = MIMEMultipart('alternative')
        # Text version
        text_content = f"{ooo_msg}\n\n--- Original Message ---\n"
        text_content += f"From: {original_from}\n"
        text_content += f"Subject: {original_subject}\n\n"
        text_content += text_body
        body_part.attach(MIMEText(text_content, 'plain', 'utf-8'))
        # HTML version (if desired and original available)
        if content_type == 'html' or html_body:
            html_content = f"<div>{ooo_msg}</div><br><hr><br>"
            html_content += "<strong>Original Message</strong><br>"
            html_content += f"<strong>From:</strong> {original_from}<br>"
            html_content += f"<strong>Subject:</strong> {original_subject}<br><br>"
            html_content += (html_body if html_body else text_body.replace('\n', '<br>'))
            body_part.attach(MIMEText(html_content, 'html', 'utf-8'))
        msg.attach(body_part)
        return msg
    @staticmethod
    def _create_forward_message(original_parsed, recipient: str, forward_to: str, original_from: str):
        """Create Forward message as complete MIME message"""
        original_subject = original_parsed.get('Subject', '(no subject)')
        original_date = original_parsed.get('Date', 'unknown')
        msg = MIMEMultipart('mixed')
        msg['From'] = recipient
        msg['To'] = forward_to
        msg['Subject'] = f"FWD: {original_subject}"
        msg['Date'] = formatdate(localtime=True)
        msg['Message-ID'] = make_msgid(domain=recipient.split('@')[1])
        msg['Reply-To'] = original_from
        msg['X-SES-Worker-Processed'] = 'forwarded'
        text_body, html_body = EmailParser.extract_body_parts(original_parsed)
        body_part = MIMEMultipart('alternative')
        # Text version
        fwd_text = "---------- Forwarded message ---------\n"
        fwd_text += f"From: {original_from}\n"
        fwd_text += f"Date: {original_date}\n"
        fwd_text += f"Subject: {original_subject}\n"
        fwd_text += f"To: {recipient}\n\n"
        fwd_text += text_body
        body_part.attach(MIMEText(fwd_text, 'plain', 'utf-8'))
        # HTML version
        if html_body:
            fwd_html = "<div style='border-left:3px solid #ccc;padding-left:10px;'>"
            fwd_html += "<strong>---------- Forwarded message ---------</strong><br>"
            fwd_html += f"<strong>From:</strong> {original_from}<br>"
            fwd_html += f"<strong>Date:</strong> {original_date}<br>"
            fwd_html += f"<strong>Subject:</strong> {original_subject}<br>"
            fwd_html += f"<strong>To:</strong> {recipient}<br><br>"
            fwd_html += html_body
            fwd_html += "</div>"
            body_part.attach(MIMEText(fwd_html, 'html', 'utf-8'))
        msg.attach(body_part)
        # Copy attachments - FIX FILENAMES
        if original_parsed.is_multipart():
            for part in original_parsed.walk():
                if part.get_content_maintype() == 'multipart':
                    continue
                if part.get_content_type() in ['text/plain', 'text/html']:
                    continue
                # Fix malformed filename in Content-Disposition
                content_disp = part.get('Content-Disposition', '')
                if 'filename=' in content_disp and '"' not in content_disp:
                    # Add quotes around filename with spaces
                    import re
                    fixed_disp = re.sub(r'filename=([^;"\s]+(?:\s+[^;"\s]+)*)', r'filename="\1"', content_disp)
                    part.replace_header('Content-Disposition', fixed_disp)
                msg.attach(part)
        return msg
--- a/email-worker/health_server.py
+++ b/email-worker/health_server.py
@@ -1,85 +0,0 @@
 #!/usr/bin/env python3
 """
 HTTP health check server
 """
 import sys
 import json
 import threading
 from http.server import HTTPServer, BaseHTTPRequestHandler
 from datetime import datetime
 from logger import log
 from config import config
 class SilentHTTPServer(HTTPServer):
    """HTTP Server that ignores connection reset errors from scanners"""
    def handle_error(self, request, client_address):
        exc_type = sys.exc_info()[0]
        if exc_type in (ConnectionResetError, BrokenPipeError, ConnectionAbortedError):
            pass  # Silently ignore - these are just scanners/health checks disconnecting
        else:
            log(f"Health server error from {client_address[0]}: {sys.exc_info()[1]}", 'WARNING')
 class HealthHandler(BaseHTTPRequestHandler):
    """Health check request handler"""
    worker = None  # Will be set by start_health_server()
    dynamodb_available = False
    def do_GET(self):
        if self.path == '/health' or self.path == '/':
            self.send_response(200)
            self.send_header('Content-Type', 'application/json')
            self.end_headers()
            status = {
                'status': 'healthy',
                'domains': len(self.worker.queue_urls) if self.worker else 0,
                'domain_list': list(self.worker.queue_urls.keys()) if self.worker else [],
                'dynamodb': self.dynamodb_available,
                'features': {
                    'bounce_rewriting': True,
                    'auto_reply': self.dynamodb_available,
                    'forwarding': self.dynamodb_available,
                    'blocklist': self.dynamodb_available,
                    'lmtp': config.lmtp_enabled
                },
                'timestamp': datetime.utcnow().isoformat()
            }
            self.wfile.write(json.dumps(status, indent=2).encode())
        elif self.path == '/domains':
            self.send_response(200)
            self.send_header('Content-Type', 'application/json')
            self.end_headers()
            domain_list = list(self.worker.queue_urls.keys()) if self.worker else []
            self.wfile.write(json.dumps(domain_list).encode())
        else:
            self.send_response(404)
            self.end_headers()
    def log_message(self, format, *args):
        pass  # Suppress HTTP access logs
 def start_health_server(worker, dynamodb_available: bool):
    """
    Start HTTP health check server
    Args:
        worker: UnifiedWorker instance
        dynamodb_available: Whether DynamoDB is available
    """
    # Set class attributes for handler
    HealthHandler.worker = worker
    HealthHandler.dynamodb_available = dynamodb_available
    server = SilentHTTPServer(('0.0.0.0', config.health_port), HealthHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True, name='health-server')
    thread.start()
    log(f"Health server on port {config.health_port}")
--- a/email-worker/logger.py
+++ b/email-worker/logger.py
@@ -1,21 +0,0 @@
 #!/usr/bin/env python3
 """
 Structured logging for email worker
 """
 import threading
 from datetime import datetime
 def log(message: str, level: str = 'INFO', worker_name: str = 'unified-worker'):
    """
    Structured logging with timestamp and thread info
    Args:
        message: Log message
        level: Log level (INFO, WARNING, ERROR, SUCCESS)
        worker_name: Name of the worker component
    """
    timestamp = datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S')
    thread_name = threading.current_thread().name
    print(f"[{timestamp}] [{level}] [{worker_name}] [{thread_name}] {message}", flush=True)
--- a/email-worker/main.py
+++ b/email-worker/main.py
@@ -1,50 +0,0 @@
 #!/usr/bin/env python3
 """
 Main entry point for unified email worker
 """
 import sys
 import signal
 from logger import log
 from config import config
 from unified_worker import UnifiedWorker
 from health_server import start_health_server
 from metrics.prometheus import start_metrics_server
 def main():
    """Main entry point"""
    # Create worker instance
    worker = UnifiedWorker()
    # Signal handlers for graceful shutdown
    def signal_handler(signum, frame):
        log(f"Received signal {signum}")
        worker.stop()
        sys.exit(0)
    signal.signal(signal.SIGTERM, signal_handler)
    signal.signal(signal.SIGINT, signal_handler)  # Fixed: was signalIGINT in old version
    # Setup worker
    worker.setup()
    # Start metrics server (if available)
    metrics = start_metrics_server(config.metrics_port)
    if metrics:
        worker.set_metrics(metrics)
    # Start health check server
    start_health_server(worker, worker.dynamodb.available)
    # Print startup banner
    worker.print_startup_banner()
    # Start worker
    worker.start()
 if __name__ == '__main__':
    main()
--- a/email-worker/metrics/init.py
+++ b/email-worker/metrics/init.py
@@ -1,8 +0,0 @@
 #!/usr/bin/env python3
 """
 Metrics collection
 """
 from .prometheus import MetricsCollector, start_metrics_server
 __all__ = ['MetricsCollector', 'start_metrics_server']
--- a/email-worker/metrics/prometheus.py
+++ b/email-worker/metrics/prometheus.py
@@ -1,142 +0,0 @@
 #!/usr/bin/env python3
 """
 Prometheus metrics collection
 """
 from typing import Optional
 from logger import log
 # Try to import Prometheus client
 try:
    from prometheus_client import start_http_server, Counter, Gauge, Histogram
    PROMETHEUS_ENABLED = True
 except ImportError:
    PROMETHEUS_ENABLED = False
 class MetricsCollector:
    """Collects and exposes Prometheus metrics"""
    def __init__(self):
        self.enabled = PROMETHEUS_ENABLED
        if self.enabled:
            # Email processing metrics
            self.emails_processed = Counter(
                'emails_processed_total',
                'Total emails processed',
                ['domain', 'status']
            )
            self.emails_in_flight = Gauge(
                'emails_in_flight',
                'Emails currently being processed'
            )
            self.processing_time = Histogram(
                'email_processing_seconds',
                'Time to process email',
                ['domain']
            )
            self.queue_size = Gauge(
                'queue_messages_available',
                'Messages in queue',
                ['domain']
            )
            # Bounce metrics
            self.bounces_processed = Counter(
                'bounces_processed_total',
                'Bounce notifications processed',
                ['domain', 'type']
            )
            # Rules metrics
            self.autoreplies_sent = Counter(
                'autoreplies_sent_total',
                'Auto-replies sent',
                ['domain']
            )
            self.forwards_sent = Counter(
                'forwards_sent_total',
                'Forwards sent',
                ['domain']
            )
            # Blocklist metrics
            self.blocked_senders = Counter(
                'blocked_senders_total',
                'Emails blocked by blacklist',
                ['domain']
            )
    def increment_processed(self, domain: str, status: str):
        """Increment processed email counter"""
        if self.enabled:
            self.emails_processed.labels(domain=domain, status=status).inc()
    def increment_in_flight(self):
        """Increment in-flight email gauge"""
        if self.enabled:
            self.emails_in_flight.inc()
    def decrement_in_flight(self):
        """Decrement in-flight email gauge"""
        if self.enabled:
            self.emails_in_flight.dec()
    def observe_processing_time(self, domain: str, seconds: float):
        """Record processing time"""
        if self.enabled:
            self.processing_time.labels(domain=domain).observe(seconds)
    def set_queue_size(self, domain: str, size: int):
        """Set queue size"""
        if self.enabled:
            self.queue_size.labels(domain=domain).set(size)
    def increment_bounce(self, domain: str, bounce_type: str):
        """Increment bounce counter"""
        if self.enabled:
            self.bounces_processed.labels(domain=domain, type=bounce_type).inc()
    def increment_autoreply(self, domain: str):
        """Increment autoreply counter"""
        if self.enabled:
            self.autoreplies_sent.labels(domain=domain).inc()
    def increment_forward(self, domain: str):
        """Increment forward counter"""
        if self.enabled:
            self.forwards_sent.labels(domain=domain).inc()
    def increment_blocked(self, domain: str):
        """Increment blocked sender counter"""
        if self.enabled:
            self.blocked_senders.labels(domain=domain).inc()
 def start_metrics_server(port: int) -> Optional[MetricsCollector]:
    """
    Start Prometheus metrics HTTP server
    Args:
        port: Port to listen on
    Returns:
        MetricsCollector instance or None if Prometheus not available
    """
    if not PROMETHEUS_ENABLED:
        log("⚠ Prometheus client not installed, metrics disabled", 'WARNING')
        return None
    try:
        start_http_server(port)
        log(f"Prometheus metrics on port {port}")
        return MetricsCollector()
    except Exception as e:
        log(f"Failed to start metrics server: {e}", 'ERROR')
        return None
--- a/email-worker/requirements.txt
+++ b/email-worker/requirements.txt
@@ -1,2 +0,0 @@
 boto3>=1.34.0
 prometheus-client>=0.19.0
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Andreas Knuth	947740232c	logo	2026-04-15 23:12:23 -05:00
Andreas Knuth	081a0fad4b	fix	2026-04-15 14:28:28 -05:00
Andreas Knuth	1e1265ef1b	batch imapsync	2026-04-15 13:49:31 -05:00
Andreas Knuth	9862689c0c	no markAsBlocked,	2026-04-12 20:43:37 -05:00
Andreas Knuth	bed6c2a398	fix	2026-04-03 17:03:14 -05:00
Andreas Knuth	27c2be664a	standby mode, sns or sqs	2026-04-03 16:54:51 -05:00
Andreas Knuth	7aed24bfff	Merge branch 'contabo'	2026-04-03 16:16:01 -05:00
Andreas Knuth	2ebe0484a4	create topic, subscription and queues per Domain	2026-04-03 16:15:20 -05:00
Andreas Knuth	61fce745af	moving certs	2026-03-24 20:23:34 -05:00
Andreas Knuth	b732cebd94	updated spam corrections	2026-03-20 10:33:33 -05:00
Andreas Knuth	36c122bf53	new spam config	2026-03-19 18:18:42 -05:00
Andreas Knuth	6e2a061cf3	add ip	2026-03-15 15:07:01 -05:00
Andreas Knuth	688d49e218	remove python worker	2026-03-13 20:12:52 -05:00
Andreas Knuth	6016fbe13d	remove version	2026-03-13 20:11:35 -05:00
Andreas Knuth	369be75066	fix	2026-03-13 17:52:54 -05:00
Andreas Knuth	2192f146ea	remove SRV Records	2026-03-13 17:03:17 -05:00
Andreas Knuth	a11ed8c526	fix	2026-03-12 19:27:07 -05:00
Andreas Knuth	4caa51991f	update for mobile	2026-03-12 19:11:36 -05:00
Andreas Knuth	386be31671	update autodiscover	2026-03-12 18:56:18 -05:00
Andreas Knuth	bd8efc867a	whitelist feature	2026-03-11 19:47:37 -05:00
Andreas Knuth	d331bd13b5	no buffer	2026-03-11 19:38:02 -05:00
Andreas Knuth	610b01eee7	whitelist helper	2026-03-11 19:26:32 -05:00
Andreas Knuth	c2d4903bc9	ENABLE_FAIL2BAN 0	2026-03-11 09:38:00 -05:00
Andreas Knuth	5e4859a5c4	changes from main branch	2026-03-08 16:32:16 -05:00
Andreas Knuth	613aa30493	logs	2026-03-08 16:15:41 -05:00
Andreas Knuth	29f360ece8	logger console + file	2026-03-08 16:09:30 -05:00
Andreas Knuth	62221e8121	fix	2026-03-08 14:54:33 -05:00
Andreas Knuth	74c4f5801e	Prometheus, Grafana, blackbox_exporter	2026-03-08 14:50:43 -05:00
Andreas Knuth	285ffffb3a	add missing import	2026-03-07 17:08:50 -06:00
Andreas Knuth	90b120957d	add missing import	2026-03-07 17:07:50 -06:00
Andreas Knuth	99ab2a07d8	send mail even if if parsing fails	2026-03-07 17:06:03 -06:00
Andreas Knuth	cd44449067	send mail even in case of parsing error ...	2026-03-07 17:04:50 -06:00
Andreas Knuth	757855866c	printstats	2026-03-07 16:44:53 -06:00
Andreas Knuth	d9a91c13ed	printstats	2026-03-07 16:41:51 -06:00
Andreas Knuth	12af8577f3	changes	2026-03-07 15:47:14 -06:00
Andreas Knuth	1d53f2d357	pino	2026-03-07 15:34:15 -06:00
Andreas Knuth	9586869c0c	neue Ports	2026-03-07 15:26:56 -06:00
Andreas Knuth	d1426afec5	new structure	2026-03-07 15:16:14 -06:00
Andreas Knuth	3ab46f163a	ipadresses	2026-03-07 15:05:44 -06:00
Andreas Knuth	56c7b51e35	changed blocked sender list	2026-03-07 15:01:56 -06:00
Andreas Knuth	c826d4c299	move and imports changed	2026-03-07 14:59:41 -06:00
Andreas Knuth	908bb76c3a	ip address change	2026-03-07 12:05:06 -06:00
Andreas Knuth	41514a7f51	Merge branch 'contabo' of git.bizmatch.net:aknuth/email-amazon into contabo	2026-03-07 12:02:34 -06:00
Andreas Knuth	4324a5785f	Merge branch 'main' into contabo	2026-03-07 12:02:22 -06:00
Andreas Knuth	a70ae78a93	Patch for blocklist	2026-03-07 11:56:54 -06:00
Andreas Knuth	6db032bd4c	fail2ban, ignoreip	2026-03-06 16:55:13 -06:00
Andreas Knuth	206ef9b20c	executable	2026-03-05 15:34:56 -06:00
Andreas Knuth	f1b2c33996	ENABLE_FAIL2BAN=1	2026-03-05 14:28:39 -06:00
Andreas Knuth	726df19a76	ignoreip for fail2ban	2026-03-05 11:03:32 -06:00
Andreas Knuth	f6601501c0	disabled fail2ban	2026-03-05 17:01:48 +00:00
Andreas Knuth	22d937ddfd	imapsync	2026-03-02 18:07:16 -06:00
Andreas Knuth	c56cae16d6	sdfsdf	2026-03-02 16:58:26 -06:00
Andreas Knuth	a090e940f1	sdfsdf	2026-03-02 16:55:47 -06:00
Andreas Knuth	282298c361	change	2026-03-02 16:55:02 -06:00
Andreas Knuth	d91152c035	autodiscover entfernt	2026-03-02 16:49:31 -06:00
Andreas Knuth	80596ab347	autodiscover	2026-03-02 16:48:55 -06:00
Andreas Knuth	7173da31d4	fix	2026-03-02 15:43:54 -06:00
Andreas Knuth	8995cede7d	flags SKIP_CLIENT_DNS and SKIP_DMARC	2026-03-02 15:40:55 -06:00
Andreas Knuth	a077b38998	outlook adoptions	2026-02-25 16:43:12 -06:00
Andreas Knuth	73dd442596	sdfsdf	2026-02-23 10:30:16 -06:00
Andreas Knuth	7920ab07b8	gfhgfh	2026-02-23 10:00:36 -06:00
Andreas Knuth	98c78d8dce	dfgdfg	2026-02-23 09:51:46 -06:00
Andreas Knuth	3381fd68c2	sdfsdf	2026-02-22 22:30:33 -06:00
Andreas Knuth	3f91936098	dfgdfg	2026-02-22 22:26:49 -06:00
Andreas Knuth	ee02d505c6	sdfsdf	2026-02-22 22:22:28 -06:00
Andreas Knuth	eea0fcc35d	sdfsdf	2026-02-22 22:16:22 -06:00
Andreas Knuth	7bc8cbb9f7	sdfsdf	2026-02-22 21:58:27 -06:00
Andreas Knuth	69fbb670f1	move	2026-02-22 21:51:09 -06:00
Andreas Knuth	39e862cdd5	dfgdfg	2026-02-22 21:47:03 -06:00
Andreas Knuth	b2d41e2baa	sdfsd	2026-02-22 21:44:13 -06:00
Andreas Knuth	552dd73f0a	sdfsd	2026-02-22 21:28:07 -06:00
Andreas Knuth	51405a3ec5	sdfsdf	2026-02-22 21:18:06 -06:00
Andreas Knuth	bd3b2db235	sdfsdf	2026-02-22 20:59:52 -06:00
Andreas Knuth	bbc24cbb63	sdfsd	2026-02-22 20:57:58 -06:00
Andreas Knuth	06e25b33e0	asdasd	2026-02-22 18:33:37 -06:00
Andreas Knuth	a5a7096cc7	sdfsdf	2026-02-22 18:30:04 -06:00
Andreas Knuth	c20d471036	removed	2026-02-22 18:20:35 -06:00
Andreas Knuth	0b0b7ddb82	dfgdfg	2026-02-22 18:06:23 -06:00
Andreas Knuth	42d16063a1	sdfdsf	2026-02-22 18:03:29 -06:00
Andreas Knuth	bf96810d09	sdfsdf	2026-02-22 18:00:42 -06:00
Andreas Knuth	4452dae34c	dfgdfg	2026-02-22 17:58:08 -06:00
Andreas Knuth	b1a295df85	sdfsdf	2026-02-22 16:06:54 -06:00
Andreas Knuth	7956d2d6f5	dgdfg	2026-02-22 16:06:30 -06:00
Andreas Knuth	915b0e59be	sdfsdf	2026-02-22 16:00:09 -06:00
Andreas Knuth	b90c8aec9e	dfgdfg	2026-02-22 15:51:33 -06:00
Andreas Knuth	dd41497f0b	asdasd	2026-02-22 15:45:28 -06:00
Andreas Knuth	8f0a899b66	sdsdf	2026-02-22 15:41:21 -06:00
Andreas Knuth	4ac32f43d0	xvcxv	2026-02-22 15:39:02 -06:00
Andreas Knuth	a1c7fecc27	sdf	2026-02-22 15:31:33 -06:00
Andreas Knuth	173b3f382f	dfgdf	2026-02-22 15:24:42 -06:00
Andreas Knuth	a84bb23af0	update	2026-02-22 15:10:20 -06:00
Andreas Knuth	3e656dacfa	update	2026-02-22 14:55:00 -06:00
Andreas Knuth	ce26d864b5	wildcard instead of *	2026-02-22 14:28:52 -06:00
Andreas Knuth	f9723b2b68	mail-certs	2026-02-22 13:36:01 -06:00
Andreas Knuth	956214f8c9	mail_network	2026-02-22 13:30:38 -06:00
Andreas Knuth	aee2335c48	import mail_certs	2026-02-22 13:19:58 -06:00
Andreas Knuth	8808d81113	update	2026-02-22 13:00:24 -06:00
Andreas Knuth	ee19b5b659	changes	2026-02-22 12:58:24 -06:00
Andreas Knuth	b072083318	caddy	2026-02-22 12:19:34 -06:00
Andreas Knuth	b321e6d2ec	BugFixes	2026-02-12 17:48:06 -06:00
Andreas Knuth	16469de068	new node.js impl., removed old stuff	2026-02-12 17:03:00 -06:00
Andreas Knuth	4343aefb76	lifecycle-configuration 14 days	2026-02-12 15:42:30 -06:00
Andreas Knuth	68f00e3873	log output	2026-02-12 10:11:14 -06:00
Andreas Knuth	e0555181a1	backup mails	2026-02-12 10:03:32 -06:00
Andreas Knuth	b3fd560ee1	backup emails	2026-02-12 10:00:36 -06:00
Andreas Knuth	9bb327eada	cleanup	2026-02-11 18:33:44 -06:00
Andreas Knuth	67c2440f4a	change home folder for dovecot	2026-02-11 17:47:44 -06:00
Andreas Knuth	94ec589a32	fix2	2026-02-10 18:50:19 -06:00
Andreas Knuth	ec6bb989f2	Fix	2026-02-10 18:41:55 -06:00
Andreas Knuth	63d12f8c7c	requeue	2026-02-10 18:35:45 -06:00
Andreas Knuth	663faa6a08	better logging	2026-02-10 18:22:31 -06:00
Andreas Knuth	494bfd6a10	lowercase	2026-02-10 17:51:41 -06:00
Andreas Knuth	665c1e611a	runnable	2026-02-10 17:23:16 -06:00
Andreas Knuth	9b8217cbd8	changes	2026-02-10 17:17:43 -06:00
Andreas Knuth	07e2449d04	cloudflare next	2026-02-10 14:26:02 -06:00
Andreas Knuth	3bd1ed14cf	Forward-Rule mit smtp_override → Mail geht nur zum alten Provider, keine DMS-Delivery Forward-Rule ohne smtp_override → normaler Forward + DMS-Delivery (bestehendes Verhalten) Keine Rule → nur DMS-Delivery (bestehendes Verhalten)	2026-02-10 11:57:10 -06:00
Andreas Knuth	994cf9055c	FROM_ADDR changed	2026-02-09 18:10:33 -06:00
Andreas Knuth	3849e3fc2d	fix for logger	2026-02-09 15:59:29 -06:00
Andreas Knuth	88d526aa00	log rotate	2026-02-09 15:47:24 -06:00
Andreas Knuth	d9b6399dc7	forward raw email	2026-02-09 14:04:00 -06:00
Andreas Knuth	a593db160b	DMS_CONTAINER="mailserver"	2026-02-09 13:33:02 -06:00
Andreas Knuth	c8bb77886a	message in english	2026-02-09 13:25:35 -06:00
Andreas Knuth	b3f84e91a8	executable	2026-02-09 13:14:51 -06:00
Andreas Knuth	6bfe33d3af	Merge branch 'main' of git.bizmatch.net:aknuth/email-amazon	2026-02-09 13:13:39 -06:00
Andreas Knuth	8c3db9db95	new scripts & new mail from	2026-02-09 13:13:30 -06:00
Andreas Knuth	6fccc0b2f9	Merge branch 'main' of git.bizmatch.net:aknuth/email-amazon	2026-02-09 10:58:31 -06:00
Andreas Knuth	1d66485068	new method _send_via_legacy_smtp	2026-02-09 10:58:03 -06:00
Andreas Knuth	38fcf8c4d8	script	2026-01-30 17:12:26 -06:00
Andreas Knuth	2026e6afcd	automated whitelist	2026-01-30 16:52:26 -06:00
Andreas Knuth	fd3c9bedda	whitelist based on Domains	2026-01-30 16:39:57 -06:00
Andreas Knuth	d74eb93763	ip instead of radix	2026-01-30 16:22:09 -06:00
Andreas Knuth	c3d992a479	moved	2026-01-30 16:14:29 -06:00
Andreas Knuth	aaec33365e	type = "radix";	2026-01-30 15:43:29 -06:00
Andreas Knuth	8d8b227f6b	next fix	2026-01-30 15:33:28 -06:00
Andreas Knuth	7fb7f33e72	try next fix	2026-01-30 14:18:01 -06:00
Andreas Knuth	4d22969238	IP Whitelisting	2026-01-30 09:56:02 -06:00
Andreas Knuth	81c62446f5	whitelisting	2026-01-29 21:23:59 -06:00
Andreas Knuth	1cb469b49d	move location	2026-01-29 21:10:56 -06:00
Andreas Knuth	51c5cf673c	rspamd pw	2026-01-29 20:59:57 -06:00
		`@@ -0,0 +1 @@`
							`password = "$2$eitni68mkfaaq957jx3bcx57sg1mmd9c$d9xyhjmmih7sjm3fpfu7r7tshhfm4ud93km65w5dkh151f5phiiy";`