check

DMS/batch_imapsync.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+# batch_imapsync.sh - Führt IMAP-Sync für alle User im Hintergrund aus
+# Format der CSV: email@domain.com,SecretPassword123
+
+HOST1=$1
+HOST2=$2
+CSV_FILE=$3
+
+if [ -z "$HOST1" ] || [ -z "$HOST2" ] || [ -z "$CSV_FILE" ]; then
+    echo "Usage: $0 <source-host> <target-host> <users.csv>"
+    echo "Beispiel: $0 secure.emailsrvr.com 147.93.132.244 stxmaterials.csv"
+    exit 1
+fi
+
+# ======================================================================
+# Die eigentliche Sync-Funktion (wird in den Hintergrund geschickt)
+# ======================================================================
+run_sync_jobs() {
+    TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+    LOG_DIR="sync_logs_$TIMESTAMP"
+    mkdir -p "$LOG_DIR"
+    
+    echo "Beginne Sync-Lauf am $(date)" > "batch_master_${TIMESTAMP}.log"
+
+    while IFS=, read -r email password; do
+        email=$(echo "$email" | tr -d '\r' | xargs)
+        password=$(echo "$password" | tr -d '\r' | xargs)
+        
+        [ -z "$email" ] && continue
+        
+        LOGFILE="$LOG_DIR/imapsync_${email}.log"
+        echo "[$(date)] Syncing $email -> $LOGFILE" >> "batch_master_${TIMESTAMP}.log"
+        
+        # Führe Docker imapsync für den aktuellen User aus
+        docker run --rm gilleslamiral/imapsync imapsync \
+            --host1 "$HOST1" --user1 "$email" --password1 "$password" --ssl1 \
+            --host2 "$HOST2" --user2 "$email" --password2 "$password" --ssl2 \
+            --automap > "$LOGFILE" 2>&1 < /dev/null
+            
+    done < "$CSV_FILE"
+    
+    echo "Alle Sync-Jobs beendet am $(date)" >> "batch_master_${TIMESTAMP}.log"
+}
+
+# ======================================================================
+# Skript-Start: Entkopplung vom Terminal
+# ======================================================================
+echo "🚀 Starte Batch-IMAP-Sync im Hintergrund..."
+
+# Rufe die Funktion auf, leite alle restlichen Ausgaben ins Nichts und schicke sie in den Hintergrund (&)
+run_sync_jobs </dev/null >/dev/null 2>&1 &
+
+echo "✅ Der Job läuft jetzt autark im Hintergrund (sequenziell)."
+echo "Du kannst das SSH-Terminal jetzt bedenkenlos schließen!"
+echo "Überwache den Gesamtfortschritt mit:"
+echo "  tail -f batch_master_*.log"
+echo "Oder die Details eines einzelnen Postfachs mit:"
+echo "  tail -f sync_logs_*/imapsync_<email>.log"

DMS/docker-compose.yml

@@ -9,10 +9,10 @@ services:
 
     # Node-spezifischer Hostname - A-Record zeigt auf DIESEN Server.
     # email-srvr.com selbst zeigt auf einen anderen Server und wird hier NICHT verwendet.
-    hostname: node1.email-srvr.com
+    hostname: ${NODE_HOSTNAME}
 
     ports:
-      - "25:25"
+      - "127.0.0.1:25:25"
       - "587:587"
       - "465:465"
       - "143:143"
@@ -61,8 +61,8 @@ services:
       # Kundendomain-SNI wird über postfix-main.cf + dovecot-sni.cf gesteuert.
       # -------------------------------------------------------
       - SSL_TYPE=manual
-      - SSL_CERT_PATH=/etc/mail/certs/node1.email-srvr.com/node1.email-srvr.com.crt
-      - SSL_KEY_PATH=/etc/mail/certs/node1.email-srvr.com/node1.email-srvr.com.key
+      - SSL_CERT_PATH=/etc/mail/certs/${NODE_HOSTNAME}/${NODE_HOSTNAME}.crt
+      - SSL_KEY_PATH=/etc/mail/certs/${NODE_HOSTNAME}/${NODE_HOSTNAME}.key
 
       # SPAM / Rspamd
       - ENABLE_OPENDKIM=1
@@ -107,7 +107,7 @@ services:
       # Postfix
       # POSTFIX_OVERRIDE_HOSTNAME: Was Postfix im EHLO/HELO Banner sendet.
       # node1.email-srvr.com passt zum TLS-Cert und ist der echte Hostname.
-      - POSTFIX_OVERRIDE_HOSTNAME=node1.email-srvr.com
+      - POSTFIX_OVERRIDE_HOSTNAME=${NODE_HOSTNAME}
       - POSTFIX_MYNETWORKS=172.16.0.0/12 172.17.0.0/12 172.18.0.0/12 [::1]/128 [fe80::]/64
       - POSTFIX_MAILBOX_SIZE_LIMIT=0
       - POSTFIX_MESSAGE_SIZE_LIMIT=0
@@ -120,7 +120,7 @@ services:
       mail_network:
         aliases:
           - mailserver
-          - node1.email-srvr.com
+          - ${NODE_HOSTNAME}
 
   roundcube:
     image: roundcube/roundcubemail:latest
@@ -136,10 +136,10 @@ services:
       - ROUNDCUBEMAIL_DB_USER=roundcube
       - ROUNDCUBEMAIL_DB_PASSWORD=${ROUNDCUBE_DB_PASSWORD}
       # Roundcube verbindet intern über den Docker-Alias
-      - ROUNDCUBEMAIL_DEFAULT_HOST=ssl://node1.email-srvr.com
+      - ROUNDCUBEMAIL_DEFAULT_HOST=ssl://${NODE_HOSTNAME}
       - ROUNDCUBEMAIL_DEFAULT_PORT=993
       # Interner Traffic ohne TLS
-      - ROUNDCUBEMAIL_SMTP_SERVER=ssl://node1.email-srvr.com
+      - ROUNDCUBEMAIL_SMTP_SERVER=ssl://${NODE_HOSTNAME}
       - ROUNDCUBEMAIL_SMTP_PORT=465
       
       # WICHTIG: Variablen LEER lassen, damit Roundcube keine Authentifizierung versucht!

basic_setup/check_logins.py

@@ -0,0 +1,90 @@
+#!/usr/bin/env python3
+import csv
+import imaplib
+import sys
+import time
+
+# Konfiguration
+IMAP_SERVER = "secure.emailsrvr.com"
+IMAP_PORT = 993
+DELAY_SECONDS = 1  # Kurze Pause, um Rate-Limiting oder Fail2Ban zu vermeiden
+
+def check_imap_login(email, password):
+    try:
+        # Verbindung zum IMAP-Server via SSL herstellen
+        mail = imaplib.IMAP4_SSL(IMAP_SERVER, IMAP_PORT)
+        mail.login(email, password)
+        mail.logout()
+        return True
+    except imaplib.IMAP4.error:
+        # Login fehlgeschlagen (falsches Passwort/User)
+        return False
+    except Exception as e:
+        print(f"  [!] Netzwerk- oder Serverfehler bei {email}: {e}")
+        return False
+
+def main(csv_filepath):
+    erfolgreich = []
+    fehlgeschlagen = []
+    uebersprungen = []
+
+    try:
+        with open(csv_filepath, mode='r', encoding='utf-8') as f:
+            # Nutze csv.reader für sauberes Parsing der Kommas
+            reader = csv.reader(f)
+            for row_num, row in enumerate(reader, start=1):
+                if not row:
+                    continue
+
+                email = row[0].strip()
+                # Prüfen, ob ein zweites Feld (Passwort) existiert und nicht leer ist
+                password = row[1].strip() if len(row) > 1 else ""
+
+                if not password:
+                    print(f"[{row_num}] Überspringe {email} (Kein Passwort)")
+                    uebersprungen.append(email)
+                    continue
+
+                print(f"[{row_num}] Prüfe {email}... ", end="", flush=True)
+
+                if check_imap_login(email, password):
+                    print("OK")
+                    erfolgreich.append(email)
+                else:
+                    print("FEHLGESCHLAGEN")
+                    fehlgeschlagen.append(email)
+
+                # Kurze Pause einlegen, um den Mailserver nicht zu fluten
+                time.sleep(DELAY_SECONDS)
+
+    except FileNotFoundError:
+        print(f"\nFehler: Die Datei '{csv_filepath}' wurde nicht gefunden.")
+        sys.exit(1)
+    except Exception as e:
+        print(f"\nEin unerwarteter Fehler ist aufgetreten: {e}")
+        sys.exit(1)
+
+    # Ausgabe der Zusammenfassung
+    print("\n" + "="*40)
+    print("ZUSAMMENFASSUNG DER PRÜFUNG")
+    print("="*40)
+
+    print(f"\nErfolgreich ({len(erfolgreich)}):")
+    for e in erfolgreich:
+        print(f"  - {e}")
+
+    print(f"\nFehlgeschlagen ({len(fehlgeschlagen)}):")
+    for e in fehlgeschlagen:
+        print(f"  - {e}")
+
+    print(f"\nÜbersprungen (kein Passwort) ({len(uebersprungen)}):")
+    for e in uebersprungen:
+        print(f"  - {e}")
+
+if __name__ == "__main__":
+    if len(sys.argv) != 2:
+        print("Verwendung: ./check_logins.py <pfad_zur_datei.csv>")
+        sys.exit(1)
+
+    csv_file = sys.argv[1]
+    main(csv_file)

basic_setup/create-queue.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # create-queue.sh (v2 — mit SNS Fan-Out + Standby Queue)
-# Usage: DOMAIN=andreasknuth.de ./create-queue.sh
+# Usage: DOMAIN_NAME=andreasknuth.de ./create-queue.sh
 #
 # Erstellt pro Domain:
 #   - Primary Queue + DLQ          (wie bisher, für Contabo)
@@ -12,13 +12,13 @@ set -e
 
 AWS_REGION="us-east-2"
 
-if [ -z "$DOMAIN" ]; then
-    echo "Error: DOMAIN environment variable not set"
-    echo "Usage: DOMAIN=andreasknuth.de $0"
+if [ -z "$DOMAIN_NAME" ]; then
+    echo "Error: DOMAIN_NAME environment variable not set"
+    echo "Usage: DOMAIN_NAME=andreasknuth.de $0"
     exit 1
 fi
 
-DOMAIN_SLUG="${DOMAIN//./-}"
+DOMAIN_SLUG="${DOMAIN_NAME//./-}"
 QUEUE_NAME="${DOMAIN_SLUG}-queue"
 DLQ_NAME="${QUEUE_NAME}-dlq"
 STANDBY_QUEUE_NAME="${DOMAIN_SLUG}-standby-queue"
@@ -31,9 +31,9 @@ echo "========================================"
 echo "Creating SQS + SNS for Email Delivery"
 echo "========================================"
 echo ""
-echo "📧 Domain:         $DOMAIN"
-echo "   Region:         $AWS_REGION"
-echo "   Account:        $ACCOUNT_ID"
+echo "📧 Domain:        $DOMAIN_NAME"
+echo "   Region:        $AWS_REGION"
+echo "   Account:       $ACCOUNT_ID"
 echo ""
 
 # ============================================================
@@ -184,7 +184,7 @@ echo ""
 # Zusammenfassung
 # ============================================================
 echo "========================================"
-echo "✅ Setup complete for $DOMAIN"
+echo "✅ Setup complete for $DOMAIN_NAME"
 echo "========================================"
 echo ""
 echo "Primary (Contabo):"

basic_setup/ses_sns_shim_global.py

@@ -8,24 +8,38 @@ from botocore.exceptions import ClientError
 import time
 import random
 
-# Logging konfigurieren
 logger = logging.getLogger()
 logger.setLevel(logging.INFO)
 
 sqs = boto3.client('sqs')
+sns = boto3.client('sns')
+sts_account_id = None
 
-# Retry-Konfiguration
 MAX_RETRIES = 3
-BASE_BACKOFF = 1  # Sekunden
+BASE_BACKOFF = 1
 
 def exponential_backoff(attempt):
-    """Exponential Backoff mit Jitter"""
     return BASE_BACKOFF * (2 ** attempt) + random.uniform(0, 1)
 
+def get_account_id():
+    global sts_account_id
+    if sts_account_id is None:
+        sts_account_id = boto3.client('sts').get_caller_identity()['Account']
+    return sts_account_id
+
+def get_topic_arn(domain):
+    """
+    Generiert Topic-ARN aus Domain.
+    Konvention: domain.tld -> domain-tld-topic
+    """
+    topic_name = domain.replace('.', '-') + '-topic'
+    region = os.environ.get('AWS_REGION', 'us-east-2')
+    account_id = get_account_id()
+    return f"arn:aws:sns:{region}:{account_id}:{topic_name}"
+
 def get_queue_url(domain):
     """
-    Generiert Queue-Namen aus Domain und holt URL.
-    Konvention: domain.tld -> domain-tld-queue
+    Fallback: Direkter SQS-Send für Domains ohne SNS-Topic.
     """
     queue_name = domain.replace('.', '-') + '-queue'
     try:
@@ -38,11 +52,53 @@ def get_queue_url(domain):
         else:
             raise
 
+def publish_to_sns(topic_arn, message_body, msg_id):
+    attempt = 0
+    while attempt < MAX_RETRIES:
+        try:
+            sns.publish(
+                TopicArn=topic_arn,
+                Message=message_body
+            )
+            logger.info(f"✅ Published {msg_id} to SNS: {topic_arn}")
+            return True
+        except ClientError as e:
+            error_code = e.response['Error']['Code']
+            # Fallback auf SQS bei Topic-nicht-gefunden ODER fehlender Berechtigung
+            if error_code in ('NotFound', 'NotFoundException', 'AuthorizationError'):
+                logger.info(f"ℹ️ SNS unavailable for {topic_arn} ({error_code}) — falling back to SQS")
+                return False
+            attempt += 1
+            logger.warning(f"Retry {attempt}/{MAX_RETRIES} SNS: {error_code}")
+            if attempt == MAX_RETRIES:
+                raise
+            time.sleep(exponential_backoff(attempt))
+    return False
+
+def send_to_sqs(queue_url, message_body, msg_id):
+    """Fallback: Direkter SQS-Send (wie bisher)."""
+    attempt = 0
+    while attempt < MAX_RETRIES:
+        try:
+            sqs.send_message(
+                QueueUrl=queue_url,
+                MessageBody=message_body
+            )
+            logger.info(f"✅ Sent {msg_id} to SQS: {queue_url}")
+            return
+        except ClientError as e:
+            attempt += 1
+            error_code = e.response['Error']['Code']
+            logger.warning(f"Retry {attempt}/{MAX_RETRIES} SQS: {error_code}")
+            if attempt == MAX_RETRIES:
+                raise
+            time.sleep(exponential_backoff(attempt))
+
 def lambda_handler(event, context):
     """
-    Nimmt SES Event entgegen, extrahiert Domain dynamisch,
-    verpackt Metadaten als 'Fake SNS' und sendet an die domain-spezifische SQS.
-    Mit integrierter Retry-Logik für SQS-Send.
+    Nimmt SES Event entgegen, extrahiert Domain dynamisch.
+    Strategie: SNS Publish (Fan-Out an Primary + Standby Queue).
+    Fallback: Direkter SQS-Send falls kein SNS-Topic existiert.
     """
     try:
         records = event.get('Records', [])
@@ -51,13 +107,12 @@ def lambda_handler(event, context):
         for record in records:
             ses_data = record.get('ses', {})
             if not ses_data:
-                logger.warning(f"Invalid SES event: Missing 'ses' in record: {record}")
+                logger.warning(f"Invalid SES event: Missing 'ses' in record")
                 continue
 
             mail = ses_data.get('mail', {})
             receipt = ses_data.get('receipt', {})
 
-            # Domain extrahieren (aus erstem Recipient)
             recipients = receipt.get('recipients', []) or mail.get('destination', [])
             if not recipients:
                 logger.warning("No recipients in event - skipping")
@@ -69,23 +124,19 @@ def lambda_handler(event, context):
                 logger.error("Could not extract domain from recipient")
                 continue
 
-            # Wichtige Metadaten loggen
             msg_id = mail.get('messageId', 'unknown')
             source = mail.get('source', 'unknown')
             logger.info(f"Processing Message-ID: {msg_id} for domain: {domain}")
-            logger.info(f" From: {source}")
-            logger.info(f" To: {recipients}")
+            logger.info(f"  From: {source}")
+            logger.info(f"  To: {recipients}")
 
-            # SES JSON als String serialisieren
             ses_json_string = json.dumps(ses_data)
 
-            # Payload Größe loggen und checken (Safeguard)
             payload_size = len(ses_json_string.encode('utf-8'))
-            logger.info(f" Metadata Payload Size: {payload_size} bytes")
-            if payload_size > 200000:  # Arbitrary Limit < SQS 256KB
-                raise ValueError("Payload too large for SQS")
+            logger.info(f"  Metadata Payload Size: {payload_size} bytes")
+            if payload_size > 200000:
+                raise ValueError("Payload too large")
 
-            # Fake SNS Payload
             fake_sns_payload = {
                 "Type": "Notification",
                 "MessageId": str(uuid.uuid4()),
@@ -95,26 +146,16 @@ def lambda_handler(event, context):
                 "Timestamp": datetime.utcnow().isoformat() + "Z"
             }
 
-            # Queue URL dynamisch holen
-            queue_url = get_queue_url(domain)
+            message_body = json.dumps(fake_sns_payload)
 
-            # SQS Send mit Retries
-            attempt = 0
-            while attempt < MAX_RETRIES:
-                try:
-                    sqs.send_message(
-                        QueueUrl=queue_url,
-                        MessageBody=json.dumps(fake_sns_payload)
-                    )
-                    logger.info(f"✅ Successfully forwarded {msg_id} to SQS: {queue_url}")
-                    break
-                except ClientError as e:
-                    attempt += 1
-                    error_code = e.response['Error']['Code']
-                    logger.warning(f"Retry {attempt}/{MAX_RETRIES} for SQS send: {error_code} - {str(e)}")
-                    if attempt == MAX_RETRIES:
-                        raise
-                    time.sleep(exponential_backoff(attempt))
+            # Strategie: SNS zuerst, SQS als Fallback
+            topic_arn = get_topic_arn(domain)
+            sns_success = publish_to_sns(topic_arn, message_body, msg_id)
+
+            if not sns_success:
+                # Kein SNS-Topic für diese Domain → direkt in SQS (wie bisher)
+                queue_url = get_queue_url(domain)
+                send_to_sqs(queue_url, message_body, msg_id)
 
         return {'status': 'ok'}
 

caddy/Dockerfile.caddy

@@ -7,7 +7,16 @@ RUN xcaddy build ${CADDY_VERSION} \
   --with github.com/caddy-dns/cloudflare \
   --with github.com/caddyserver/replace-response
 
+# Autodiscover Handler in Go bauen (Go ist im Builder-Image bereits verfügbar)
+COPY autodiscover-handler.go /src/autodiscover-handler.go
+WORKDIR /src
+RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /usr/bin/autodiscover-handler autodiscover-handler.go
+
 FROM caddy:${CADDY_VERSION}
 COPY --from=builder /usr/bin/caddy /usr/bin/caddy
-RUN mkdir -p /var/log/caddy
+COPY --from=builder /usr/bin/autodiscover-handler /usr/local/bin/autodiscover-handler
+COPY start.sh /usr/local/bin/start.sh
+RUN chmod +x /usr/local/bin/start.sh /usr/local/bin/autodiscover-handler \
+    && mkdir -p /var/log/caddy
 
+CMD ["/usr/local/bin/start.sh"]

caddy/autodiscover-handler.go

@@ -0,0 +1,109 @@
+package main
+
+import (
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"regexp"
+	"strings"
+)
+
+const port = "8280"
+
+var emailRegex = regexp.MustCompile(`(?i)<EMailAddress>([^<]+)</EMailAddress>`)
+
+func main() {
+	http.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprint(w, "OK")
+	})
+
+	http.HandleFunc("/autodiscover/autodiscover.xml", handleAutodiscover)
+	// Outlook sendet manchmal mit Großbuchstaben
+	http.HandleFunc("/Autodiscover/Autodiscover.xml", handleAutodiscover)
+	http.HandleFunc("/AutoDiscover/AutoDiscover.xml", handleAutodiscover)
+
+	log.Printf("[autodiscover] Listening on port %s", port)
+	if err := http.ListenAndServe(":"+port, nil); err != nil {
+		log.Fatal(err)
+	}
+}
+
+func handleAutodiscover(w http.ResponseWriter, r *http.Request) {
+	var email string
+
+	if r.Method == http.MethodPost {
+		body, err := io.ReadAll(r.Body)
+		if err == nil {
+			if match := emailRegex.FindStringSubmatch(string(body)); len(match) > 1 {
+				email = strings.TrimSpace(match[1])
+			}
+		}
+		r.Body.Close()
+	}
+
+	var domain string
+	if email != "" {
+		parts := strings.SplitN(email, "@", 2)
+		if len(parts) == 2 {
+			domain = parts[1]
+		}
+	}
+	if domain == "" {
+		domain = extractDomainFromHost(r.Host)
+	}
+
+	log.Printf("[autodiscover] %s from %s - email=%q domain=%s", r.Method, r.RemoteAddr, email, domain)
+
+	w.Header().Set("Content-Type", "application/xml")
+	w.WriteHeader(http.StatusOK)
+	fmt.Fprint(w, buildResponse(domain, email))
+}
+
+func extractDomainFromHost(host string) string {
+	// Strip port
+	if idx := strings.Index(host, ":"); idx >= 0 {
+		host = host[:idx]
+	}
+	parts := strings.Split(host, ".")
+	if len(parts) >= 3 && strings.EqualFold(parts[0], "autodiscover") {
+		return strings.Join(parts[1:], ".")
+	}
+	if len(parts) >= 2 {
+		return strings.Join(parts[len(parts)-2:], ".")
+	}
+	return host
+}
+
+func buildResponse(domain, loginName string) string {
+	return fmt.Sprintf(`<?xml version="1.0" encoding="utf-8"?>
+<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
+  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
+    <Account>
+      <AccountType>email</AccountType>
+      <Action>settings</Action>
+      <Protocol>
+        <Type>IMAP</Type>
+        <Server>imap.%s</Server>
+        <Port>993</Port>
+        <DomainRequired>off</DomainRequired>
+        <LoginName>%s</LoginName>
+        <SPA>off</SPA>
+        <SSL>on</SSL>
+        <AuthRequired>on</AuthRequired>
+      </Protocol>
+      <Protocol>
+        <Type>SMTP</Type>
+        <Server>smtp.%s</Server>
+        <Port>465</Port>
+        <DomainRequired>off</DomainRequired>
+        <LoginName>%s</LoginName>
+        <SPA>off</SPA>
+        <SSL>on</SSL>
+        <AuthRequired>on</AuthRequired>
+      </Protocol>
+    </Account>
+  </Response>
+</Autodiscover>`, domain, loginName, domain, loginName)
+}

caddy/email-setup/setup.html

@@ -35,7 +35,7 @@
 <body>
 
 <div class="card">
-    <img src="/logo.png" alt="Logo" class="logo">
+    <img src="/email-setup/logo.png" alt="Logo" class="logo">
     
     <div id="input-section">
         <h1>Email Setup</h1>

caddy/start.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+# Autodiscover handler im Hintergrund starten
+/usr/local/bin/autodiscover-handler &
+
+# Caddy im Vordergrund
+exec caddy run --config /etc/caddy/Caddyfile --adapter caddyfile

caddy/update-caddy-certs.sh

@@ -78,36 +78,7 @@ OUTPUT="${OUTPUT}(email_settings) {\n"
 # --- 1. Outlook Classic Autodiscover (POST + GET XML) ---
 OUTPUT="${OUTPUT}    # Outlook Autodiscover (XML) - POST und GET\n"
 OUTPUT="${OUTPUT}    route /autodiscover/autodiscover.xml {\n"
-OUTPUT="${OUTPUT}        header Content-Type \"application/xml\"\n"
-OUTPUT="${OUTPUT}        respond \`<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
-OUTPUT="${OUTPUT}<Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006\">\n"
-OUTPUT="${OUTPUT}  <Response xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a\">\n"
-OUTPUT="${OUTPUT}    <Account>\n"
-OUTPUT="${OUTPUT}      <AccountType>email</AccountType>\n"
-OUTPUT="${OUTPUT}      <Action>settings</Action>\n"
-OUTPUT="${OUTPUT}      <Protocol>\n"
-OUTPUT="${OUTPUT}        <Type>IMAP</Type>\n"
-OUTPUT="${OUTPUT}        <Server>imap.{labels.1}.{labels.0}</Server>\n"
-OUTPUT="${OUTPUT}        <Port>993</Port>\n"
-OUTPUT="${OUTPUT}        <DomainRequired>off</DomainRequired>\n"
-OUTPUT="${OUTPUT}        <LoginName></LoginName>\n"
-OUTPUT="${OUTPUT}        <SPA>off</SPA>\n"
-OUTPUT="${OUTPUT}        <SSL>on</SSL>\n"
-OUTPUT="${OUTPUT}        <AuthRequired>on</AuthRequired>\n"
-OUTPUT="${OUTPUT}      </Protocol>\n"
-OUTPUT="${OUTPUT}      <Protocol>\n"
-OUTPUT="${OUTPUT}        <Type>SMTP</Type>\n"
-OUTPUT="${OUTPUT}        <Server>smtp.{labels.1}.{labels.0}</Server>\n"
-OUTPUT="${OUTPUT}        <Port>465</Port>\n"
-OUTPUT="${OUTPUT}        <DomainRequired>off</DomainRequired>\n"
-OUTPUT="${OUTPUT}        <LoginName></LoginName>\n"
-OUTPUT="${OUTPUT}        <SPA>off</SPA>\n"
-OUTPUT="${OUTPUT}        <SSL>on</SSL>\n"
-OUTPUT="${OUTPUT}        <AuthRequired>on</AuthRequired>\n"
-OUTPUT="${OUTPUT}      </Protocol>\n"
-OUTPUT="${OUTPUT}    </Account>\n"
-OUTPUT="${OUTPUT}  </Response>\n"
-OUTPUT="${OUTPUT}</Autodiscover>\` 200\n"
+OUTPUT="${OUTPUT}      reverse_proxy localhost:8280\n"
 OUTPUT="${OUTPUT}    }\n"
 OUTPUT="${OUTPUT}\n"
 
@@ -135,14 +106,14 @@ OUTPUT="${OUTPUT}      <hostname>imap.{labels.1}.{labels.0}</hostname>\n"
 OUTPUT="${OUTPUT}      <port>993</port>\n"
 OUTPUT="${OUTPUT}      <socketType>SSL</socketType>\n"
 OUTPUT="${OUTPUT}      <authentication>password-cleartext</authentication>\n"
-OUTPUT="${OUTPUT}      <username>%%EMAILADDRESS%%</username>\n"
+OUTPUT="${OUTPUT}      <username>%EMAILADDRESS%</username>\n"
 OUTPUT="${OUTPUT}    </incomingServer>\n"
 OUTPUT="${OUTPUT}    <outgoingServer type=\"smtp\">\n"
 OUTPUT="${OUTPUT}      <hostname>smtp.{labels.1}.{labels.0}</hostname>\n"
 OUTPUT="${OUTPUT}      <port>465</port>\n"
 OUTPUT="${OUTPUT}      <socketType>SSL</socketType>\n"
 OUTPUT="${OUTPUT}      <authentication>password-cleartext</authentication>\n"
-OUTPUT="${OUTPUT}      <username>%%EMAILADDRESS%%</username>\n"
+OUTPUT="${OUTPUT}      <username>%EMAILADDRESS%</username>\n"
 OUTPUT="${OUTPUT}    </outgoingServer>\n"
 OUTPUT="${OUTPUT}  </emailProvider>\n"
 OUTPUT="${OUTPUT}</clientConfig>\` 200\n"

email-worker-nodejs/docker-compose.yml

@@ -10,12 +10,14 @@ services:
     ports:
       - "9000:8000"   # Prometheus metrics (Host:Container)
       - "9090:8080"   # Health check (Host:Container)
-    # Connect to DMS on the host or Docker network
-    extra_hosts:
-      - "host.docker.internal:host-gateway"
     environment:
-      - SMTP_HOST=host.docker.internal
+      - SMTP_HOST=mailserver
       - SMTP_PORT=25
+    networks:
+      - mail_network      
 
 volumes:
   worker-logs:
+networks:
+  mail_network:
+    external: true

email-worker-nodejs/src/config.ts

@@ -48,6 +48,9 @@ export const config = {
   // Monitoring
   metricsPort: parseInt(process.env.METRICS_PORT ?? '8000', 10),
   healthPort: parseInt(process.env.HEALTH_PORT ?? '8080', 10),
+
+  queueSuffix: process.env.QUEUE_SUFFIX ?? '-queue',
+  standbyMode: (process.env.STANDBY_MODE ?? 'false').toLowerCase() === 'true',
 } as const;
 
 export type Config = typeof config;
@@ -106,7 +109,7 @@ export function isInternalAddress(email: string): boolean {
 
 /** Convert domain to SQS queue name: bizmatch.net → bizmatch-net-queue */
 export function domainToQueueName(domain: string): string {
-  return domain.replace(/\./g, '-') + '-queue';
+  return domain.replace(/\./g, '-') + config.queueSuffix;
 }
 
 /** Convert domain to S3 bucket name: bizmatch.net → bizmatch-net-emails */

email-worker-nodejs/src/email/rules-processor.ts

@@ -36,6 +36,9 @@ export class RulesProcessor {
     workerName: string,
     metricsCallback?: MetricsCallback,
   ): Promise<boolean> {
+    if (config.standbyMode) {
+        return false;
+    }    
     const rule = await this.dynamodb.getEmailRules(recipient.toLowerCase());
     if (!rule) return false;
 

email-worker-nodejs/src/worker/message-processor.ts

@@ -26,7 +26,7 @@ import { BlocklistChecker } from '../email/blocklist.js';
 import { BounceHandler } from '../email/bounce-handler.js';
 import { parseEmail, isProcessedByWorker } from '../email/parser.js';
 import { RulesProcessor } from '../email/rules-processor.js';
-
+import { config } from '../config.js';
 // ---------------------------------------------------------------------------
 // Processor
 // ---------------------------------------------------------------------------
@@ -258,34 +258,40 @@ export class MessageProcessor {
 
       if (totalHandled === recipients.length) {
         if (blockedRecipients.length === recipients.length) {
-          // All blocked
-          try {
-            await this.s3.markAsBlocked(
-              domain,
-              messageId,
-              blockedRecipients,
-              fromAddrFinal,
-              workerName,
-            );
-            await this.s3.deleteBlockedEmail(domain, messageId, workerName);
-          } catch (err: any) {
-            log(`⚠ Failed to handle blocked email: ${err.message ?? err}`, 'ERROR', workerName);
-            return false;
+          // All blocked — im Standby kein S3 anfassen
+          if (!config.standbyMode) {
+            try {
+              await this.s3.markAsBlocked(
+                domain,
+                messageId,
+                blockedRecipients,
+                fromAddrFinal,
+                workerName,
+              );
+              await this.s3.deleteBlockedEmail(domain, messageId, workerName);
+            } catch (err: any) {
+              log(`⚠ Failed to handle blocked email: ${err.message ?? err}`, 'ERROR', workerName);
+              return false;
+            }
           }
         } else if (successful.length > 0) {
-          await this.s3.markAsProcessed(
-            domain,
-            messageId,
-            workerName,
-            failedPermanent.length > 0 ? failedPermanent : undefined,
-          );
+          if (!config.standbyMode) {
+            await this.s3.markAsProcessed(
+              domain,
+              messageId,
+              workerName,
+              failedPermanent.length > 0 ? failedPermanent : undefined,
+            );
+          }
         } else if (failedPermanent.length > 0) {
-          await this.s3.markAsAllInvalid(
-            domain,
-            messageId,
-            failedPermanent,
-            workerName,
-          );
+          if (!config.standbyMode) {
+            await this.s3.markAsAllInvalid(
+              domain,
+              messageId,
+              failedPermanent,
+              workerName,
+            );
+          }
         }
 
         // Summary