Smtp Network Filter in contrib

api/contrib/envoy/extensions/filters/network/smtp_proxy/v3alpha/BUILD

@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+ deps = [
+ "//envoy/config/accesslog/v3:pkg",
+ "@com_github_cncf_udpa//udpa/annotations:pkg",
+ ],
+)

api/contrib/envoy/extensions/filters/network/smtp_proxy/v3alpha/smtp_proxy.proto

@@ -0,0 +1,47 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.smtp_proxy.v3alpha;
+
+import "envoy/config/accesslog/v3/accesslog.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.smtp_proxy.v3alpha";
+option java_outer_classname = "SmtpProxyProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/smtp_proxy/v3alpha";
+option (udpa.annotations.file_status).work_in_progress = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: SMTP Proxy]
+// SMTP Proxy :ref:`configuration overview
+// <config_network_filters_smtp_proxy>`.
+// [#extension: envoy.filters.network.smtp_proxy]
+
+message SmtpProxy {
+ // Upstream TLS operational modes.
+ enum UpstreamTLSMode {
+ // Do not encrypt upstream connection to the server.
+ DISABLE = 0;
+
+ // Establish upstream TLS connection to the server. If the server does not
+ // accept the request for TLS connection, the session is terminated.
+ REQUIRE = 1;
+ }
+
+ // The human readable prefix to use when emitting :ref:`statistics
+ // <config_network_filters_smtp_proxy_stats>`.
+ string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+ // If enabled, filter will generate x-req-id to identify smtp session/transaction and send it to upstream.
+ bool tracing = 2;
+
+ // Controls whether to establish upstream TLS connection to the server.
+ // Defaults to DISABLE.
+ UpstreamTLSMode upstream_tls = 3;
+
+ // Configuration for :ref:`access logs <arch_overview_access_logs>`
+ // emitted by the SMTP Filter.
+ repeated config.accesslog.v3.AccessLog access_log = 4;
+}

api/envoy/config/filter/http/jwt_authn/v2alpha/config.proto

@@ -391,8 +391,7 @@ message FilterStateRule {
 
  // A map of string keys to requirements. The string key is the string value
  // in the FilterState with the name specified in the *name* field above.
- map<string, JwtRequirement>
- requires = 3;
+ map<string, JwtRequirement> requires = 3;
 }
 
 // This is the Envoy HTTP filter config for JWT authentication.

api/envoy/extensions/filters/http/jwt_authn/v3/config.proto

@@ -611,8 +611,7 @@ message FilterStateRule {
 
  // A map of string keys to requirements. The string key is the string value
  // in the FilterState with the name specified in the ``name`` field above.
- map<string, JwtRequirement>
- requires = 3;
+ map<string, JwtRequirement> requires = 3;
 }
 
 // This is the Envoy HTTP filter config for JWT authentication.

api/versioning/BUILD

@@ -29,6 +29,7 @@ proto_library(
  "//contrib/envoy/extensions/filters/network/sip_proxy/router/v3alpha:pkg",
  "//contrib/envoy/extensions/filters/network/sip_proxy/tra/v3alpha:pkg",
  "//contrib/envoy/extensions/filters/network/sip_proxy/v3alpha:pkg",
+ "//contrib/envoy/extensions/filters/network/smtp_proxy/v3alpha:pkg",
  "//contrib/envoy/extensions/matching/input_matchers/hyperscan/v3alpha:pkg",
  "//contrib/envoy/extensions/network/connection_balance/dlb/v3alpha:pkg",
  "//contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha:pkg",

contrib/contrib_build_config.bzl

@@ -4,71 +4,71 @@ CONTRIB_EXTENSIONS = {
  # HTTP filters
  #
 
- "envoy.filters.http.dynamo": "//contrib/dynamo/filters/http/source:config",
- "envoy.filters.http.golang": "//contrib/golang/filters/http/source:config",
- "envoy.filters.http.language": "//contrib/language/filters/http/source:config_lib",
- "envoy.filters.http.squash": "//contrib/squash/filters/http/source:config",
- "envoy.filters.http.sxg": "//contrib/sxg/filters/http/source:config",
+ # "envoy.filters.http.dynamo": "//contrib/dynamo/filters/http/source:config",
+ # "envoy.filters.http.golang": "//contrib/golang/filters/http/source:config",
+ # "envoy.filters.http.language": "//contrib/language/filters/http/source:config_lib",
+ # "envoy.filters.http.squash": "//contrib/squash/filters/http/source:config",
+ # "envoy.filters.http.sxg": "//contrib/sxg/filters/http/source:config",
 
  #
  # Network filters
  #
 
- "envoy.filters.network.client_ssl_auth": "//contrib/client_ssl_auth/filters/network/source:config",
- "envoy.filters.network.kafka_broker": "//contrib/kafka/filters/network/source:kafka_broker_config_lib",
- "envoy.filters.network.kafka_mesh": "//contrib/kafka/filters/network/source/mesh:config_lib",
- "envoy.filters.network.mysql_proxy": "//contrib/mysql_proxy/filters/network/source:config",
- "envoy.filters.network.postgres_proxy": "//contrib/postgres_proxy/filters/network/source:config",
- "envoy.filters.network.rocketmq_proxy": "//contrib/rocketmq_proxy/filters/network/source:config",
+ # "envoy.filters.network.client_ssl_auth": "//contrib/client_ssl_auth/filters/network/source:config",
+ # "envoy.filters.network.kafka_broker": "//contrib/kafka/filters/network/source:kafka_broker_config_lib",
+ # "envoy.filters.network.kafka_mesh": "//contrib/kafka/filters/network/source/mesh:config_lib",
+ # "envoy.filters.network.mysql_proxy": "//contrib/mysql_proxy/filters/network/source:config",
+ # "envoy.filters.network.postgres_proxy": "//contrib/postgres_proxy/filters/network/source:config",
+ # "envoy.filters.network.rocketmq_proxy": "//contrib/rocketmq_proxy/filters/network/source:config",
  "envoy.filters.network.generic_proxy": "//contrib/generic_proxy/filters/network/source:config",
-
+ "envoy.filters.network.smtp_proxy": "//contrib/smtp_proxy/filters/network/source:config",
  #
  # Sip proxy
  #
 
- "envoy.filters.network.sip_proxy": "//contrib/sip_proxy/filters/network/source:config",
- "envoy.filters.sip.router": "//contrib/sip_proxy/filters/network/source/router:config",
+ # "envoy.filters.network.sip_proxy": "//contrib/sip_proxy/filters/network/source:config",
+ # "envoy.filters.sip.router": "//contrib/sip_proxy/filters/network/source/router:config",
 
  #
  # Private key providers
  #
 
- "envoy.tls.key_providers.cryptomb": "//contrib/cryptomb/private_key_providers/source:config",
- "envoy.tls.key_providers.qat": "//contrib/qat/private_key_providers/source:config",
+ # "envoy.tls.key_providers.cryptomb": "//contrib/cryptomb/private_key_providers/source:config",
+ # "envoy.tls.key_providers.qat": "//contrib/qat/private_key_providers/source:config",
 
  #
  # Socket interface extensions
  #
 
- "envoy.bootstrap.vcl": "//contrib/vcl/source:config",
+ # "envoy.bootstrap.vcl": "//contrib/vcl/source:config",
 
  #
  # Input matchers
  #
 
- "envoy.matching.input_matchers.hyperscan": "//contrib/hyperscan/matching/input_matchers/source:config",
+ # "envoy.matching.input_matchers.hyperscan": "//contrib/hyperscan/matching/input_matchers/source:config",
 
  #
  # Connection Balance extensions
  #
 
- "envoy.network.connection_balance.dlb": "//contrib/network/connection_balance/dlb/source:connection_balancer",
+ # "envoy.network.connection_balance.dlb": "//contrib/network/connection_balance/dlb/source:connection_balancer",
 
  #
  # Regex engines
  #
 
- "envoy.regex_engines.hyperscan": "//contrib/hyperscan/regex_engines/source:config",
+ # "envoy.regex_engines.hyperscan": "//contrib/hyperscan/regex_engines/source:config",
 
  #
  # Extensions for generic proxy
  #
- "envoy.filters.generic.router": "//contrib/generic_proxy/filters/network/source/router:config",
- "envoy.generic_proxy.codecs.dubbo": "//contrib/generic_proxy/filters/network/source/codecs/dubbo:config",
+ # "envoy.filters.generic.router": "//contrib/generic_proxy/filters/network/source/router:config",
+ # "envoy.generic_proxy.codecs.dubbo": "//contrib/generic_proxy/filters/network/source/codecs/dubbo:config",
 
  #
  # xDS delegates
  #
 
- "envoy.xds_delegates.kv_store": "//contrib/config/source:kv_store_xds_delegate",
+ # "envoy.xds_delegates.kv_store": "//contrib/config/source:kv_store_xds_delegate",
 }

contrib/extensions_metadata.yaml

@@ -117,3 +117,8 @@ envoy.generic_proxy.codecs.dubbo:
  status: wip
  type_urls:
  - envoy.extensions.filters.network.generic_proxy.codecs.dubbo.v3.DubboCodecConfig
+envoy.filters.network.smtp_proxy:
+ categories:
+ - envoy.filters.network
+ security_posture: requires_trusted_downstream_and_upstream
+ status: alpha

contrib/smtp_proxy/filters/network/source/BUILD

@@ -0,0 +1,109 @@
+load(
+ "//bazel:envoy_build_system.bzl",
+ "envoy_cc_contrib_extension",
+ "envoy_cc_library",
+ "envoy_contrib_package",
+)
+
+licenses(["notice"]) # Apache 2
+
+envoy_contrib_package()
+
+#package(default_visibility = ["//visibility:public"])
+
+# SMTP proxy L7 network filter.
+# Public docs: https://envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/smtp_proxy_filter
+
+envoy_cc_library(
+ name = "filter",
+ srcs = [
+ "smtp_filter.cc",
+ ],
+ hdrs = [
+ "smtp_filter.h",
+ ],
+ repository = "@envoy",
+ deps = [
+ "smtp_decoder_lib",
+ "//envoy/access_log:access_log_interface",
+ "//envoy/network:filter_interface",
+ "//envoy/server:filter_config_interface",
+ "//envoy/stats:stats_interface",
+ "//envoy/stats:stats_macros",
+ "//source/common/buffer:buffer_lib",
+ "//source/common/network:filter_lib",
+ "//source/extensions/filters/network:well_known_names",
+ "@envoy_api//contrib/envoy/extensions/filters/network/smtp_proxy/v3alpha:pkg_cc_proto",
+ ],
+)
+
+envoy_cc_library(
+ name = "smtp_decoder_lib",
+ srcs = ["smtp_decoder_impl.cc"],
+ hdrs = [
+ "smtp_decoder.h",
+ "smtp_decoder_impl.h",
+ ],
+ deps = [
+ "smtp_session_lib",
+ "//source/common/buffer:buffer_lib",
+ "//source/extensions/filters/network:well_known_names",
+ ],
+)
+
+envoy_cc_library(
+ name = "smtp_session_lib",
+ srcs = ["smtp_session.cc"],
+ hdrs = [
+ "smtp_command.h",
+ "smtp_decoder.h",
+ "smtp_handler.h",
+ "smtp_session.h",
+ ],
+ deps = [
+ "smtp_transaction_lib",
+ "//source/common/buffer:buffer_lib",
+ "//source/extensions/filters/network:well_known_names",
+ ],
+)
+
+envoy_cc_library(
+ name = "smtp_transaction_lib",
+ srcs = ["smtp_transaction.cc"],
+ hdrs = [
+ "smtp_command.h",
+ "smtp_decoder.h",
+ "smtp_transaction.h",
+ ],
+ deps = [
+ "smtp_utils_lib",
+ "//envoy/stream_info:stream_info_interface",
+ "//source/common/buffer:buffer_lib",
+ "//source/common/protobuf:utility_lib",
+ "//source/common/stream_info:stream_info_lib",
+ "//source/extensions/filters/network:well_known_names",
+ ],
+)
+
+envoy_cc_library(
+ name = "smtp_utils_lib",
+ srcs = ["smtp_utils.cc"],
+ hdrs = ["smtp_utils.h"],
+ deps = [],
+)
+
+envoy_cc_contrib_extension(
+ name = "config",
+ srcs = ["config.cc"],
+ hdrs = ["config.h"],
+ repository = "@envoy",
+ deps = [
+ ":filter",
+ "//envoy/access_log:access_log_interface",
+ "//source/common/access_log:access_log_lib",
+ "//source/extensions/filters/network:well_known_names",
+ "//source/extensions/filters/network/common:factory_base_lib",
+ "@envoy_api//contrib/envoy/extensions/filters/network/smtp_proxy/v3alpha:pkg_cc_proto",
+ "@envoy_api//envoy/config/accesslog/v3:pkg_cc_proto",
+ ],
+)

contrib/smtp_proxy/filters/network/source/config.cc

@@ -0,0 +1,48 @@
+#include "contrib/smtp_proxy/filters/network/source/config.h"
+
+#include "envoy/config/accesslog/v3/accesslog.pb.h"
+
+#include "source/common/access_log/access_log_impl.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace NetworkFilters {
+namespace SmtpProxy {
+
+/**
+ * Config registration for the SMTP Proxy filter. @see NamedNetworkFilterConfigFactory.
+ */
+Network::FilterFactoryCb
+NetworkFilters::SmtpProxy::SmtpConfigFactory::createFilterFactoryFromProtoTyped(
+ const envoy::extensions::filters::network::smtp_proxy::v3alpha::SmtpProxy& proto_config,
+ Server::Configuration::FactoryContext& context) {
+ ASSERT(!proto_config.stat_prefix().empty());
+
+ SmtpFilterConfig::SmtpFilterConfigOptions config_options;
+ config_options.stats_prefix_ = fmt::format("smtp.{}", proto_config.stat_prefix());
+ config_options.upstream_tls_ = proto_config.upstream_tls();
+ config_options.tracing_ = proto_config.tracing();
+ for (const envoy::config::accesslog::v3::AccessLog& log_config : proto_config.access_log()) {
+ config_options.access_logs_.emplace_back(
+ AccessLog::AccessLogFactory::fromProto(log_config, context));
+ }
+
+ SmtpFilterConfigSharedPtr filter_config(
+ std::make_shared<SmtpFilterConfig>(config_options, context.scope()));
+
+ auto& time_source = context.mainThreadDispatcher().timeSource();
+ return [filter_config, &time_source, &context](Network::FilterManager& filter_manager) -> void {
+ filter_manager.addFilter(
+ std::make_shared<SmtpFilter>(filter_config, time_source, context.api().randomGenerator()));
+ };
+}
+
+/**
+ * Static registration for the SMTP Proxy filter. @see RegisterFactory.
+ */
+REGISTER_FACTORY(SmtpConfigFactory, Server::Configuration::NamedNetworkFilterConfigFactory);
+
+} // namespace SmtpProxy
+} // namespace NetworkFilters
+} // namespace Extensions
+} // namespace Envoy

contrib/smtp_proxy/filters/network/source/config.h

@@ -0,0 +1,35 @@
+#pragma once
+
+#include "source/extensions/filters/network/common/factory_base.h"
+#include "source/extensions/filters/network/well_known_names.h"
+
+#include "contrib/envoy/extensions/filters/network/smtp_proxy/v3alpha/smtp_proxy.pb.h"
+#include "contrib/envoy/extensions/filters/network/smtp_proxy/v3alpha/smtp_proxy.pb.validate.h"
+#include "contrib/smtp_proxy/filters/network/source/smtp_filter.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace NetworkFilters {
+namespace SmtpProxy {
+
+/**
+ * Config registration for the smtp proxy filter. @see NamedNetworkFilterConfigFactory.
+ */
+
+class SmtpConfigFactory : public Common::FactoryBase<
+ envoy::extensions::filters::network::smtp_proxy::v3alpha::SmtpProxy> {
+public:
+ SmtpConfigFactory() : FactoryBase{NetworkFilterNames::get().SmtpProxy} {}
+
+private:
+ Network::FilterFactoryCb createFilterFactoryFromProtoTyped(
+ const envoy::extensions::filters::network::smtp_proxy::v3alpha::SmtpProxy& proto_config,
+ Server::Configuration::FactoryContext& context) override;
+
+ // std::vector<AccessLog::InstanceSharedPtr> access_logs_;
+};
+
+} // namespace SmtpProxy
+} // namespace NetworkFilters
+} // namespace Extensions
+} // namespace Envoy