Smtp proxy local

api/BUILD

@@ -91,6 +91,7 @@ proto_library(
  "//contrib/envoy/extensions/filters/network/sip_proxy/router/v3alpha:pkg",
  "//contrib/envoy/extensions/filters/network/sip_proxy/tra/v3alpha:pkg",
  "//contrib/envoy/extensions/filters/network/sip_proxy/v3alpha:pkg",
+ "//contrib/envoy/extensions/filters/network/smtp_proxy/v3alpha:pkg",
  "//contrib/envoy/extensions/matching/input_matchers/hyperscan/v3alpha:pkg",
  "//contrib/envoy/extensions/network/connection_balance/dlb/v3alpha:pkg",
  "//contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha:pkg",

api/contrib/envoy/extensions/filters/network/smtp_proxy/v3alpha/BUILD

@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+ deps = [
+ "//envoy/config/accesslog/v3:pkg",
+ "@com_github_cncf_udpa//udpa/annotations:pkg",
+ ],
+)

api/contrib/envoy/extensions/filters/network/smtp_proxy/v3alpha/smtp_proxy.proto

@@ -0,0 +1,52 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.smtp_proxy.v3alpha;
+
+import "envoy/config/accesslog/v3/accesslog.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.smtp_proxy.v3alpha";
+option java_outer_classname = "SmtpProxyProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/smtp_proxy/v3alpha";
+option (udpa.annotations.file_status).work_in_progress = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: SMTP Proxy]
+// SMTP Proxy :ref:`configuration overview
+// <config_network_filters_smtp_proxy>`.
+// [#extension: envoy.filters.network.smtp_proxy]
+
+message SmtpProxy {
+ // TLS operational modes.
+ enum SSLMode {
+ // Filter does not switch connection to TLS even when STARTTLS command is received.
+ DISABLE = 0;
+
+ // If the filter receives STARTTLS command, it will switch the connection to TLS.
+ ENABLE = 1;
+
+ // STARTTLS command ( and hence TLS connection) is required.
+ REQUIRE = 2;
+ }
+
+ // The human readable prefix to use when emitting :ref:`statistics
+ // <config_network_filters_smtp_proxy_stats>`.
+ string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+ // If enabled, filter will generate x-req-id to identify smtp session/transaction and send it to upstream.
+ bool tracing = 2;
+
+ // Controls whether to establish downstream TLS connection. Defaults to DISABLE.
+ SSLMode downstream_tls = 3;
+ // Controls whether to establish upstream TLS connection to the server. Defaults to DISABLE.
+ SSLMode upstream_tls = 4;
+ // Controls whether the smtp filter will operate in basic mode or it will perform protocol inspection for all commands.
+ bool protocol_inspection = 5;
+
+ // Configuration for :ref:`access logs <arch_overview_access_logs>`
+ // emitted by the SMTP Filter.
+ repeated config.accesslog.v3.AccessLog access_log = 6;
+}

api/envoy/config/filter/http/jwt_authn/v2alpha/config.proto

@@ -391,8 +391,7 @@ message FilterStateRule {
 
  // A map of string keys to requirements. The string key is the string value
  // in the FilterState with the name specified in the *name* field above.
- map<string, JwtRequirement>
- requires = 3;
+ map<string, JwtRequirement> requires = 3;
 }
 
 // This is the Envoy HTTP filter config for JWT authentication.

api/envoy/extensions/filters/http/jwt_authn/v3/config.proto

@@ -611,8 +611,7 @@ message FilterStateRule {
 
  // A map of string keys to requirements. The string key is the string value
  // in the FilterState with the name specified in the ``name`` field above.
- map<string, JwtRequirement>
- requires = 3;
+ map<string, JwtRequirement> requires = 3;
 }
 
 // This is the Envoy HTTP filter config for JWT authentication.

api/versioning/BUILD

@@ -29,6 +29,7 @@ proto_library(
  "//contrib/envoy/extensions/filters/network/sip_proxy/router/v3alpha:pkg",
  "//contrib/envoy/extensions/filters/network/sip_proxy/tra/v3alpha:pkg",
  "//contrib/envoy/extensions/filters/network/sip_proxy/v3alpha:pkg",
+ "//contrib/envoy/extensions/filters/network/smtp_proxy/v3alpha:pkg",
  "//contrib/envoy/extensions/matching/input_matchers/hyperscan/v3alpha:pkg",
  "//contrib/envoy/extensions/network/connection_balance/dlb/v3alpha:pkg",
  "//contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha:pkg",

contrib/contrib_build_config.bzl

@@ -4,71 +4,71 @@ CONTRIB_EXTENSIONS = {
  # HTTP filters
  #
 
- "envoy.filters.http.dynamo": "//contrib/dynamo/filters/http/source:config",
- "envoy.filters.http.golang": "//contrib/golang/filters/http/source:config",
- "envoy.filters.http.language": "//contrib/language/filters/http/source:config_lib",
- "envoy.filters.http.squash": "//contrib/squash/filters/http/source:config",
- "envoy.filters.http.sxg": "//contrib/sxg/filters/http/source:config",
+ # "envoy.filters.http.dynamo": "//contrib/dynamo/filters/http/source:config",
+ # "envoy.filters.http.golang": "//contrib/golang/filters/http/source:config",
+ # "envoy.filters.http.language": "//contrib/language/filters/http/source:config_lib",
+ # "envoy.filters.http.squash": "//contrib/squash/filters/http/source:config",
+ # "envoy.filters.http.sxg": "//contrib/sxg/filters/http/source:config",
 
  #
  # Network filters
  #
 
- "envoy.filters.network.client_ssl_auth": "//contrib/client_ssl_auth/filters/network/source:config",
- "envoy.filters.network.kafka_broker": "//contrib/kafka/filters/network/source:kafka_broker_config_lib",
- "envoy.filters.network.kafka_mesh": "//contrib/kafka/filters/network/source/mesh:config_lib",
- "envoy.filters.network.mysql_proxy": "//contrib/mysql_proxy/filters/network/source:config",
- "envoy.filters.network.postgres_proxy": "//contrib/postgres_proxy/filters/network/source:config",
- "envoy.filters.network.rocketmq_proxy": "//contrib/rocketmq_proxy/filters/network/source:config",
- "envoy.filters.network.generic_proxy": "//contrib/generic_proxy/filters/network/source:config",
-
+ # "envoy.filters.network.client_ssl_auth": "//contrib/client_ssl_auth/filters/network/source:config",
+ # "envoy.filters.network.kafka_broker": "//contrib/kafka/filters/network/source:kafka_broker_config_lib",
+ # "envoy.filters.network.kafka_mesh": "//contrib/kafka/filters/network/source/mesh:config_lib",
+ # "envoy.filters.network.mysql_proxy": "//contrib/mysql_proxy/filters/network/source:config",
+ # "envoy.filters.network.postgres_proxy": "//contrib/postgres_proxy/filters/network/source:config",
+ # "envoy.filters.network.rocketmq_proxy": "//contrib/rocketmq_proxy/filters/network/source:config",
+ # "envoy.filters.network.generic_proxy": "//contrib/generic_proxy/filters/network/source:config",
+ "envoy.filters.network.smtp_proxy": "//contrib/smtp_proxy/filters/network/source:config",
  #
  # Sip proxy
  #
 
- "envoy.filters.network.sip_proxy": "//contrib/sip_proxy/filters/network/source:config",
- "envoy.filters.sip.router": "//contrib/sip_proxy/filters/network/source/router:config",
+ # "envoy.filters.network.sip_proxy": "//contrib/sip_proxy/filters/network/source:config",
+ # "envoy.filters.sip.router": "//contrib/sip_proxy/filters/network/source/router:config",
 
  #
  # Private key providers
  #
 
- "envoy.tls.key_providers.cryptomb": "//contrib/cryptomb/private_key_providers/source:config",
- "envoy.tls.key_providers.qat": "//contrib/qat/private_key_providers/source:config",
+ # "envoy.tls.key_providers.cryptomb": "//contrib/cryptomb/private_key_providers/source:config",
+ # "envoy.tls.key_providers.qat": "//contrib/qat/private_key_providers/source:config",
 
  #
  # Socket interface extensions
  #
 
- "envoy.bootstrap.vcl": "//contrib/vcl/source:config",
+ # "envoy.bootstrap.vcl": "//contrib/vcl/source:config",
 
  #
  # Input matchers
  #
 
- "envoy.matching.input_matchers.hyperscan": "//contrib/hyperscan/matching/input_matchers/source:config",
+ # "envoy.matching.input_matchers.hyperscan": "//contrib/hyperscan/matching/input_matchers/source:config",
 
  #
  # Connection Balance extensions
  #
 
- "envoy.network.connection_balance.dlb": "//contrib/network/connection_balance/dlb/source:connection_balancer",
+ # "envoy.network.connection_balance.dlb": "//contrib/network/connection_balance/dlb/source:connection_balancer",
 
  #
  # Regex engines
  #
 
- "envoy.regex_engines.hyperscan": "//contrib/hyperscan/regex_engines/source:config",
+ # "envoy.regex_engines.hyperscan": "//contrib/hyperscan/regex_engines/source:config",
 
  #
  # Extensions for generic proxy
  #
- "envoy.filters.generic.router": "//contrib/generic_proxy/filters/network/source/router:config",
- "envoy.generic_proxy.codecs.dubbo": "//contrib/generic_proxy/filters/network/source/codecs/dubbo:config",
+ # "envoy.filters.generic.router": "//contrib/generic_proxy/filters/network/source/router:config",
+ # "envoy.generic_proxy.codecs.dubbo": "//contrib/generic_proxy/filters/network/source/codecs/dubbo:config",
 
  #
  # xDS delegates
  #
 
- "envoy.xds_delegates.kv_store": "//contrib/config/source:kv_store_xds_delegate",
+ # "envoy.xds_delegates.kv_store": "//contrib/config/source:kv_store_xds_delegate",
 }

contrib/extensions_metadata.yaml

@@ -117,3 +117,8 @@ envoy.generic_proxy.codecs.dubbo:
  status: wip
  type_urls:
  - envoy.extensions.filters.network.generic_proxy.codecs.dubbo.v3.DubboCodecConfig
+envoy.filters.network.smtp_proxy:
+ categories:
+ - envoy.filters.network
+ security_posture: requires_trusted_downstream_and_upstream
+ status: alpha

contrib/kafka/filters/network/source/broker/filter.cc

@@ -26,8 +26,8 @@ KafkaMetricsFacadeImpl::KafkaMetricsFacadeImpl(Stats::Scope& scope, TimeSource&
 KafkaMetricsFacadeImpl::KafkaMetricsFacadeImpl(TimeSource& time_source,
  RichRequestMetricsSharedPtr request_metrics,
  RichResponseMetricsSharedPtr response_metrics)
- : time_source_{time_source}, request_metrics_{request_metrics}, response_metrics_{
-  response_metrics} {};
+ : time_source_{time_source}, request_metrics_{request_metrics},
+ response_metrics_{response_metrics} {};
 
 // When request is successfully parsed, increase type count and store its arrival timestamp.
 void KafkaMetricsFacadeImpl::onMessage(AbstractRequestSharedPtr request) {

contrib/kafka/filters/network/source/kafka_request_parser.h

@@ -144,8 +144,8 @@ class RequestHeaderParser : public RequestParser {
  // Constructor visible for testing (allows for initial parser injection).
  RequestHeaderParser(const RequestParserResolver& parser_resolver, RequestContextSharedPtr context,
  RequestHeaderDeserializerPtr deserializer)
- : parser_resolver_{parser_resolver}, context_{context}, deserializer_{
-  std::move(deserializer)} {};
+ : parser_resolver_{parser_resolver}, context_{context},
+ deserializer_{std::move(deserializer)} {};
 
  /**
  * Uses data provided to compute request header.

contrib/kafka/filters/network/source/kafka_response_parser.h

@@ -109,8 +109,8 @@ class ResponseHeaderParser : public ResponseParser {
  */
  ResponseHeaderParser(ExpectedResponsesSharedPtr expected_responses,
  const ResponseParserResolver& parser_resolver)
- : expected_responses_{expected_responses},
- parser_resolver_{parser_resolver}, context_{std::make_shared<ResponseContext>()} {};
+ : expected_responses_{expected_responses}, parser_resolver_{parser_resolver},
+ context_{std::make_shared<ResponseContext>()} {};
 
  /**
  * Consumes 8 bytes (2 x INT32) as response length and correlation id.

contrib/kafka/filters/network/source/response_codec.h

@@ -66,8 +66,8 @@ class ResponseDecoder
  const ResponseParserResolver& response_parser_resolver,
  const std::vector<ResponseCallbackSharedPtr> callbacks)
 
- : AbstractMessageDecoder{callbacks}, factory_{factory}, response_parser_resolver_{
-  response_parser_resolver} {};
+ : AbstractMessageDecoder{callbacks}, factory_{factory},
+ response_parser_resolver_{response_parser_resolver} {};
 
  /**
  * Registers an expected message.

contrib/postgres_proxy/filters/network/test/postgres_decoder_test.cc

@@ -186,9 +186,9 @@ TEST_F(PostgresProxyDecoderTest, StartupMessageRandomData) {
  }
 }
 
-// Test processing messages which map 1:1 with buffer.
-// The buffer contains just a single entire message and
-// nothing more.
+//  Test processing messages which map 1:1 with buffer.
+//  The buffer contains just a single entire message and
+//  nothing more.
 TEST_F(PostgresProxyDecoderTest, ReadingBufferSingleMessages) {
  decoder_->state(DecoderImpl::State::InSyncState);
  // Feed empty buffer - should not crash.

contrib/smtp_proxy/filters/network/source/BUILD

@@ -0,0 +1,114 @@
+load(
+ "//bazel:envoy_build_system.bzl",
+ "envoy_cc_contrib_extension",
+ "envoy_cc_library",
+ "envoy_contrib_package",
+)
+
+licenses(["notice"]) # Apache 2
+
+envoy_contrib_package()
+
+#package(default_visibility = ["//visibility:public"])
+
+# SMTP proxy L7 network filter.
+# Public docs: https://envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/smtp_proxy_filter
+
+envoy_cc_library(
+ name = "filter",
+ srcs = [
+ "smtp_filter.cc",
+ ],
+ hdrs = [
+ "smtp_callbacks.h",
+ "smtp_filter.h",
+ "smtp_stats.h",
+ ],
+ repository = "@envoy",
+ deps = [
+ "smtp_decoder_lib",
+ "smtp_session_lib",
+ "//envoy/access_log:access_log_interface",
+ "//envoy/network:filter_interface",
+ "//envoy/server:filter_config_interface",
+ "//envoy/stats:stats_interface",
+ "//envoy/stats:stats_macros",
+ "//source/common/buffer:buffer_lib",
+ "//source/common/network:filter_lib",
+ "//source/extensions/filters/network:well_known_names",
+ "@envoy_api//contrib/envoy/extensions/filters/network/smtp_proxy/v3alpha:pkg_cc_proto",
+ ],
+)
+
+envoy_cc_library(
+ name = "smtp_decoder_lib",
+ srcs = ["smtp_decoder_impl.cc"],
+ hdrs = [
+ "smtp_decoder_impl.h",
+ ],
+ deps = [
+ "smtp_utils_lib",
+ "//source/common/buffer:buffer_lib",
+ "//source/common/common:utility_lib",
+ ],
+)
+
+envoy_cc_library(
+ name = "smtp_session_lib",
+ srcs = ["smtp_session.cc"],
+ hdrs = [
+ "smtp_callbacks.h",
+ "smtp_command.h",
+ "smtp_session.h",
+ "smtp_stats.h",
+ ],
+ deps = [
+ "smtp_transaction_lib",
+ "//source/common/buffer:buffer_lib",
+ "//source/extensions/filters/network:well_known_names",
+ ],
+)
+
+envoy_cc_library(
+ name = "smtp_transaction_lib",
+ srcs = ["smtp_transaction.cc"],
+ hdrs = [
+ "smtp_callbacks.h",
+ "smtp_command.h",
+ "smtp_stats.h",
+ "smtp_transaction.h",
+ ],
+ deps = [
+ "smtp_utils_lib",
+ "//envoy/stats:timespan_interface",
+ "//envoy/stream_info:stream_info_interface",
+ "//source/common/buffer:buffer_lib",
+ "//source/common/protobuf:utility_lib",
+ "//source/common/stats:timespan_lib",
+ "//source/common/stream_info:stream_info_lib",
+ "//source/extensions/filters/network:well_known_names",
+ ],
+)
+
+envoy_cc_library(
+ name = "smtp_utils_lib",
+ srcs = ["smtp_utils.cc"],
+ hdrs = ["smtp_utils.h"],
+ deps = [],
+)
+
+envoy_cc_contrib_extension(
+ name = "config",
+ srcs = ["config.cc"],
+ hdrs = ["config.h"],
+ repository = "@envoy",
+ deps = [
+ ":filter",
+ "//envoy/access_log:access_log_interface",
+ "//source/common/access_log:access_log_lib",
+ "//source/extensions/filters/network:well_known_names",
+ "//source/extensions/filters/network/common:factory_base_lib",
+ "@envoy_api//contrib/envoy/extensions/filters/network/smtp_proxy/v3alpha:pkg_cc_proto",
+ "@envoy_api//envoy/config/accesslog/v3:pkg_cc_proto",
+ ],
+)