Import Action Mailbox

20 files changed, 697 insertions, 0 deletions

diff --git a/actionmailbox/app/controllers/action_mailbox/base_controller.rb b/actionmailbox/app/controllers/action_mailbox/base_controller.rb
new file mode 100644
index 0000000000..d4169cc9bb
--- /dev/null
+++ b/actionmailbox/app/controllers/action_mailbox/base_controller.rb
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+# The base class for all Active Mailbox ingress controllers.
+class ActionMailbox::BaseController < ActionController::Base
+  skip_forgery_protection
+
+  before_action :ensure_configured
+
+  def self.prepare
+    # Override in concrete controllers to run code on load.
+  end
+
+  private
+    def ensure_configured
+      unless ActionMailbox.ingress == ingress_name
+        head :not_found
+      end
+    end
+
+    def ingress_name
+      self.class.name.remove(/\AActionMailbox::Ingresses::/, /::InboundEmailsController\z/).underscore.to_sym
+    end
+
+
+    def authenticate_by_password
+      if password.present?
+        http_basic_authenticate_or_request_with name: "actionmailbox", password: password, realm: "Action Mailbox"
+      else
+        raise ArgumentError, "Missing required ingress credentials"
+      end
+    end
+
+    def password
+      Rails.application.credentials.dig(:action_mailbox, :ingress_password) || ENV["RAILS_INBOUND_EMAIL_PASSWORD"]
+    end
+end
diff --git a/actionmailbox/app/controllers/action_mailbox/ingresses/amazon/inbound_emails_controller.rb b/actionmailbox/app/controllers/action_mailbox/ingresses/amazon/inbound_emails_controller.rb
new file mode 100644
index 0000000000..2a8ec375c7
--- /dev/null
+++ b/actionmailbox/app/controllers/action_mailbox/ingresses/amazon/inbound_emails_controller.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+# Ingests inbound emails from Amazon's Simple Email Service (SES).
+#
+# Requires the full RFC 822 message in the +content+ parameter. Authenticates requests by validating their signatures.
+#
+# Returns:
+#
+# - <tt>204 No Content</tt> if an inbound email is successfully recorded and enqueued for routing to the appropriate mailbox
+# - <tt>401 Unauthorized</tt> if the request's signature could not be validated
+# - <tt>404 Not Found</tt> if Action Mailbox is not configured to accept inbound emails from SES
+# - <tt>422 Unprocessable Entity</tt> if the request is missing the required +content+ parameter
+# - <tt>500 Server Error</tt> if one of the Active Record database, the Active Storage service, or
+#   the Active Job backend is misconfigured or unavailable
+#
+# == Usage
+#
+# 1. Install the {aws-sdk-sns}[https://rubygems.org/gems/aws-sdk-sns] gem:
+#
+#        # Gemfile
+#        gem "aws-sdk-sns", ">= 1.9.0", require: false
+#
+# 2. Tell Action Mailbox to accept emails from SES:
+#
+#        # config/environments/production.rb
+#        config.action_mailbox.ingress = :amazon
+#
+# 3. {Configure SES}[https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-notifications.html]
+#    to deliver emails to your application via POST requests to +/rails/action_mailbox/amazon/inbound_emails+.
+#    If your application lived at <tt>https://example.com</tt>, you would specify the fully-qualified URL
+#    <tt>https://example.com/rails/action_mailbox/amazon/inbound_emails</tt>.
+class ActionMailbox::Ingresses::Amazon::InboundEmailsController < ActionMailbox::BaseController
+  before_action :authenticate
+
+  cattr_accessor :verifier
+
+  def self.prepare
+    self.verifier ||= begin
+      require "aws-sdk-sns/message_verifier"
+      Aws::SNS::MessageVerifier.new
+    end
+  end
+
+  def create
+    ActionMailbox::InboundEmail.create_and_extract_message_id! params.require(:content)
+  end
+
+  private
+    def authenticate
+      head :unauthorized unless verifier.authentic?(request.body)
+    end
+end
diff --git a/actionmailbox/app/controllers/action_mailbox/ingresses/mailgun/inbound_emails_controller.rb b/actionmailbox/app/controllers/action_mailbox/ingresses/mailgun/inbound_emails_controller.rb
new file mode 100644
index 0000000000..225bcc5565
--- /dev/null
+++ b/actionmailbox/app/controllers/action_mailbox/ingresses/mailgun/inbound_emails_controller.rb
@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+# Ingests inbound emails from Mailgun. Requires the following parameters:
+#
+# - +body-mime+: The full RFC 822 message
+# - +timestamp+: The current time according to Mailgun as the number of seconds passed since the UNIX epoch
+# - +token+: A randomly-generated, 50-character string
+# - +signature+: A hexadecimal HMAC-SHA256 of the timestamp concatenated with the token, generated using the Mailgun API key
+#
+# Authenticates requests by validating their signatures.
+#
+# Returns:
+#
+# - <tt>204 No Content</tt> if an inbound email is successfully recorded and enqueued for routing to the appropriate mailbox
+# - <tt>401 Unauthorized</tt> if the request's signature could not be validated, or if its timestamp is more than 2 minutes old
+# - <tt>404 Not Found</tt> if Action Mailbox is not configured to accept inbound emails from Mailgun
+# - <tt>422 Unprocessable Entity</tt> if the request is missing required parameters
+# - <tt>500 Server Error</tt> if the Mailgun API key is missing, or one of the Active Record database,
+#   the Active Storage service, or the Active Job backend is misconfigured or unavailable
+#
+# == Usage
+#
+# 1. Give Action Mailbox your {Mailgun API key}[https://help.mailgun.com/hc/en-us/articles/203380100-Where-can-I-find-my-API-key-and-SMTP-credentials-]
+#    so it can authenticate requests to the Mailgun ingress.
+#
+#    Use <tt>rails credentials:edit</tt> to add your API key to your application's encrypted credentials under
+#    +action_mailbox.mailgun_api_key+, where Action Mailbox will automatically find it:
+#
+#        action_mailbox:
+#          mailgun_api_key: ...
+#
+#    Alternatively, provide your API key in the +MAILGUN_INGRESS_API_KEY+ environment variable.
+#
+# 2. Tell Action Mailbox to accept emails from Mailgun:
+#
+#        # config/environments/production.rb
+#        config.action_mailbox.ingress = :mailgun
+#
+# 3. {Configure Mailgun}[https://documentation.mailgun.com/en/latest/user_manual.html#receiving-forwarding-and-storing-messages]
+#    to forward inbound emails to `/rails/action_mailbox/mailgun/inbound_emails/mime`.
+#
+#    If your application lived at <tt>https://example.com</tt>, you would specify the fully-qualified URL
+#    <tt>https://example.com/rails/action_mailbox/mailgun/inbound_emails/mime</tt>.
+class ActionMailbox::Ingresses::Mailgun::InboundEmailsController < ActionMailbox::BaseController
+  before_action :authenticate
+
+  def create
+    ActionMailbox::InboundEmail.create_and_extract_message_id! params.require("body-mime")
+  end
+
+  private
+    def authenticate
+      head :unauthorized unless authenticated?
+    end
+
+    def authenticated?
+      if key.present?
+        Authenticator.new(
+          key:       key,
+          timestamp: params.require(:timestamp),
+          token:     params.require(:token),
+          signature: params.require(:signature)
+        ).authenticated?
+      else
+        raise ArgumentError, <<~MESSAGE.squish
+          Missing required Mailgun API key. Set action_mailbox.mailgun_api_key in your application's
+          encrypted credentials or provide the MAILGUN_INGRESS_API_KEY environment variable.
+        MESSAGE
+      end
+    end
+
+    def key
+      Rails.application.credentials.dig(:action_mailbox, :mailgun_api_key) || ENV["MAILGUN_INGRESS_API_KEY"]
+    end
+
+    class Authenticator
+      attr_reader :key, :timestamp, :token, :signature
+
+      def initialize(key:, timestamp:, token:, signature:)
+        @key, @timestamp, @token, @signature = key, Integer(timestamp), token, signature
+      end
+
+      def authenticated?
+        signed? && recent?
+      end
+
+      private
+        def signed?
+          ActiveSupport::SecurityUtils.secure_compare signature, expected_signature
+        end
+
+        # Allow for 2 minutes of drift between Mailgun time and local server time.
+        def recent?
+          Time.at(timestamp) >= 2.minutes.ago
+        end
+
+        def expected_signature
+          OpenSSL::HMAC.hexdigest OpenSSL::Digest::SHA256.new, key, "#{timestamp}#{token}"
+        end
+    end
+end
diff --git a/actionmailbox/app/controllers/action_mailbox/ingresses/mandrill/inbound_emails_controller.rb b/actionmailbox/app/controllers/action_mailbox/ingresses/mandrill/inbound_emails_controller.rb
new file mode 100644
index 0000000000..5a85e6b7f0
--- /dev/null
+++ b/actionmailbox/app/controllers/action_mailbox/ingresses/mandrill/inbound_emails_controller.rb
@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+# Ingests inbound emails from Mandrill.
+#
+# Requires a +mandrill_events+ parameter containing a JSON array of Mandrill inbound email event objects.
+# Each event is expected to have a +msg+ object containing a full RFC 822 message in its +raw_msg+ property.
+#
+# Returns:
+#
+# - <tt>204 No Content</tt> if an inbound email is successfully recorded and enqueued for routing to the appropriate mailbox
+# - <tt>401 Unauthorized</tt> if the request's signature could not be validated
+# - <tt>404 Not Found</tt> if Action Mailbox is not configured to accept inbound emails from Mandrill
+# - <tt>422 Unprocessable Entity</tt> if the request is missing required parameters
+# - <tt>500 Server Error</tt> if the Mandrill API key is missing, or one of the Active Record database,
+#   the Active Storage service, or the Active Job backend is misconfigured or unavailable
+class ActionMailbox::Ingresses::Mandrill::InboundEmailsController < ActionMailbox::BaseController
+  before_action :authenticate
+
+  def create
+    raw_emails.each { |raw_email| ActionMailbox::InboundEmail.create_and_extract_message_id! raw_email }
+    head :ok
+  rescue JSON::ParserError => error
+    logger.error error.message
+    head :unprocessable_entity
+  end
+
+  private
+    def raw_emails
+      events.select { |event| event["event"] == "inbound" }.collect { |event| event.dig("msg", "raw_msg") }
+    end
+
+    def events
+      JSON.parse params.require(:mandrill_events)
+    end
+
+
+    def authenticate
+      head :unauthorized unless authenticated?
+    end
+
+    def authenticated?
+      if key.present?
+        Authenticator.new(request, key).authenticated?
+      else
+        raise ArgumentError, <<~MESSAGE.squish
+          Missing required Mandrill API key. Set action_mailbox.mandrill_api_key in your application's
+          encrypted credentials or provide the MANDRILL_INGRESS_API_KEY environment variable.
+        MESSAGE
+      end
+    end
+
+    def key
+      Rails.application.credentials.dig(:action_mailbox, :mandrill_api_key) || ENV["MANDRILL_INGRESS_API_KEY"]
+    end
+
+    class Authenticator
+      attr_reader :request, :key
+
+      def initialize(request, key)
+        @request, @key = request, key
+      end
+
+      def authenticated?
+        ActiveSupport::SecurityUtils.secure_compare given_signature, expected_signature
+      end
+
+      private
+        def given_signature
+          request.headers["X-Mandrill-Signature"]
+        end
+
+        def expected_signature
+          Base64.strict_encode64 OpenSSL::HMAC.digest(OpenSSL::Digest::SHA1.new, key, message)
+        end
+
+        def message
+          request.url + request.POST.sort.flatten.join
+        end
+    end
+end
diff --git a/actionmailbox/app/controllers/action_mailbox/ingresses/postfix/inbound_emails_controller.rb b/actionmailbox/app/controllers/action_mailbox/ingresses/postfix/inbound_emails_controller.rb
new file mode 100644
index 0000000000..a3b794c65b
--- /dev/null
+++ b/actionmailbox/app/controllers/action_mailbox/ingresses/postfix/inbound_emails_controller.rb
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+# Ingests inbound emails relayed from Postfix.
+#
+# Authenticates requests using HTTP basic access authentication. The username is always +actionmailbox+, and the
+# password is read from the application's encrypted credentials or an environment variable. See the Usage section below.
+#
+# Note that basic authentication is insecure over unencrypted HTTP. An attacker that intercepts cleartext requests to
+# the Postfix ingress can learn its password. You should only use the Postfix ingress over HTTPS.
+#
+# Returns:
+#
+# - <tt>204 No Content</tt> if an inbound email is successfully recorded and enqueued for routing to the appropriate mailbox
+# - <tt>401 Unauthorized</tt> if the request could not be authenticated
+# - <tt>404 Not Found</tt> if Action Mailbox is not configured to accept inbound emails from Postfix
+# - <tt>415 Unsupported Media Type</tt> if the request does not contain an RFC 822 message
+# - <tt>500 Server Error</tt> if the ingress password is not configured, or if one of the Active Record database,
+#   the Active Storage service, or the Active Job backend is misconfigured or unavailable
+#
+# == Usage
+#
+# 1. Tell Action Mailbox to accept emails from Postfix:
+#
+#        # config/environments/production.rb
+#        config.action_mailbox.ingress = :postfix
+#
+# 2. Generate a strong password that Action Mailbox can use to authenticate requests to the Postfix ingress.
+#
+#    Use <tt>rails credentials:edit</tt> to add the password to your application's encrypted credentials under
+#    +action_mailbox.ingress_password+, where Action Mailbox will automatically find it:
+#
+#        action_mailbox:
+#          ingress_password: ...
+#
+#    Alternatively, provide the password in the +RAILS_INBOUND_EMAIL_PASSWORD+ environment variable.
+#
+# 3. {Configure Postfix}{https://serverfault.com/questions/258469/how-to-configure-postfix-to-pipe-all-incoming-email-to-a-script}
+#    to pipe inbound emails to <tt>bin/rails action_mailbox:ingress:postfix</tt>, providing the +URL+ of the Postfix
+#    ingress and the +INGRESS_PASSWORD+ you previously generated.
+#
+#    If your application lived at <tt>https://example.com</tt>, the full command would look like this:
+#
+#        URL=https://example.com/rails/action_mailbox/postfix/inbound_emails INGRESS_PASSWORD=... bin/rails action_mailbox:ingress:postfix
+class ActionMailbox::Ingresses::Postfix::InboundEmailsController < ActionMailbox::BaseController
+  before_action :authenticate_by_password, :require_valid_rfc822_message
+
+  def create
+    ActionMailbox::InboundEmail.create_and_extract_message_id! request.body.read
+  end
+
+  private
+    def require_valid_rfc822_message
+      unless request.content_type == "message/rfc822"
+        head :unsupported_media_type
+      end
+    end
+end
diff --git a/actionmailbox/app/controllers/action_mailbox/ingresses/sendgrid/inbound_emails_controller.rb b/actionmailbox/app/controllers/action_mailbox/ingresses/sendgrid/inbound_emails_controller.rb
new file mode 100644
index 0000000000..c48abae66c
--- /dev/null
+++ b/actionmailbox/app/controllers/action_mailbox/ingresses/sendgrid/inbound_emails_controller.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+# Ingests inbound emails from SendGrid. Requires an +email+ parameter containing a full RFC 822 message.
+#
+# Authenticates requests using HTTP basic access authentication. The username is always +actionmailbox+, and the
+# password is read from the application's encrypted credentials or an environment variable. See the Usage section below.
+#
+# Note that basic authentication is insecure over unencrypted HTTP. An attacker that intercepts cleartext requests to
+# the SendGrid ingress can learn its password. You should only use the SendGrid ingress over HTTPS.
+#
+# Returns:
+#
+# - <tt>204 No Content</tt> if an inbound email is successfully recorded and enqueued for routing to the appropriate mailbox
+# - <tt>401 Unauthorized</tt> if the request's signature could not be validated
+# - <tt>404 Not Found</tt> if Action Mailbox is not configured to accept inbound emails from SendGrid
+# - <tt>422 Unprocessable Entity</tt> if the request is missing the required +email+ parameter
+# - <tt>500 Server Error</tt> if the ingress password is not configured, or if one of the Active Record database,
+#   the Active Storage service, or the Active Job backend is misconfigured or unavailable
+#
+# == Usage
+#
+# 1. Tell Action Mailbox to accept emails from SendGrid:
+#
+#        # config/environments/production.rb
+#        config.action_mailbox.ingress = :sendgrid
+#
+# 2. Generate a strong password that Action Mailbox can use to authenticate requests to the SendGrid ingress.
+#
+#    Use <tt>rails credentials:edit</tt> to add the password to your application's encrypted credentials under
+#    +action_mailbox.ingress_password+, where Action Mailbox will automatically find it:
+#
+#        action_mailbox:
+#          ingress_password: ...
+#
+#    Alternatively, provide the password in the +RAILS_INBOUND_EMAIL_PASSWORD+ environment variable.
+#
+# 3. {Configure SendGrid Inbound Parse}{https://sendgrid.com/docs/for-developers/parsing-email/setting-up-the-inbound-parse-webhook/}
+#    to forward inbound emails to +/rails/action_mailbox/sendgrid/inbound_emails+ with the username +actionmailbox+ and
+#    the password you previously generated. If your application lived at <tt>https://example.com</tt>, you would
+#    configure SendGrid with the following fully-qualified URL:
+#
+#        https://actionmailbox:PASSWORD@example.com/rails/action_mailbox/sendgrid/inbound_emails
+#
+#    *NOTE:* When configuring your SendGrid Inbound Parse webhook, be sure to check the box labeled *"Post the raw,
+#    full MIME message."* Action Mailbox needs the raw MIME message to work.
+class ActionMailbox::Ingresses::Sendgrid::InboundEmailsController < ActionMailbox::BaseController
+  before_action :authenticate_by_password
+
+  def create
+    ActionMailbox::InboundEmail.create_and_extract_message_id! params.require(:email)
+  end
+end
diff --git a/actionmailbox/app/controllers/rails/conductor/action_mailbox/inbound_emails_controller.rb b/actionmailbox/app/controllers/rails/conductor/action_mailbox/inbound_emails_controller.rb
new file mode 100644
index 0000000000..7f7b0e004e
--- /dev/null
+++ b/actionmailbox/app/controllers/rails/conductor/action_mailbox/inbound_emails_controller.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+class Rails::Conductor::ActionMailbox::InboundEmailsController < Rails::Conductor::BaseController
+  def index
+    @inbound_emails = ActionMailbox::InboundEmail.order(created_at: :desc)
+  end
+
+  def new
+  end
+
+  def show
+    @inbound_email = ActionMailbox::InboundEmail.find(params[:id])
+  end
+
+  def create
+    inbound_email = create_inbound_email(new_mail)
+    redirect_to main_app.rails_conductor_inbound_email_url(inbound_email)
+  end
+
+  private
+    def new_mail
+      Mail.new params.require(:mail).permit(:from, :to, :cc, :bcc, :in_reply_to, :subject, :body).to_h
+    end
+
+    def create_inbound_email(mail)
+      ActionMailbox::InboundEmail.create! raw_email: \
+        { io: StringIO.new(mail.to_s), filename: "inbound.eml", content_type: "message/rfc822" }
+    end
+end
diff --git a/actionmailbox/app/controllers/rails/conductor/action_mailbox/reroutes_controller.rb b/actionmailbox/app/controllers/rails/conductor/action_mailbox/reroutes_controller.rb
new file mode 100644
index 0000000000..c53203049b
--- /dev/null
+++ b/actionmailbox/app/controllers/rails/conductor/action_mailbox/reroutes_controller.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+# Rerouting will run routing and processing on an email that has already been, or attempted to be, processed.
+class Rails::Conductor::ActionMailbox::ReroutesController < Rails::Conductor::BaseController
+  def create
+    inbound_email = ActionMailbox::InboundEmail.find(params[:inbound_email_id])
+    reroute inbound_email
+
+    redirect_to main_app.rails_conductor_inbound_email_url(inbound_email)
+  end
+
+  private
+    def reroute(inbound_email)
+      inbound_email.pending!
+      inbound_email.route_later
+    end
+end
diff --git a/actionmailbox/app/controllers/rails/conductor/base_controller.rb b/actionmailbox/app/controllers/rails/conductor/base_controller.rb
new file mode 100644
index 0000000000..c95a7f3b93
--- /dev/null
+++ b/actionmailbox/app/controllers/rails/conductor/base_controller.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# TODO: Move this to Rails::Conductor gem
+class Rails::Conductor::BaseController < ActionController::Base
+  layout "rails/conductor"
+  before_action :ensure_development_env
+
+  private
+    def ensure_development_env
+      head :forbidden unless Rails.env.development?
+    end
+end
diff --git a/actionmailbox/app/jobs/action_mailbox/incineration_job.rb b/actionmailbox/app/jobs/action_mailbox/incineration_job.rb
new file mode 100644
index 0000000000..b12ff6f88e
--- /dev/null
+++ b/actionmailbox/app/jobs/action_mailbox/incineration_job.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+# You can configure when this `IncinerationJob` will be run as a time-after-processing using the
+# `config.action_mailbox.incinerate_after` or `ActionMailbox.incinerate_after` setting.
+#
+# Since this incineration is set for the future, it'll automatically ignore any `InboundEmail`s
+# that have already been deleted and discard itself if so.
+class ActionMailbox::IncinerationJob < ActiveJob::Base
+  queue_as { ActionMailbox.queues[:incineration] }
+
+  discard_on ActiveRecord::RecordNotFound
+
+  def self.schedule(inbound_email)
+    set(wait: ActionMailbox.incinerate_after).perform_later(inbound_email)
+  end
+
+  def perform(inbound_email)
+    inbound_email.incinerate
+  end
+end
diff --git a/actionmailbox/app/jobs/action_mailbox/routing_job.rb b/actionmailbox/app/jobs/action_mailbox/routing_job.rb
new file mode 100644
index 0000000000..fc3388daff
--- /dev/null
+++ b/actionmailbox/app/jobs/action_mailbox/routing_job.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# Routing a new InboundEmail is an asynchronous operation, which allows the ingress controllers to quickly
+# accept new incoming emails without being burdened to hang while they're actually being processed.
+class ActionMailbox::RoutingJob < ActiveJob::Base
+  queue_as { ActionMailbox.queues[:routing] }
+
+  def perform(inbound_email)
+    inbound_email.route
+  end
+end
diff --git a/actionmailbox/app/models/action_mailbox/inbound_email.rb b/actionmailbox/app/models/action_mailbox/inbound_email.rb
new file mode 100644
index 0000000000..88df7a929a
--- /dev/null
+++ b/actionmailbox/app/models/action_mailbox/inbound_email.rb
@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require "mail"
+
+# The `InboundEmail` is an Active Record that keeps a reference to the raw email stored in Active Storage
+# and tracks the status of processing. By default, incoming emails will go through the following lifecycle:
+#
+# * Pending: Just received by one of the ingress controllers and scheduled for routing.
+# * Processing: During active processing, while a specific mailbox is running its #process method.
+# * Delivered: Successfully processed by the specific mailbox.
+# * Failed: An exception was raised during the specific mailbox's execution of the `#process` method.
+# * Bounced: Rejected processing by the specific mailbox and bounced to sender.
+#
+# Once the `InboundEmail` has reached the status of being either `delivered`, `failed`, or `bounced`,
+# it'll count as having been `#processed?`. Once processed, the `InboundEmail` will be scheduled for
+# automatic incineration at a later point.
+#
+# When working with an `InboundEmail`, you'll usually interact with the parsed version of the source,
+# which is available as a `Mail` object from `#mail`. But you can also access the raw source directly
+# using the `#source` method.
+#
+# Examples:
+#
+#   inbound_email.mail.from # => 'david@loudthinking.com'
+#   inbound_email.source # Returns the full rfc822 source of the email as text
+class ActionMailbox::InboundEmail < ActiveRecord::Base
+  self.table_name = "action_mailbox_inbound_emails"
+
+  include Incineratable, MessageId, Routable
+
+  has_one_attached :raw_email
+  enum status: %i[ pending processing delivered failed bounced ]
+
+  def mail
+    @mail ||= Mail.from_source(source)
+  end
+
+  def source
+    @source ||= raw_email.download
+  end
+
+  def processed?
+    delivered? || failed? || bounced?
+  end
+end
diff --git a/actionmailbox/app/models/action_mailbox/inbound_email/incineratable.rb b/actionmailbox/app/models/action_mailbox/inbound_email/incineratable.rb
new file mode 100644
index 0000000000..825e300648
--- /dev/null
+++ b/actionmailbox/app/models/action_mailbox/inbound_email/incineratable.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+# Ensure that the `InboundEmail` is automatically scheduled for later incineration if the status has been
+# changed to `processed`. The later incineration will be invoked at the time specified by the
+# `ActionMailbox.incinerate_after` time using the `IncinerationJob`.
+module ActionMailbox::InboundEmail::Incineratable
+  extend ActiveSupport::Concern
+
+  included do
+    after_update_commit :incinerate_later, if: -> { status_previously_changed? && processed? }
+  end
+
+  def incinerate_later
+    ActionMailbox::IncinerationJob.schedule self
+  end
+
+  def incinerate
+    Incineration.new(self).run
+  end
+end
diff --git a/actionmailbox/app/models/action_mailbox/inbound_email/incineratable/incineration.rb b/actionmailbox/app/models/action_mailbox/inbound_email/incineratable/incineration.rb
new file mode 100644
index 0000000000..4656f359bf
--- /dev/null
+++ b/actionmailbox/app/models/action_mailbox/inbound_email/incineratable/incineration.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+# Command class for carrying out the actual incineration of the `InboundMail` that's been scheduled
+# for removal. Before the incineration – which really is just a call to `#destroy!` – is run, we verify
+# that it's both eligible (by virtue of having already been processed) and time to do so (that is,
+# the `InboundEmail` was processed after the `incinerate_after` time).
+class ActionMailbox::InboundEmail::Incineratable::Incineration
+  def initialize(inbound_email)
+    @inbound_email = inbound_email
+  end
+
+  def run
+    @inbound_email.destroy! if due? && processed?
+  end
+
+  private
+    def due?
+      @inbound_email.updated_at < ActionMailbox.incinerate_after.ago.end_of_day
+    end
+
+    def processed?
+      @inbound_email.processed?
+    end
+end
diff --git a/actionmailbox/app/models/action_mailbox/inbound_email/message_id.rb b/actionmailbox/app/models/action_mailbox/inbound_email/message_id.rb
new file mode 100644
index 0000000000..244a2e439b
--- /dev/null
+++ b/actionmailbox/app/models/action_mailbox/inbound_email/message_id.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+# The `Message-ID` as specified by rfc822 is supposed to be a unique identifier for that individual email.
+# That makes it an ideal tracking token for debugging and forensics, just like `X-Request-Id` does for
+# web request.
+#
+# If an inbound email does not, against the rfc822 mandate, specify a Message-ID, one will be generated
+# using the approach from `Mail::MessageIdField`.
+module ActionMailbox::InboundEmail::MessageId
+  extend ActiveSupport::Concern
+
+  included do
+    before_save :generate_missing_message_id
+  end
+
+  class_methods do
+    # Create a new `InboundEmail` from the raw `source` of the email, which be uploaded as a Active Storage
+    # attachment called `raw_email`. Before the upload, extract the Message-ID from the `source` and set
+    # it as an attribute on the new `InboundEmail`.
+    def create_and_extract_message_id!(source, **options)
+      create! message_id: extract_message_id(source), **options do |inbound_email|
+        inbound_email.raw_email.attach io: StringIO.new(source), filename: "message.eml", content_type: "message/rfc822"
+      end
+    end
+
+    private
+      def extract_message_id(source)
+        Mail.from_source(source).message_id rescue nil
+      end
+  end
+
+  private
+    def generate_missing_message_id
+      self.message_id ||= Mail::MessageIdField.new.message_id.tap do |message_id|
+        logger.warn "Message-ID couldn't be parsed or is missing. Generated a new Message-ID: #{message_id}"
+      end
+    end
+end
diff --git a/actionmailbox/app/models/action_mailbox/inbound_email/routable.rb b/actionmailbox/app/models/action_mailbox/inbound_email/routable.rb
new file mode 100644
index 0000000000..58d67eb20c
--- /dev/null
+++ b/actionmailbox/app/models/action_mailbox/inbound_email/routable.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+# A newly received `InboundEmail` will not be routed synchronously as part of ingress controller's receival.
+# Instead, the routing will be done asynchronously, using a `RoutingJob`, to ensure maximum parallel capacity.
+#
+# By default, all newly created `InboundEmail` records that have the status of `pending`, which is the default,
+# will be scheduled for automatic, deferred routing.
+module ActionMailbox::InboundEmail::Routable
+  extend ActiveSupport::Concern
+
+  included do
+    after_create_commit :route_later, if: :pending?
+  end
+
+  # Enqueue a `RoutingJob` for this `InboundEmail`.
+  def route_later
+    ActionMailbox::RoutingJob.perform_later self
+  end
+
+  # Route this `InboundEmail` using the routing rules declared on the `ApplicationMailbox`.
+  def route
+    ApplicationMailbox.route self
+  end
+end
diff --git a/actionmailbox/app/views/layouts/rails/conductor.html.erb b/actionmailbox/app/views/layouts/rails/conductor.html.erb
new file mode 100644
index 0000000000..75157feb78
--- /dev/null
+++ b/actionmailbox/app/views/layouts/rails/conductor.html.erb
@@ -0,0 +1,7 @@
+<html>
+<head>
+  <title>Rails Conductor: <%= yield :title %></title>
+</head>
+<body>
+<%= yield %>
+</html>
diff --git a/actionmailbox/app/views/rails/conductor/action_mailbox/inbound_emails/index.html.erb b/actionmailbox/app/views/rails/conductor/action_mailbox/inbound_emails/index.html.erb
new file mode 100644
index 0000000000..19c53984e2
--- /dev/null
+++ b/actionmailbox/app/views/rails/conductor/action_mailbox/inbound_emails/index.html.erb
@@ -0,0 +1,15 @@
+<% provide :title, "Deliver new inbound email" %>
+
+<h1>All inbound emails</h1>
+
+<table>
+  <tr><th>Message ID</th><th>Status</th></tr>
+  <% @inbound_emails.each do |inbound_email| %>
+    <tr>
+      <td><%= link_to inbound_email.message_id, main_app.rails_conductor_inbound_email_path(inbound_email) %></td>
+      <td><%= inbound_email.status %></td>
+    </tr>
+  <% end %>
+</table>
+
+<%= link_to "Deliver new inbound email", main_app.new_rails_conductor_inbound_email_path %>
\ No newline at end of file
diff --git a/actionmailbox/app/views/rails/conductor/action_mailbox/inbound_emails/new.html.erb b/actionmailbox/app/views/rails/conductor/action_mailbox/inbound_emails/new.html.erb
new file mode 100644
index 0000000000..7f1ec74496
--- /dev/null
+++ b/actionmailbox/app/views/rails/conductor/action_mailbox/inbound_emails/new.html.erb
@@ -0,0 +1,42 @@
+<% provide :title, "Deliver new inbound email" %>
+
+<h1>Deliver new inbound email</h1>
+
+<%= form_with(url: main_app.rails_conductor_inbound_emails_path, scope: :mail, local: true) do |form| %>
+  <div>
+    <%= form.label :from, "From" %><br>
+    <%= form.text_field :from %>
+  </div>
+
+  <div>
+    <%= form.label :to, "To" %><br>
+    <%= form.text_field :to %>
+  </div>
+
+  <div>
+    <%= form.label :cc, "CC" %><br>
+    <%= form.text_field :cc %>
+  </div>
+
+  <div>
+    <%= form.label :bcc, "BCC" %><br>
+    <%= form.text_field :bcc %>
+  </div>
+
+  <div>
+    <%= form.label :in_reply_to, "In-Reply-To" %><br>
+    <%= form.text_field :in_reply_to %>
+  </div>
+
+  <div>
+    <%= form.label :subject, "Subject" %><br>
+    <%= form.text_field :subject %>
+  </div>
+
+  <div>
+    <%= form.label :body, "Body" %><br>
+    <%= form.text_area :body, size: "40x20" %>
+  </div>
+
+  <%= form.submit "Deliver inbound email" %>
+<% end %>
diff --git a/actionmailbox/app/views/rails/conductor/action_mailbox/inbound_emails/show.html.erb b/actionmailbox/app/views/rails/conductor/action_mailbox/inbound_emails/show.html.erb
new file mode 100644
index 0000000000..e761904196
--- /dev/null
+++ b/actionmailbox/app/views/rails/conductor/action_mailbox/inbound_emails/show.html.erb
@@ -0,0 +1,15 @@
+<% provide :title, @inbound_email.message_id %>
+
+<h1><%= @inbound_email.message_id %>: <%= @inbound_email.status %></h1>
+
+<ul>
+  <li><%= button_to "Route again", main_app.rails_conductor_inbound_email_reroute_path(@inbound_email), method: :post %></li>
+  <li>Incinerate</li>
+</ul>
+
+<details>
+  <summary>Full email source</summary>
+  <pre><%= @inbound_email.source %></pre>
+</details>
+
+<%= link_to "Back to all inbound emails", main_app.rails_conductor_inbound_emails_path %>
\ No newline at end of file