daaki-smtp 0.2.0

//! Integration tests for the SMTP client.
//!
//! These tests run against real SMTP servers in Docker.
//!
//! # Setup
//!
//! ```sh
//! docker compose up -d           # start Mailpit + GreenMail
//! cargo test -p daaki-smtp -- --ignored
//! docker compose down
//! ```
//!
//! # Servers under test
//!
//! - **Mailpit** (Go, test-oriented) — port 11025, HTTP API on 18025
//! - **`GreenMail`** (Java, test-oriented) — port 13025
//!
//! Both servers capture all mail without delivering, making them safe for testing.

#![allow(clippy::unwrap_used, clippy::expect_used)]

use std::sync::Arc;
use std::time::Duration;

use daaki_smtp::{
    AuthMechanism, BodyType, Error, ForwardPath, MailFromParams, Protocol, ReversePath,
    SmtpConnection, TlsMode,
};

const TIMEOUT: Duration = Duration::from_secs(10);

/// Minimal RFC 5322 message for send tests.
fn test_message(id: &str) -> Vec<u8> {
    format!(
        "From: sender@example.com\r\n\
         To: recipient@example.com\r\n\
         Subject: SMTP integration test {id}\r\n\
         Date: Sun, 15 Mar 2026 00:00:00 +0000\r\n\
         Message-ID: <{id}@daaki>\r\n\
         MIME-Version: 1.0\r\n\
         Content-Type: text/plain; charset=utf-8\r\n\
         \r\n\
         Hello from daaki SMTP integration tests.\r\n"
    )
    .into_bytes()
}

// ---------------------------------------------------------------------------
// Server configurations
// ---------------------------------------------------------------------------

mod mailpit {
    pub const HOST: &str = "127.0.0.1";
    pub const SMTP_PORT: u16 = 11025;
    pub const _HTTP_PORT: u16 = 18025;
    pub const USER: &str = "testuser";
    pub const PASS: &str = "testpass";
}

mod greenmail {
    pub const HOST: &str = "127.0.0.1";
    pub const SMTP_PORT: u16 = 13025;
    pub const SMTPS_PORT: u16 = 13465;
    // GreenMail SMTP AUTH requires the bare username (no @domain),
    // unlike IMAP LOGIN which uses the full "user@domain" form.
    pub const USER: &str = "testuser";
    pub const PASS: &str = "testpass";
}

// ==========================================================================
// Connection & Authentication (RFC 5321 Section 3.1, RFC 4954)
// ==========================================================================

// --- Mailpit ---

/// Connect to Mailpit and authenticate with PLAIN.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_connect_and_auth() {
    let conn = SmtpConnection::connect(mailpit::HOST, mailpit::SMTP_PORT, TlsMode::None, TIMEOUT)
        .await
        .unwrap();

    conn.auth_plain(mailpit::USER, mailpit::PASS, TIMEOUT)
        .await
        .unwrap();
    conn.quit(TIMEOUT).await.unwrap();
}

// --- GreenMail ---

/// Connect to `GreenMail` over plaintext and authenticate.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_connect_and_auth() {
    let conn = SmtpConnection::connect(
        greenmail::HOST,
        greenmail::SMTP_PORT,
        TlsMode::None,
        TIMEOUT,
    )
    .await
    .unwrap();

    conn.auth_plain(greenmail::USER, greenmail::PASS, TIMEOUT)
        .await
        .unwrap();
    conn.quit(TIMEOUT).await.unwrap();
}

/// Connect to `GreenMail` over implicit TLS (SMTPS, port 13465).
///
/// `GreenMail` uses self-signed certificates, so we need a danger TLS config.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_connect_implicit_tls() {
    let tls_config = build_danger_tls_config();
    let conn = SmtpConnection::connect_with_tls_config(
        greenmail::HOST,
        greenmail::SMTPS_PORT,
        TlsMode::Implicit,
        TIMEOUT,
        tls_config,
    )
    .await
    .unwrap();

    conn.auth_plain(greenmail::USER, greenmail::PASS, TIMEOUT)
        .await
        .unwrap();
    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Sending messages (RFC 5321 Section 3.3 — MAIL/RCPT/DATA sequence)
// ==========================================================================

/// Send a simple message through Mailpit.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_send_simple() {
    let conn = connect_mailpit().await;

    let msg = test_message("mailpit-simple");
    conn.send(
        &ReversePath::new("sender@example.com").unwrap(),
        &[ForwardPath::new("recipient@example.com").unwrap()],
        &msg,
        TIMEOUT,
    )
    .await
    .unwrap();

    conn.quit(TIMEOUT).await.unwrap();
}

/// Send a message to multiple recipients.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_send_multiple_recipients() {
    let conn = connect_mailpit().await;

    let msg = test_message("mailpit-multi");
    conn.send(
        &ReversePath::new("sender@example.com").unwrap(),
        &[
            ForwardPath::new("alice@example.com").unwrap(),
            ForwardPath::new("bob@example.com").unwrap(),
            ForwardPath::new("carol@example.com").unwrap(),
        ],
        &msg,
        TIMEOUT,
    )
    .await
    .unwrap();

    conn.quit(TIMEOUT).await.unwrap();
}

/// Send a simple message through `GreenMail`.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_send_simple() {
    let conn = connect_greenmail().await;

    let msg = test_message("greenmail-simple");
    conn.send(
        &ReversePath::new("sender@example.com").unwrap(),
        &[ForwardPath::new("recipient@example.com").unwrap()],
        &msg,
        TIMEOUT,
    )
    .await
    .unwrap();

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// 8-bit content (RFC 1652 8BITMIME)
// ==========================================================================

/// Send a message containing non-ASCII UTF-8 body content.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_send_8bit_content() {
    let conn = connect_mailpit().await;

    let msg = "From: sender@example.com\r\n\
               To: recipient@example.com\r\n\
               Subject: 8-bit test\r\n\
               Date: Sun, 15 Mar 2026 00:00:00 +0000\r\n\
               Message-ID: <8bit@daaki>\r\n\
               MIME-Version: 1.0\r\n\
               Content-Type: text/plain; charset=utf-8\r\n\
               Content-Transfer-Encoding: 8bit\r\n\
               \r\n\
               Héllo wörld! 你好世界 🌍\r\n";

    conn.send(
        &ReversePath::new("sender@example.com").unwrap(),
        &[ForwardPath::new("recipient@example.com").unwrap()],
        msg.as_bytes(),
        TIMEOUT,
    )
    .await
    .unwrap();

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Session management (RFC 5321 Section 4.1.1.5 RSET)
// ==========================================================================

/// RSET between sends — resets the mail transaction without disconnecting.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_rset_between_sends() {
    let conn = connect_mailpit().await;

    // First send.
    let msg1 = test_message("mailpit-rset-1");
    conn.send(
        &ReversePath::new("sender@example.com").unwrap(),
        &[ForwardPath::new("recipient@example.com").unwrap()],
        &msg1,
        TIMEOUT,
    )
    .await
    .unwrap();

    // Reset session state.
    conn.reset(TIMEOUT).await.unwrap();

    // Second send on same connection.
    let msg2 = test_message("mailpit-rset-2");
    conn.send(
        &ReversePath::new("sender@example.com").unwrap(),
        &[ForwardPath::new("other@example.com").unwrap()],
        &msg2,
        TIMEOUT,
    )
    .await
    .unwrap();

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Dot-stuffing edge case (RFC 5321 Section 4.5.2)
// ==========================================================================

/// Message body containing lines starting with "." — must be dot-stuffed.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_send_dot_stuffed() {
    let conn = connect_mailpit().await;

    let msg = "From: sender@example.com\r\n\
               To: recipient@example.com\r\n\
               Subject: dot-stuff test\r\n\
               Date: Sun, 15 Mar 2026 00:00:00 +0000\r\n\
               Message-ID: <dot-stuff@daaki>\r\n\
               MIME-Version: 1.0\r\n\
               Content-Type: text/plain\r\n\
               \r\n\
               Normal line.\r\n\
               .This line starts with a dot.\r\n\
               ..Two dots.\r\n\
               ...Three dots.\r\n\
               End.\r\n";

    conn.send(
        &ReversePath::new("sender@example.com").unwrap(),
        &[ForwardPath::new("recipient@example.com").unwrap()],
        msg.as_bytes(),
        TIMEOUT,
    )
    .await
    .unwrap();

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Empty / edge-case messages
// ==========================================================================

/// Minimal valid RFC 5322 message (headers only, empty body).
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_send_empty_body() {
    let conn = connect_mailpit().await;

    let msg = "From: sender@example.com\r\n\
               To: recipient@example.com\r\n\
               Subject: empty body\r\n\
               Date: Sun, 15 Mar 2026 00:00:00 +0000\r\n\
               Message-ID: <empty@daaki>\r\n\
               \r\n";

    conn.send(
        &ReversePath::new("sender@example.com").unwrap(),
        &[ForwardPath::new("recipient@example.com").unwrap()],
        msg.as_bytes(),
        TIMEOUT,
    )
    .await
    .unwrap();

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// QUIT without sending (RFC 5321 Section 4.1.1.10)
// ==========================================================================

/// Connect, authenticate, then immediately QUIT — no mail transaction.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_quit_immediately() {
    let conn = SmtpConnection::connect(mailpit::HOST, mailpit::SMTP_PORT, TlsMode::None, TIMEOUT)
        .await
        .unwrap();

    conn.auth_plain(mailpit::USER, mailpit::PASS, TIMEOUT)
        .await
        .unwrap();
    conn.quit(TIMEOUT).await.unwrap();
}

#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_quit_immediately() {
    let conn = SmtpConnection::connect(
        greenmail::HOST,
        greenmail::SMTP_PORT,
        TlsMode::None,
        TIMEOUT,
    )
    .await
    .unwrap();

    conn.auth_plain(greenmail::USER, greenmail::PASS, TIMEOUT)
        .await
        .unwrap();
    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// NOOP — keepalive probe (RFC 5321 Section 4.1.1.9)
// ==========================================================================

/// NOOP must return 250 OK and not affect session state.
///
/// RFC 5321 Section 4.1.1.9: "This command does not affect any
/// parameters or previously entered commands."
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_noop_keepalive() {
    let conn = connect_mailpit().await;

    // NOOP should succeed silently.
    conn.noop(TIMEOUT).await.unwrap();

    // Session must still be usable after NOOP.
    let msg = test_message("mailpit-noop");
    conn.send(
        &ReversePath::new("sender@example.com").unwrap(),
        &[ForwardPath::new("recipient@example.com").unwrap()],
        &msg,
        TIMEOUT,
    )
    .await
    .unwrap();

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Server capabilities (RFC 5321 Section 4.1.1.1)
// ==========================================================================

/// After connecting, the server's EHLO response must populate capabilities.
///
/// RFC 5321 Section 4.1.1.1: the server advertises extensions as EHLO
/// keyword lines following the greeting name.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_capabilities_advertised() {
    let conn = SmtpConnection::connect(mailpit::HOST, mailpit::SMTP_PORT, TlsMode::None, TIMEOUT)
        .await
        .unwrap();

    let caps = conn.capabilities().await;

    // The greeting name must be non-empty (RFC 5321 Section 4.1.1.1).
    assert!(
        !caps.greeting_name().is_empty(),
        "EHLO greeting name must not be empty"
    );

    // Mailpit is configured with MP_SMTP_AUTH, so AUTH must be advertised.
    assert!(
        caps.supports_auth_extension(),
        "server must advertise AUTH when authentication is configured"
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Protocol accessor
// ==========================================================================

/// `protocol()` must return `Protocol::Smtp` for an SMTP connection.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_protocol_is_smtp() {
    let conn = SmtpConnection::connect(mailpit::HOST, mailpit::SMTP_PORT, TlsMode::None, TIMEOUT)
        .await
        .unwrap();

    assert_eq!(conn.protocol(), Protocol::Smtp);

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Authentication state tracking (RFC 4954 Section 3)
// ==========================================================================

/// `is_authenticated()` must transition from `false` to `true` after
/// a successful AUTH command.
///
/// RFC 4954 Section 3: "After an AUTH command has been successfully
/// completed, no more AUTH commands may be issued in the same session."
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_is_authenticated_transitions() {
    let conn = SmtpConnection::connect(mailpit::HOST, mailpit::SMTP_PORT, TlsMode::None, TIMEOUT)
        .await
        .unwrap();

    assert!(
        !conn.is_authenticated().await,
        "must not be authenticated before AUTH"
    );

    conn.auth_plain(mailpit::USER, mailpit::PASS, TIMEOUT)
        .await
        .unwrap();

    assert!(
        conn.is_authenticated().await,
        "must be authenticated after successful AUTH PLAIN"
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// HELP command (RFC 5321 Section 4.1.1.8)
// ==========================================================================

/// HELP must return a valid SMTP response — either help text (211/214)
/// or "not implemented" (502).
///
/// RFC 5321 Section 4.1.1.8: "This command causes the server to send
/// helpful information to the client."
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_help_command() {
    let conn = connect_mailpit().await;

    let resp = conn.help(None, TIMEOUT).await.unwrap();

    // RFC 5321 Section 4.1.1.8: valid response codes are 211, 214, or 502.
    assert!(
        resp.code == 211 || resp.code == 214 || resp.code == 502,
        "HELP must return 211, 214, or 502; got {}",
        resp.code
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// VRFY command (RFC 5321 Section 4.1.1.6)
// ==========================================================================

/// VRFY must return a valid response — verified (250/251/252),
/// not implemented (502), or not found (550/553).
///
/// RFC 5321 Section 3.5.3 permits servers to disable VRFY with a 502
/// response, so both "verified" and "not implemented" are acceptable.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_vrfy_command() {
    let conn = connect_mailpit().await;

    let resp = conn.vrfy("testuser", TIMEOUT).await.unwrap();

    // RFC 5321 Section 4.1.1.6 / Section 3.5.3: valid responses.
    assert!(
        [250, 251, 252, 502, 550, 553].contains(&resp.code),
        "VRFY must return 250/251/252/502/550/553; got {}",
        resp.code
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// REHLO — capability refresh (RFC 5321 Section 4.1.1.1)
// ==========================================================================

/// `rehlo()` re-issues EHLO and refreshes the capability snapshot.
///
/// RFC 5321 Section 4.1.1.1: "An EHLO command MAY be issued by a
/// client later in the session."
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_rehlo_refreshes_capabilities() {
    let conn = connect_mailpit().await;

    let caps_before = conn.capabilities().await;

    // Re-issue EHLO.
    conn.rehlo(TIMEOUT).await.unwrap();

    // Capabilities must still be populated after REHLO.
    let caps_after = conn.capabilities().await;
    assert!(
        !caps_after.greeting_name().is_empty(),
        "greeting name must remain present after REHLO"
    );
    assert_eq!(
        caps_before.greeting_name(),
        caps_after.greeting_name(),
        "greeting name should be consistent across EHLO exchanges"
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// AUTH LOGIN (draft-murchison-sasl-login)
// ==========================================================================

/// AUTH LOGIN succeeds against `GreenMail`.
///
/// AUTH LOGIN uses a two-step challenge-response: the server challenges
/// for the username, then the password, each base64-encoded.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_auth_login() {
    let conn = SmtpConnection::connect(
        greenmail::HOST,
        greenmail::SMTP_PORT,
        TlsMode::None,
        TIMEOUT,
    )
    .await
    .unwrap();

    // GreenMail should advertise AUTH LOGIN.
    let caps = conn.capabilities().await;
    if !caps.supports_auth(&AuthMechanism::Login) {
        eprintln!("skipping: GreenMail does not advertise AUTH LOGIN");
        conn.quit(TIMEOUT).await.unwrap();
        return;
    }

    conn.auth_login(greenmail::USER, greenmail::PASS, TIMEOUT)
        .await
        .unwrap();

    assert!(
        conn.is_authenticated().await,
        "must be authenticated after AUTH LOGIN"
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Invalid credentials (RFC 4954 Section 4)
// ==========================================================================

/// AUTH PLAIN with wrong password must fail with `Error::Auth`.
///
/// RFC 4954 Section 4: "If the requested authentication identity is
/// unknown or the supplied credentials are invalid [...] a 535 reply
/// code SHOULD be used."
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_invalid_credentials_rejected() {
    let conn = SmtpConnection::connect(
        greenmail::HOST,
        greenmail::SMTP_PORT,
        TlsMode::None,
        TIMEOUT,
    )
    .await
    .unwrap();

    let result = conn
        .auth_plain(greenmail::USER, "wrong-password", TIMEOUT)
        .await;

    assert!(
        matches!(result, Err(Error::Auth { .. })),
        "bad credentials must produce Error::Auth, got {result:?}"
    );

    // Connection may still be usable after failed auth (RFC 4954 Section 6).
    let _ = conn.quit(TIMEOUT).await;
}

// ==========================================================================
// SendResult inspection (RFC 5321 Section 3.3)
// ==========================================================================

/// After a successful send to a valid recipient, `SendResult::all_accepted()`
/// must return `true` and `has_rejections()` must return `false`.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_send_result_all_accepted() {
    let conn = connect_mailpit().await;

    let msg = test_message("mailpit-sendresult");
    let result = conn
        .send(
            &ReversePath::new("sender@example.com").unwrap(),
            &[ForwardPath::new("recipient@example.com").unwrap()],
            &msg,
            TIMEOUT,
        )
        .await
        .unwrap();

    assert!(
        result.all_accepted(),
        "all recipients must be accepted; rejections: {:?}",
        result.rejected_recipients
    );
    assert!(
        !result.has_rejections(),
        "must have no rejections for a valid recipient"
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Null reverse path — bounce/DSN messages (RFC 5321 Section 4.1.1.2)
// ==========================================================================

/// Sending with a null reverse path (MAIL FROM:<>) is valid for bounce
/// messages and delivery status notifications.
///
/// RFC 5321 Section 4.1.1.2: "The special case of 'MAIL FROM:<>'
/// indicates the envelope sender is a null address."
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_send_null_reverse_path() {
    let conn = connect_mailpit().await;

    let null_sender = ReversePath::new("").unwrap();

    let msg = test_message("mailpit-null-sender");
    let result = conn
        .send(
            &null_sender,
            &[ForwardPath::new("recipient@example.com").unwrap()],
            &msg,
            TIMEOUT,
        )
        .await
        .unwrap();

    assert!(
        result.all_accepted(),
        "null reverse-path send must be accepted; rejections: {:?}",
        result.rejected_recipients
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Large message (RFC 5321 Section 4.5.3.1.8)
// ==========================================================================

/// Send a ~100 KB message to verify large-message handling.
///
/// RFC 5321 Section 4.5.3.1.8: "The minimum maximum message size that
/// a server must be able to receive is 64K octets."  Mailpit has no
/// realistic size limit, so a 100 KB message should succeed.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_send_large_message() {
    let conn = connect_mailpit().await;

    // Build a ~100 KB message.
    let body_line =
        "This is a line of text for the large message test. ABCDEFGHIJKLMNOPQRSTUVWXYZ\r\n";
    let body = body_line.repeat(1300); // ~100 KB
    let msg = format!(
        "From: sender@example.com\r\n\
         To: recipient@example.com\r\n\
         Subject: large message test\r\n\
         Date: Sun, 15 Mar 2026 00:00:00 +0000\r\n\
         Message-ID: <large@daaki>\r\n\
         MIME-Version: 1.0\r\n\
         Content-Type: text/plain; charset=utf-8\r\n\
         \r\n\
         {body}"
    );

    let result = conn
        .send(
            &ReversePath::new("sender@example.com").unwrap(),
            &[ForwardPath::new("recipient@example.com").unwrap()],
            msg.as_bytes(),
            TIMEOUT,
        )
        .await
        .unwrap();

    assert!(
        result.all_accepted(),
        "large message send must be accepted; rejections: {:?}",
        result.rejected_recipients
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Multiple sends without RSET (RFC 5321 Section 3.3)
// ==========================================================================

/// The server must accept multiple MAIL/RCPT/DATA sequences on the same
/// connection without an explicit RSET between them.
///
/// RFC 5321 Section 3.3: after a successful DATA, the server resets
/// the mail transaction state automatically.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_multiple_sends_same_connection() {
    let conn = connect_mailpit().await;

    for i in 1..=3 {
        let msg = test_message(&format!("mailpit-multi-send-{i}"));
        let result = conn
            .send(
                &ReversePath::new("sender@example.com").unwrap(),
                &[ForwardPath::new("recipient@example.com").unwrap()],
                &msg,
                TIMEOUT,
            )
            .await
            .unwrap();

        assert!(
            result.all_accepted(),
            "send {i}/3 must be accepted; rejections: {:?}",
            result.rejected_recipients
        );
    }

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// STARTTLS upgrade (RFC 3207)
// ==========================================================================

/// Connect to `GreenMail` in cleartext and attempt STARTTLS upgrade.
///
/// RFC 3207 Section 4: after a successful STARTTLS, the connection
/// is upgraded and a fresh EHLO exchange occurs. If the server does
/// not advertise STARTTLS, the connection fails with
/// `Error::StartTlsUnavailable` — this is the expected behavior per
/// RFC 3207 Section 3.1.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_starttls_upgrade() {
    let tls_config = build_danger_tls_config();
    let result = SmtpConnection::connect_with_tls_config(
        greenmail::HOST,
        greenmail::SMTP_PORT,
        TlsMode::StartTls,
        TIMEOUT,
        tls_config,
    )
    .await;

    match result {
        Ok(conn) => {
            // STARTTLS succeeded — verify capabilities and auth.
            let caps = conn.capabilities().await;
            assert!(
                !caps.greeting_name().is_empty(),
                "greeting name must be present after STARTTLS EHLO"
            );
            conn.auth_plain(greenmail::USER, greenmail::PASS, TIMEOUT)
                .await
                .unwrap();
            conn.quit(TIMEOUT).await.unwrap();
        }
        Err(Error::StartTlsUnavailable) => {
            // GreenMail does not advertise STARTTLS on its plaintext
            // port — this is expected. The library correctly refuses
            // to upgrade when the extension is absent.
            eprintln!("skipping: GreenMail plaintext port does not advertise STARTTLS");
        }
        Err(e) => panic!("unexpected error: {e:?}"),
    }
}

// ==========================================================================
// EXPN — mailing list expansion (RFC 5321 Section 4.1.1.7)
// ==========================================================================

/// EXPN must return a valid SMTP response — expanded list (250),
/// not implemented (502), or not found (550).
///
/// RFC 5321 Section 4.1.1.7 / Section 3.5.3: servers MAY disable
/// EXPN with a 502 response.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_expn_command() {
    let conn = connect_mailpit().await;

    let resp = conn.expn("testlist", TIMEOUT).await.unwrap();

    // RFC 5321 Section 4.1.1.7 / Section 3.5.3: valid responses.
    assert!(
        [250, 502, 550].contains(&resp.code),
        "EXPN must return 250/502/550; got {}",
        resp.code
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// HELP with topic (RFC 5321 Section 4.1.1.8)
// ==========================================================================

/// HELP with a specific topic argument must return a valid SMTP response.
///
/// RFC 5321 Section 4.1.1.8: "HELP" [ SP String ] CRLF — the optional
/// argument requests topic-specific help text.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_help_with_topic() {
    let conn = connect_mailpit().await;

    let resp = conn.help(Some("MAIL"), TIMEOUT).await.unwrap();

    // RFC 5321 Section 4.1.1.8: valid response codes are 211, 214, or 502.
    assert!(
        resp.code == 211 || resp.code == 214 || resp.code == 502,
        "HELP MAIL must return 211, 214, or 502; got {}",
        resp.code
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// EHLO domain configuration (RFC 5321 Section 4.1.1.1)
// ==========================================================================

/// `set_ehlo_domain` followed by `rehlo` must send the new domain to the
/// server and refresh capabilities.
///
/// RFC 5321 Section 4.1.1.1: "An EHLO command MAY be issued by a client
/// later in the session" — this tests the domain-change + refresh path.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_set_ehlo_domain_and_rehlo() {
    let conn = SmtpConnection::connect(mailpit::HOST, mailpit::SMTP_PORT, TlsMode::None, TIMEOUT)
        .await
        .unwrap();

    // Set a custom EHLO domain.
    conn.set_ehlo_domain("test.example.com").await.unwrap();

    // Re-issue EHLO with the new domain.
    conn.rehlo(TIMEOUT).await.unwrap();

    // Capabilities must still be populated after REHLO with new domain.
    let caps = conn.capabilities().await;
    assert!(
        !caps.greeting_name().is_empty(),
        "greeting name must be present after REHLO with new domain"
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// is_shutting_down accessor (RFC 5321 Section 3.8)
// ==========================================================================

/// `is_shutting_down()` must return `false` on a healthy connection that
/// has not received a 421 response.
///
/// RFC 5321 Section 3.8: the server sends 421 to signal channel shutdown.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_is_shutting_down_false() {
    let conn = connect_mailpit().await;

    assert!(
        !conn.is_shutting_down().await,
        "healthy connection must not report shutting down"
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Capability introspection — pipelining (RFC 1854)
// ==========================================================================

/// Verify detailed capability inspection after EHLO — pipelining, SIZE,
/// and 8BITMIME are commonly advertised.
///
/// RFC 5321 Section 4.1.1.1: the server advertises extensions as EHLO
/// keyword lines following the greeting name.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_capabilities_size_and_8bitmime() {
    let conn = SmtpConnection::connect(mailpit::HOST, mailpit::SMTP_PORT, TlsMode::None, TIMEOUT)
        .await
        .unwrap();

    let caps = conn.capabilities().await;

    // SIZE extension (RFC 1870) should be advertised.
    assert!(
        caps.supports_size(),
        "Mailpit must advertise the SIZE extension (RFC 1870)"
    );

    // 8BITMIME (RFC 6152) should be advertised.
    assert!(
        caps.supports_8bitmime(),
        "Mailpit must advertise 8BITMIME (RFC 6152)"
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Capability introspection — GreenMail extensions
// ==========================================================================

/// Inspect `GreenMail`'s capabilities on the plaintext port.
///
/// RFC 5321 Section 4.1.1.1: verify that AUTH and 8BITMIME are
/// advertised by `GreenMail`.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_capabilities_inspection() {
    let conn = SmtpConnection::connect(
        greenmail::HOST,
        greenmail::SMTP_PORT,
        TlsMode::None,
        TIMEOUT,
    )
    .await
    .unwrap();

    let caps = conn.capabilities().await;

    // GreenMail should advertise AUTH.
    assert!(
        caps.supports_auth_extension(),
        "GreenMail must advertise AUTH (RFC 4954)"
    );

    // GreenMail typically supports AUTH PLAIN.
    assert!(
        caps.supports_auth(&AuthMechanism::Plain),
        "GreenMail must advertise AUTH PLAIN"
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Send over implicit TLS (RFC 8314 Section 3)
// ==========================================================================

/// Send a message through `GreenMail` over implicit TLS (SMTPS).
///
/// RFC 8314 Section 3: implicit TLS wraps the connection from the start.
/// This verifies the full send path works over TLS, not just plaintext.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_send_over_implicit_tls() {
    let tls_config = build_danger_tls_config();
    let conn = SmtpConnection::connect_with_tls_config(
        greenmail::HOST,
        greenmail::SMTPS_PORT,
        TlsMode::Implicit,
        TIMEOUT,
        tls_config,
    )
    .await
    .unwrap();

    conn.auth_plain(greenmail::USER, greenmail::PASS, TIMEOUT)
        .await
        .unwrap();

    let msg = test_message("greenmail-implicit-tls");
    let result = conn
        .send(
            &ReversePath::new("sender@example.com").unwrap(),
            &[ForwardPath::new("recipient@example.com").unwrap()],
            &msg,
            TIMEOUT,
        )
        .await
        .unwrap();

    assert!(
        result.all_accepted(),
        "send over implicit TLS must accept all recipients; rejections: {:?}",
        result.rejected_recipients
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// BDAT chunking (RFC 3030 Section 3)
// ==========================================================================

/// Send a message via BDAT/CHUNKING if the server supports it.
///
/// RFC 3030 Section 3: BDAT replaces DATA, avoids dot-stuffing, and
/// supports binary content. The CHUNKING extension must be advertised.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_send_bdat_if_chunking_supported() {
    let conn = connect_greenmail().await;

    let caps = conn.capabilities().await;
    if !caps.supports_chunking() {
        eprintln!("skipping: GreenMail does not advertise CHUNKING");
        conn.quit(TIMEOUT).await.unwrap();
        return;
    }

    let msg = test_message("greenmail-bdat");
    let result = conn
        .send_bdat(
            &ReversePath::new("sender@example.com").unwrap(),
            &[ForwardPath::new("recipient@example.com").unwrap()],
            &msg,
            None,
            TIMEOUT,
        )
        .await
        .unwrap();

    assert!(
        result.all_accepted(),
        "BDAT send must accept all recipients; rejections: {:?}",
        result.rejected_recipients
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// send_with_params — BODY=8BITMIME (RFC 1652 Section 3)
// ==========================================================================

/// Send a message with explicit BODY=8BITMIME MAIL FROM parameter.
///
/// RFC 1652 Section 3: the client declares the body type via the
/// BODY parameter on MAIL FROM. When the server advertises 8BITMIME,
/// this should succeed.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_send_with_body_8bitmime_param() {
    let conn = connect_mailpit().await;

    let caps = conn.capabilities().await;
    if !caps.supports_8bitmime() {
        eprintln!("skipping: Mailpit does not advertise 8BITMIME");
        conn.quit(TIMEOUT).await.unwrap();
        return;
    }

    let mut params = MailFromParams::default();
    params.body = Some(BodyType::EightBitMime);

    let msg = "From: sender@example.com\r\n\
               To: recipient@example.com\r\n\
               Subject: 8BITMIME param test\r\n\
               Date: Sun, 15 Mar 2026 00:00:00 +0000\r\n\
               Message-ID: <body-param@daaki>\r\n\
               MIME-Version: 1.0\r\n\
               Content-Type: text/plain; charset=utf-8\r\n\
               Content-Transfer-Encoding: 8bit\r\n\
               \r\n\
               Héllo wörld — explicit BODY=8BITMIME.\r\n";

    let result = conn
        .send_with_params(
            &ReversePath::new("sender@example.com").unwrap(),
            &[ForwardPath::new("recipient@example.com").unwrap()],
            msg.as_bytes(),
            Some(&params),
            TIMEOUT,
        )
        .await
        .unwrap();

    assert!(
        result.all_accepted(),
        "send_with_params(BODY=8BITMIME) must accept; rejections: {:?}",
        result.rejected_recipients
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Error classification (RFC 5321 Section 4.2.1)
// ==========================================================================

/// `Error::is_permanent()` must be true for permanent auth failures (535).
///
/// RFC 4954 Section 4: "If the requested authentication identity is
/// unknown or the supplied credentials are invalid [...] a 535 reply
/// code SHOULD be used."
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_auth_error_is_permanent() {
    let conn = SmtpConnection::connect(
        greenmail::HOST,
        greenmail::SMTP_PORT,
        TlsMode::None,
        TIMEOUT,
    )
    .await
    .unwrap();

    let result = conn
        .auth_plain(greenmail::USER, "wrong-password", TIMEOUT)
        .await;

    match result {
        Err(ref e) => {
            assert!(
                e.is_permanent(),
                "bad-credentials error must be permanent (535); got {e:?}"
            );
            assert!(
                !e.is_transient(),
                "bad-credentials error must not be transient; got {e:?}"
            );
        }
        Ok(()) => panic!("auth with bad password should fail"),
    }

    let _ = conn.quit(TIMEOUT).await;
}

// ==========================================================================
// Multiple NOOPs (RFC 5321 Section 4.1.1.9)
// ==========================================================================

/// Multiple NOOP commands in sequence must all succeed without
/// affecting session state.
///
/// RFC 5321 Section 4.1.1.9: "This command does not affect any
/// parameters or previously entered commands."
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_multiple_noops() {
    let conn = connect_mailpit().await;

    for _ in 0..5 {
        conn.noop(TIMEOUT).await.unwrap();
    }

    // Session must still be usable after multiple NOOPs.
    let msg = test_message("mailpit-multi-noop");
    conn.send(
        &ReversePath::new("sender@example.com").unwrap(),
        &[ForwardPath::new("recipient@example.com").unwrap()],
        &msg,
        TIMEOUT,
    )
    .await
    .unwrap();

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// GreenMail multiple sends on same connection (RFC 5321 Section 3.3)
// ==========================================================================

/// Multiple MAIL/RCPT/DATA sequences on the same `GreenMail` connection must
/// succeed, verifying state reset after each DATA completion.
///
/// RFC 5321 Section 3.3: after a successful DATA, the server resets the
/// mail transaction state automatically.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_multiple_sends_same_connection() {
    let conn = connect_greenmail().await;

    for i in 1..=3 {
        let msg = test_message(&format!("greenmail-multi-send-{i}"));
        let result = conn
            .send(
                &ReversePath::new("sender@example.com").unwrap(),
                &[ForwardPath::new("recipient@example.com").unwrap()],
                &msg,
                TIMEOUT,
            )
            .await
            .unwrap();

        assert!(
            result.all_accepted(),
            "GreenMail send {i}/3 must be accepted; rejections: {:?}",
            result.rejected_recipients
        );
    }

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Connection usable after failed auth (RFC 4954 Section 6)
// ==========================================================================

/// After a failed AUTH attempt the session must remain usable — the client
/// can retry with correct credentials.
///
/// RFC 4954 Section 6: "The SMTP client may try another authentication
/// mechanism or provide corrected credentials by issuing another AUTH
/// command."
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_retry_auth_after_failure() {
    let conn = SmtpConnection::connect(
        greenmail::HOST,
        greenmail::SMTP_PORT,
        TlsMode::None,
        TIMEOUT,
    )
    .await
    .unwrap();

    // First attempt with wrong password.
    let bad_result = conn
        .auth_plain(greenmail::USER, "wrong-password", TIMEOUT)
        .await;
    assert!(bad_result.is_err(), "auth with wrong password must fail");
    assert!(
        !conn.is_authenticated().await,
        "must not be authenticated after failed auth"
    );

    // Retry with correct credentials on the same connection.
    conn.auth_plain(greenmail::USER, greenmail::PASS, TIMEOUT)
        .await
        .unwrap();
    assert!(
        conn.is_authenticated().await,
        "must be authenticated after successful retry"
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// send_with_all_params (RFC 5321 Section 3.3, RFC 3461)
// ==========================================================================

/// `send_with_all_params` rejects mismatched `rcpt_params` length.
///
/// RFC 3461 Sections 4.1-4.2: each recipient must have a corresponding
/// `RcptToParams` entry. Passing an empty slice when there are recipients
/// must return a protocol error.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_send_with_all_params_rejects_length_mismatch() {
    use daaki_smtp::RcptToParams;

    let conn = connect_greenmail().await;

    let from = ReversePath::new("sender@example.com").unwrap();
    let to = vec![ForwardPath::new("recipient@example.com").unwrap()];
    let msg = test_message("all-params-mismatch");

    // Empty rcpt_params with 1 recipient → protocol error.
    let result = conn
        .send_with_all_params(&from, &to, &msg, None, &[], TIMEOUT)
        .await;

    assert!(
        result.is_err(),
        "send_with_all_params must reject length mismatch (0 params, 1 recipient)"
    );

    // Matching length with default params should succeed.
    let rcpt_params = vec![RcptToParams::default()];
    let msg2 = test_message("all-params-default-rcpt");
    let result2 = conn
        .send_with_all_params(&from, &to, &msg2, None, &rcpt_params, TIMEOUT)
        .await
        .unwrap();

    assert!(
        result2.all_accepted(),
        "send with matching default RcptToParams should succeed"
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// auth_plain_with_authzid (RFC 4616 Section 2)
// ==========================================================================

/// Authenticate with an explicit authorization identity equal to the user.
///
/// RFC 4616 Section 2: the PLAIN SASL mechanism encodes
/// `[authzid] NUL authcid NUL passwd`. When authzid equals authcid the
/// server should treat it the same as omitting authzid.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_auth_plain_with_authzid_same_as_user() {
    let conn = SmtpConnection::connect(
        greenmail::HOST,
        greenmail::SMTP_PORT,
        TlsMode::None,
        TIMEOUT,
    )
    .await
    .unwrap();

    // authzid == authcid should be accepted.
    conn.auth_plain_with_authzid(greenmail::USER, greenmail::USER, greenmail::PASS, TIMEOUT)
        .await
        .unwrap();

    assert!(
        conn.is_authenticated().await,
        "auth_plain_with_authzid should authenticate successfully"
    );

    // Verify connection is usable post-auth.
    let from = ReversePath::new("sender@example.com").unwrap();
    let to = vec![ForwardPath::new("recipient@example.com").unwrap()];
    let msg = test_message("authzid-send");
    let result = conn.send(&from, &to, &msg, TIMEOUT).await.unwrap();
    assert!(result.all_accepted());

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// ForwardPath::Postmaster (RFC 5321 Section 4.1.1.3)
// ==========================================================================

/// Send to the POSTMASTER address.
///
/// RFC 5321 Section 4.1.1.3: "RCPT TO:<Postmaster>" (without a domain)
/// MUST be accepted by every SMTP server. However, test servers may not
/// deliver to it — we only verify the RCPT TO is accepted.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_send_to_postmaster() {
    let conn = connect_greenmail().await;

    let from = ReversePath::new("sender@example.com").unwrap();
    let to = vec![ForwardPath::Postmaster];
    let msg = test_message("postmaster-send");

    let result = conn.send(&from, &to, &msg, TIMEOUT).await;

    // RFC 5321 requires Postmaster to be accepted, but test servers
    // may reject it. We accept server-level rejections (5xx/4xx) but
    // NOT library-internal errors (Io, Parse, Protocol, Closed), which
    // would indicate a bug in ForwardPath::Postmaster serialization.
    match result {
        Ok(send_result) => {
            assert!(
                send_result.all_accepted(),
                "Postmaster should be accepted if the server handles it"
            );
        }
        Err(
            Error::Permanent { .. } | Error::Transient { .. } | Error::AllRecipientsFailed { .. },
        ) => {
            // Server-level rejection — acceptable for a test server.
        }
        Err(e) => {
            panic!("unexpected error sending to Postmaster (library bug?): {e:?}");
        }
    }

    let _ = conn.quit(TIMEOUT).await;
}

// ==========================================================================
// Send after QUIT (RFC 5321 Section 4.1.1.10)
// ==========================================================================

/// Sending after QUIT must fail.
///
/// RFC 5321 Section 4.1.1.10: after QUIT the server closes the connection.
/// Any subsequent MAIL FROM must fail with a connection-level error.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_send_after_quit_fails() {
    let conn = connect_greenmail().await;

    conn.quit(TIMEOUT).await.unwrap();

    let from = ReversePath::new("sender@example.com").unwrap();
    let to = vec![ForwardPath::new("recipient@example.com").unwrap()];
    let msg = test_message("after-quit");

    let result = conn.send(&from, &to, &msg, TIMEOUT).await;
    assert!(
        result.is_err(),
        "send after QUIT must fail — server closed the connection (RFC 5321 Section 4.1.1.10)"
    );
}

// ==========================================================================
// MailFromParams with SIZE (RFC 1870 Section 3)
// ==========================================================================

/// Send with the SIZE MAIL FROM parameter.
///
/// RFC 1870 Section 3: when the server advertises SIZE, the client MAY
/// include a SIZE parameter on MAIL FROM indicating the message size.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_send_with_size_param() {
    let conn = connect_greenmail().await;

    let caps = conn.capabilities().await;
    if !caps.supports_size() {
        eprintln!("skipping: GreenMail does not advertise SIZE");
        conn.quit(TIMEOUT).await.unwrap();
        return;
    }

    let from = ReversePath::new("sender@example.com").unwrap();
    let to = vec![ForwardPath::new("recipient@example.com").unwrap()];
    let msg = test_message("size-param");

    let mut params = MailFromParams::default();
    params.size = Some(msg.len() as u64);

    let result = conn
        .send_with_params(&from, &to, &msg, Some(&params), TIMEOUT)
        .await
        .unwrap();

    assert!(
        result.all_accepted(),
        "send with SIZE param should succeed when server advertises SIZE"
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Custom EHLO domain then send (RFC 5321 Section 4.1.1.1)
// ==========================================================================

/// Set a custom EHLO domain and verify the connection remains usable.
///
/// RFC 5321 Section 4.1.1.1: the client identifies itself with a domain
/// in the EHLO command. After `set_ehlo_domain` + `rehlo`, the session
/// state should be refreshed and sending should work.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_custom_ehlo_domain_and_send() {
    let conn = connect_greenmail().await;

    conn.set_ehlo_domain("custom-test.example.com")
        .await
        .unwrap();
    conn.rehlo(TIMEOUT).await.unwrap();

    // Verify EHLO succeeded: the server's greeting name (from the EHLO
    // response) must be non-empty after the capability refresh.
    let caps = conn.capabilities().await;
    assert!(
        !caps.greeting_name().is_empty(),
        "rehlo must succeed and produce a non-empty server greeting"
    );

    // Sending should work with the new EHLO domain.
    let from = ReversePath::new("sender@example.com").unwrap();
    let to = vec![ForwardPath::new("recipient@example.com").unwrap()];
    let msg = test_message("custom-ehlo-send");
    let result = conn.send(&from, &to, &msg, TIMEOUT).await.unwrap();
    assert!(result.all_accepted());

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// NOOP before authentication (RFC 5321 Section 4.1.1.9)
// ==========================================================================

/// NOOP works before authentication.
///
/// RFC 5321 Section 4.1.1.9: NOOP does not affect any state and is valid
/// at any point in the session.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_noop_before_auth() {
    let conn = SmtpConnection::connect(
        greenmail::HOST,
        greenmail::SMTP_PORT,
        TlsMode::None,
        TIMEOUT,
    )
    .await
    .unwrap();

    // NOOP before auth should succeed.
    conn.noop(TIMEOUT).await.unwrap();

    assert!(
        !conn.is_authenticated().await,
        "NOOP should not change authentication state"
    );

    // Connection should still be usable — authenticate and send.
    conn.auth_plain(greenmail::USER, greenmail::PASS, TIMEOUT)
        .await
        .unwrap();

    let from = ReversePath::new("sender@example.com").unwrap();
    let to = vec![ForwardPath::new("recipient@example.com").unwrap()];
    let msg = test_message("noop-before-auth");
    let result = conn.send(&from, &to, &msg, TIMEOUT).await.unwrap();
    assert!(result.all_accepted());

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Multiple send-reset cycles (RFC 5321 Section 4.1.1.5)
// ==========================================================================

/// Multiple explicit RSET cycles on the same connection.
///
/// RFC 5321 Section 4.1.1.5: RSET aborts the current mail transaction and
/// resets the session to post-EHLO state. The connection should handle
/// many RSET-send pairs without degradation.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_multiple_reset_send_cycles() {
    let conn = connect_greenmail().await;

    let from = ReversePath::new("sender@example.com").unwrap();
    let to = vec![ForwardPath::new("recipient@example.com").unwrap()];

    for i in 0..5 {
        // Explicit RSET between sends.
        conn.reset(TIMEOUT).await.unwrap();

        let msg = test_message(&format!("reset-cycle-{i}"));
        let result = conn.send(&from, &to, &msg, TIMEOUT).await.unwrap();
        assert!(
            result.all_accepted(),
            "send in cycle {i} should succeed after RSET"
        );
    }

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// BDAT with per-recipient params (RFC 3030 Section 3, RFC 3461)
// ==========================================================================

/// `send_bdat_with_all_params` sends via BDAT/CHUNKING with per-recipient
/// DSN parameters. When the server doesn't support CHUNKING, the method
/// should fall back to DATA or return an error — either way the code path
/// is exercised.
///
/// RFC 3030 Section 3: BDAT replaces the DATA command when CHUNKING is
/// advertised. RFC 3461: DSN RCPT parameters (NOTIFY, ORCPT).
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_send_bdat_with_all_params_default() {
    use daaki_smtp::RcptToParams;

    let conn = connect_greenmail().await;

    let caps = conn.capabilities().await;
    if !caps.supports_chunking() {
        // GreenMail may not support CHUNKING — skip gracefully.
        conn.quit(TIMEOUT).await.unwrap();
        return;
    }

    let from = ReversePath::new("sender@example.com").unwrap();
    let to = vec![ForwardPath::new("recipient@example.com").unwrap()];
    let rcpt_params = vec![RcptToParams::default()];
    let msg = test_message("bdat-all-params");

    let result = conn
        .send_bdat_with_all_params(&from, &to, &msg, None, &rcpt_params, TIMEOUT)
        .await
        .unwrap();

    assert!(
        result.all_accepted(),
        "BDAT with default RcptToParams should succeed"
    );
    assert!(
        !result.has_rejections(),
        "BDAT with default RcptToParams should have no rejections"
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// send_with_params — BODY=8BITMIME + SIZE (RFC 1652, RFC 1870)
// ==========================================================================

/// `send_with_params` with explicit BODY=8BITMIME and SIZE parameters
/// verifies that the client correctly encodes these MAIL FROM extensions.
///
/// RFC 1652 Section 3: BODY=8BITMIME indicates 8-bit content.
/// RFC 1870 Section 3: SIZE= declares the message size.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_send_with_params_body_and_size() {
    let conn = connect_mailpit().await;

    let msg = test_message("params-body-size");
    let mut params = MailFromParams::default();
    params.body = Some(BodyType::EightBitMime);
    params.size = Some(msg.len() as u64);

    let result = conn
        .send_with_params(
            &ReversePath::new("sender@example.com").unwrap(),
            &[ForwardPath::new("recipient@example.com").unwrap()],
            &msg,
            Some(&params),
            TIMEOUT,
        )
        .await
        .unwrap();

    assert!(
        result.all_accepted(),
        "send with BODY + SIZE params should succeed"
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// ServerCapabilities supports_*() methods (RFC 5321 Section 4.1.1.1)
// ==========================================================================

/// Verify that `ServerCapabilities` supports_*() methods correctly
/// reflect the server's EHLO response.
///
/// RFC 5321 Section 4.1.1.1: The EHLO response lists the extensions
/// the server supports. This test exercises the capability introspection
/// methods against Mailpit's known extension set.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn mailpit_capability_supports_methods() {
    let conn = connect_mailpit().await;
    let caps = conn.capabilities().await;

    // Mailpit should have a non-empty greeting name.
    assert!(
        !caps.greeting_name().is_empty(),
        "greeting name from EHLO should be non-empty"
    );

    // Mailpit's extension list should not be empty.
    assert!(
        !caps.extensions().is_empty(),
        "EHLO should advertise at least one extension"
    );

    // Verify boolean methods are consistent with extensions list.
    // PIPELINING is commonly supported.
    if caps.supports_pipelining() {
        assert!(
            caps.extensions()
                .iter()
                .any(|e| matches!(e, daaki_smtp::SmtpExtension::Pipelining)),
            "supports_pipelining() true but PIPELINING not in extensions list"
        );
    }

    // If SIZE is advertised, size_limit() should return Some or the server
    // advertises SIZE with no limit (0 means no declared limit).
    if caps.supports_size() {
        // size_limit() returns None only when SIZE is not advertised at all.
        // When SIZE is advertised with 0 or no parameter, it means "no limit"
        // but supports_size() is still true.
        assert!(
            caps.extensions()
                .iter()
                .any(|e| matches!(e, daaki_smtp::SmtpExtension::Size(_))),
            "supports_size() true but SIZE not in extensions list"
        );
    }

    // AUTH should be supported (we authenticated successfully).
    assert!(
        caps.supports_auth_extension(),
        "AUTH extension should be advertised (we authenticated)"
    );
    assert!(
        caps.supports_auth(&AuthMechanism::Plain),
        "AUTH PLAIN should be supported (we used it to authenticate)"
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// AUTH LOGIN followed by send (draft-murchison-sasl-login, RFC 5321)
// ==========================================================================

/// AUTH LOGIN followed by a complete MAIL/RCPT/DATA send cycle verifies
/// that the session is fully usable after LOGIN authentication.
///
/// The existing `greenmail_auth_login` test only verifies authentication
/// succeeds. This test verifies the full workflow: LOGIN → send → quit.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_auth_login_then_send() {
    let conn = SmtpConnection::connect(
        greenmail::HOST,
        greenmail::SMTP_PORT,
        TlsMode::None,
        TIMEOUT,
    )
    .await
    .unwrap();

    conn.auth_login(greenmail::USER, greenmail::PASS, TIMEOUT)
        .await
        .unwrap();

    assert!(
        conn.is_authenticated().await,
        "should be authenticated after AUTH LOGIN"
    );

    // Send a message to verify the session is fully usable.
    let msg = test_message("login-then-send");
    let result = conn
        .send(
            &ReversePath::new("sender@example.com").unwrap(),
            &[ForwardPath::new("recipient@example.com").unwrap()],
            &msg,
            TIMEOUT,
        )
        .await
        .unwrap();
    assert!(
        result.all_accepted(),
        "send after AUTH LOGIN should succeed"
    );

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// send_with_all_params — DSN parameters (RFC 3461 Section 4)
// ==========================================================================

/// `send_with_all_params` with actual DSN RCPT parameters (NOTIFY=SUCCESS).
///
/// RFC 3461 Section 4.1: NOTIFY specifies under which conditions a DSN
/// should be generated. The server may or may not support DSN — this test
/// exercises the parameter encoding path regardless.
#[tokio::test]
#[ignore = "requires Docker: docker compose up -d"]
async fn greenmail_send_with_dsn_notify_param() {
    use daaki_smtp::{DsnNotify, RcptToParams};

    let conn = connect_greenmail().await;

    let caps = conn.capabilities().await;

    let from = ReversePath::new("sender@example.com").unwrap();
    let to = vec![ForwardPath::new("recipient@example.com").unwrap()];
    let msg = test_message("dsn-notify");

    // Build RcptToParams with NOTIFY=SUCCESS,FAILURE.
    let mut rtp = RcptToParams::default();
    rtp.notify = Some(vec![DsnNotify::Success, DsnNotify::Failure]);
    let rcpt_params = vec![rtp];

    let result = conn
        .send_with_all_params(&from, &to, &msg, None, &rcpt_params, TIMEOUT)
        .await;

    if caps.supports_dsn() {
        // Server supports DSN — the send should succeed.
        let send_result =
            result.expect("send with DSN params should succeed when DSN is supported");
        assert!(
            send_result.all_accepted(),
            "send with DSN NOTIFY should succeed"
        );
    } else {
        // Server doesn't support DSN — the server may reject the NOTIFY
        // parameter or ignore it. Either way is valid per RFC 5321
        // Section 4.1.1.2 (unrecognized params).
        if let Ok(send_result) = result {
            assert!(
                send_result.all_accepted(),
                "server accepted DSN params despite not advertising DSN"
            );
        }
    }

    conn.quit(TIMEOUT).await.unwrap();
}

// ==========================================================================
// Helpers
// ==========================================================================

/// Connect and authenticate against Mailpit.
async fn connect_mailpit() -> SmtpConnection {
    let conn = SmtpConnection::connect(mailpit::HOST, mailpit::SMTP_PORT, TlsMode::None, TIMEOUT)
        .await
        .unwrap();
    conn.auth_plain(mailpit::USER, mailpit::PASS, TIMEOUT)
        .await
        .unwrap();
    conn
}

/// Connect and authenticate against `GreenMail`.
async fn connect_greenmail() -> SmtpConnection {
    let conn = SmtpConnection::connect(
        greenmail::HOST,
        greenmail::SMTP_PORT,
        TlsMode::None,
        TIMEOUT,
    )
    .await
    .unwrap();
    conn.auth_plain(greenmail::USER, greenmail::PASS, TIMEOUT)
        .await
        .unwrap();
    conn
}

/// Build a TLS config that accepts any certificate (for Docker self-signed certs).
fn build_danger_tls_config() -> Arc<rustls::ClientConfig> {
    mod danger {
        #[derive(Debug)]
        pub struct AcceptAll;

        impl rustls::client::danger::ServerCertVerifier for AcceptAll {
            fn verify_server_cert(
                &self,
                _end_entity: &rustls::pki_types::CertificateDer<'_>,
                _intermediates: &[rustls::pki_types::CertificateDer<'_>],
                _server_name: &rustls::pki_types::ServerName<'_>,
                _ocsp_response: &[u8],
                _now: rustls::pki_types::UnixTime,
            ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
                Ok(rustls::client::danger::ServerCertVerified::assertion())
            }

            fn verify_tls12_signature(
                &self,
                _message: &[u8],
                _cert: &rustls::pki_types::CertificateDer<'_>,
                _dss: &rustls::DigitallySignedStruct,
            ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error>
            {
                Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
            }

            fn verify_tls13_signature(
                &self,
                _message: &[u8],
                _cert: &rustls::pki_types::CertificateDer<'_>,
                _dss: &rustls::DigitallySignedStruct,
            ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error>
            {
                Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
            }

            fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
                rustls::crypto::ring::default_provider()
                    .signature_verification_algorithms
                    .supported_schemes()
            }
        }
    }

    let _ = rustls::crypto::ring::default_provider().install_default();

    let config = rustls::ClientConfig::builder()
        .dangerous()
        .with_custom_certificate_verifier(Arc::new(danger::AcceptAll))
        .with_no_client_auth();
    Arc::new(config)
}