Adding upstream version 9.0.0.

Signed-off-by: Daniel Baumann <daniel@debian.org>

4 files changed, 842 insertions, 0 deletions

diff --git a/services/mailer/incoming/incoming.go b/services/mailer/incoming/incoming.go
new file mode 100644
index 0000000..ac6f32c
--- /dev/null
+++ b/services/mailer/incoming/incoming.go
@@ -0,0 +1,394 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package incoming
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	net_mail "net/mail"
+	"regexp"
+	"strings"
+	"time"
+
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/process"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/services/mailer/token"
+
+	"code.forgejo.org/forgejo/reply"
+	"github.com/emersion/go-imap"
+	"github.com/emersion/go-imap/client"
+	"github.com/jhillyerd/enmime"
+)
+
+var (
+	addressTokenRegex   *regexp.Regexp
+	referenceTokenRegex *regexp.Regexp
+)
+
+func Init(ctx context.Context) error {
+	if !setting.IncomingEmail.Enabled {
+		return nil
+	}
+
+	var err error
+	addressTokenRegex, err = regexp.Compile(
+		fmt.Sprintf(
+			`\A%s\z`,
+			strings.Replace(regexp.QuoteMeta(setting.IncomingEmail.ReplyToAddress), regexp.QuoteMeta(setting.IncomingEmail.TokenPlaceholder), "(.+)", 1),
+		),
+	)
+	if err != nil {
+		return err
+	}
+	referenceTokenRegex, err = regexp.Compile(fmt.Sprintf(`\Areply-(.+)@%s\z`, regexp.QuoteMeta(setting.Domain)))
+	if err != nil {
+		return err
+	}
+
+	go func() {
+		ctx, _, finished := process.GetManager().AddTypedContext(ctx, "Incoming Email", process.SystemProcessType, true)
+		defer finished()
+
+		// This background job processes incoming emails. It uses the IMAP IDLE command to get notified about incoming emails.
+		// The following loop restarts the processing logic after errors until ctx indicates to stop.
+
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			default:
+				if err := processIncomingEmails(ctx); err != nil {
+					log.Error("Error while processing incoming emails: %v", err)
+				}
+				select {
+				case <-ctx.Done():
+					return
+				case <-time.NewTimer(10 * time.Second).C:
+				}
+			}
+		}
+	}()
+
+	return nil
+}
+
+// processIncomingEmails is the "main" method with the wait/process loop
+func processIncomingEmails(ctx context.Context) error {
+	server := fmt.Sprintf("%s:%d", setting.IncomingEmail.Host, setting.IncomingEmail.Port)
+
+	var c *client.Client
+	var err error
+	if setting.IncomingEmail.UseTLS {
+		c, err = client.DialTLS(server, &tls.Config{InsecureSkipVerify: setting.IncomingEmail.SkipTLSVerify})
+	} else {
+		c, err = client.Dial(server)
+	}
+	if err != nil {
+		return fmt.Errorf("could not connect to server '%s': %w", server, err)
+	}
+
+	if err := c.Login(setting.IncomingEmail.Username, setting.IncomingEmail.Password); err != nil {
+		return fmt.Errorf("could not login: %w", err)
+	}
+	defer func() {
+		if err := c.Logout(); err != nil {
+			log.Error("Logout from incoming email server failed: %v", err)
+		}
+	}()
+
+	if _, err := c.Select(setting.IncomingEmail.Mailbox, false); err != nil {
+		return fmt.Errorf("selecting box '%s' failed: %w", setting.IncomingEmail.Mailbox, err)
+	}
+
+	// The following loop processes messages. If there are no messages available, IMAP IDLE is used to wait for new messages.
+	// This process is repeated until an IMAP error occurs or ctx indicates to stop.
+
+	for {
+		select {
+		case <-ctx.Done():
+			return nil
+		default:
+			if err := processMessages(ctx, c); err != nil {
+				return fmt.Errorf("could not process messages: %w", err)
+			}
+			if err := waitForUpdates(ctx, c); err != nil {
+				return fmt.Errorf("wait for updates failed: %w", err)
+			}
+			select {
+			case <-ctx.Done():
+				return nil
+			case <-time.NewTimer(time.Second).C:
+			}
+		}
+	}
+}
+
+// waitForUpdates uses IMAP IDLE to wait for new emails
+func waitForUpdates(ctx context.Context, c *client.Client) error {
+	updates := make(chan client.Update, 1)
+
+	c.Updates = updates
+	defer func() {
+		c.Updates = nil
+	}()
+
+	errs := make(chan error, 1)
+	stop := make(chan struct{})
+	go func() {
+		errs <- c.Idle(stop, nil)
+	}()
+
+	stopped := false
+	for {
+		select {
+		case update := <-updates:
+			switch update.(type) {
+			case *client.MailboxUpdate:
+				if !stopped {
+					close(stop)
+					stopped = true
+				}
+			default:
+			}
+		case err := <-errs:
+			if err != nil {
+				return fmt.Errorf("imap idle failed: %w", err)
+			}
+			return nil
+		case <-ctx.Done():
+			return nil
+		}
+	}
+}
+
+// processMessages searches unread mails and processes them.
+func processMessages(ctx context.Context, c *client.Client) error {
+	criteria := imap.NewSearchCriteria()
+	criteria.WithoutFlags = []string{imap.SeenFlag}
+	criteria.Smaller = setting.IncomingEmail.MaximumMessageSize
+	ids, err := c.Search(criteria)
+	if err != nil {
+		return fmt.Errorf("imap search failed: %w", err)
+	}
+
+	if len(ids) == 0 {
+		return nil
+	}
+
+	seqset := new(imap.SeqSet)
+	seqset.AddNum(ids...)
+	messages := make(chan *imap.Message, 10)
+
+	section := &imap.BodySectionName{}
+
+	errs := make(chan error, 1)
+	go func() {
+		errs <- c.Fetch(
+			seqset,
+			[]imap.FetchItem{section.FetchItem()},
+			messages,
+		)
+	}()
+
+	handledSet := new(imap.SeqSet)
+loop:
+	for {
+		select {
+		case <-ctx.Done():
+			break loop
+		case msg, ok := <-messages:
+			if !ok {
+				if setting.IncomingEmail.DeleteHandledMessage && !handledSet.Empty() {
+					if err := c.Store(
+						handledSet,
+						imap.FormatFlagsOp(imap.AddFlags, true),
+						[]any{imap.DeletedFlag},
+						nil,
+					); err != nil {
+						return fmt.Errorf("imap store failed: %w", err)
+					}
+
+					if err := c.Expunge(nil); err != nil {
+						return fmt.Errorf("imap expunge failed: %w", err)
+					}
+				}
+				return nil
+			}
+
+			err := func() error {
+				if isAlreadyHandled(handledSet, msg) {
+					log.Debug("Skipping already handled message")
+					return nil
+				}
+
+				r := msg.GetBody(section)
+				if r == nil {
+					return fmt.Errorf("could not get body from message: %w", err)
+				}
+
+				env, err := enmime.ReadEnvelope(r)
+				if err != nil {
+					return fmt.Errorf("could not read envelope: %w", err)
+				}
+
+				if isAutomaticReply(env) {
+					log.Debug("Skipping automatic email reply")
+					return nil
+				}
+
+				t := searchTokenInHeaders(env)
+				if t == "" {
+					log.Debug("Incoming email token not found in headers")
+					return nil
+				}
+
+				handlerType, user, payload, err := token.ExtractToken(ctx, t)
+				if err != nil {
+					if _, ok := err.(*token.ErrToken); ok {
+						log.Info("Invalid incoming email token: %v", err)
+						return nil
+					}
+					return err
+				}
+
+				handler, ok := handlers[handlerType]
+				if !ok {
+					return fmt.Errorf("unexpected handler type: %v", handlerType)
+				}
+
+				content := getContentFromMailReader(env)
+
+				if err := handler.Handle(ctx, content, user, payload); err != nil {
+					return fmt.Errorf("could not handle message: %w", err)
+				}
+
+				handledSet.AddNum(msg.SeqNum)
+
+				return nil
+			}()
+			if err != nil {
+				log.Error("Error while processing incoming email[%v]: %v", msg.Uid, err)
+			}
+		}
+	}
+
+	if err := <-errs; err != nil {
+		return fmt.Errorf("imap fetch failed: %w", err)
+	}
+
+	return nil
+}
+
+// isAlreadyHandled tests if the message was already handled
+func isAlreadyHandled(handledSet *imap.SeqSet, msg *imap.Message) bool {
+	return handledSet.Contains(msg.SeqNum)
+}
+
+// isAutomaticReply tests if the headers indicate an automatic reply
+func isAutomaticReply(env *enmime.Envelope) bool {
+	autoSubmitted := env.GetHeader("Auto-Submitted")
+	if autoSubmitted != "" && autoSubmitted != "no" {
+		return true
+	}
+	autoReply := env.GetHeader("X-Autoreply")
+	if autoReply == "yes" {
+		return true
+	}
+	autoRespond := env.GetHeader("X-Autorespond")
+	return autoRespond != ""
+}
+
+// searchTokenInHeaders looks for the token in To, Delivered-To and References
+func searchTokenInHeaders(env *enmime.Envelope) string {
+	if addressTokenRegex != nil {
+		to, _ := env.AddressList("To")
+
+		token := searchTokenInAddresses(to)
+		if token != "" {
+			return token
+		}
+
+		deliveredTo, _ := env.AddressList("Delivered-To")
+
+		token = searchTokenInAddresses(deliveredTo)
+		if token != "" {
+			return token
+		}
+	}
+
+	references := env.GetHeader("References")
+	for {
+		begin := strings.IndexByte(references, '<')
+		if begin == -1 {
+			break
+		}
+		begin++
+
+		end := strings.IndexByte(references, '>')
+		if end == -1 || begin > end {
+			break
+		}
+
+		match := referenceTokenRegex.FindStringSubmatch(references[begin:end])
+		if len(match) == 2 {
+			return match[1]
+		}
+
+		references = references[end+1:]
+	}
+
+	return ""
+}
+
+// searchTokenInAddresses looks for the token in an address
+func searchTokenInAddresses(addresses []*net_mail.Address) string {
+	for _, address := range addresses {
+		match := addressTokenRegex.FindStringSubmatch(address.Address)
+		if len(match) != 2 {
+			continue
+		}
+
+		return match[1]
+	}
+
+	return ""
+}
+
+type MailContent struct {
+	Content     string
+	Attachments []*Attachment
+}
+
+type Attachment struct {
+	Name    string
+	Content []byte
+}
+
+// getContentFromMailReader grabs the plain content and the attachments from the mail.
+// A potential reply/signature gets stripped from the content.
+func getContentFromMailReader(env *enmime.Envelope) *MailContent {
+	attachments := make([]*Attachment, 0, len(env.Attachments))
+	for _, attachment := range env.Attachments {
+		attachments = append(attachments, &Attachment{
+			Name:    attachment.FileName,
+			Content: attachment.Content,
+		})
+	}
+	inlineAttachments := make([]*Attachment, 0, len(env.Inlines))
+	for _, inline := range env.Inlines {
+		if inline.FileName != "" && inline.ContentType != "text/plain" {
+			inlineAttachments = append(inlineAttachments, &Attachment{
+				Name:    inline.FileName,
+				Content: inline.Content,
+			})
+		}
+	}
+
+	return &MailContent{
+		Content:     reply.FromText(env.Text),
+		Attachments: append(attachments, inlineAttachments...),
+	}
+}
diff --git a/services/mailer/incoming/incoming_handler.go b/services/mailer/incoming/incoming_handler.go
new file mode 100644
index 0000000..dc3c4ec
--- /dev/null
+++ b/services/mailer/incoming/incoming_handler.go
@@ -0,0 +1,187 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package incoming
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+
+	issues_model "code.gitea.io/gitea/models/issues"
+	access_model "code.gitea.io/gitea/models/perm/access"
+	repo_model "code.gitea.io/gitea/models/repo"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
+	attachment_service "code.gitea.io/gitea/services/attachment"
+	"code.gitea.io/gitea/services/context/upload"
+	issue_service "code.gitea.io/gitea/services/issue"
+	incoming_payload "code.gitea.io/gitea/services/mailer/incoming/payload"
+	"code.gitea.io/gitea/services/mailer/token"
+	pull_service "code.gitea.io/gitea/services/pull"
+)
+
+type MailHandler interface {
+	Handle(ctx context.Context, content *MailContent, doer *user_model.User, payload []byte) error
+}
+
+var handlers = map[token.HandlerType]MailHandler{
+	token.ReplyHandlerType:       &ReplyHandler{},
+	token.UnsubscribeHandlerType: &UnsubscribeHandler{},
+}
+
+// ReplyHandler handles incoming emails to create a reply from them
+type ReplyHandler struct{}
+
+func (h *ReplyHandler) Handle(ctx context.Context, content *MailContent, doer *user_model.User, payload []byte) error {
+	if doer == nil {
+		return util.NewInvalidArgumentErrorf("doer can't be nil")
+	}
+
+	ref, err := incoming_payload.GetReferenceFromPayload(ctx, payload)
+	if err != nil {
+		return err
+	}
+
+	var issue *issues_model.Issue
+
+	switch r := ref.(type) {
+	case *issues_model.Issue:
+		issue = r
+	case *issues_model.Comment:
+		comment := r
+
+		if err := comment.LoadIssue(ctx); err != nil {
+			return err
+		}
+
+		issue = comment.Issue
+	default:
+		return util.NewInvalidArgumentErrorf("unsupported reply reference: %v", ref)
+	}
+
+	if err := issue.LoadRepo(ctx); err != nil {
+		return err
+	}
+
+	perm, err := access_model.GetUserRepoPermission(ctx, issue.Repo, doer)
+	if err != nil {
+		return err
+	}
+
+	// Locked issues require write permissions
+	if issue.IsLocked && !perm.CanWriteIssuesOrPulls(issue.IsPull) && !doer.IsAdmin {
+		log.Debug("can't write issue or pull")
+		return nil
+	}
+
+	if !perm.CanReadIssuesOrPulls(issue.IsPull) {
+		log.Debug("can't read issue or pull")
+		return nil
+	}
+
+	log.Trace("incoming mail related to %T", ref)
+
+	attachmentIDs := make([]string, 0, len(content.Attachments))
+	if setting.Attachment.Enabled {
+		for _, attachment := range content.Attachments {
+			a, err := attachment_service.UploadAttachment(ctx, bytes.NewReader(attachment.Content), setting.Attachment.AllowedTypes, int64(len(attachment.Content)), &repo_model.Attachment{
+				Name:       attachment.Name,
+				UploaderID: doer.ID,
+				RepoID:     issue.Repo.ID,
+			})
+			if err != nil {
+				if upload.IsErrFileTypeForbidden(err) {
+					log.Info("Skipping disallowed attachment type: %s", attachment.Name)
+					continue
+				}
+				return err
+			}
+			attachmentIDs = append(attachmentIDs, a.UUID)
+		}
+	}
+
+	if content.Content == "" && len(attachmentIDs) == 0 {
+		log.Trace("incoming mail has no content and no attachment", ref)
+		return nil
+	}
+
+	switch r := ref.(type) {
+	case *issues_model.Issue:
+		_, err = issue_service.CreateIssueComment(ctx, doer, issue.Repo, issue, content.Content, attachmentIDs)
+		if err != nil {
+			return fmt.Errorf("CreateIssueComment failed: %w", err)
+		}
+	case *issues_model.Comment:
+		comment := r
+
+		switch comment.Type {
+		case issues_model.CommentTypeComment, issues_model.CommentTypeReview:
+			_, err = issue_service.CreateIssueComment(ctx, doer, issue.Repo, issue, content.Content, attachmentIDs)
+			if err != nil {
+				return fmt.Errorf("CreateIssueComment failed: %w", err)
+			}
+		case issues_model.CommentTypeCode:
+			_, err := pull_service.CreateCodeComment(
+				ctx,
+				doer,
+				nil,
+				issue,
+				comment.Line,
+				content.Content,
+				comment.TreePath,
+				false, // not pending review but a single review
+				comment.ReviewID,
+				"",
+				attachmentIDs,
+			)
+			if err != nil {
+				return fmt.Errorf("CreateCodeComment failed: %w", err)
+			}
+		default:
+			log.Trace("incoming mail related to comment of type %v is ignored", comment.Type)
+		}
+	default:
+		log.Trace("incoming mail related to %T is ignored", ref)
+	}
+	return nil
+}
+
+// UnsubscribeHandler handles unwatching issues/pulls
+type UnsubscribeHandler struct{}
+
+func (h *UnsubscribeHandler) Handle(ctx context.Context, _ *MailContent, doer *user_model.User, payload []byte) error {
+	if doer == nil {
+		return util.NewInvalidArgumentErrorf("doer can't be nil")
+	}
+
+	ref, err := incoming_payload.GetReferenceFromPayload(ctx, payload)
+	if err != nil {
+		return err
+	}
+
+	switch r := ref.(type) {
+	case *issues_model.Issue:
+		issue := r
+
+		if err := issue.LoadRepo(ctx); err != nil {
+			return err
+		}
+
+		perm, err := access_model.GetUserRepoPermission(ctx, issue.Repo, doer)
+		if err != nil {
+			return err
+		}
+
+		if !perm.CanReadIssuesOrPulls(issue.IsPull) {
+			log.Debug("can't read issue or pull")
+			return nil
+		}
+
+		return issues_model.CreateOrUpdateIssueWatch(ctx, doer.ID, issue.ID, false)
+	default:
+		return fmt.Errorf("unsupported unsubscribe reference: %v", ref)
+	}
+}
diff --git a/services/mailer/incoming/incoming_test.go b/services/mailer/incoming/incoming_test.go
new file mode 100644
index 0000000..1ff12d0
--- /dev/null
+++ b/services/mailer/incoming/incoming_test.go
@@ -0,0 +1,191 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package incoming
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/emersion/go-imap"
+	"github.com/jhillyerd/enmime"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNotHandleTwice(t *testing.T) {
+	handledSet := new(imap.SeqSet)
+	msg := imap.NewMessage(90, []imap.FetchItem{imap.FetchBody})
+
+	handled := isAlreadyHandled(handledSet, msg)
+	assert.False(t, handled)
+
+	handledSet.AddNum(msg.SeqNum)
+
+	handled = isAlreadyHandled(handledSet, msg)
+	assert.True(t, handled)
+}
+
+func TestIsAutomaticReply(t *testing.T) {
+	cases := []struct {
+		Headers  map[string]string
+		Expected bool
+	}{
+		{
+			Headers:  map[string]string{},
+			Expected: false,
+		},
+		{
+			Headers: map[string]string{
+				"Auto-Submitted": "no",
+			},
+			Expected: false,
+		},
+		{
+			Headers: map[string]string{
+				"Auto-Submitted": "yes",
+			},
+			Expected: true,
+		},
+		{
+			Headers: map[string]string{
+				"X-Autoreply": "no",
+			},
+			Expected: false,
+		},
+		{
+			Headers: map[string]string{
+				"X-Autoreply": "yes",
+			},
+			Expected: true,
+		},
+		{
+			Headers: map[string]string{
+				"X-Autorespond": "yes",
+			},
+			Expected: true,
+		},
+	}
+
+	for _, c := range cases {
+		b := enmime.Builder().
+			From("Dummy", "dummy@gitea.io").
+			To("Dummy", "dummy@gitea.io")
+		for k, v := range c.Headers {
+			b = b.Header(k, v)
+		}
+		root, err := b.Build()
+		require.NoError(t, err)
+		env, err := enmime.EnvelopeFromPart(root)
+		require.NoError(t, err)
+
+		assert.Equal(t, c.Expected, isAutomaticReply(env))
+	}
+}
+
+func TestGetContentFromMailReader(t *testing.T) {
+	mailString := "Content-Type: multipart/mixed; boundary=message-boundary\r\n" +
+		"\r\n" +
+		"--message-boundary\r\n" +
+		"Content-Type: multipart/alternative; boundary=text-boundary\r\n" +
+		"\r\n" +
+		"--text-boundary\r\n" +
+		"Content-Type: text/plain\r\n" +
+		"Content-Disposition: inline\r\n" +
+		"\r\n" +
+		"mail content\r\n" +
+		"--text-boundary--\r\n" +
+		"--message-boundary\r\n" +
+		"Content-Type: text/plain\r\n" +
+		"Content-Disposition: attachment; filename=attachment.txt\r\n" +
+		"\r\n" +
+		"attachment content\r\n" +
+		"--message-boundary--\r\n"
+
+	env, err := enmime.ReadEnvelope(strings.NewReader(mailString))
+	require.NoError(t, err)
+	content := getContentFromMailReader(env)
+	assert.Equal(t, "mail content", content.Content)
+	assert.Len(t, content.Attachments, 1)
+	assert.Equal(t, "attachment.txt", content.Attachments[0].Name)
+	assert.Equal(t, []byte("attachment content"), content.Attachments[0].Content)
+
+	mailString = "Content-Type: multipart/mixed; boundary=message-boundary\r\n" +
+		"\r\n" +
+		"--message-boundary\r\n" +
+		"Content-Type: multipart/alternative; boundary=text-boundary\r\n" +
+		"\r\n" +
+		"--text-boundary\r\n" +
+		"Content-Type: text/plain\r\n" +
+		"Content-Disposition: inline\r\n" +
+		"\r\n" +
+		"mail content\r\n" +
+		"--text-boundary--\r\n" +
+		"--message-boundary\r\n" +
+		"Content-Type: text/plain\r\n" +
+		"Content-Disposition: inline; filename=attachment.txt\r\n" +
+		"\r\n" +
+		"attachment content\r\n" +
+		"--message-boundary\r\n" +
+		"Content-Type: text/html\r\n" +
+		"Content-Disposition: inline; filename=attachment.html\r\n" +
+		"\r\n" +
+		"<p>html attachment content</p>\r\n" +
+		"--message-boundary\r\n" +
+		"Content-Type: image/png\r\n" +
+		"Content-Disposition: inline; filename=attachment.png\r\n" +
+		"Content-Transfer-Encoding: base64\r\n" +
+		"\r\n" +
+		"iVBORw0KGgoAAAANSUhEUgAAAAgAAAAIAQMAAAD+wSzIAAAABlBMVEX///+/v7+jQ3Y5AAAADklEQVQI12P4AIX8EAgALgAD/aNpbtEAAAAASUVORK5CYII\r\n" +
+		"--message-boundary--\r\n"
+
+	env, err = enmime.ReadEnvelope(strings.NewReader(mailString))
+	require.NoError(t, err)
+	content = getContentFromMailReader(env)
+	assert.Equal(t, "mail content\n--\nattachment content", content.Content)
+	assert.Len(t, content.Attachments, 2)
+	assert.Equal(t, "attachment.html", content.Attachments[0].Name)
+	assert.Equal(t, []byte("<p>html attachment content</p>"), content.Attachments[0].Content)
+	assert.Equal(t, "attachment.png", content.Attachments[1].Name)
+
+	mailString = "Content-Type: multipart/mixed; boundary=message-boundary\r\n" +
+		"\r\n" +
+		"--message-boundary\r\n" +
+		"Content-Type: multipart/alternative; boundary=text-boundary\r\n" +
+		"\r\n" +
+		"--text-boundary\r\n" +
+		"Content-Type: text/html\r\n" +
+		"Content-Disposition: inline\r\n" +
+		"\r\n" +
+		"<p>mail content</p>\r\n" +
+		"--text-boundary--\r\n" +
+		"--message-boundary--\r\n"
+
+	env, err = enmime.ReadEnvelope(strings.NewReader(mailString))
+	require.NoError(t, err)
+	content = getContentFromMailReader(env)
+	assert.Equal(t, "mail content", content.Content)
+	assert.Empty(t, content.Attachments)
+
+	mailString = "Content-Type: multipart/mixed; boundary=message-boundary\r\n" +
+		"\r\n" +
+		"--message-boundary\r\n" +
+		"Content-Type: multipart/alternative; boundary=text-boundary\r\n" +
+		"\r\n" +
+		"--text-boundary\r\n" +
+		"Content-Type: text/plain\r\n" +
+		"Content-Disposition: inline\r\n" +
+		"\r\n" +
+		"mail content without signature\r\n" +
+		"----\r\n" +
+		"signature\r\n" +
+		"--text-boundary--\r\n" +
+		"--message-boundary--\r\n"
+
+	env, err = enmime.ReadEnvelope(strings.NewReader(mailString))
+	require.NoError(t, err)
+	content = getContentFromMailReader(env)
+	require.NoError(t, err)
+	assert.Equal(t, "mail content without signature", content.Content)
+	assert.Empty(t, content.Attachments)
+}
diff --git a/services/mailer/incoming/payload/payload.go b/services/mailer/incoming/payload/payload.go
new file mode 100644
index 0000000..00ada78
--- /dev/null
+++ b/services/mailer/incoming/payload/payload.go
@@ -0,0 +1,70 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package payload
+
+import (
+	"context"
+
+	issues_model "code.gitea.io/gitea/models/issues"
+	"code.gitea.io/gitea/modules/util"
+)
+
+const replyPayloadVersion1 byte = 1
+
+type payloadReferenceType byte
+
+const (
+	payloadReferenceIssue payloadReferenceType = iota
+	payloadReferenceComment
+)
+
+// CreateReferencePayload creates data which GetReferenceFromPayload resolves to the reference again.
+func CreateReferencePayload(reference any) ([]byte, error) {
+	var refType payloadReferenceType
+	var refID int64
+
+	switch r := reference.(type) {
+	case *issues_model.Issue:
+		refType = payloadReferenceIssue
+		refID = r.ID
+	case *issues_model.Comment:
+		refType = payloadReferenceComment
+		refID = r.ID
+	default:
+		return nil, util.NewInvalidArgumentErrorf("unsupported reference type: %T", r)
+	}
+
+	payload, err := util.PackData(refType, refID)
+	if err != nil {
+		return nil, err
+	}
+
+	return append([]byte{replyPayloadVersion1}, payload...), nil
+}
+
+// GetReferenceFromPayload resolves the reference from the payload
+func GetReferenceFromPayload(ctx context.Context, payload []byte) (any, error) {
+	if len(payload) < 1 {
+		return nil, util.NewInvalidArgumentErrorf("payload to small")
+	}
+
+	if payload[0] != replyPayloadVersion1 {
+		return nil, util.NewInvalidArgumentErrorf("unsupported payload version")
+	}
+
+	var ref payloadReferenceType
+	var id int64
+	if err := util.UnpackData(payload[1:], &ref, &id); err != nil {
+		return nil, err
+	}
+
+	switch ref {
+	case payloadReferenceIssue:
+		return issues_model.GetIssueByID(ctx, id)
+	case payloadReferenceComment:
+		return issues_model.GetCommentByID(ctx, id)
+	default:
+		return nil, util.NewInvalidArgumentErrorf("unsupported reference type: %T", ref)
+	}
+}