blacklist: add domain reputation check via checker-blacklist

Integrates the checker-blacklist module behind a new POST /blacklist/domain
endpoint that aggregates reputation/blocklist sources for a given domain,
plus a SvelteKit UI under /blacklist/domain mirroring the existing IP
blacklist flow. Per-source credentials (VirusTotal, Safe Browsing) are
exposed as CLI flags; free sources run unconditionally.

Closes: #96

internal/config/blacklist.go

@@ -0,0 +1,40 @@
+// This file is part of the happyDeliver (R) project.
+// Copyright (c) 2025 happyDomain
+// Authors: Pierre-Olivier Mercier, et al.
+//
+// This program is offered under a commercial and under the AGPL license.
+// For commercial licensing, contact us at <contact@happydomain.org>.
+//
+// For AGPL licensing:
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package config
+
+import (
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+// AsCheckerOptions returns the map that checker-blacklist sources read
+// via stringOpt(). Empty values are omitted so sources that require a
+// credential stay disabled rather than failing with an empty key.
+func (b BlacklistConfig) AsCheckerOptions() sdk.CheckerOptions {
+	opts := sdk.CheckerOptions{}
+	if b.VirusTotalAPIKey != "" {
+		opts["virustotal_api_key"] = b.VirusTotalAPIKey
+	}
+	if b.SafeBrowsingAPIKey != "" {
+		opts["safebrowsing_api_key"] = b.SafeBrowsingAPIKey
+	}
+	return opts
+}

internal/config/cli.go

@@ -40,6 +40,8 @@ func declareFlags(o *Config) {
 	flag.Var(&StringArray{&o.Analysis.RBLs}, "rbl", "Append a RBL (use this option multiple time to append multiple RBLs)")
 	flag.BoolVar(&o.Analysis.CheckAllIPs, "check-all-ips", o.Analysis.CheckAllIPs, "Check all IPs found in email headers against RBLs (not just the first one)")
 	flag.StringVar(&o.Analysis.RspamdAPIURL, "rspamd-api-url", o.Analysis.RspamdAPIURL, "rspamd API URL for symbol descriptions (default: use embedded list)")
+	flag.StringVar(&o.Analysis.Blacklist.VirusTotalAPIKey, "blacklist-virustotal-api-key", o.Analysis.Blacklist.VirusTotalAPIKey, "VirusTotal v3 API key for the domain blacklist checker")
+	flag.StringVar(&o.Analysis.Blacklist.SafeBrowsingAPIKey, "blacklist-safebrowsing-api-key", o.Analysis.Blacklist.SafeBrowsingAPIKey, "Google Safe Browsing API key for the domain blacklist checker")
 	flag.DurationVar(&o.ReportRetention, "report-retention", o.ReportRetention, "How long to keep reports (e.g., 720h, 30d). 0 = keep forever")
 	flag.UintVar(&o.RateLimit, "rate-limit", o.RateLimit, "API rate limit (requests per second per IP)")
 	flag.Var(&URL{&o.SurveyURL}, "survey-url", "URL for user feedback survey")

internal/config/config.go

@@ -75,6 +75,18 @@ type AnalysisConfig struct {
 	DNSWLs       []string
 	CheckAllIPs  bool   // Check all IPs found in headers, not just the first one
 	RspamdAPIURL string // rspamd API URL for fetching symbol descriptions (empty = use embedded list)
+	Blacklist    BlacklistConfig
+}
+
+// BlacklistConfig holds per-source credentials/options for the
+// domain-oriented checker-blacklist provider. Keys must match the
+// option IDs declared by each source in the checker-blacklist module
+// (see checker/virustotal.go, checker/safebrowsing.go, …). Free sources
+// (Quad9, OISD, URLhaus, OpenPhish, Disconnect, Botvrij, …) need no
+// configuration.
+type BlacklistConfig struct {
+	VirusTotalAPIKey   string
+	SafeBrowsingAPIKey string
 }
 
 // DefaultConfig returns a configuration with sensible defaults