feat: add per-account daily rate limit for outbound emails (#13411)

Introduce a daily cap on non-channel outbound emails to prevent abuse.

Fixes https://linear.app/chatwoot/issue/CW-6418/ses-incident-jan-28

## Type of change

- [x] New feature (non-breaking change which adds functionality)
- [x] Breaking change (fix or feature that would cause existing
functionality not to work as expected)

## Summary
- Adds a Redis-based daily counter to rate limit outbound emails per
account, preventing email abuse
- Covers continuity emails (WebWidget/API), conversation transcripts,
and agent notifications
  - Email channel replies are excluded (paid feature, not abusable)
- Adds account suspension check in `ConversationReplyMailer` to block
already-queued emails for suspended accounts

  ## Limit Resolution Hierarchy
1. Per-account override (`account.limits['emails']`) — SuperAdmin
configurable
2. Enterprise plan-based (`ACCOUNT_EMAILS_PLAN_LIMITS`
InstallationConfig)
3. Global default (`ACCOUNT_EMAILS_LIMIT` InstallationConfig, default:
100)
  4. Fallback (`ChatwootApp.max_limit` — effectively unlimited)

  ## Enforcement Points
  | Path | Where | Behavior |
  |------|-------|----------|
| WebWidget/API continuity |
`SendEmailNotificationService#should_send_email_notification?` |
Silently skipped |
| Widget transcript | `Widget::ConversationsController#transcript` |
Returns 429 |
| API transcript | `ConversationsController#transcript` | Returns 429 |
| Agent notifications | `Notification::EmailNotificationService#perform`
| Silently skipped |
  | Email channel replies | Not rate limited | Paid feature |
| Suspended accounts | `ConversationReplyMailer` | Blocked at mailer
level |

app/controllers/api/v1/accounts/conversations_controller.rb

@@ -70,8 +70,10 @@ class Api::V1::Accounts::ConversationsController < Api::V1::Accounts::BaseContro
 
   def transcript
     render json: { error: 'email param missing' }, status: :unprocessable_entity and return if params[:email].blank?
+    return head :too_many_requests unless @conversation.account.within_email_rate_limit?
 
     ConversationReplyMailer.with(account: @conversation.account).conversation_transcript(@conversation, params[:email])&.deliver_later
+    @conversation.account.increment_email_sent_count
     head :ok
   end
 

app/controllers/api/v1/widget/conversations_controller.rb

@@ -35,12 +35,9 @@ class Api::V1::Widget::ConversationsController < Api::V1::Widget::BaseController
   end
 
   def transcript
-    if conversation.present? && conversation.contact.present? && conversation.contact.email.present?
-      ConversationReplyMailer.with(account: conversation.account).conversation_transcript(
-        conversation,
-        conversation.contact.email
-      )&.deliver_later
-    end
+    return head :too_many_requests unless conversation.present? && conversation.account.within_email_rate_limit?
+
+    send_transcript_email
     head :ok
   end
 
@@ -77,6 +74,16 @@ class Api::V1::Widget::ConversationsController < Api::V1::Widget::BaseController
 
   private
 
+  def send_transcript_email
+    return if conversation.contact&.email.blank?
+
+    ConversationReplyMailer.with(account: conversation.account).conversation_transcript(
+      conversation,
+      conversation.contact.email
+    )&.deliver_later
+    conversation.account.increment_email_sent_count
+  end
+
   def trigger_typing_event(event)
     Rails.configuration.dispatcher.dispatch(event, Time.zone.now, conversation: conversation, user: @contact)
   end

app/controllers/super_admin/app_configs_controller.rb

@@ -42,7 +42,7 @@ class SuperAdmin::AppConfigsController < SuperAdmin::ApplicationController
       'facebook' => %w[FB_APP_ID FB_VERIFY_TOKEN FB_APP_SECRET IG_VERIFY_TOKEN FACEBOOK_API_VERSION ENABLE_MESSENGER_CHANNEL_HUMAN_AGENT],
       'shopify' => %w[SHOPIFY_CLIENT_ID SHOPIFY_CLIENT_SECRET],
       'microsoft' => %w[AZURE_APP_ID AZURE_APP_SECRET],
-      'email' => ['MAILER_INBOUND_EMAIL_DOMAIN'],
+      'email' => %w[MAILER_INBOUND_EMAIL_DOMAIN ACCOUNT_EMAILS_LIMIT ACCOUNT_EMAILS_PLAN_LIMITS],
       'linear' => %w[LINEAR_CLIENT_ID LINEAR_CLIENT_SECRET],
       'slack' => %w[SLACK_CLIENT_ID SLACK_CLIENT_SECRET],
       'instagram' => %w[INSTAGRAM_APP_ID INSTAGRAM_APP_SECRET INSTAGRAM_VERIFY_TOKEN INSTAGRAM_API_VERSION ENABLE_INSTAGRAM_CHANNEL_HUMAN_AGENT],

app/jobs/conversation_reply_email_job.rb

@@ -3,6 +3,7 @@ class ConversationReplyEmailJob < ApplicationJob
 
   def perform(conversation_id, last_queued_id)
     conversation = Conversation.find(conversation_id)
+    return unless conversation.account.active?
 
     if conversation.messages.incoming&.last&.content_type == 'incoming_email'
       ConversationReplyMailer.with(account: conversation.account).reply_without_summary(conversation, last_queued_id).deliver_later

app/mailers/conversation_reply_mailer.rb

@@ -38,6 +38,7 @@ class ConversationReplyMailer < ApplicationMailer
     return unless smtp_config_set_or_development?
 
     init_conversation_attributes(message.conversation)
+
     @message = message
     prepare_mail(true)
   end

app/models/account.rb

@@ -29,6 +29,7 @@ class Account < ApplicationRecord
   include Featurable
   include CacheKeys
   include CaptainFeaturable
+  include AccountEmailRateLimitable
 
   SETTINGS_PARAMS_SCHEMA = {
     'type': 'object',

app/models/concerns/account_email_rate_limitable.rb

@@ -0,0 +1,49 @@
+module AccountEmailRateLimitable
+  extend ActiveSupport::Concern
+
+  OUTBOUND_EMAIL_TTL = 25.hours.to_i
+  EMAIL_LIMIT_CONFIG_KEY = 'ACCOUNT_EMAILS_LIMIT'.freeze
+
+  def email_rate_limit
+    account_limit || global_limit || default_limit
+  end
+
+  def emails_sent_today
+    Redis::Alfred.get(email_count_cache_key).to_i
+  end
+
+  def within_email_rate_limit?
+    return true if emails_sent_today < email_rate_limit
+
+    Rails.logger.warn("Account #{id} reached daily email rate limit of #{email_rate_limit}. Sent: #{emails_sent_today}")
+    false
+  end
+
+  def increment_email_sent_count
+    Redis::Alfred.incr(email_count_cache_key).tap do |count|
+      Redis::Alfred.expire(email_count_cache_key, OUTBOUND_EMAIL_TTL) if count == 1
+    end
+  end
+
+  private
+
+  def email_count_cache_key
+    @email_count_cache_key ||= format(
+      Redis::Alfred::ACCOUNT_OUTBOUND_EMAIL_COUNT_KEY,
+      account_id: id,
+      date: Time.zone.today.to_s
+    )
+  end
+
+  def account_limit
+    self[:limits]&.dig('emails')&.to_i
+  end
+
+  def global_limit
+    GlobalConfig.get(EMAIL_LIMIT_CONFIG_KEY)[EMAIL_LIMIT_CONFIG_KEY]&.to_i
+  end
+
+  def default_limit
+    ChatwootApp.max_limit.to_i
+  end
+end

app/services/messages/send_email_notification_service.rb

@@ -13,6 +13,7 @@ class Messages::SendEmailNotificationService
     return unless Redis::Alfred.set(conversation_mail_key, message.id, nx: true, ex: 1.hour.to_i)
 
     ConversationReplyEmailJob.set(wait: 2.minutes).perform_later(conversation.id, message.id)
+    message.account.increment_email_sent_count
   end
 
   private
@@ -20,6 +21,7 @@ class Messages::SendEmailNotificationService
   def should_send_email_notification?
     return false unless message.email_notifiable_message?
     return false if message.conversation.contact.email.blank?
+    return false unless message.account.within_email_rate_limit?
 
     email_reply_enabled?
   end

app/services/notification/email_notification_service.rb

@@ -7,15 +7,22 @@ class Notification::EmailNotificationService
     # don't send emails if user is not confirmed
     return if notification.user.confirmed_at.nil?
     return unless user_subscribed_to_notification?
+    return unless notification.account.within_email_rate_limit?
 
-    # TODO : Clean up whatever happening over here
-    # Segregate the mailers properly
-    AgentNotifications::ConversationNotificationsMailer.with(account: notification.account).public_send(notification
-      .notification_type.to_s, notification.primary_actor, notification.user, notification.secondary_actor).deliver_later
+    send_notification_email
+    notification.account.increment_email_sent_count
   end
 
   private
 
+  # TODO : Clean up whatever happening over here
+  # Segregate the mailers properly
+  def send_notification_email
+    AgentNotifications::ConversationNotificationsMailer.with(account: notification.account).public_send(
+      notification.notification_type.to_s, notification.primary_actor, notification.user, notification.secondary_actor
+    ).deliver_later
+  end
+
   def user_subscribed_to_notification?
     notification_setting = notification.user.notification_settings.find_by(account_id: notification.account.id)
     return true if notification_setting.public_send("email_#{notification.notification_type}?")