From 2e81d5a976b59faf46b9e9a568b00fa96aef0e2a Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Sun, 18 Jul 2021 11:20:13 +0300 Subject: [PATCH 01/41] Port existing functionality to go-imap v2 --- cmd/maddyctl/imap.go | 38 ++++------- docs/man/maddy-storage.5.scd | 11 ++-- go.mod | 11 +++- go.sum | 34 +++++----- internal/endpoint/imap/imap.go | 17 ----- internal/storage/imapsql/imapsql.go | 74 +++++++++------------ internal/updatepipe/serialize.go | 99 ++++++----------------------- internal/updatepipe/unix_pipe.go | 22 ++----- internal/updatepipe/update_pipe.go | 6 +- 9 files changed, 102 insertions(+), 210 deletions(-) diff --git a/cmd/maddyctl/imap.go b/cmd/maddyctl/imap.go index e5215b5..05ebf65 100644 --- a/cmd/maddyctl/imap.go +++ b/cmd/maddyctl/imap.go @@ -66,12 +66,7 @@ func mboxesList(be module.Storage, ctx *cli.Context) error { fmt.Fprintln(os.Stderr, "No mailboxes.") } - for _, mbox := range mboxes { - info, err := mbox.Info() - if err != nil { - return err - } - + for _, info := range mboxes { if len(info.Attributes) != 0 { fmt.Print(info.Name, "\t", info.Attributes, "\n") } else { @@ -126,13 +121,8 @@ func mboxesRemove(be module.Storage, ctx *cli.Context) error { return err } - mbox, err := u.GetMailbox(name) - if err != nil { - return err - } - if !ctx.Bool("yes,y") { - status, err := mbox.Status([]imap.StatusItem{imap.StatusMessages}) + status, err := u.Status(name, []imap.StatusItem{imap.StatusMessages}) if err != nil { return err } @@ -190,11 +180,6 @@ func msgsAdd(be module.Storage, ctx *cli.Context) error { return err } - mbox, err := u.GetMailbox(name) - if err != nil { - return err - } - flags := ctx.StringSlice("flag") if flags == nil { flags = []string{} @@ -214,15 +199,16 @@ func msgsAdd(be module.Storage, ctx *cli.Context) error { return errors.New("Error: Empty message, refusing to continue") } - status, err := mbox.Status([]imap.StatusItem{imap.StatusUidNext}) + status, err := u.Status(name, []imap.StatusItem{imap.StatusUidNext}) if err != nil { return err } - if err := mbox.CreateMessage(flags, date, &buf); err != nil { + if err := u.CreateMessage(name, flags, date, &buf, nil); err != nil { return err } + // TODO: Use APPENDUID fmt.Println(status.UidNext) return nil @@ -252,7 +238,7 @@ func msgsRemove(be module.Storage, ctx *cli.Context) error { return err } - mbox, err := u.GetMailbox(name) + _, mbox, err := u.GetMailbox(name, true, nil) if err != nil { return err } @@ -299,7 +285,7 @@ func msgsCopy(be module.Storage, ctx *cli.Context) error { return err } - srcMbox, err := u.GetMailbox(srcName) + _, srcMbox, err := u.GetMailbox(srcName, true, nil) if err != nil { return err } @@ -339,7 +325,7 @@ func msgsMove(be module.Storage, ctx *cli.Context) error { return err } - srcMbox, err := u.GetMailbox(srcName) + _, srcMbox, err := u.GetMailbox(srcName, true, nil) if err != nil { return err } @@ -373,7 +359,7 @@ func msgsList(be module.Storage, ctx *cli.Context) error { return err } - mbox, err := u.GetMailbox(mboxName) + _, mbox, err := u.GetMailbox(mboxName, true, nil) if err != nil { return err } @@ -449,7 +435,7 @@ func msgsDump(be module.Storage, ctx *cli.Context) error { return err } - mbox, err := u.GetMailbox(mboxName) + _, mbox, err := u.GetMailbox(mboxName, true, nil) if err != nil { return err } @@ -493,7 +479,7 @@ func msgsFlags(be module.Storage, ctx *cli.Context) error { return err } - mbox, err := u.GetMailbox(name) + _, mbox, err := u.GetMailbox(name, true, nil) if err != nil { return err } @@ -515,5 +501,5 @@ func msgsFlags(be module.Storage, ctx *cli.Context) error { panic("unknown command: " + ctx.Command.Name) } - return mbox.UpdateMessagesFlags(ctx.IsSet("uid"), seq, op, flags) + return mbox.UpdateMessagesFlags(ctx.IsSet("uid"), seq, op, true, flags) } diff --git a/docs/man/maddy-storage.5.scd b/docs/man/maddy-storage.5.scd index bcdee04..c752895 100644 --- a/docs/man/maddy-storage.5.scd +++ b/docs/man/maddy-storage.5.scd @@ -123,12 +123,13 @@ Enable verbose logging. The folder to put quarantined messages in. Thishis setting is not used if user does have a folder with "Junk" special-use attribute. -*Syntax*: sqlite_exclusive_lock _boolean_ ++ -*Default*: no +*Syntax*: disable_recent _boolean_ ++ +*Default: true -SQLite-specific performance tuning option. Slightly decereases ovehead of -DB locking at cost of making DB inaccessible for other processes (including -maddyctl utility). +Disable RFC 3501-conforming handling of \Recent flag. + +This significantly improves storage performance when SQLite3 or CockroackDB is +used at the cost of confusing clients that use this flag. *Syntax*: sqlite_cache_size _integer_ ++ *Default*: defined by SQLite diff --git a/go.mod b/go.mod index 28db408..32510f0 100644 --- a/go.mod +++ b/go.mod @@ -21,10 +21,11 @@ require ( github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 github.com/emersion/go-smtp v0.15.1-0.20210705155248-26eb4814e227 github.com/foxcpp/go-dovecot-sasl v0.0.0-20200522223722-c4699d7a24bf - github.com/foxcpp/go-imap-backend-tests v0.0.0-20200617132817-958ea5829771 + github.com/foxcpp/go-imap-backend-tests v0.0.0-20200802090154-7e6248c85a0e github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005 - github.com/foxcpp/go-imap-namespace v0.0.0-20200722130255-93092adf35f1 - github.com/foxcpp/go-imap-sql v0.4.1-0.20200823124337-2f57903a7ed0 + github.com/foxcpp/go-imap-mess v0.0.0-20210718073110-d5eb968a0995 + github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed + github.com/foxcpp/go-imap-sql v0.4.1-0.20210718081250-7f103db60f22 github.com/foxcpp/go-mockdns v0.0.0-20201212160233-ede2f9158d15 github.com/foxcpp/go-mtasts v0.0.0-20191219193356-62bc3f1f74b8 github.com/go-ldap/ldap/v3 v3.3.0 @@ -60,3 +61,7 @@ require ( golang.org/x/sync v0.0.0-20210220032951-036812b2e83c golang.org/x/text v0.3.6 ) + +replace github.com/emersion/go-imap => github.com/foxcpp/go-imap v1.0.0-beta.1.0.20201001193006-5a1d05e53e2c + +replace github.com/emersion/go-imap-idle => github.com/foxcpp/go-imap-idle v0.0.0-20200829140055-32dc40172769 diff --git a/go.sum b/go.sum index 06fd49f..f8a7034 100644 --- a/go.sum +++ b/go.sum @@ -111,19 +111,10 @@ github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5m github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M= -github.com/emersion/go-imap v1.0.0-beta.4.0.20190504114255-4d5af3d05147/go.mod h1:mOPegfAgLVXbhRm1bh2JTX08z2Y3HYmKYpbrKDeAzsQ= -github.com/emersion/go-imap v1.0.0/go.mod h1:MEiDDwwQFcZ+L45Pa68jNGv0qU9kbW+SJzwDpvSfX1s= -github.com/emersion/go-imap v1.0.3/go.mod h1:yKASt+C3ZiDAiCSssxg9caIckWF/JG7ZQTO7GAmvicU= -github.com/emersion/go-imap v1.0.4/go.mod h1:yKASt+C3ZiDAiCSssxg9caIckWF/JG7ZQTO7GAmvicU= -github.com/emersion/go-imap v1.0.5/go.mod h1:yKASt+C3ZiDAiCSssxg9caIckWF/JG7ZQTO7GAmvicU= -github.com/emersion/go-imap v1.0.6 h1:N9+o5laOGuntStBo+BOgfEB5evPsPD+K5+M0T2dctIc= -github.com/emersion/go-imap v1.0.6/go.mod h1:yKASt+C3ZiDAiCSssxg9caIckWF/JG7ZQTO7GAmvicU= github.com/emersion/go-imap-appendlimit v0.0.0-20190308131241-25671c986a6a h1:bMdSPm6sssuOFpIaveu3XGAijMS3Tq2S3EqFZmZxidc= github.com/emersion/go-imap-appendlimit v0.0.0-20190308131241-25671c986a6a/go.mod h1:ikgISoP7pRAolqsVP64yMteJa2FIpS6ju88eBT6K1yQ= github.com/emersion/go-imap-compress v0.0.0-20201103190257-14809af1d1b9 h1:7dmV11mle4UAQ7lX+Hdzx6akKFg3hVm/UUmQ7t6VgTQ= github.com/emersion/go-imap-compress v0.0.0-20201103190257-14809af1d1b9/go.mod h1:2Ro1PbmiqYiRe5Ct2sGR5hHaKSVHeRpVZwXx8vyYt98= -github.com/emersion/go-imap-idle v0.0.0-20201224103203-6f42b9020098 h1:J+qvrz94n18fVThwhUWwrBwRbcNqi+VgcUJlaph430A= -github.com/emersion/go-imap-idle v0.0.0-20201224103203-6f42b9020098/go.mod h1:N/6S3dRTVt8xT867m+476C16+v/Fq4WZYvh2Chg0nmg= github.com/emersion/go-imap-move v0.0.0-20180601155324-5eb20cb834bf/go.mod h1:QuMaZcKFDVI0yCrnAbPLfbwllz1wtOrZH8/vZ5yzp4w= github.com/emersion/go-imap-move v0.0.0-20190710073258-6e5a51a5b342 h1:5p1t3e1PomYgLWwEwhwEU5kVBwcyAcVrOpexv8AeZx0= github.com/emersion/go-imap-move v0.0.0-20190710073258-6e5a51a5b342/go.mod h1:QuMaZcKFDVI0yCrnAbPLfbwllz1wtOrZH8/vZ5yzp4w= @@ -135,9 +126,7 @@ github.com/emersion/go-imap-specialuse v0.0.0-20201101201809-1ab93d3d150e h1:AwV github.com/emersion/go-imap-specialuse v0.0.0-20201101201809-1ab93d3d150e/go.mod h1:/nybxhI8kXom8Tw6BrHMl42usALvka6meORflnnYwe4= github.com/emersion/go-imap-unselect v0.0.0-20171113212723-b985794e5f26 h1:FiSb8+XBQQSkcX3ubr+1tAtlRJBYaFmRZqOAweZ9Wy8= github.com/emersion/go-imap-unselect v0.0.0-20171113212723-b985794e5f26/go.mod h1:+gnnZx3Mg3MnCzZrv0eZdp5puxXQUgGT/6N6L7ShKfM= -github.com/emersion/go-message v0.9.1/go.mod h1:m3cK90skCWxm5sIMs1sXxly4Tn9Plvcf6eayHZJ1NzM= github.com/emersion/go-message v0.10.3/go.mod h1:3h+HsGTCFHmk4ngJ2IV/YPhdlaOcR6hcgqM3yca9v7c= -github.com/emersion/go-message v0.10.4-0.20190609165112-592ace5bc1ca/go.mod h1:3h+HsGTCFHmk4ngJ2IV/YPhdlaOcR6hcgqM3yca9v7c= github.com/emersion/go-message v0.11.1/go.mod h1:C4jnca5HOTo4bGN9YdqNQM9sITuT3Y0K6bSUw9RklvY= github.com/emersion/go-message v0.11.2/go.mod h1:C4jnca5HOTo4bGN9YdqNQM9sITuT3Y0K6bSUw9RklvY= github.com/emersion/go-message v0.14.1 h1:j3rj9F+7VtXE9c8P5UHBq8FTHLW/AjnmvSRre6AHoYI= @@ -146,8 +135,6 @@ github.com/emersion/go-milter v0.3.2 h1:j8hrLXf8PAHFhRHDdBoBKluQveMZYoaK7aRIqvao github.com/emersion/go-milter v0.3.2/go.mod h1:ablHK0pbLB83kMFBznp/Rj8aV+Kc3jw8cxzzmCNLIOY= github.com/emersion/go-msgauth v0.6.5 h1:UaXBtrjYBM3SWw9BBODeSp0uYtScx3CuIF7/RQfkeWo= github.com/emersion/go-msgauth v0.6.5/go.mod h1:/jbQISFJgtT12T8akRs20l+wI4HcyN/kWy7VRdHEAmA= -github.com/emersion/go-sasl v0.0.0-20161116183048-7e096a0a6197/go.mod h1:G/dpzLu16WtQpBfQ/z3LYiYJn3ZhKSGWn83fyoyQe/k= -github.com/emersion/go-sasl v0.0.0-20190520160400-47d427600317/go.mod h1:G/dpzLu16WtQpBfQ/z3LYiYJn3ZhKSGWn83fyoyQe/k= github.com/emersion/go-sasl v0.0.0-20190817083125-240c8404624e/go.mod h1:G/dpzLu16WtQpBfQ/z3LYiYJn3ZhKSGWn83fyoyQe/k= github.com/emersion/go-sasl v0.0.0-20191210011802-430746ea8b9b/go.mod h1:G/dpzLu16WtQpBfQ/z3LYiYJn3ZhKSGWn83fyoyQe/k= github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 h1:OJyUGMJTzHTd1XQp98QTaHernxMYzRaOasRir9hUlFQ= @@ -168,14 +155,21 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/foxcpp/go-dovecot-sasl v0.0.0-20200522223722-c4699d7a24bf h1:rmBPY5fryjp9zLQYsUmQqqgsYq7qeVfrjtr96Tf9vD8= github.com/foxcpp/go-dovecot-sasl v0.0.0-20200522223722-c4699d7a24bf/go.mod h1:5yZUmwr851vgjyAfN7OEfnrmKOh/qLA5dbGelXYsu1E= -github.com/foxcpp/go-imap-backend-tests v0.0.0-20200617132817-958ea5829771 h1:xemWCEhBz86Y8v5YgRBnqf6PdZg+ilVgn2jxWVoLOGo= +github.com/foxcpp/go-imap v1.0.0-beta.1.0.20201001193006-5a1d05e53e2c h1:EKhtM7IsuerenjPu3bMdZtUG7MEYBf18HLffVlrHHyc= +github.com/foxcpp/go-imap v1.0.0-beta.1.0.20201001193006-5a1d05e53e2c/go.mod h1:yKASt+C3ZiDAiCSssxg9caIckWF/JG7ZQTO7GAmvicU= github.com/foxcpp/go-imap-backend-tests v0.0.0-20200617132817-958ea5829771/go.mod h1:yUISYv/uXLQ6tQZcds/p/hdcZ5JzrEUifyED2VffWpc= +github.com/foxcpp/go-imap-backend-tests v0.0.0-20200802090154-7e6248c85a0e h1:wUYcbeGDlKqaa02jHuFMBVVfw51v7KaizLRT+i8wftc= +github.com/foxcpp/go-imap-backend-tests v0.0.0-20200802090154-7e6248c85a0e/go.mod h1:dWepYGUClcebWyUy7yl8wm2ioE6NC4m82Xy/hDAng1c= github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005 h1:pfoFtkTTQ473qStSN79jhCFBWqMQt/3DQ3NGuXvT+50= github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005/go.mod h1:34FwxnjC2N+EFs2wMtsHevrZLWRKRuVU8wEcHWKq/nE= -github.com/foxcpp/go-imap-namespace v0.0.0-20200722130255-93092adf35f1 h1:B4zNQ2r4qC7FLn8J8+LWt09fFW0tXddypBPS0+HI50s= -github.com/foxcpp/go-imap-namespace v0.0.0-20200722130255-93092adf35f1/go.mod h1:WJYkFIdxyljR/byiqcYMKUF4iFDej4CaIKe2JJrQxu8= -github.com/foxcpp/go-imap-sql v0.4.1-0.20200823124337-2f57903a7ed0 h1:PWETJtfTn94l9zt1nqIZiFO0/hUQeBmptjtktqrau/Y= -github.com/foxcpp/go-imap-sql v0.4.1-0.20200823124337-2f57903a7ed0/go.mod h1:1dHCAq3XRkYRwTDOtL/vCgvvQ13gLqNt2+nLjL1UHyk= +github.com/foxcpp/go-imap-idle v0.0.0-20200829140055-32dc40172769 h1:qMdULYMxKuAgboOllBNLmA7wQ4YEwnhvq8onksrMC3A= +github.com/foxcpp/go-imap-idle v0.0.0-20200829140055-32dc40172769/go.mod h1:PLnHIusEiOdmy63Y7IL2RjShIk4cyFi3a8MTC/WcLkk= +github.com/foxcpp/go-imap-mess v0.0.0-20210718073110-d5eb968a0995 h1:UXksj5CP+1Zg5GCD74JEijuQ2C22vXFgquhdG/YlXuI= +github.com/foxcpp/go-imap-mess v0.0.0-20210718073110-d5eb968a0995/go.mod h1:cps13jIcqI/3FGVJQ8azz3apLjikGoKKcB6xb65VSag= +github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed h1:1Jo7geyvunrPSjL6F6D9EcXoNApS5v3LQaro7aUNPnE= +github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed/go.mod h1:Shows1vmkBWO40ChOClaUe6DUnZrsP1UPAuoWzIUdgQ= +github.com/foxcpp/go-imap-sql v0.4.1-0.20210718081250-7f103db60f22 h1:ZXgI+FkKj+iKSrI58CZEkbSSojV84jm4LjEwglyH4Ik= +github.com/foxcpp/go-imap-sql v0.4.1-0.20210718081250-7f103db60f22/go.mod h1:kl+x+noffdBsp1pAR+PTHupLoxHnJZZw6BFcmmCZeUI= github.com/foxcpp/go-mockdns v0.0.0-20191216195825-5eabd8dbfe1f/go.mod h1:tPg4cp4nseejPd+UKxtCVQ2hUxNTZ7qQZJa7CLriIeo= github.com/foxcpp/go-mockdns v0.0.0-20201212160233-ede2f9158d15 h1:nLPjjvpUAODOR6vY/7o0hBIk8iTr19Fvmf8aFx/kC7A= github.com/foxcpp/go-mockdns v0.0.0-20201212160233-ede2f9158d15/go.mod h1:tPg4cp4nseejPd+UKxtCVQ2hUxNTZ7qQZJa7CLriIeo= @@ -290,6 +284,7 @@ github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+ github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= @@ -347,6 +342,7 @@ github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1 h1:6QPYqodiu3GuPL+7mfx+NwDdp2eTkp9IfEUpgAwUN0o= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= @@ -533,7 +529,9 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s= github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= diff --git a/internal/endpoint/imap/imap.go b/internal/endpoint/imap/imap.go index 3d1eb0b..8cb7169 100644 --- a/internal/endpoint/imap/imap.go +++ b/internal/endpoint/imap/imap.go @@ -57,7 +57,6 @@ type Endpoint struct { listeners []net.Listener Store module.Storage - updater imapbackend.BackendUpdater tlsConfig *tls.Config listenersWg sync.WaitGroup @@ -98,24 +97,12 @@ func (endp *Endpoint) Init(cfg *config.Map) error { return err } - var ok bool - endp.updater, ok = endp.Store.(imapbackend.BackendUpdater) - if !ok { - return fmt.Errorf("imap: storage module %T does not implement imapbackend.BackendUpdater", endp.Store) - } - if updBe, ok := endp.Store.(updatepipe.Backend); ok { if err := updBe.EnableUpdatePipe(updatepipe.ModeReplicate); err != nil { endp.Log.Error("failed to initialize updates pipe", err) } } - // Call Updates once at start, some storage backends initialize update - // channel lazily and may not generate updates at all unless it is called. - if endp.updater.Updates() == nil { - return fmt.Errorf("imap: failed to init backend: nil update channel") - } - addresses := make([]config.Endpoint, 0, len(endp.addrs)) for _, addr := range endp.addrs { saddr, err := config.ParseEndpoint(addr) @@ -198,10 +185,6 @@ func (endp *Endpoint) setupListeners(addresses []config.Endpoint) error { return nil } -func (endp *Endpoint) Updates() <-chan imapbackend.Update { - return endp.updater.Updates() -} - func (endp *Endpoint) Name() string { return "imap" } diff --git a/internal/storage/imapsql/imapsql.go b/internal/storage/imapsql/imapsql.go index ed12bcd..4ebc731 100644 --- a/internal/storage/imapsql/imapsql.go +++ b/internal/storage/imapsql/imapsql.go @@ -39,6 +39,7 @@ import ( "github.com/emersion/go-imap" sortthread "github.com/emersion/go-imap-sortthread" "github.com/emersion/go-imap/backend" + mess "github.com/foxcpp/go-imap-mess" imapsql "github.com/foxcpp/go-imap-sql" "github.com/foxcpp/maddy/framework/config" modconfig "github.com/foxcpp/maddy/framework/config/module" @@ -64,9 +65,9 @@ type Storage struct { resolver dns.Resolver - updates <-chan backend.Update - updPipe updatepipe.P - updPushStop chan struct{} + updPipe updatepipe.P + updPushStop chan struct{} + outboundUpds chan mess.Update filters module.IMAPFilter @@ -111,11 +112,7 @@ func (store *Storage) Init(cfg *config.Map) error { blobStore module.BlobStore ) - opts := imapsql.Opts{ - // Prevent deadlock if nobody is listening for updates (e.g. no IMAP - // configured). - LazyUpdatesInit: true, - } + opts := imapsql.Opts{} cfg.String("driver", false, false, store.driver, &driver) cfg.StringList("dsn", false, false, store.dsn, &dsn) cfg.Callback("fsstore", func(m *config.Map, node config.Node) error { @@ -139,7 +136,7 @@ func (store *Storage) Init(cfg *config.Map) error { cfg.Bool("debug", true, false, &store.Log.Debug) cfg.Int("sqlite3_cache_size", false, false, 0, &opts.CacheSize) cfg.Int("sqlite3_busy_timeout", false, false, 5000, &opts.BusyTimeout) - cfg.Bool("sqlite3_exclusive_lock", false, false, &opts.ExclusiveLock) + cfg.Bool("disable_recent", false, true, &opts.DisableRecent) cfg.String("junk_mailbox", false, false, "Junk", &store.junkMbox) cfg.Custom("imap_filter", false, false, func() (interface{}, error) { return nil, nil @@ -245,29 +242,28 @@ func (store *Storage) EnableUpdatePipe(mode updatepipe.BackendMode) error { if store.updPipe != nil { return nil } - if store.updates != nil { - panic("imapsql: EnableUpdatePipe called after Updates") - } - - upds := store.Back.Updates() switch store.driver { case "sqlite3": dbId := sha1.Sum([]byte(strings.Join(store.dsn, " "))) + sockPath := filepath.Join( + config.RuntimeDirectory, + fmt.Sprintf("sql-%s.sock", hex.EncodeToString(dbId[:]))) + store.Log.DebugMsg("using unix socket for external updates", "path", sockPath) store.updPipe = &updatepipe.UnixSockPipe{ - SockPath: filepath.Join( - config.RuntimeDirectory, - fmt.Sprintf("sql-%s.sock", hex.EncodeToString(dbId[:]))), + SockPath: sockPath, Log: log.Logger{Name: "sql/updpipe", Debug: store.Log.Debug}, } default: return errors.New("imapsql: driver does not have an update pipe implementation") } - wrapped := make(chan backend.Update, cap(upds)*2) + inbound := make(chan mess.Update, 32) + outbound := make(chan mess.Update, 10) + store.outboundUpds = outbound if mode == updatepipe.ModeReplicate { - if err := store.updPipe.Listen(wrapped); err != nil { + if err := store.updPipe.Listen(inbound); err != nil { store.updPipe = nil return err } @@ -278,11 +274,18 @@ func (store *Storage) EnableUpdatePipe(mode updatepipe.BackendMode) error { return err } - store.updPushStop = make(chan struct{}) + store.Back.UpdateManager().SetExternalSink(outbound) + + store.updPushStop = make(chan struct{}, 1) go func() { defer func() { + // Ensure we sent all outbound updates. + for upd := range outbound { + if err := store.updPipe.Push(upd); err != nil { + store.Log.Error("IMAP update pipe push failed", err) + } + } store.updPushStop <- struct{}{} - close(wrapped) if err := recover(); err != nil { stack := debug.Stack() @@ -292,27 +295,21 @@ func (store *Storage) EnableUpdatePipe(mode updatepipe.BackendMode) error { for { select { - case <-store.updPushStop: - return - case u := <-upds: - if u == nil { - // The channel is closed. We must be stopping now. - <-store.updPushStop + case u := <-inbound: + store.Log.DebugMsg("external update received", "type", u.Type, "key", u.Key) + store.Back.UpdateManager().ExternalUpdate(u) + case u, ok := <-outbound: + if !ok { return } - + store.Log.DebugMsg("sending external update", "type", u.Type, "key", u.Key) if err := store.updPipe.Push(u); err != nil { store.Log.Error("IMAP update pipe push failed", err) } - - if mode != updatepipe.ModePush { - wrapped <- u - } } } }() - store.updates = wrapped return nil } @@ -328,15 +325,6 @@ func (store *Storage) CreateMessageLimit() *uint32 { return store.Back.CreateMessageLimit() } -func (store *Storage) Updates() <-chan backend.Update { - if store.updates != nil { - return store.updates - } - - store.updates = store.Back.Updates() - return store.updates -} - func (store *Storage) EnableChildrenExt() bool { return store.Back.EnableChildrenExt() } @@ -378,7 +366,7 @@ func (store *Storage) Close() error { // all updates before shuting down (this is especially important for // maddyctl). if store.updPipe != nil { - store.updPushStop <- struct{}{} + close(store.outboundUpds) <-store.updPushStop store.updPipe.Close() diff --git a/internal/updatepipe/serialize.go b/internal/updatepipe/serialize.go index 8e7b63b..d5a941f 100644 --- a/internal/updatepipe/serialize.go +++ b/internal/updatepipe/serialize.go @@ -22,10 +22,10 @@ import ( "encoding/json" "errors" "fmt" + "strconv" "strings" - "github.com/emersion/go-imap" - "github.com/emersion/go-imap/backend" + mess "github.com/foxcpp/go-imap-mess" ) func unescapeName(s string) string { @@ -36,95 +36,34 @@ func escapeName(s string) string { return strings.ReplaceAll(s, ";", "\x10") } -type message struct { - SeqNum uint32 - Flags []string -} - -func parseUpdate(s string) (id string, upd backend.Update, err error) { - parts := strings.SplitN(s, ";", 5) - if len(parts) != 5 { +func parseUpdate(s string) (id string, upd *mess.Update, err error) { + parts := strings.SplitN(s, ";", 2) + if len(parts) != 2 { return "", nil, errors.New("updatepipe: mismatched parts count") } - updBase := backend.NewUpdate(unescapeName(parts[2]), unescapeName(parts[3])) - switch parts[1] { - case "ExpungeUpdate": - exUpd := &backend.ExpungeUpdate{Update: updBase} - if err := json.Unmarshal([]byte(parts[4]), &exUpd.SeqNum); err != nil { - return "", nil, err - } - upd = exUpd - case "MailboxUpdate": - mboxUpd := &backend.MailboxUpdate{Update: updBase} - if err := json.Unmarshal([]byte(parts[4]), &mboxUpd.MailboxStatus); err != nil { - return "", nil, err - } - upd = mboxUpd - case "MessageUpdate": - // imap.Message is not JSON-serializable because it contains maps with - // complex keys. - // In practice, however, MessageUpdate is used only for FLAGS, so we - // serialize them only with a SeqNum. + upd = &mess.Update{} + dec := json.NewDecoder(strings.NewReader(unescapeName(parts[1]))) + dec.UseNumber() + err = dec.Decode(upd) + if err != nil { + return "", nil, fmt.Errorf("parseUpdate: %w", err) + } - msg := message{} - if err := json.Unmarshal([]byte(parts[4]), &msg); err != nil { - return "", nil, err - } - - msgUpd := &backend.MessageUpdate{ - Update: updBase, - Message: imap.NewMessage(msg.SeqNum, []imap.FetchItem{imap.FetchFlags}), - } - msgUpd.Message.Flags = msg.Flags - upd = msgUpd + if val, ok := upd.Key.(json.Number); ok { + upd.Key, _ = strconv.ParseUint(val.String(), 10, 64) } return parts[0], upd, nil } -func formatUpdate(myID string, upd backend.Update) (string, error) { - var ( - objType string - objStr []byte - err error - ) - switch v := upd.(type) { - case *backend.ExpungeUpdate: - objType = "ExpungeUpdate" - objStr, err = json.Marshal(v.SeqNum) - if err != nil { - return "", err - } - case *backend.MessageUpdate: - // imap.Message is not JSON-serializable because it contains maps with - // complex keys. - // In practice, however, MessageUpdate is used only for FLAGS, so we - // serialize them only with a seqnum. - - objType = "MessageUpdate" - objStr, err = json.Marshal(message{ - SeqNum: v.Message.SeqNum, - Flags: v.Message.Flags, - }) - if err != nil { - return "", err - } - case *backend.MailboxUpdate: - objType = "MailboxUpdate" - objStr, err = json.Marshal(v.MailboxStatus) - if err != nil { - return "", err - } - default: - return "", fmt.Errorf("updatepipe: unknown update type: %T", upd) +func formatUpdate(myID string, upd mess.Update) (string, error) { + updBlob, err := json.Marshal(upd) + if err != nil { + return "", fmt.Errorf("formatUpdate: %w", err) } - return strings.Join([]string{ myID, - objType, - escapeName(upd.Username()), - escapeName(upd.Mailbox()), - string(objStr), + escapeName(string(updBlob)), }, ";") + "\n", nil } diff --git a/internal/updatepipe/unix_pipe.go b/internal/updatepipe/unix_pipe.go index 9e6ff66..d2e2ce8 100644 --- a/internal/updatepipe/unix_pipe.go +++ b/internal/updatepipe/unix_pipe.go @@ -25,7 +25,7 @@ import ( "net" "os" - "github.com/emersion/go-imap/backend" + mess "github.com/foxcpp/go-imap-mess" "github.com/foxcpp/maddy/framework/log" ) @@ -34,11 +34,9 @@ import ( // Listen goroutine can be running. // // The socket is stream-oriented and consists of the following messages: -// OBJ_ID;TYPE_NAME;USER;MAILBOX;JSON_SERIALIZED_INTERNAL_OBJECT\n +// SENDER_ID;JSON_SERIALIZED_INTERNAL_OBJECT\n // -// Where TYPE_NAME is one of the folow: ExpungeUpdate, MailboxUpdate, -// MessageUpdate. -// And OBJ_ID is Process ID and UnixSockPipe address concated as a string. +// And SENDER_ID is Process ID and UnixSockPipe address concated as a string. // It is used to deduplicate updates sent to Push and recevied via Listen. // // The SockPath field specifies the socket path to use. The actual socket @@ -57,7 +55,7 @@ func (usp *UnixSockPipe) myID() string { return fmt.Sprintf("%d-%p", os.Getpid(), usp) } -func (usp *UnixSockPipe) readUpdates(conn net.Conn, updCh chan<- backend.Update) { +func (usp *UnixSockPipe) readUpdates(conn net.Conn, updCh chan<- mess.Update) { scnr := bufio.NewScanner(conn) for scnr.Scan() { id, upd, err := parseUpdate(scnr.Text()) @@ -70,17 +68,11 @@ func (usp *UnixSockPipe) readUpdates(conn net.Conn, updCh chan<- backend.Update) continue } - updCh <- upd + updCh <- *upd } } -func (usp *UnixSockPipe) Wrap(upd <-chan backend.Update) chan backend.Update { - ourUpds := make(chan backend.Update, cap(upd)) - - return ourUpds -} - -func (usp *UnixSockPipe) Listen(upd chan<- backend.Update) error { +func (usp *UnixSockPipe) Listen(upd chan<- mess.Update) error { l, err := net.Listen("unix", usp.SockPath) if err != nil { return err @@ -108,7 +100,7 @@ func (usp *UnixSockPipe) InitPush() error { return nil } -func (usp *UnixSockPipe) Push(upd backend.Update) error { +func (usp *UnixSockPipe) Push(upd mess.Update) error { if usp.sender == nil { if err := usp.InitPush(); err != nil { return err diff --git a/internal/updatepipe/update_pipe.go b/internal/updatepipe/update_pipe.go index 57735ed..5320177 100644 --- a/internal/updatepipe/update_pipe.go +++ b/internal/updatepipe/update_pipe.go @@ -29,7 +29,7 @@ along with this program. If not, see . package updatepipe import ( - "github.com/emersion/go-imap/backend" + mess "github.com/foxcpp/go-imap-mess" ) // The P interface represents the handle for a transport medium used for IMAP @@ -43,7 +43,7 @@ type P interface { // // Updates sent using the same UpdatePipe object using Push are not // duplicates to the channel passed to Listen. - Listen(upds chan<- backend.Update) error + Listen(upds chan<- mess.Update) error // InitPush prepares the UpdatePipe to be used as updates source (Push // method). @@ -56,7 +56,7 @@ type P interface { // // The update will not be duplicated if the UpdatePipe is also listening // for updates. - Push(upd backend.Update) error + Push(upd mess.Update) error Close() error } From 8b494ff5d7dffdcb8259f6d032eb3c40c33fcbb3 Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Sun, 18 Jul 2021 11:32:42 +0300 Subject: [PATCH 02/41] Bump go-imap-sql version To add schema upgrade code --- go.mod | 2 +- go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 32510f0..d7c8440 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005 github.com/foxcpp/go-imap-mess v0.0.0-20210718073110-d5eb968a0995 github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed - github.com/foxcpp/go-imap-sql v0.4.1-0.20210718081250-7f103db60f22 + github.com/foxcpp/go-imap-sql v0.4.1-0.20210718082546-d38d40f5442c github.com/foxcpp/go-mockdns v0.0.0-20201212160233-ede2f9158d15 github.com/foxcpp/go-mtasts v0.0.0-20191219193356-62bc3f1f74b8 github.com/go-ldap/ldap/v3 v3.3.0 diff --git a/go.sum b/go.sum index f8a7034..6bbc084 100644 --- a/go.sum +++ b/go.sum @@ -170,6 +170,8 @@ github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed h1:1Jo7ge github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed/go.mod h1:Shows1vmkBWO40ChOClaUe6DUnZrsP1UPAuoWzIUdgQ= github.com/foxcpp/go-imap-sql v0.4.1-0.20210718081250-7f103db60f22 h1:ZXgI+FkKj+iKSrI58CZEkbSSojV84jm4LjEwglyH4Ik= github.com/foxcpp/go-imap-sql v0.4.1-0.20210718081250-7f103db60f22/go.mod h1:kl+x+noffdBsp1pAR+PTHupLoxHnJZZw6BFcmmCZeUI= +github.com/foxcpp/go-imap-sql v0.4.1-0.20210718082546-d38d40f5442c h1:bNaw79UJEonuRo1box0wUGGBT2V/XGkhT2NakjZnRIs= +github.com/foxcpp/go-imap-sql v0.4.1-0.20210718082546-d38d40f5442c/go.mod h1:kl+x+noffdBsp1pAR+PTHupLoxHnJZZw6BFcmmCZeUI= github.com/foxcpp/go-mockdns v0.0.0-20191216195825-5eabd8dbfe1f/go.mod h1:tPg4cp4nseejPd+UKxtCVQ2hUxNTZ7qQZJa7CLriIeo= github.com/foxcpp/go-mockdns v0.0.0-20201212160233-ede2f9158d15 h1:nLPjjvpUAODOR6vY/7o0hBIk8iTr19Fvmf8aFx/kC7A= github.com/foxcpp/go-mockdns v0.0.0-20201212160233-ede2f9158d15/go.mod h1:tPg4cp4nseejPd+UKxtCVQ2hUxNTZ7qQZJa7CLriIeo= From 461cf0b90fd183b403e988cacbf505d220e8202a Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Sun, 18 Jul 2021 21:12:12 +0300 Subject: [PATCH 03/41] storage/imapsql: Add support for using PostgreSQL broker for updates --- go.mod | 2 +- go.sum | 5 +- internal/storage/imapsql/imapsql.go | 17 ++++- internal/updatepipe/pubsub/pq.go | 86 +++++++++++++++++++++++ internal/updatepipe/pubsub/pubsub.go | 11 +++ internal/updatepipe/pubsub_pipe.go | 101 +++++++++++++++++++++++++++ 6 files changed, 217 insertions(+), 5 deletions(-) create mode 100644 internal/updatepipe/pubsub/pq.go create mode 100644 internal/updatepipe/pubsub/pubsub.go create mode 100644 internal/updatepipe/pubsub_pipe.go diff --git a/go.mod b/go.mod index d7c8440..bf3dddd 100644 --- a/go.mod +++ b/go.mod @@ -23,7 +23,7 @@ require ( github.com/foxcpp/go-dovecot-sasl v0.0.0-20200522223722-c4699d7a24bf github.com/foxcpp/go-imap-backend-tests v0.0.0-20200802090154-7e6248c85a0e github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005 - github.com/foxcpp/go-imap-mess v0.0.0-20210718073110-d5eb968a0995 + github.com/foxcpp/go-imap-mess v0.0.0-20210718180745-f14f34d14a3b github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed github.com/foxcpp/go-imap-sql v0.4.1-0.20210718082546-d38d40f5442c github.com/foxcpp/go-mockdns v0.0.0-20201212160233-ede2f9158d15 diff --git a/go.sum b/go.sum index 6bbc084..34db9ba 100644 --- a/go.sum +++ b/go.sum @@ -164,12 +164,11 @@ github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005 h1:pfoFtk github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005/go.mod h1:34FwxnjC2N+EFs2wMtsHevrZLWRKRuVU8wEcHWKq/nE= github.com/foxcpp/go-imap-idle v0.0.0-20200829140055-32dc40172769 h1:qMdULYMxKuAgboOllBNLmA7wQ4YEwnhvq8onksrMC3A= github.com/foxcpp/go-imap-idle v0.0.0-20200829140055-32dc40172769/go.mod h1:PLnHIusEiOdmy63Y7IL2RjShIk4cyFi3a8MTC/WcLkk= -github.com/foxcpp/go-imap-mess v0.0.0-20210718073110-d5eb968a0995 h1:UXksj5CP+1Zg5GCD74JEijuQ2C22vXFgquhdG/YlXuI= github.com/foxcpp/go-imap-mess v0.0.0-20210718073110-d5eb968a0995/go.mod h1:cps13jIcqI/3FGVJQ8azz3apLjikGoKKcB6xb65VSag= +github.com/foxcpp/go-imap-mess v0.0.0-20210718180745-f14f34d14a3b h1:O85JcWCduTZz5FkqCrQX79wc88lgSezbTqrWNgXyEow= +github.com/foxcpp/go-imap-mess v0.0.0-20210718180745-f14f34d14a3b/go.mod h1:cps13jIcqI/3FGVJQ8azz3apLjikGoKKcB6xb65VSag= github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed h1:1Jo7geyvunrPSjL6F6D9EcXoNApS5v3LQaro7aUNPnE= github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed/go.mod h1:Shows1vmkBWO40ChOClaUe6DUnZrsP1UPAuoWzIUdgQ= -github.com/foxcpp/go-imap-sql v0.4.1-0.20210718081250-7f103db60f22 h1:ZXgI+FkKj+iKSrI58CZEkbSSojV84jm4LjEwglyH4Ik= -github.com/foxcpp/go-imap-sql v0.4.1-0.20210718081250-7f103db60f22/go.mod h1:kl+x+noffdBsp1pAR+PTHupLoxHnJZZw6BFcmmCZeUI= github.com/foxcpp/go-imap-sql v0.4.1-0.20210718082546-d38d40f5442c h1:bNaw79UJEonuRo1box0wUGGBT2V/XGkhT2NakjZnRIs= github.com/foxcpp/go-imap-sql v0.4.1-0.20210718082546-d38d40f5442c/go.mod h1:kl+x+noffdBsp1pAR+PTHupLoxHnJZZw6BFcmmCZeUI= github.com/foxcpp/go-mockdns v0.0.0-20191216195825-5eabd8dbfe1f/go.mod h1:tPg4cp4nseejPd+UKxtCVQ2hUxNTZ7qQZJa7CLriIeo= diff --git a/internal/storage/imapsql/imapsql.go b/internal/storage/imapsql/imapsql.go index 4ebc731..a800716 100644 --- a/internal/storage/imapsql/imapsql.go +++ b/internal/storage/imapsql/imapsql.go @@ -48,6 +48,7 @@ import ( "github.com/foxcpp/maddy/framework/module" "github.com/foxcpp/maddy/internal/authz" "github.com/foxcpp/maddy/internal/updatepipe" + "github.com/foxcpp/maddy/internal/updatepipe/pubsub" _ "github.com/go-sql-driver/mysql" _ "github.com/lib/pq" @@ -252,8 +253,22 @@ func (store *Storage) EnableUpdatePipe(mode updatepipe.BackendMode) error { store.Log.DebugMsg("using unix socket for external updates", "path", sockPath) store.updPipe = &updatepipe.UnixSockPipe{ SockPath: sockPath, - Log: log.Logger{Name: "sql/updpipe", Debug: store.Log.Debug}, + Log: log.Logger{Name: "storage.imapsql/updpipe", Debug: store.Log.Debug}, } + case "postgres": + store.Log.DebugMsg("using PostgreSQL broker for external updates") + ps, err := pubsub.NewPQ(strings.Join(store.dsn, " ")) + if err != nil { + return fmt.Errorf("enable_update_pipe: %w", err) + } + ps.Log = log.Logger{Name: "storage.imapsql/updpipe/pubsub", Debug: store.Log.Debug} + pipe := &updatepipe.PubSubPipe{ + PubSub: ps, + Log: log.Logger{Name: "storage.imapsql/updpipe", Debug: store.Log.Debug}, + } + store.Back.UpdateManager().ExternalUnsubscribe = pipe.Unsubscribe + store.Back.UpdateManager().ExternalSubscribe = pipe.Subscribe + store.updPipe = pipe default: return errors.New("imapsql: driver does not have an update pipe implementation") } diff --git a/internal/updatepipe/pubsub/pq.go b/internal/updatepipe/pubsub/pq.go new file mode 100644 index 0000000..29f9c52 --- /dev/null +++ b/internal/updatepipe/pubsub/pq.go @@ -0,0 +1,86 @@ +package pubsub + +import ( + "context" + "database/sql" + "time" + + "github.com/foxcpp/maddy/framework/log" + "github.com/lib/pq" +) + +type Msg struct { + Key string + Payload string +} + +type PqPubSub struct { + Notify chan Msg + + L *pq.Listener + sender *sql.DB + + Log log.Logger +} + +func NewPQ(dsn string) (*PqPubSub, error) { + l := &PqPubSub{ + Log: log.Logger{Name: "pgpubsub"}, + Notify: make(chan Msg), + } + l.L = pq.NewListener(dsn, 10*time.Second, time.Minute, l.eventHandler) + var err error + l.sender, err = sql.Open("postgres", dsn) + if err != nil { + return nil, err + } + + go func() { + defer close(l.Notify) + for n := range l.L.Notify { + if n == nil { + continue + } + + l.Notify <- Msg{Key: n.Channel, Payload: n.Extra} + } + }() + + return l, nil +} + +func (l *PqPubSub) Close() error { + l.sender.Close() + l.L.Close() + return nil +} + +func (l *PqPubSub) eventHandler(ev pq.ListenerEventType, err error) { + switch ev { + case pq.ListenerEventConnected: + l.Log.DebugMsg("connected") + case pq.ListenerEventReconnected: + l.Log.Msg("connection reestablished") + case pq.ListenerEventConnectionAttemptFailed: + l.Log.Error("connection attempt failed", err) + case pq.ListenerEventDisconnected: + l.Log.Msg("connection closed", "err", err) + } +} + +func (l *PqPubSub) Subscribe(_ context.Context, key string) error { + return l.L.Listen(key) +} + +func (l *PqPubSub) Unsubscribe(_ context.Context, key string) error { + return l.L.Unlisten(key) +} + +func (l *PqPubSub) Publish(key, payload string) error { + _, err := l.sender.Exec(`SELECT pg_notify($1, $2)`, key, payload) + return err +} + +func (l *PqPubSub) Listener() chan Msg { + return l.Notify +} diff --git a/internal/updatepipe/pubsub/pubsub.go b/internal/updatepipe/pubsub/pubsub.go new file mode 100644 index 0000000..64480ab --- /dev/null +++ b/internal/updatepipe/pubsub/pubsub.go @@ -0,0 +1,11 @@ +package pubsub + +import "context" + +type PubSub interface { + Subscribe(ctx context.Context, key string) error + Unsubscribe(ctx context.Context, key string) error + Publish(key, payload string) error + Listener() chan Msg + Close() error +} diff --git a/internal/updatepipe/pubsub_pipe.go b/internal/updatepipe/pubsub_pipe.go new file mode 100644 index 0000000..b1cef67 --- /dev/null +++ b/internal/updatepipe/pubsub_pipe.go @@ -0,0 +1,101 @@ +package updatepipe + +import ( + "context" + "fmt" + "os" + "strconv" + + mess "github.com/foxcpp/go-imap-mess" + "github.com/foxcpp/maddy/framework/log" + "github.com/foxcpp/maddy/internal/updatepipe/pubsub" +) + +type PubSubPipe struct { + PubSub pubsub.PubSub + Log log.Logger +} + +func (p *PubSubPipe) Listen(upds chan<- mess.Update) error { + go func() { + for m := range p.PubSub.Listener() { + id, upd, err := parseUpdate(m.Payload) + if err != nil { + p.Log.Error("failed to parse update", err) + continue + } + if id == p.myID() { + continue + } + upds <- *upd + } + }() + return nil +} + +func (p *PubSubPipe) InitPush() error { + return nil +} + +func (p *PubSubPipe) myID() string { + return fmt.Sprintf("%d-%p", os.Getpid(), p) +} + +func (p *PubSubPipe) channel(key interface{}) (string, error) { + var psKey string + switch k := key.(type) { + case string: + psKey = k + case uint64: + psKey = "__uint64_" + strconv.FormatUint(k, 10) + default: + return "", fmt.Errorf("updatepipe: key type must be either string or uint64") + } + return psKey, nil +} + +func (p *PubSubPipe) Subscribe(key interface{}) { + psKey, err := p.channel(key) + if err != nil { + p.Log.Error("invalid key passed to Subscribe", err) + return + } + + if err := p.PubSub.Subscribe(context.TODO(), psKey); err != nil { + p.Log.Error("pubsub subscribe failed", err) + } else { + p.Log.DebugMsg("subscribed to pubsub", "channel", psKey) + } +} + +func (p *PubSubPipe) Unsubscribe(key interface{}) { + psKey, err := p.channel(key) + if err != nil { + p.Log.Error("invalid key passed to Unsubscribe", err) + return + } + + if err := p.PubSub.Unsubscribe(context.TODO(), psKey); err != nil { + p.Log.Error("pubsub unsubscribe failed", err) + } else { + p.Log.DebugMsg("unsubscribed from pubsub", "channel", psKey) + } +} + +func (p *PubSubPipe) Push(upd mess.Update) error { + psKey, err := p.channel(upd.Key) + if err != nil { + return err + } + + updBlob, err := formatUpdate(p.myID(), upd) + if err != nil { + return err + } + + return p.PubSub.Publish(psKey, updBlob) +} + +func (p *PubSubPipe) Close() error { + return p.PubSub.Close() +} From 3318724acd7420eb4c2d2e8d498c189208c92322 Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Sat, 11 Dec 2021 19:22:36 +0300 Subject: [PATCH 04/41] target: Add skeleton.go --- internal/target/skeleton.go | 129 ++++++++++++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) create mode 100644 internal/target/skeleton.go diff --git a/internal/target/skeleton.go b/internal/target/skeleton.go new file mode 100644 index 0000000..4eb2ee5 --- /dev/null +++ b/internal/target/skeleton.go @@ -0,0 +1,129 @@ +//+build ignore + +// Copy that file into target/ subdirectory. + +package target_name + +/* +Maddy Mail Server - Composable all-in-one email server. +Copyright © 2019-2021 Max Mazurov , Maddy Mail Server contributors + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +import ( + "context" + + "github.com/emersion/go-message/textproto" + "github.com/foxcpp/maddy/framework/buffer" + "github.com/foxcpp/maddy/framework/config" + "github.com/foxcpp/maddy/framework/log" + "github.com/foxcpp/maddy/framework/module" +) + +const modName = "target.target_name" + +type Target struct { + instName string + log log.Logger +} + +func New(_, instName string, _, inlineArgs []string) (module.Module, error) { + // If wanted, extract any values from inlineArgs (these values: + // deliver_to target_name ARG1 ARG2 { ... } + + return &Target{ + instName: instName, + log: log.Logger{Name: instName}, + }, nil +} + +func (t *Target) Init(cfg *config.Map) error { + cfg.Bool("debug", true, false, &t.log.Debug) + + // Read any config directives into Target variables here. + + if _, err := cfg.Process(); err != nil { + return err + } + + // Finish setup using obtained values. + + return nil +} + +func (t *Target) Name() string { + return modName +} + +func (t *Target) InstanceName() string { + return t.instName +} + +// If it necessary to have any server shutdown cleanup - implement Close. + +func (t *Target) Close() error { + return nil +} + +type delivery struct { + t *Target + mailFrom string + log log.Logger + msgMeta *module.MsgMetadata +} + +/* +See module.DeliveryTarget and module.Delivery docs for details on each method. +*/ + +func (t *Target) Start(ctx context.Context, msgMeta *module.MsgMetadata, mailFrom string) (module.Delivery, error) { + return &delivery{ + t: t, + mailFrom: mailFrom, + log: DeliveryLogger(t.log, msgMeta), + msgMeta: msgMeta, + }, nil +} + +func (d *delivery) AddRcpt(ctx context.Context, rcptTo string) error { + // Corresponds to SMTP RCPT command. + panic("implement me") +} + +func (d *delivery) Body(ctx context.Context, header textproto.Header, body buffer.Buffer) error { + // Corresponds to SMTP DATA command. + panic("implement me") +} + +/* +If Body call can fail partially (either success or fail for each recipient passed to AddRcpt) +- implement BodyNonAtomic and signal status for each recipient using StatusCollector callback. + +func (d *delivery) BodyNonAtomic(ctx context.Context, sc module.StatusCollector, header textproto.Header, body buffer.Buffer) { + +} +*/ + +func (d *delivery) Abort(ctx context.Context) error { + panic("implement me") +} + +func (d *delivery) Commit(ctx context.Context) error { + panic("implement me") +} + +func init() { + module.Register(modName, New) +} From 59564cbd37b49ee138d8103d6aaaa6805b388298 Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Thu, 6 Jan 2022 02:59:15 +0300 Subject: [PATCH 05/41] Upgrade to latest go-imap v2 revision Based on latest v1, therefore having a number of extensions merged in now. --- go.mod | 20 +++++++------------- go.sum | 19 ++++++++++++------- internal/endpoint/imap/imap.go | 15 --------------- internal/storage/imapsql/delivery.go | 4 ++-- 4 files changed, 21 insertions(+), 37 deletions(-) diff --git a/go.mod b/go.mod index bf3dddd..8e7c4ba 100644 --- a/go.mod +++ b/go.mod @@ -8,24 +8,20 @@ require ( github.com/caddyserver/certmagic v0.14.1 github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect github.com/emersion/go-imap v1.0.6 - github.com/emersion/go-imap-appendlimit v0.0.0-20190308131241-25671c986a6a github.com/emersion/go-imap-compress v0.0.0-20201103190257-14809af1d1b9 - github.com/emersion/go-imap-idle v0.0.0-20201224103203-6f42b9020098 - github.com/emersion/go-imap-move v0.0.0-20190710073258-6e5a51a5b342 github.com/emersion/go-imap-sortthread v1.2.0 - github.com/emersion/go-imap-specialuse v0.0.0-20201101201809-1ab93d3d150e - github.com/emersion/go-imap-unselect v0.0.0-20171113212723-b985794e5f26 - github.com/emersion/go-message v0.14.1 + github.com/emersion/go-imap-specialuse v0.0.0-20161227184202-ba031ced6a62 // indirect + github.com/emersion/go-message v0.15.0 github.com/emersion/go-milter v0.3.2 github.com/emersion/go-msgauth v0.6.5 github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 github.com/emersion/go-smtp v0.15.1-0.20210705155248-26eb4814e227 github.com/foxcpp/go-dovecot-sasl v0.0.0-20200522223722-c4699d7a24bf - github.com/foxcpp/go-imap-backend-tests v0.0.0-20200802090154-7e6248c85a0e + github.com/foxcpp/go-imap-backend-tests v0.0.0-20220105184719-e80aa29a5e16 github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005 - github.com/foxcpp/go-imap-mess v0.0.0-20210718180745-f14f34d14a3b + github.com/foxcpp/go-imap-mess v0.0.0-20220105225909-b3469f4a4315 github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed - github.com/foxcpp/go-imap-sql v0.4.1-0.20210718082546-d38d40f5442c + github.com/foxcpp/go-imap-sql v0.5.1-0.20220105233636-946daf36ce81 github.com/foxcpp/go-mockdns v0.0.0-20201212160233-ede2f9158d15 github.com/foxcpp/go-mtasts v0.0.0-20191219193356-62bc3f1f74b8 github.com/go-ldap/ldap/v3 v3.3.0 @@ -59,9 +55,7 @@ require ( golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a golang.org/x/net v0.0.0-20210525063256-abc453219eb5 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c - golang.org/x/text v0.3.6 + golang.org/x/text v0.3.7 ) -replace github.com/emersion/go-imap => github.com/foxcpp/go-imap v1.0.0-beta.1.0.20201001193006-5a1d05e53e2c - -replace github.com/emersion/go-imap-idle => github.com/foxcpp/go-imap-idle v0.0.0-20200829140055-32dc40172769 +replace github.com/emersion/go-imap => github.com/foxcpp/go-imap v1.0.0-beta.1.0.20220105164802-1e767d4cfd62 diff --git a/go.sum b/go.sum index 34db9ba..ab816b1 100644 --- a/go.sum +++ b/go.sum @@ -121,6 +121,7 @@ github.com/emersion/go-imap-move v0.0.0-20190710073258-6e5a51a5b342/go.mod h1:Qu github.com/emersion/go-imap-sortthread v1.1.1-0.20200727121200-18e5fb409fed/go.mod h1:opHOzblOHZKQM1JEy+GPk1217giNLa7kleyWTN06qnc= github.com/emersion/go-imap-sortthread v1.2.0 h1:EMVEJXPWAhXMWECjR82Rn/tza6MddcvTwGAdTu1vJKU= github.com/emersion/go-imap-sortthread v1.2.0/go.mod h1:UhenCBupR+vSYRnqJkpjSq84INUCsyAK1MLpogv14pE= +github.com/emersion/go-imap-specialuse v0.0.0-20161227184202-ba031ced6a62 h1:4ZAfwfc8aDlj26kkEap1UDSwwDnJp9Ie8Uj1MSXAkPk= github.com/emersion/go-imap-specialuse v0.0.0-20161227184202-ba031ced6a62/go.mod h1:/nybxhI8kXom8Tw6BrHMl42usALvka6meORflnnYwe4= github.com/emersion/go-imap-specialuse v0.0.0-20201101201809-1ab93d3d150e h1:AwVkRMFFUMNu+tx0jchwyoXhS2VClQSzTtByVuzxbsE= github.com/emersion/go-imap-specialuse v0.0.0-20201101201809-1ab93d3d150e/go.mod h1:/nybxhI8kXom8Tw6BrHMl42usALvka6meORflnnYwe4= @@ -129,8 +130,9 @@ github.com/emersion/go-imap-unselect v0.0.0-20171113212723-b985794e5f26/go.mod h github.com/emersion/go-message v0.10.3/go.mod h1:3h+HsGTCFHmk4ngJ2IV/YPhdlaOcR6hcgqM3yca9v7c= github.com/emersion/go-message v0.11.1/go.mod h1:C4jnca5HOTo4bGN9YdqNQM9sITuT3Y0K6bSUw9RklvY= github.com/emersion/go-message v0.11.2/go.mod h1:C4jnca5HOTo4bGN9YdqNQM9sITuT3Y0K6bSUw9RklvY= -github.com/emersion/go-message v0.14.1 h1:j3rj9F+7VtXE9c8P5UHBq8FTHLW/AjnmvSRre6AHoYI= github.com/emersion/go-message v0.14.1/go.mod h1:N1JWdZQ2WRUalmdHAX308CWBq747VJ8oUorFI3VCBwU= +github.com/emersion/go-message v0.15.0 h1:urgKGqt2JAc9NFJcgncQcohHdiYb803YTH9OQwHBHIY= +github.com/emersion/go-message v0.15.0/go.mod h1:wQUEfE+38+7EW8p8aZ96ptg6bAb1iwdgej19uXASlE4= github.com/emersion/go-milter v0.3.2 h1:j8hrLXf8PAHFhRHDdBoBKluQveMZYoaK7aRIqvaoRTA= github.com/emersion/go-milter v0.3.2/go.mod h1:ablHK0pbLB83kMFBznp/Rj8aV+Kc3jw8cxzzmCNLIOY= github.com/emersion/go-msgauth v0.6.5 h1:UaXBtrjYBM3SWw9BBODeSp0uYtScx3CuIF7/RQfkeWo= @@ -155,22 +157,25 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/foxcpp/go-dovecot-sasl v0.0.0-20200522223722-c4699d7a24bf h1:rmBPY5fryjp9zLQYsUmQqqgsYq7qeVfrjtr96Tf9vD8= github.com/foxcpp/go-dovecot-sasl v0.0.0-20200522223722-c4699d7a24bf/go.mod h1:5yZUmwr851vgjyAfN7OEfnrmKOh/qLA5dbGelXYsu1E= -github.com/foxcpp/go-imap v1.0.0-beta.1.0.20201001193006-5a1d05e53e2c h1:EKhtM7IsuerenjPu3bMdZtUG7MEYBf18HLffVlrHHyc= -github.com/foxcpp/go-imap v1.0.0-beta.1.0.20201001193006-5a1d05e53e2c/go.mod h1:yKASt+C3ZiDAiCSssxg9caIckWF/JG7ZQTO7GAmvicU= +github.com/foxcpp/go-imap v1.0.0-beta.1.0.20220105164802-1e767d4cfd62 h1:fkQX2NRzBgtR2PC60IXzrhcxr3Gti8zIY9HNhJ43/7w= +github.com/foxcpp/go-imap v1.0.0-beta.1.0.20220105164802-1e767d4cfd62/go.mod h1:Qlx1FSx2FTxjnjWpIlVNEuX+ylerZQNFE5NsmKFSejY= github.com/foxcpp/go-imap-backend-tests v0.0.0-20200617132817-958ea5829771/go.mod h1:yUISYv/uXLQ6tQZcds/p/hdcZ5JzrEUifyED2VffWpc= github.com/foxcpp/go-imap-backend-tests v0.0.0-20200802090154-7e6248c85a0e h1:wUYcbeGDlKqaa02jHuFMBVVfw51v7KaizLRT+i8wftc= github.com/foxcpp/go-imap-backend-tests v0.0.0-20200802090154-7e6248c85a0e/go.mod h1:dWepYGUClcebWyUy7yl8wm2ioE6NC4m82Xy/hDAng1c= +github.com/foxcpp/go-imap-backend-tests v0.0.0-20220105184719-e80aa29a5e16/go.mod h1:OPP1AgKxMPo3aHX5pcEZLQhhh5sllFcB8aUN9f6a6X8= github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005 h1:pfoFtkTTQ473qStSN79jhCFBWqMQt/3DQ3NGuXvT+50= github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005/go.mod h1:34FwxnjC2N+EFs2wMtsHevrZLWRKRuVU8wEcHWKq/nE= -github.com/foxcpp/go-imap-idle v0.0.0-20200829140055-32dc40172769 h1:qMdULYMxKuAgboOllBNLmA7wQ4YEwnhvq8onksrMC3A= -github.com/foxcpp/go-imap-idle v0.0.0-20200829140055-32dc40172769/go.mod h1:PLnHIusEiOdmy63Y7IL2RjShIk4cyFi3a8MTC/WcLkk= github.com/foxcpp/go-imap-mess v0.0.0-20210718073110-d5eb968a0995/go.mod h1:cps13jIcqI/3FGVJQ8azz3apLjikGoKKcB6xb65VSag= github.com/foxcpp/go-imap-mess v0.0.0-20210718180745-f14f34d14a3b h1:O85JcWCduTZz5FkqCrQX79wc88lgSezbTqrWNgXyEow= github.com/foxcpp/go-imap-mess v0.0.0-20210718180745-f14f34d14a3b/go.mod h1:cps13jIcqI/3FGVJQ8azz3apLjikGoKKcB6xb65VSag= +github.com/foxcpp/go-imap-mess v0.0.0-20220105225909-b3469f4a4315 h1:3MxfvA+zWxl+p5BeQ7pROzigTSHAcalvsExTu1Is41Y= +github.com/foxcpp/go-imap-mess v0.0.0-20220105225909-b3469f4a4315/go.mod h1:S/ELw0SONJ3ffk0ie7TYD6OxoIiyeMI22Fr3kwKUG8s= github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed h1:1Jo7geyvunrPSjL6F6D9EcXoNApS5v3LQaro7aUNPnE= github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed/go.mod h1:Shows1vmkBWO40ChOClaUe6DUnZrsP1UPAuoWzIUdgQ= github.com/foxcpp/go-imap-sql v0.4.1-0.20210718082546-d38d40f5442c h1:bNaw79UJEonuRo1box0wUGGBT2V/XGkhT2NakjZnRIs= github.com/foxcpp/go-imap-sql v0.4.1-0.20210718082546-d38d40f5442c/go.mod h1:kl+x+noffdBsp1pAR+PTHupLoxHnJZZw6BFcmmCZeUI= +github.com/foxcpp/go-imap-sql v0.5.1-0.20220105233636-946daf36ce81 h1:hd79KlESgagszJqmV+dm36r5NR5NFYCMQ2dWi05gKKs= +github.com/foxcpp/go-imap-sql v0.5.1-0.20220105233636-946daf36ce81/go.mod h1:tl6w1OlN7LLvJOoWTR7bNt0JQE+wPbYr8f3/nJSSlwU= github.com/foxcpp/go-mockdns v0.0.0-20191216195825-5eabd8dbfe1f/go.mod h1:tPg4cp4nseejPd+UKxtCVQ2hUxNTZ7qQZJa7CLriIeo= github.com/foxcpp/go-mockdns v0.0.0-20201212160233-ede2f9158d15 h1:nLPjjvpUAODOR6vY/7o0hBIk8iTr19Fvmf8aFx/kC7A= github.com/foxcpp/go-mockdns v0.0.0-20201212160233-ede2f9158d15/go.mod h1:tPg4cp4nseejPd+UKxtCVQ2hUxNTZ7qQZJa7CLriIeo= @@ -403,7 +408,6 @@ github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/martinlindhe/base36 v0.0.0-20190418230009-7c6542dfbb41/go.mod h1:+AtEs8xrBpCeYgSLoY/aJ6Wf37jtBuR0s35750M27+8= github.com/martinlindhe/base36 v1.0.0/go.mod h1:+AtEs8xrBpCeYgSLoY/aJ6Wf37jtBuR0s35750M27+8= -github.com/martinlindhe/base36 v1.1.0 h1:cIwvvwYse/0+1CkUPYH5ZvVIYG3JrILmQEIbLuar02Y= github.com/martinlindhe/base36 v1.1.0/go.mod h1:+AtEs8xrBpCeYgSLoY/aJ6Wf37jtBuR0s35750M27+8= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= @@ -789,8 +793,9 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5-0.20201125200606-c27b9fd57aec/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff --git a/internal/endpoint/imap/imap.go b/internal/endpoint/imap/imap.go index 8cb7169..b9bbd87 100644 --- a/internal/endpoint/imap/imap.go +++ b/internal/endpoint/imap/imap.go @@ -27,13 +27,8 @@ import ( "sync" "github.com/emersion/go-imap" - appendlimit "github.com/emersion/go-imap-appendlimit" compress "github.com/emersion/go-imap-compress" - idle "github.com/emersion/go-imap-idle" - move "github.com/emersion/go-imap-move" sortthread "github.com/emersion/go-imap-sortthread" - specialuse "github.com/emersion/go-imap-specialuse" - unselect "github.com/emersion/go-imap-unselect" imapbackend "github.com/emersion/go-imap/backend" imapserver "github.com/emersion/go-imap/server" "github.com/emersion/go-message" @@ -241,14 +236,6 @@ func (endp *Endpoint) enableExtensions() error { exts := endp.Store.IMAPExtensions() for _, ext := range exts { switch ext { - case "APPENDLIMIT": - endp.serv.Enable(appendlimit.NewExtension()) - case "CHILDREN": - endp.serv.Enable(children.NewExtension()) - case "MOVE": - endp.serv.Enable(move.NewExtension()) - case "SPECIAL-USE": - endp.serv.Enable(specialuse.NewExtension()) case "I18NLEVEL=1", "I18NLEVEL=2": endp.serv.Enable(i18nlevel.NewExtension()) case "SORT": @@ -260,8 +247,6 @@ func (endp *Endpoint) enableExtensions() error { } endp.serv.Enable(compress.NewExtension()) - endp.serv.Enable(unselect.NewExtension()) - endp.serv.Enable(idle.NewExtension()) endp.serv.Enable(namespace.NewExtension()) return nil diff --git a/internal/storage/imapsql/delivery.go b/internal/storage/imapsql/delivery.go index bad03c3..7692ddc 100644 --- a/internal/storage/imapsql/delivery.go +++ b/internal/storage/imapsql/delivery.go @@ -22,7 +22,7 @@ import ( "context" "runtime/trace" - specialuse "github.com/emersion/go-imap-specialuse" + "github.com/emersion/go-imap" "github.com/emersion/go-imap/backend" "github.com/emersion/go-message/textproto" imapsql "github.com/foxcpp/go-imap-sql" @@ -108,7 +108,7 @@ func (d *delivery) Body(ctx context.Context, header textproto.Header, body buffe } if d.msgMeta.Quarantine { - if err := d.d.SpecialMailbox(specialuse.Junk, d.store.junkMbox); err != nil { + if err := d.d.SpecialMailbox(imap.JunkAttr, d.store.junkMbox); err != nil { if _, ok := err.(imapsql.SerializationError); ok { return &exterrors.SMTPError{ Code: 453, From 6f6b4cd19b911fad50b928682142c5de05a1adc3 Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Thu, 6 Jan 2022 03:15:43 +0300 Subject: [PATCH 06/41] Update really outdated .version On dev branch is was somehow stuck on 0.4.4. Probably since I switched the workflow to make releases on master branch. --- .version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.version b/.version index 6f2743d..fb0b754 100644 --- a/.version +++ b/.version @@ -1 +1 @@ -0.4.4 +0.6.0-dev From b217232c2964459618351d52e78cabf9a8289ad9 Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Thu, 6 Jan 2022 03:34:30 +0300 Subject: [PATCH 07/41] Remove references to merged extension packages --- cmd/maddyctl/appendlimit.go | 4 ++-- go.sum | 1 + internal/endpoint/imap/imap.go | 5 ----- internal/storage/imapsql/imapsql.go | 7 ------- 4 files changed, 3 insertions(+), 14 deletions(-) diff --git a/cmd/maddyctl/appendlimit.go b/cmd/maddyctl/appendlimit.go index effe581..c807356 100644 --- a/cmd/maddyctl/appendlimit.go +++ b/cmd/maddyctl/appendlimit.go @@ -22,7 +22,7 @@ import ( "errors" "fmt" - appendlimit "github.com/emersion/go-imap-appendlimit" + imapbackend "github.com/emersion/go-imap/backend" "github.com/foxcpp/maddy/framework/module" "github.com/urfave/cli" ) @@ -32,7 +32,7 @@ import ( // AppendLimitUser is extension for backend.User interface which allows to // set append limit value for testing and administration purposes. type AppendLimitUser interface { - appendlimit.User + imapbackend.AppendLimitUser // SetMessageLimit sets new value for limit. // nil pointer means no limit. diff --git a/go.sum b/go.sum index ab816b1..bc48c79 100644 --- a/go.sum +++ b/go.sum @@ -162,6 +162,7 @@ github.com/foxcpp/go-imap v1.0.0-beta.1.0.20220105164802-1e767d4cfd62/go.mod h1: github.com/foxcpp/go-imap-backend-tests v0.0.0-20200617132817-958ea5829771/go.mod h1:yUISYv/uXLQ6tQZcds/p/hdcZ5JzrEUifyED2VffWpc= github.com/foxcpp/go-imap-backend-tests v0.0.0-20200802090154-7e6248c85a0e h1:wUYcbeGDlKqaa02jHuFMBVVfw51v7KaizLRT+i8wftc= github.com/foxcpp/go-imap-backend-tests v0.0.0-20200802090154-7e6248c85a0e/go.mod h1:dWepYGUClcebWyUy7yl8wm2ioE6NC4m82Xy/hDAng1c= +github.com/foxcpp/go-imap-backend-tests v0.0.0-20220105184719-e80aa29a5e16 h1:qheFPDpteiUy7Ym18R68OYenpk85UyKYGkhYTmddSBg= github.com/foxcpp/go-imap-backend-tests v0.0.0-20220105184719-e80aa29a5e16/go.mod h1:OPP1AgKxMPo3aHX5pcEZLQhhh5sllFcB8aUN9f6a6X8= github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005 h1:pfoFtkTTQ473qStSN79jhCFBWqMQt/3DQ3NGuXvT+50= github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005/go.mod h1:34FwxnjC2N+EFs2wMtsHevrZLWRKRuVU8wEcHWKq/nE= diff --git a/internal/endpoint/imap/imap.go b/internal/endpoint/imap/imap.go index b9bbd87..e7a3a93 100644 --- a/internal/endpoint/imap/imap.go +++ b/internal/endpoint/imap/imap.go @@ -36,7 +36,6 @@ import ( "github.com/emersion/go-sasl" i18nlevel "github.com/foxcpp/go-imap-i18nlevel" namespace "github.com/foxcpp/go-imap-namespace" - "github.com/foxcpp/go-imap-sql/children" "github.com/foxcpp/maddy/framework/config" modconfig "github.com/foxcpp/maddy/framework/config/module" tls2 "github.com/foxcpp/maddy/framework/config/tls" @@ -220,10 +219,6 @@ func (endp *Endpoint) Login(connInfo *imap.ConnInfo, username, password string) return endp.Store.GetOrCreateIMAPAcct(username) } -func (endp *Endpoint) EnableChildrenExt() bool { - return endp.Store.(children.Backend).EnableChildrenExt() -} - func (endp *Endpoint) I18NLevel() int { be, ok := endp.Store.(i18nlevel.Backend) if !ok { diff --git a/internal/storage/imapsql/imapsql.go b/internal/storage/imapsql/imapsql.go index c4b1674..7ba29e2 100644 --- a/internal/storage/imapsql/imapsql.go +++ b/internal/storage/imapsql/imapsql.go @@ -259,9 +259,6 @@ func (store *Storage) Init(cfg *config.Map) error { store.driver = driver store.dsn = dsn - store.Back.EnableChildrenExt() - store.Back.EnableSpecialUseExt() - return nil } @@ -366,10 +363,6 @@ func (store *Storage) CreateMessageLimit() *uint32 { return store.Back.CreateMessageLimit() } -func (store *Storage) EnableChildrenExt() bool { - return store.Back.EnableChildrenExt() -} - func (store *Storage) GetOrCreateIMAPAcct(username string) (backend.User, error) { accountName, err := store.authNormalize(context.TODO(), username) if err != nil { From 89d150547863490b6f765b3ab19891bb69464d50 Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Thu, 6 Jan 2022 03:48:38 +0300 Subject: [PATCH 08/41] Remove remaining references to go-imap-specialuse^ --- cmd/maddyctl/imapacct.go | 11 ++++----- go.mod | 2 +- go.sum | 51 ++-------------------------------------- 3 files changed, 8 insertions(+), 56 deletions(-) diff --git a/cmd/maddyctl/imapacct.go b/cmd/maddyctl/imapacct.go index 69ca27f..1d3af83 100644 --- a/cmd/maddyctl/imapacct.go +++ b/cmd/maddyctl/imapacct.go @@ -23,7 +23,6 @@ import ( "fmt" "os" - specialuse "github.com/emersion/go-imap-specialuse" "github.com/foxcpp/maddy/cmd/maddyctl/clitools" "github.com/foxcpp/maddy/framework/module" "github.com/urfave/cli" @@ -87,27 +86,27 @@ func imapAcctCreate(be module.Storage, ctx *cli.Context) error { } if name := ctx.String("sent-name"); name != "" { - if err := createMbox(name, specialuse.Sent); err != nil { + if err := createMbox(name, imap.SentAttr); err != nil { fmt.Fprintf(os.Stderr, "Failed to create sent folder: %v", err) } } if name := ctx.String("trash-name"); name != "" { - if err := createMbox(name, specialuse.Trash); err != nil { + if err := createMbox(name, imap.TrashAttr); err != nil { fmt.Fprintf(os.Stderr, "Failed to create trash folder: %v", err) } } if name := ctx.String("junk-name"); name != "" { - if err := createMbox(name, specialuse.Junk); err != nil { + if err := createMbox(name, imap.JunkAttr); err != nil { fmt.Fprintf(os.Stderr, "Failed to create junk folder: %v", err) } } if name := ctx.String("drafts-name"); name != "" { - if err := createMbox(name, specialuse.Drafts); err != nil { + if err := createMbox(name, imap.DraftsAttr); err != nil { fmt.Fprintf(os.Stderr, "Failed to create drafts folder: %v", err) } } if name := ctx.String("archive-name"); name != "" { - if err := createMbox(name, specialuse.Archive); err != nil { + if err := createMbox(name, imap.ArchiveAttr); err != nil { fmt.Fprintf(os.Stderr, "Failed to create archive folder: %v", err) } } diff --git a/go.mod b/go.mod index a625efc..814f3cb 100644 --- a/go.mod +++ b/go.mod @@ -70,8 +70,8 @@ require ( golang.org/x/net v0.0.0-20211011170408-caeb26a5c8c0 golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1 // indirect golang.org/x/sync v0.0.0-20210220032951-036812b2e83c - golang.org/x/text v0.3.7 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac // indirect + golang.org/x/text v0.3.7 google.golang.org/api v0.58.0 // indirect google.golang.org/genproto v0.0.0-20211011165927-a5fb3255271e // indirect google.golang.org/grpc v1.41.0 // indirect diff --git a/go.sum b/go.sum index 4e42192..36835ec 100644 --- a/go.sum +++ b/go.sum @@ -99,43 +99,15 @@ github.com/digitalocean/godo v1.69.1 h1:aCyfwth8R3DeOaWB9J9E8v7cjlDIlF19eXTt8R3X github.com/digitalocean/godo v1.69.1/go.mod h1:epPuOzTOOJujNo0nduDj2D5O1zu8cSpp9R+DdN0W9I0= github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= -github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= -github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= -github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M= -github.com/emersion/go-imap-appendlimit v0.0.0-20190308131241-25671c986a6a h1:bMdSPm6sssuOFpIaveu3XGAijMS3Tq2S3EqFZmZxidc= -github.com/emersion/go-imap v1.0.0-beta.4.0.20190504114255-4d5af3d05147/go.mod h1:mOPegfAgLVXbhRm1bh2JTX08z2Y3HYmKYpbrKDeAzsQ= -github.com/emersion/go-imap v1.0.0/go.mod h1:MEiDDwwQFcZ+L45Pa68jNGv0qU9kbW+SJzwDpvSfX1s= -github.com/emersion/go-imap v1.0.3/go.mod h1:yKASt+C3ZiDAiCSssxg9caIckWF/JG7ZQTO7GAmvicU= -github.com/emersion/go-imap v1.0.4/go.mod h1:yKASt+C3ZiDAiCSssxg9caIckWF/JG7ZQTO7GAmvicU= -github.com/emersion/go-imap v1.0.5/go.mod h1:yKASt+C3ZiDAiCSssxg9caIckWF/JG7ZQTO7GAmvicU= -github.com/emersion/go-imap v1.0.6/go.mod h1:yKASt+C3ZiDAiCSssxg9caIckWF/JG7ZQTO7GAmvicU= -github.com/emersion/go-imap v1.2.0 h1:lyUQ3+EVM21/qbWE/4Ya5UG9r5+usDxlg4yfp3TgHFA= -github.com/emersion/go-imap v1.2.0/go.mod h1:Qlx1FSx2FTxjnjWpIlVNEuX+ylerZQNFE5NsmKFSejY= github.com/emersion/go-imap-appendlimit v0.0.0-20190308131241-25671c986a6a/go.mod h1:ikgISoP7pRAolqsVP64yMteJa2FIpS6ju88eBT6K1yQ= -github.com/emersion/go-imap-appendlimit v0.0.0-20210907172056-e3baed77bbe4 h1:U6LL6F1dYqXpVTwEbXhcfU8hgpNvmjB9xeOAiHN695o= -github.com/emersion/go-imap-appendlimit v0.0.0-20210907172056-e3baed77bbe4/go.mod h1:ikgISoP7pRAolqsVP64yMteJa2FIpS6ju88eBT6K1yQ= github.com/emersion/go-imap-compress v0.0.0-20201103190257-14809af1d1b9 h1:7dmV11mle4UAQ7lX+Hdzx6akKFg3hVm/UUmQ7t6VgTQ= github.com/emersion/go-imap-compress v0.0.0-20201103190257-14809af1d1b9/go.mod h1:2Ro1PbmiqYiRe5Ct2sGR5hHaKSVHeRpVZwXx8vyYt98= -github.com/emersion/go-imap-idle v0.0.0-20210907174914-db2568431445 h1:dAGbaaU4LLupO7dnYZaELOoI3RoVDNi5DCGejLe8a7c= -github.com/emersion/go-imap-idle v0.0.0-20210907174914-db2568431445/go.mod h1:N/6S3dRTVt8xT867m+476C16+v/Fq4WZYvh2Chg0nmg= github.com/emersion/go-imap-move v0.0.0-20180601155324-5eb20cb834bf/go.mod h1:QuMaZcKFDVI0yCrnAbPLfbwllz1wtOrZH8/vZ5yzp4w= -github.com/emersion/go-imap-move v0.0.0-20210907172020-fe4558f9c872 h1:HGBfonz0q/zq7y3ew+4oy4emHSvk6bkmV0mdDG3E77M= -github.com/emersion/go-imap-move v0.0.0-20210907172020-fe4558f9c872/go.mod h1:QuMaZcKFDVI0yCrnAbPLfbwllz1wtOrZH8/vZ5yzp4w= github.com/emersion/go-imap-sortthread v1.1.1-0.20200727121200-18e5fb409fed/go.mod h1:opHOzblOHZKQM1JEy+GPk1217giNLa7kleyWTN06qnc= github.com/emersion/go-imap-sortthread v1.2.0 h1:EMVEJXPWAhXMWECjR82Rn/tza6MddcvTwGAdTu1vJKU= github.com/emersion/go-imap-sortthread v1.2.0/go.mod h1:UhenCBupR+vSYRnqJkpjSq84INUCsyAK1MLpogv14pE= -github.com/emersion/go-imap-specialuse v0.0.0-20161227184202-ba031ced6a62 h1:4ZAfwfc8aDlj26kkEap1UDSwwDnJp9Ie8Uj1MSXAkPk= -github.com/emersion/go-imap-specialuse v0.0.0-20161227184202-ba031ced6a62/go.mod h1:/nybxhI8kXom8Tw6BrHMl42usALvka6meORflnnYwe4= github.com/emersion/go-imap-specialuse v0.0.0-20201101201809-1ab93d3d150e h1:AwVkRMFFUMNu+tx0jchwyoXhS2VClQSzTtByVuzxbsE= github.com/emersion/go-imap-specialuse v0.0.0-20201101201809-1ab93d3d150e/go.mod h1:/nybxhI8kXom8Tw6BrHMl42usALvka6meORflnnYwe4= -github.com/emersion/go-imap-unselect v0.0.0-20171113212723-b985794e5f26 h1:FiSb8+XBQQSkcX3ubr+1tAtlRJBYaFmRZqOAweZ9Wy8= -github.com/emersion/go-imap-unselect v0.0.0-20171113212723-b985794e5f26/go.mod h1:+gnnZx3Mg3MnCzZrv0eZdp5puxXQUgGT/6N6L7ShKfM= -github.com/emersion/go-imap-unselect v0.0.0-20210907172115-4c2c4843bf69 h1:ltTnRlPdSMMb0a/pg7S31T3g+syYeSS5UVJtiR7ez1Y= -github.com/emersion/go-imap-unselect v0.0.0-20210907172115-4c2c4843bf69/go.mod h1:+gnnZx3Mg3MnCzZrv0eZdp5puxXQUgGT/6N6L7ShKfM= -github.com/emersion/go-message v0.9.1/go.mod h1:m3cK90skCWxm5sIMs1sXxly4Tn9Plvcf6eayHZJ1NzM= -github.com/emersion/go-message v0.10.3/go.mod h1:3h+HsGTCFHmk4ngJ2IV/YPhdlaOcR6hcgqM3yca9v7c= -github.com/emersion/go-message v0.11.1/go.mod h1:C4jnca5HOTo4bGN9YdqNQM9sITuT3Y0K6bSUw9RklvY= github.com/emersion/go-message v0.11.2/go.mod h1:C4jnca5HOTo4bGN9YdqNQM9sITuT3Y0K6bSUw9RklvY= github.com/emersion/go-message v0.14.1/go.mod h1:N1JWdZQ2WRUalmdHAX308CWBq747VJ8oUorFI3VCBwU= github.com/emersion/go-message v0.15.0 h1:urgKGqt2JAc9NFJcgncQcohHdiYb803YTH9OQwHBHIY= @@ -167,31 +139,19 @@ github.com/foxcpp/go-dovecot-sasl v0.0.0-20200522223722-c4699d7a24bf h1:rmBPY5fr github.com/foxcpp/go-dovecot-sasl v0.0.0-20200522223722-c4699d7a24bf/go.mod h1:5yZUmwr851vgjyAfN7OEfnrmKOh/qLA5dbGelXYsu1E= github.com/foxcpp/go-imap v1.0.0-beta.1.0.20220105164802-1e767d4cfd62 h1:fkQX2NRzBgtR2PC60IXzrhcxr3Gti8zIY9HNhJ43/7w= github.com/foxcpp/go-imap v1.0.0-beta.1.0.20220105164802-1e767d4cfd62/go.mod h1:Qlx1FSx2FTxjnjWpIlVNEuX+ylerZQNFE5NsmKFSejY= -github.com/foxcpp/go-imap-backend-tests v0.0.0-20200617132817-958ea5829771/go.mod h1:yUISYv/uXLQ6tQZcds/p/hdcZ5JzrEUifyED2VffWpc= -github.com/foxcpp/go-imap-backend-tests v0.0.0-20200802090154-7e6248c85a0e h1:wUYcbeGDlKqaa02jHuFMBVVfw51v7KaizLRT+i8wftc= -github.com/foxcpp/go-imap-backend-tests v0.0.0-20200802090154-7e6248c85a0e/go.mod h1:dWepYGUClcebWyUy7yl8wm2ioE6NC4m82Xy/hDAng1c= github.com/foxcpp/go-imap-backend-tests v0.0.0-20220105184719-e80aa29a5e16 h1:qheFPDpteiUy7Ym18R68OYenpk85UyKYGkhYTmddSBg= github.com/foxcpp/go-imap-backend-tests v0.0.0-20220105184719-e80aa29a5e16/go.mod h1:OPP1AgKxMPo3aHX5pcEZLQhhh5sllFcB8aUN9f6a6X8= github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005 h1:pfoFtkTTQ473qStSN79jhCFBWqMQt/3DQ3NGuXvT+50= github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005/go.mod h1:34FwxnjC2N+EFs2wMtsHevrZLWRKRuVU8wEcHWKq/nE= -github.com/foxcpp/go-imap-mess v0.0.0-20210718073110-d5eb968a0995/go.mod h1:cps13jIcqI/3FGVJQ8azz3apLjikGoKKcB6xb65VSag= -github.com/foxcpp/go-imap-mess v0.0.0-20210718180745-f14f34d14a3b h1:O85JcWCduTZz5FkqCrQX79wc88lgSezbTqrWNgXyEow= -github.com/foxcpp/go-imap-mess v0.0.0-20210718180745-f14f34d14a3b/go.mod h1:cps13jIcqI/3FGVJQ8azz3apLjikGoKKcB6xb65VSag= github.com/foxcpp/go-imap-mess v0.0.0-20220105225909-b3469f4a4315 h1:3MxfvA+zWxl+p5BeQ7pROzigTSHAcalvsExTu1Is41Y= github.com/foxcpp/go-imap-mess v0.0.0-20220105225909-b3469f4a4315/go.mod h1:S/ELw0SONJ3ffk0ie7TYD6OxoIiyeMI22Fr3kwKUG8s= github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed h1:1Jo7geyvunrPSjL6F6D9EcXoNApS5v3LQaro7aUNPnE= github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed/go.mod h1:Shows1vmkBWO40ChOClaUe6DUnZrsP1UPAuoWzIUdgQ= -github.com/foxcpp/go-imap-sql v0.4.1-0.20210718082546-d38d40f5442c h1:bNaw79UJEonuRo1box0wUGGBT2V/XGkhT2NakjZnRIs= -github.com/foxcpp/go-imap-sql v0.4.1-0.20210718082546-d38d40f5442c/go.mod h1:kl+x+noffdBsp1pAR+PTHupLoxHnJZZw6BFcmmCZeUI= github.com/foxcpp/go-imap-sql v0.5.1-0.20220105233636-946daf36ce81 h1:hd79KlESgagszJqmV+dm36r5NR5NFYCMQ2dWi05gKKs= github.com/foxcpp/go-imap-sql v0.5.1-0.20220105233636-946daf36ce81/go.mod h1:tl6w1OlN7LLvJOoWTR7bNt0JQE+wPbYr8f3/nJSSlwU= -github.com/foxcpp/go-imap-namespace v0.0.0-20200722130255-93092adf35f1 h1:B4zNQ2r4qC7FLn8J8+LWt09fFW0tXddypBPS0+HI50s= -github.com/foxcpp/go-imap-namespace v0.0.0-20200722130255-93092adf35f1/go.mod h1:WJYkFIdxyljR/byiqcYMKUF4iFDej4CaIKe2JJrQxu8= -github.com/foxcpp/go-imap-sql v0.5.1-0.20210828123943-f74ead8f06cd h1:4vpPV74xAqiJD6AVGIK6jucz/Frq70sYRcOAU5FLz6I= -github.com/foxcpp/go-imap-sql v0.5.1-0.20210828123943-f74ead8f06cd/go.mod h1:1dHCAq3XRkYRwTDOtL/vCgvvQ13gLqNt2+nLjL1UHyk= github.com/foxcpp/go-mockdns v0.0.0-20191216195825-5eabd8dbfe1f/go.mod h1:tPg4cp4nseejPd+UKxtCVQ2hUxNTZ7qQZJa7CLriIeo= -github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897 h1:E52jfcE64UG42SwLmrW0QByONfGynWuzBvm86BoB9z8= -github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= +github.com/foxcpp/go-mockdns v0.0.0-20201212160233-ede2f9158d15 h1:nLPjjvpUAODOR6vY/7o0hBIk8iTr19Fvmf8aFx/kC7A= +github.com/foxcpp/go-mockdns v0.0.0-20201212160233-ede2f9158d15/go.mod h1:tPg4cp4nseejPd+UKxtCVQ2hUxNTZ7qQZJa7CLriIeo= github.com/foxcpp/go-mtasts v0.0.0-20191219193356-62bc3f1f74b8 h1:k8w0iy6GP9oeSZWUH3p2DqZHaXDKZGNs3NZGZMGfQHc= github.com/foxcpp/go-mtasts v0.0.0-20191219193356-62bc3f1f74b8/go.mod h1:HO1YOCbBM8KjpgThMMFejHx6K/UsnEv2Oh9YGtBIlOU= github.com/frankban/quicktest v1.5.0 h1:Tb4jWdSpdjKzTUicPnY61PZxKbDoGa7ABbrReT3gQVY= @@ -299,7 +259,6 @@ github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= github.com/googleapis/gax-go/v2 v2.1.1 h1:dp3bWCh+PPO1zjRRiCSczJav13sBvG4UhNyVTa1KqdU= github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM= @@ -336,7 +295,6 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= -github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= @@ -395,7 +353,6 @@ github.com/libdns/vultr v0.0.0-20201128180404-1d5ee21ea62f/go.mod h1:T6u+iQbIf9w github.com/mailru/easyjson v0.7.1/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/martinlindhe/base36 v0.0.0-20190418230009-7c6542dfbb41/go.mod h1:+AtEs8xrBpCeYgSLoY/aJ6Wf37jtBuR0s35750M27+8= github.com/martinlindhe/base36 v1.0.0/go.mod h1:+AtEs8xrBpCeYgSLoY/aJ6Wf37jtBuR0s35750M27+8= github.com/martinlindhe/base36 v1.1.0/go.mod h1:+AtEs8xrBpCeYgSLoY/aJ6Wf37jtBuR0s35750M27+8= github.com/mattn/go-sqlite3 v2.0.3+incompatible h1:gXHsfypPkaMZrKbD5209QV9jbUTJKjyR5WD3HYQSd+U= @@ -405,7 +362,6 @@ github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5 github.com/mholt/acmez v1.0.0 h1:ZAdWrilnq41HTlUO0vMJ6C+z8ZvzQ9I2LR1/Bo+137U= github.com/mholt/acmez v1.0.0/go.mod h1:8qnn8QA/Ewx8E3ZSsmscqsIjhhpxuy9vqdgbX2ceceM= github.com/miekg/dns v1.1.22/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= -github.com/miekg/dns v1.1.25/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= github.com/miekg/dns v1.1.42/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4= github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4= @@ -476,9 +432,7 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= -github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s= github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.2.1/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= @@ -727,7 +681,6 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From e264db0bd6b2edbc8e06d2b45130d79eda4cea9d Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Thu, 6 Jan 2022 03:48:54 +0300 Subject: [PATCH 09/41] Fix incorrect .gitignore See #426. --- .gitignore | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 6b204b6..9e5f5bf 100644 --- a/.gitignore +++ b/.gitignore @@ -24,8 +24,8 @@ _testmain.go cmd/maddy/maddy cmd/maddyctl/maddyctl cmd/maddy-*-helper/maddy-*-helper -maddy -maddyctl +/maddy +/maddyctl # Man pages docs/man/*.1 From cca7b485f6ab8979f8b41975f538f48be8576f1f Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Thu, 6 Jan 2022 04:40:27 +0300 Subject: [PATCH 10/41] cmd/maddyctl: Migrate to urfave/cli/v2 --- cmd/maddyctl/appendlimit.go | 7 +- cmd/maddyctl/hash.go | 14 +- cmd/maddyctl/imap.go | 74 +++++----- cmd/maddyctl/imapacct.go | 15 ++- cmd/maddyctl/main.go | 260 ++++++++++++++++++++---------------- cmd/maddyctl/users.go | 6 +- go.mod | 1 + go.sum | 4 +- 8 files changed, 207 insertions(+), 174 deletions(-) diff --git a/cmd/maddyctl/appendlimit.go b/cmd/maddyctl/appendlimit.go index c807356..86a519d 100644 --- a/cmd/maddyctl/appendlimit.go +++ b/cmd/maddyctl/appendlimit.go @@ -19,12 +19,11 @@ along with this program. If not, see . package main import ( - "errors" "fmt" imapbackend "github.com/emersion/go-imap/backend" "github.com/foxcpp/maddy/framework/module" - "github.com/urfave/cli" + "github.com/urfave/cli/v2" ) // Copied from go-imap-backend-tests. @@ -42,7 +41,7 @@ type AppendLimitUser interface { func imapAcctAppendlimit(be module.Storage, ctx *cli.Context) error { username := ctx.Args().First() if username == "" { - return errors.New("Error: USERNAME is required") + return cli.Exit("Error: USERNAME is required", 2) } u, err := be.GetIMAPAcct(username) @@ -51,7 +50,7 @@ func imapAcctAppendlimit(be module.Storage, ctx *cli.Context) error { } userAL, ok := u.(AppendLimitUser) if !ok { - return errors.New("Error: module.Storage does not support per-user append limit") + return cli.Exit("Error: module.Storage does not support per-user append limit", 2) } if ctx.IsSet("value") { diff --git a/cmd/maddyctl/hash.go b/cmd/maddyctl/hash.go index f4ce5f5..35a2b88 100644 --- a/cmd/maddyctl/hash.go +++ b/cmd/maddyctl/hash.go @@ -19,14 +19,13 @@ along with this program. If not, see . package main import ( - "errors" "fmt" "os" "strings" "github.com/foxcpp/maddy/cmd/maddyctl/clitools" "github.com/foxcpp/maddy/internal/auth/pass_table" - "github.com/urfave/cli" + "github.com/urfave/cli/v2" "golang.org/x/crypto/bcrypt" ) @@ -43,7 +42,7 @@ func hashCommand(ctx *cli.Context) error { funcs = append(funcs, k) } - return fmt.Errorf("Error: Unknown hash function, available: %s", strings.Join(funcs, ", ")) + return cli.Exit(fmt.Sprintf("Error: Unknown hash function, available: %s", strings.Join(funcs, ", ")), 2) } opts := pass_table.HashOpts{ @@ -54,10 +53,10 @@ func hashCommand(ctx *cli.Context) error { } if ctx.IsSet("bcrypt-cost") { if ctx.Int("bcrypt-cost") > bcrypt.MaxCost { - return errors.New("Error: too big bcrypt cost") + return cli.Exit("Error: too big bcrypt cost", 2) } if ctx.Int("bcrypt-cost") < bcrypt.MinCost { - return errors.New("Error: too small bcrypt cost") + return cli.Exit("Error: too small bcrypt cost", 2) } opts.BcryptCost = ctx.Int("bcrypt-cost") } @@ -83,7 +82,10 @@ func hashCommand(ctx *cli.Context) error { } if pass == "" { - fmt.Fprintln(os.Stderr, "WARNING: This is the hash of empty string") + fmt.Fprintln(os.Stderr, "WARNING: This is the hash of an empty string") + } + if strings.TrimSpace(pass) != pass { + fmt.Fprintln(os.Stderr, "WARNING: There is leading/trailing whitespace in the string") } hash, err := hashCompute(opts, pass) diff --git a/cmd/maddyctl/imap.go b/cmd/maddyctl/imap.go index e974842..3681fc5 100644 --- a/cmd/maddyctl/imap.go +++ b/cmd/maddyctl/imap.go @@ -31,7 +31,7 @@ import ( imapsql "github.com/foxcpp/go-imap-sql" "github.com/foxcpp/maddy/cmd/maddyctl/clitools" "github.com/foxcpp/maddy/framework/module" - "github.com/urfave/cli" + "github.com/urfave/cli/v2" ) func FormatAddress(addr *imap.Address) string { @@ -49,7 +49,7 @@ func FormatAddressList(addrs []*imap.Address) string { func mboxesList(be module.Storage, ctx *cli.Context) error { username := ctx.Args().First() if username == "" { - return errors.New("Error: USERNAME is required") + return cli.Exit("Error: USERNAME is required", 2) } u, err := be.GetIMAPAcct(username) @@ -62,7 +62,7 @@ func mboxesList(be module.Storage, ctx *cli.Context) error { return err } - if len(mboxes) == 0 && !ctx.GlobalBool("quiet") { + if len(mboxes) == 0 && !ctx.Bool("quiet") { fmt.Fprintln(os.Stderr, "No mailboxes.") } @@ -80,11 +80,11 @@ func mboxesList(be module.Storage, ctx *cli.Context) error { func mboxesCreate(be module.Storage, ctx *cli.Context) error { username := ctx.Args().First() if username == "" { - return errors.New("Error: USERNAME is required") + return cli.Exit("Error: USERNAME is required", 2) } name := ctx.Args().Get(1) if name == "" { - return errors.New("Error: NAME is required") + return cli.Exit("Error: NAME is required", 2) } u, err := be.GetIMAPAcct(username) @@ -97,7 +97,7 @@ func mboxesCreate(be module.Storage, ctx *cli.Context) error { suu, ok := u.(SpecialUseUser) if !ok { - return errors.New("Error: storage backend does not support SPECIAL-USE IMAP extension") + return cli.Exit("Error: storage backend does not support SPECIAL-USE IMAP extension", 2) } return suu.CreateMailboxSpecial(name, attr) @@ -109,11 +109,11 @@ func mboxesCreate(be module.Storage, ctx *cli.Context) error { func mboxesRemove(be module.Storage, ctx *cli.Context) error { username := ctx.Args().First() if username == "" { - return errors.New("Error: USERNAME is required") + return cli.Exit("Error: USERNAME is required", 2) } name := ctx.Args().Get(1) if name == "" { - return errors.New("Error: NAME is required") + return cli.Exit("Error: NAME is required", 2) } u, err := be.GetIMAPAcct(username) @@ -121,7 +121,7 @@ func mboxesRemove(be module.Storage, ctx *cli.Context) error { return err } - if !ctx.Bool("yes,y") { + if !ctx.Bool("yes") { status, err := u.Status(name, []imap.StatusItem{imap.StatusMessages}) if err != nil { return err @@ -142,15 +142,15 @@ func mboxesRemove(be module.Storage, ctx *cli.Context) error { func mboxesRename(be module.Storage, ctx *cli.Context) error { username := ctx.Args().First() if username == "" { - return errors.New("Error: USERNAME is required") + return cli.Exit("Error: USERNAME is required", 2) } oldName := ctx.Args().Get(1) if oldName == "" { - return errors.New("Error: OLDNAME is required") + return cli.Exit("Error: OLDNAME is required", 2) } newName := ctx.Args().Get(2) if newName == "" { - return errors.New("Error: NEWNAME is required") + return cli.Exit("Error: NEWNAME is required", 2) } u, err := be.GetIMAPAcct(username) @@ -164,11 +164,11 @@ func mboxesRename(be module.Storage, ctx *cli.Context) error { func msgsAdd(be module.Storage, ctx *cli.Context) error { username := ctx.Args().First() if username == "" { - return errors.New("Error: USERNAME is required") + return cli.Exit("Error: USERNAME is required", 2) } name := ctx.Args().Get(1) if name == "" { - return errors.New("Error: MAILBOX is required") + return cli.Exit("Error: MAILBOX is required", 2) } u, err := be.GetIMAPAcct(username) @@ -192,7 +192,7 @@ func msgsAdd(be module.Storage, ctx *cli.Context) error { } if buf.Len() == 0 { - return errors.New("Error: Empty message, refusing to continue") + return cli.Exit("Error: Empty message, refusing to continue", 2) } status, err := u.Status(name, []imap.StatusItem{imap.StatusUidNext}) @@ -213,15 +213,15 @@ func msgsAdd(be module.Storage, ctx *cli.Context) error { func msgsRemove(be module.Storage, ctx *cli.Context) error { username := ctx.Args().First() if username == "" { - return errors.New("Error: USERNAME is required") + return cli.Exit("Error: USERNAME is required", 2) } name := ctx.Args().Get(1) if name == "" { - return errors.New("Error: MAILBOX is required") + return cli.Exit("Error: MAILBOX is required", 2) } seqset := ctx.Args().Get(2) if seqset == "" { - return errors.New("Error: SEQSET is required") + return cli.Exit("Error: SEQSET is required", 2) } seq, err := imap.ParseSeqSet(seqset) @@ -252,19 +252,19 @@ func msgsRemove(be module.Storage, ctx *cli.Context) error { func msgsCopy(be module.Storage, ctx *cli.Context) error { username := ctx.Args().First() if username == "" { - return errors.New("Error: USERNAME is required") + return cli.Exit("Error: USERNAME is required", 2) } srcName := ctx.Args().Get(1) if srcName == "" { - return errors.New("Error: SRCMAILBOX is required") + return cli.Exit("Error: SRCMAILBOX is required", 2) } seqset := ctx.Args().Get(2) if seqset == "" { - return errors.New("Error: SEQSET is required") + return cli.Exit("Error: SEQSET is required", 2) } tgtName := ctx.Args().Get(3) if tgtName == "" { - return errors.New("Error: TGTMAILBOX is required") + return cli.Exit("Error: TGTMAILBOX is required", 2) } seq, err := imap.ParseSeqSet(seqset) @@ -286,25 +286,25 @@ func msgsCopy(be module.Storage, ctx *cli.Context) error { } func msgsMove(be module.Storage, ctx *cli.Context) error { - if ctx.Bool("y,yes") || !clitools.Confirmation("Currently, it is unsafe to remove messages from mailboxes used by connected clients, continue?", false) { - return errors.New("Cancelled") + if ctx.Bool("yes") || !clitools.Confirmation("Currently, it is unsafe to remove messages from mailboxes used by connected clients, continue?", false) { + return cli.Exit("Cancelled", 2) } username := ctx.Args().First() if username == "" { - return errors.New("Error: USERNAME is required") + return cli.Exit("Error: USERNAME is required", 2) } srcName := ctx.Args().Get(1) if srcName == "" { - return errors.New("Error: SRCMAILBOX is required") + return cli.Exit("Error: SRCMAILBOX is required", 2) } seqset := ctx.Args().Get(2) if seqset == "" { - return errors.New("Error: SEQSET is required") + return cli.Exit("Error: SEQSET is required", 2) } tgtName := ctx.Args().Get(3) if tgtName == "" { - return errors.New("Error: TGTMAILBOX is required") + return cli.Exit("Error: TGTMAILBOX is required", 2) } seq, err := imap.ParseSeqSet(seqset) @@ -330,11 +330,11 @@ func msgsMove(be module.Storage, ctx *cli.Context) error { func msgsList(be module.Storage, ctx *cli.Context) error { username := ctx.Args().First() if username == "" { - return errors.New("Error: USERNAME is required") + return cli.Exit("Error: USERNAME is required", 2) } mboxName := ctx.Args().Get(1) if mboxName == "" { - return errors.New("Error: MAILBOX is required") + return cli.Exit("Error: MAILBOX is required", 2) } seqset := ctx.Args().Get(2) if seqset == "" { @@ -406,11 +406,11 @@ func msgsList(be module.Storage, ctx *cli.Context) error { func msgsDump(be module.Storage, ctx *cli.Context) error { username := ctx.Args().First() if username == "" { - return errors.New("Error: USERNAME is required") + return cli.Exit("Error: USERNAME is required", 2) } mboxName := ctx.Args().Get(1) if mboxName == "" { - return errors.New("Error: MAILBOX is required") + return cli.Exit("Error: MAILBOX is required", 2) } seqset := ctx.Args().Get(2) if seqset == "" { @@ -450,15 +450,15 @@ func msgsDump(be module.Storage, ctx *cli.Context) error { func msgsFlags(be module.Storage, ctx *cli.Context) error { username := ctx.Args().First() if username == "" { - return errors.New("Error: USERNAME is required") + return cli.Exit("Error: USERNAME is required", 2) } name := ctx.Args().Get(1) if name == "" { - return errors.New("Error: MAILBOX is required") + return cli.Exit("Error: MAILBOX is required", 2) } seqStr := ctx.Args().Get(2) if seqStr == "" { - return errors.New("Error: SEQ is required") + return cli.Exit("Error: SEQ is required", 2) } seq, err := imap.ParseSeqSet(seqStr) @@ -476,9 +476,9 @@ func msgsFlags(be module.Storage, ctx *cli.Context) error { return err } - flags := ctx.Args()[3:] + flags := ctx.Args().Slice()[3:] if len(flags) == 0 { - return errors.New("Error: at least once FLAG is required") + return cli.Exit("Error: at least once FLAG is required", 2) } var op imap.FlagsOp diff --git a/cmd/maddyctl/imapacct.go b/cmd/maddyctl/imapacct.go index 1d3af83..1b560e8 100644 --- a/cmd/maddyctl/imapacct.go +++ b/cmd/maddyctl/imapacct.go @@ -23,9 +23,10 @@ import ( "fmt" "os" + "github.com/emersion/go-imap" "github.com/foxcpp/maddy/cmd/maddyctl/clitools" "github.com/foxcpp/maddy/framework/module" - "github.com/urfave/cli" + "github.com/urfave/cli/v2" ) type SpecialUseUser interface { @@ -35,7 +36,7 @@ type SpecialUseUser interface { func imapAcctList(be module.Storage, ctx *cli.Context) error { mbe, ok := be.(module.ManageableStorage) if !ok { - return errors.New("Error: storage backend does not support accounts management using maddyctl") + return cli.Exit("Error: storage backend does not support accounts management using maddyctl", 2) } list, err := mbe.ListIMAPAccts() @@ -43,7 +44,7 @@ func imapAcctList(be module.Storage, ctx *cli.Context) error { return err } - if len(list) == 0 && !ctx.GlobalBool("quiet") { + if len(list) == 0 && !ctx.Bool("quiet") { fmt.Fprintln(os.Stderr, "No users.") } @@ -56,12 +57,12 @@ func imapAcctList(be module.Storage, ctx *cli.Context) error { func imapAcctCreate(be module.Storage, ctx *cli.Context) error { mbe, ok := be.(module.ManageableStorage) if !ok { - return errors.New("Error: storage backend does not support accounts management using maddyctl") + return cli.Exit("Error: storage backend does not support accounts management using maddyctl", 2) } username := ctx.Args().First() if username == "" { - return errors.New("Error: USERNAME is required") + return cli.Exit("Error: USERNAME is required", 2) } if err := mbe.CreateIMAPAcct(username); err != nil { @@ -117,12 +118,12 @@ func imapAcctCreate(be module.Storage, ctx *cli.Context) error { func imapAcctRemove(be module.Storage, ctx *cli.Context) error { mbe, ok := be.(module.ManageableStorage) if !ok { - return errors.New("Error: storage backend does not support accounts management using maddyctl") + return cli.Exit("Error: storage backend does not support accounts management using maddyctl", 2) } username := ctx.Args().First() if username == "" { - return errors.New("Error: USERNAME is required") + return cli.Exit("Error: USERNAME is required", 2) } if !ctx.Bool("yes") { diff --git a/cmd/maddyctl/main.go b/cmd/maddyctl/main.go index 026af1d..f784f88 100644 --- a/cmd/maddyctl/main.go +++ b/cmd/maddyctl/main.go @@ -24,6 +24,7 @@ import ( "io" "os" "path/filepath" + "time" "github.com/foxcpp/maddy" parser "github.com/foxcpp/maddy/framework/cfgparser" @@ -31,7 +32,7 @@ import ( "github.com/foxcpp/maddy/framework/hooks" "github.com/foxcpp/maddy/framework/module" "github.com/foxcpp/maddy/internal/updatepipe" - "github.com/urfave/cli" + "github.com/urfave/cli/v2" "golang.org/x/crypto/bcrypt" ) @@ -46,29 +47,35 @@ func main() { app.Name = "maddyctl" app.Usage = "maddy mail server administration utility" app.Version = maddy.BuildInfo() - + app.ExitErrHandler = func(c *cli.Context, err error) { + cli.HandleExitCoder(err) + if err != nil { + fmt.Fprintln(os.Stderr, err.Error()) + cli.OsExiter(1) + } + } app.Flags = []cli.Flag{ - cli.StringFlag{ + &cli.PathFlag{ Name: "config", Usage: "Configuration file to use", - EnvVar: "MADDY_CONFIG", + EnvVars: []string{"MADDY_CONFIG"}, Value: filepath.Join(maddy.ConfigDirectory, "maddy.conf"), }, } - app.Commands = []cli.Command{ + app.Commands = []*cli.Command{ { Name: "creds", Usage: "Local credentials management", - Subcommands: []cli.Command{ + Subcommands: []*cli.Command{ { Name: "list", Usage: "List created credentials", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_authdb", }, }, @@ -87,26 +94,28 @@ func main() { Description: "Reads password from stdin", ArgsUsage: "USERNAME", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_authdb", }, - cli.StringFlag{ - Name: "password,p", + &cli.StringFlag{ + Name: "password", + Aliases: []string{"p"}, Usage: "Use `PASSWORD instead of reading password from stdin.\n\t\tWARNING: Provided only for debugging convenience. Don't leave your passwords in shell history!", }, - cli.BoolFlag{ - Name: "null,n", + &cli.BoolFlag{ + Name: "null", + Aliases: []string{"n"}, Usage: "Create account with null password", }, - cli.StringFlag{ + &cli.StringFlag{ Name: "hash", Usage: "Use specified hash algorithm. Valid values: sha3-512, bcrypt", Value: "bcrypt", }, - cli.IntFlag{ + &cli.IntFlag{ Name: "bcrypt-cost", Usage: "Specify bcrypt cost value", Value: bcrypt.DefaultCost, @@ -126,14 +135,15 @@ func main() { Usage: "Delete user account", ArgsUsage: "USERNAME", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_authdb", }, - cli.BoolFlag{ - Name: "yes,y", + &cli.BoolFlag{ + Name: "yes", + Aliases: []string{"y"}, Usage: "Don't ask for confirmation", }, }, @@ -152,14 +162,15 @@ func main() { Description: "Reads password from stdin", ArgsUsage: "USERNAME", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_authdb", }, - cli.StringFlag{ - Name: "password,p", + &cli.StringFlag{ + Name: "password", + Aliases: []string{"p"}, Usage: "Use `PASSWORD` instead of reading password from stdin.\n\t\tWARNING: Provided only for debugging convenience. Don't leave your passwords in shell history!", }, }, @@ -177,15 +188,15 @@ func main() { { Name: "imap-acct", Usage: "IMAP storage accounts management", - Subcommands: []cli.Command{ + Subcommands: []*cli.Command{ { Name: "list", Usage: "List storage accounts", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, }, @@ -203,33 +214,33 @@ func main() { Usage: "Create IMAP storage account", ArgsUsage: "USERNAME", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, - cli.StringFlag{ + &cli.StringFlag{ Name: "sent-name", Usage: "Name of special mailbox for sent messages, use empty string to not create any", Value: "Sent", }, - cli.StringFlag{ + &cli.StringFlag{ Name: "trash-name", Usage: "Name of special mailbox for trash, use empty string to not create any", Value: "Trash", }, - cli.StringFlag{ + &cli.StringFlag{ Name: "junk-name", Usage: "Name of special mailbox for 'junk' (spam), use empty string to not create any", Value: "Junk", }, - cli.StringFlag{ + &cli.StringFlag{ Name: "drafts-name", Usage: "Name of special mailbox for drafts, use empty string to not create any", Value: "Drafts", }, - cli.StringFlag{ + &cli.StringFlag{ Name: "archive-name", Usage: "Name of special mailbox for archive, use empty string to not create any", Value: "Archive", @@ -249,14 +260,15 @@ func main() { Usage: "Delete IMAP storage account", ArgsUsage: "USERNAME", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, - cli.BoolFlag{ - Name: "yes,y", + &cli.BoolFlag{ + Name: "yes", + Aliases: []string{"y"}, Usage: "Don't ask for confirmation", }, }, @@ -274,14 +286,15 @@ func main() { Usage: "Query or set accounts's APPENDLIMIT value", ArgsUsage: "USERNAME", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, - cli.IntFlag{ - Name: "value,v", + &cli.IntFlag{ + Name: "value", + Aliases: []string{"v"}, Usage: "Set APPENDLIMIT to specified value (in bytes)", }, }, @@ -299,20 +312,21 @@ func main() { { Name: "imap-mboxes", Usage: "IMAP mailboxes (folders) management", - Subcommands: []cli.Command{ + Subcommands: []*cli.Command{ { Name: "list", Usage: "Show mailboxes of user", ArgsUsage: "USERNAME", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, - cli.BoolFlag{ - Name: "subscribed,s", + &cli.BoolFlag{ + Name: "subscribed", + Aliases: []string{"s"}, Usage: "List only subscribed mailboxes", }, }, @@ -330,13 +344,13 @@ func main() { Usage: "Create mailbox", ArgsUsage: "USERNAME NAME", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, - cli.StringFlag{ + &cli.StringFlag{ Name: "special", Usage: "Set SPECIAL-USE attribute on mailbox; valid values: archive, drafts, junk, sent, trash", }, @@ -356,14 +370,15 @@ func main() { Description: "WARNING: All contents of mailbox will be irrecoverably lost.", ArgsUsage: "USERNAME MAILBOX", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, - cli.BoolFlag{ - Name: "yes,y", + &cli.BoolFlag{ + Name: "yes", + Aliases: []string{"y"}, Usage: "Don't ask for confirmation", }, }, @@ -382,10 +397,10 @@ func main() { Description: "Rename may cause unexpected failures on client-side so be careful.", ArgsUsage: "USERNAME OLDNAME NEWNAME", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, }, @@ -403,26 +418,29 @@ func main() { { Name: "imap-msgs", Usage: "IMAP messages management", - Subcommands: []cli.Command{ + Subcommands: []*cli.Command{ { Name: "add", Usage: "Add message to mailbox", ArgsUsage: "USERNAME MAILBOX", Description: "Reads message body (with headers) from stdin. Prints UID of created message on success.", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, - cli.StringSliceFlag{ - Name: "flag,f", + &cli.StringSliceFlag{ + Name: "flag", + Aliases: []string{"f"}, Usage: "Add flag to message. Can be specified multiple times", }, - cli.Int64Flag{ - Name: "date,d", - Usage: "Set internal date value to specified UNIX timestamp", + &cli.TimestampFlag{ + Layout: time.RFC3339, + Name: "date", + Aliases: []string{"d"}, + Usage: "Set internal date value to specified one in ISO 8601 format (2006-01-02T15:04:05Z07:00)", }, }, Action: func(ctx *cli.Context) error { @@ -440,14 +458,15 @@ func main() { ArgsUsage: "USERNAME MAILBOX SEQ FLAGS...", Description: "Add flags to all messages matched by SEQ.", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, - cli.BoolFlag{ - Name: "uid,u", + &cli.BoolFlag{ + Name: "uid", + Aliases: []string{"u"}, Usage: "Use UIDs for SEQSET instead of sequence numbers", }, }, @@ -466,14 +485,15 @@ func main() { ArgsUsage: "USERNAME MAILBOX SEQ FLAGS...", Description: "Remove flags from all messages matched by SEQ.", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, - cli.BoolFlag{ - Name: "uid,u", + &cli.BoolFlag{ + Name: "uid", + Aliases: []string{"u"}, Usage: "Use UIDs for SEQSET instead of sequence numbers", }, }, @@ -492,14 +512,15 @@ func main() { ArgsUsage: "USERNAME MAILBOX SEQ FLAGS...", Description: "Set flags on all messages matched by SEQ.", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, - cli.BoolFlag{ - Name: "uid,u", + &cli.BoolFlag{ + Name: "uid", + Aliases: []string{"u"}, Usage: "Use UIDs for SEQSET instead of sequence numbers", }, }, @@ -517,18 +538,20 @@ func main() { Usage: "Remove messages from mailbox", ArgsUsage: "USERNAME MAILBOX SEQSET", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, - cli.BoolFlag{ + &cli.BoolFlag{ Name: "uid,u", + Aliases: []string{"u"}, Usage: "Use UIDs for SEQSET instead of sequence numbers", }, - cli.BoolFlag{ - Name: "yes,y", + &cli.BoolFlag{ + Name: "yes", + Aliases: []string{"y"}, Usage: "Don't ask for confirmation", }, }, @@ -547,14 +570,15 @@ func main() { Description: "Note: You can't copy between mailboxes of different users. APPENDLIMIT of target mailbox is not enforced.", ArgsUsage: "USERNAME SRCMAILBOX SEQSET TGTMAILBOX", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, - cli.BoolFlag{ - Name: "uid,u", + &cli.BoolFlag{ + Name: "uid", + Aliases: []string{"u"}, Usage: "Use UIDs for SEQSET instead of sequence numbers", }, }, @@ -573,18 +597,20 @@ func main() { Description: "Note: You can't move between mailboxes of different users. APPENDLIMIT of target mailbox is not enforced.", ArgsUsage: "USERNAME SRCMAILBOX SEQSET TGTMAILBOX", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, - cli.BoolFlag{ - Name: "uid,u", + &cli.BoolFlag{ + Name: "uid", + Aliases: []string{"u"}, Usage: "Use UIDs for SEQSET instead of sequence numbers", }, - cli.BoolFlag{ - Name: "yes,y", + &cli.BoolFlag{ + Name: "yes", + Aliases: []string{"y"}, Usage: "Don't ask for confirmation", }, }, @@ -603,18 +629,20 @@ func main() { Description: "If SEQSET is specified - only show messages that match it.", ArgsUsage: "USERNAME MAILBOX [SEQSET]", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, - cli.BoolFlag{ - Name: "uid,u", + &cli.BoolFlag{ + Name: "uid", + Aliases: []string{"u"}, Usage: "Use UIDs for SEQSET instead of sequence numbers", }, - cli.BoolFlag{ + &cli.BoolFlag{ Name: "full,f", + Aliases: []string{"f"}, Usage: "Show entire envelope and all server meta-data", }, }, @@ -633,14 +661,15 @@ func main() { Description: "If passed SEQ matches multiple messages - they will be joined.", ArgsUsage: "USERNAME MAILBOX SEQ", Flags: []cli.Flag{ - cli.StringFlag{ + &cli.StringFlag{ Name: "cfg-block", Usage: "Module configuration block to use", - EnvVar: "MADDY_CFGBLOCK", + EnvVars: []string{"MADDY_CFGBLOCK"}, Value: "local_mailboxes", }, - cli.BoolFlag{ - Name: "uid,u", + &cli.BoolFlag{ + Name: "uid", + Aliases: []string{"u"}, Usage: "Use UIDs for SEQ instead of sequence numbers", }, }, @@ -660,31 +689,32 @@ func main() { Usage: "Generate password hashes for use with pass_table", Action: hashCommand, Flags: []cli.Flag{ - cli.StringFlag{ - Name: "password,p", + &cli.StringFlag{ + Name: "password", + Aliases: []string{"p"}, Usage: "Use `PASSWORD instead of reading password from stdin\n\t\tWARNING: Provided only for debugging convenience. Don't leave your passwords in shell history!", }, - cli.StringFlag{ + &cli.StringFlag{ Name: "hash", Usage: "Use specified hash algorithm", Value: "bcrypt", }, - cli.IntFlag{ + &cli.IntFlag{ Name: "bcrypt-cost", Usage: "Specify bcrypt cost value", Value: bcrypt.DefaultCost, }, - cli.IntFlag{ + &cli.IntFlag{ Name: "argon2-time", Usage: "Time factor for Argon2id", Value: 3, }, - cli.IntFlag{ + &cli.IntFlag{ Name: "argon2-memory", Usage: "Memory in KiB to use for Argon2id", Value: 1024, }, - cli.IntFlag{ + &cli.IntFlag{ Name: "argon2-threads", Usage: "Threads to use for Argon2id", Value: 1, @@ -699,18 +729,18 @@ func main() { } func getCfgBlockModule(ctx *cli.Context) (map[string]interface{}, *maddy.ModInfo, error) { - cfgPath := ctx.GlobalString("config") + cfgPath := ctx.String("config") if cfgPath == "" { - return nil, nil, errors.New("Error: config is required") + return nil, nil, cli.Exit("Error: config is required", 2) } cfgFile, err := os.Open(cfgPath) if err != nil { - return nil, nil, fmt.Errorf("Error: failed to open config: %w", err) + return nil, nil, cli.Exit(fmt.Sprintf("Error: failed to open config: %v", err), 2) } defer cfgFile.Close() cfgNodes, err := parser.Read(cfgFile, cfgFile.Name()) if err != nil { - return nil, nil, fmt.Errorf("Error: failed to parse config: %w", err) + return nil, nil, cli.Exit(fmt.Sprintf("Error: failed to parse config: %v", err), 2) } globals, cfgNodes, err := maddy.ReadGlobals(cfgNodes) @@ -731,7 +761,7 @@ func getCfgBlockModule(ctx *cli.Context) (map[string]interface{}, *maddy.ModInfo cfgBlock := ctx.String("cfg-block") if cfgBlock == "" { - return nil, nil, errors.New("Error: cfg-block is required") + return nil, nil, cli.Exit("Error: cfg-block is required", 2) } var mod maddy.ModInfo for _, m := range mods { @@ -741,7 +771,7 @@ func getCfgBlockModule(ctx *cli.Context) (map[string]interface{}, *maddy.ModInfo } } if mod.Instance == nil { - return nil, nil, fmt.Errorf("Error: unknown configuration block: %s", cfgBlock) + return nil, nil, cli.Exit(fmt.Sprintf("Error: unknown configuration block: %s", cfgBlock), 2) } return globals, &mod, nil @@ -755,7 +785,7 @@ func openStorage(ctx *cli.Context) (module.Storage, error) { storage, ok := mod.Instance.(module.Storage) if !ok { - return nil, fmt.Errorf("Error: configuration block %s is not an IMAP storage", ctx.String("cfg-block")) + return nil, cli.Exit(fmt.Sprintf("Error: configuration block %s is not an IMAP storage", ctx.String("cfg-block")), 2) } if err := mod.Instance.Init(config.NewMap(globals, mod.Cfg)); err != nil { @@ -781,7 +811,7 @@ func openUserDB(ctx *cli.Context) (module.PlainUserDB, error) { userDB, ok := mod.Instance.(module.PlainUserDB) if !ok { - return nil, fmt.Errorf("Error: configuration block %s is not a local credentials store", ctx.String("cfg-block")) + return nil, cli.Exit(fmt.Sprintf("Error: configuration block %s is not a local credentials store", ctx.String("cfg-block")), 2) } if err := mod.Instance.Init(config.NewMap(globals, mod.Cfg)); err != nil { diff --git a/cmd/maddyctl/users.go b/cmd/maddyctl/users.go index 6201f38..b83d64c 100644 --- a/cmd/maddyctl/users.go +++ b/cmd/maddyctl/users.go @@ -25,7 +25,7 @@ import ( "github.com/foxcpp/maddy/cmd/maddyctl/clitools" "github.com/foxcpp/maddy/framework/module" - "github.com/urfave/cli" + "github.com/urfave/cli/v2" ) func usersList(be module.PlainUserDB, ctx *cli.Context) error { @@ -34,7 +34,7 @@ func usersList(be module.PlainUserDB, ctx *cli.Context) error { return err } - if len(list) == 0 && !ctx.GlobalBool("quiet") { + if len(list) == 0 && !ctx.Bool("quiet") { fmt.Fprintln(os.Stderr, "No users.") } @@ -47,7 +47,7 @@ func usersList(be module.PlainUserDB, ctx *cli.Context) error { func usersCreate(be module.PlainUserDB, ctx *cli.Context) error { username := ctx.Args().First() if username == "" { - return errors.New("Error: USERNAME is required") + return cli.Exit("Error: USERNAME is required", 2) } var pass string diff --git a/go.mod b/go.mod index 814f3cb..063ed17 100644 --- a/go.mod +++ b/go.mod @@ -62,6 +62,7 @@ require ( github.com/prometheus/procfs v0.7.3 // indirect github.com/rs/xid v1.3.0 // indirect github.com/urfave/cli v1.22.5 + github.com/urfave/cli/v2 v2.3.0 github.com/vultr/govultr/v2 v2.9.0 // indirect go.uber.org/atomic v1.9.0 // indirect go.uber.org/multierr v1.7.0 // indirect diff --git a/go.sum b/go.sum index 36835ec..5185bdd 100644 --- a/go.sum +++ b/go.sum @@ -106,8 +106,6 @@ github.com/emersion/go-imap-move v0.0.0-20180601155324-5eb20cb834bf/go.mod h1:Qu github.com/emersion/go-imap-sortthread v1.1.1-0.20200727121200-18e5fb409fed/go.mod h1:opHOzblOHZKQM1JEy+GPk1217giNLa7kleyWTN06qnc= github.com/emersion/go-imap-sortthread v1.2.0 h1:EMVEJXPWAhXMWECjR82Rn/tza6MddcvTwGAdTu1vJKU= github.com/emersion/go-imap-sortthread v1.2.0/go.mod h1:UhenCBupR+vSYRnqJkpjSq84INUCsyAK1MLpogv14pE= -github.com/emersion/go-imap-specialuse v0.0.0-20201101201809-1ab93d3d150e h1:AwVkRMFFUMNu+tx0jchwyoXhS2VClQSzTtByVuzxbsE= -github.com/emersion/go-imap-specialuse v0.0.0-20201101201809-1ab93d3d150e/go.mod h1:/nybxhI8kXom8Tw6BrHMl42usALvka6meORflnnYwe4= github.com/emersion/go-message v0.11.2/go.mod h1:C4jnca5HOTo4bGN9YdqNQM9sITuT3Y0K6bSUw9RklvY= github.com/emersion/go-message v0.14.1/go.mod h1:N1JWdZQ2WRUalmdHAX308CWBq747VJ8oUorFI3VCBwU= github.com/emersion/go-message v0.15.0 h1:urgKGqt2JAc9NFJcgncQcohHdiYb803YTH9OQwHBHIY= @@ -448,6 +446,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urfave/cli v1.22.5 h1:lNq9sAHXK2qfdI8W+GRItjCEkI+2oR4d+MEHy1CKXoU= github.com/urfave/cli v1.22.5/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli/v2 v2.3.0 h1:qph92Y649prgesehzOrQjdWyxFOp/QVM+6imKHad91M= +github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI= github.com/vultr/govultr/v2 v2.0.0/go.mod h1:2PsEeg+gs3p/Fo5Pw8F9mv+DUBEOlrNZ8GmCTGmhOhs= github.com/vultr/govultr/v2 v2.9.0 h1:n0a0fGOiHAE07twu1VR3jWTDFDE0+DJ/cIqZqX9IlNw= github.com/vultr/govultr/v2 v2.9.0/go.mod h1:JjUljQdSZx+MELCAJvZ/JH32bJotmflnsyS0NOjb8Jg= From 2eb955bbc0b3503869224277785867a44b358938 Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Thu, 6 Jan 2022 16:31:33 +0300 Subject: [PATCH 11/41] tests: Update tests to match go-imap v2 behavior --- tests/imapsql_test.go | 3 +++ tests/smtp_autobuffer_test.go | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/tests/imapsql_test.go b/tests/imapsql_test.go index cdd83ad..62a0dbe 100644 --- a/tests/imapsql_test.go +++ b/tests/imapsql_test.go @@ -94,6 +94,7 @@ func TestImapsqlDelivery(tt *testing.T) { imapConn.Writeln(". NOOP") imapConn.ExpectPattern(`\* 1 EXISTS`) + imapConn.ExpectPattern(`\* 1 RECENT`) imapConn.ExpectPattern(". OK *") imapConn.Writeln(". FETCH 1 (BODY.PEEK[])") @@ -180,6 +181,7 @@ func TestImapsqlDeliveryMap(tt *testing.T) { imapConn.Writeln(". NOOP") imapConn.ExpectPattern(`\* 1 EXISTS`) + imapConn.ExpectPattern(`\* 1 RECENT`) imapConn.ExpectPattern(". OK *") } @@ -251,5 +253,6 @@ func TestImapsqlAuthMap(tt *testing.T) { imapConn.Writeln(". NOOP") imapConn.ExpectPattern(`\* 1 EXISTS`) + imapConn.ExpectPattern(`\* 1 RECENT`) imapConn.ExpectPattern(". OK *") } diff --git a/tests/smtp_autobuffer_test.go b/tests/smtp_autobuffer_test.go index 1b00399..b7c2bbd 100644 --- a/tests/smtp_autobuffer_test.go +++ b/tests/smtp_autobuffer_test.go @@ -98,6 +98,7 @@ func TestSMTPEndpoint_LargeMessage(tt *testing.T) { imapConn.Writeln(". NOOP") imapConn.ExpectPattern(`\* 1 EXISTS`) + imapConn.ExpectPattern(`\* 1 RECENT`) imapConn.ExpectPattern(". OK *") imapConn.Writeln(". FETCH 1 (BODY.PEEK[])") @@ -185,6 +186,7 @@ func TestSMTPEndpoint_FileBuffer(tt *testing.T) { imapConn.Writeln(". NOOP") imapConn.ExpectPattern(`\* 1 EXISTS`) + imapConn.ExpectPattern(`\* 1 RECENT`) imapConn.ExpectPattern(". OK *") imapConn.Writeln(". FETCH 1 (BODY.PEEK[])") @@ -300,9 +302,8 @@ func TestSMTPEndpoint_Autobuffer(tt *testing.T) { imapConn.Writeln(". NOOP") // This will break with go-imap v2 upgrade merging updates. - imapConn.ExpectPattern(`\* 1 EXISTS`) - imapConn.ExpectPattern(`\* 2 EXISTS`) imapConn.ExpectPattern(`\* 3 EXISTS`) + imapConn.ExpectPattern(`\* 3 RECENT`) imapConn.ExpectPattern(". OK *") imapConn.Writeln(". FETCH 1:3 (BODY.PEEK[])") From a8e0a74be90beb215e4c80b1bc5720b28d73f2bd Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Thu, 6 Jan 2022 21:55:24 +0300 Subject: [PATCH 12/41] docs: Convert manual pages into per-module Markdown pages --- .mkdocs.yml | 86 +- docs/{ => internals}/specifications.md | 0 docs/{ => internals}/unicode.md | 0 docs/man/maddy-auth.5.scd | 373 ------- docs/man/maddy-blob.5.scd | 113 --- docs/man/maddy-filters.5.scd | 953 ------------------ docs/man/maddy-smtp.5.scd | 642 ------------ docs/man/maddy-storage.5.scd | 202 ---- docs/man/maddy-tables.5.scd | 314 ------ docs/man/maddy-targets.5.scd | 457 --------- docs/man/maddy-tls.5.scd | 379 ------- docs/reference/auth/dovecot_sasl.md | 26 + docs/reference/auth/external.md | 47 + docs/reference/auth/ldap.md | 113 +++ docs/reference/auth/pam.md | 44 + docs/reference/auth/pass_table.md | 44 + docs/reference/auth/plain_separate.md | 42 + docs/reference/auth/shadow.md | 36 + docs/reference/blob/fs.md | 22 + docs/reference/blob/s3.md | 71 ++ docs/reference/checks/actions.md | 21 + docs/reference/checks/authorize_sender.md | 87 ++ docs/reference/checks/command.md | 131 +++ docs/reference/checks/dkim.md | 55 + docs/reference/checks/dnsbl.md | 156 +++ docs/reference/checks/milter.md | 47 + docs/reference/checks/misc.md | 43 + docs/reference/checks/rspamd.md | 79 ++ docs/reference/checks/spf.md | 83 ++ .../config-syntax.md} | 8 +- docs/reference/endpoints/imap.md | 65 ++ docs/{ => reference/endpoints}/openmetrics.md | 0 docs/reference/endpoints/smtp.md | 265 +++++ docs/reference/global-config.md | 94 ++ docs/reference/modifiers/dkim.md | 197 ++++ docs/reference/modifiers/envelope.md | 50 + docs/reference/modules.md | 76 ++ docs/reference/smtp-pipeline.md | 384 +++++++ docs/reference/storage/imapsql.md | 181 ++++ docs/reference/table/auth.md | 6 + docs/reference/table/chain.md | 38 + docs/reference/table/email_localpart.md | 12 + docs/reference/table/file.md | 54 + docs/reference/table/regexp.md | 58 ++ docs/reference/table/sql_query.md | 110 ++ docs/reference/table/static.md | 21 + docs/reference/targets/queue.md | 84 ++ docs/reference/targets/remote.md | 246 +++++ docs/reference/targets/smtp.md | 114 +++ docs/reference/tls-acme.md | 225 +++++ docs/reference/tls.md | 155 +++ docs/seclevels.md | 5 +- docs/third-party/rspamd.md | 6 +- 53 files changed, 3651 insertions(+), 3469 deletions(-) rename docs/{ => internals}/specifications.md (100%) rename docs/{ => internals}/unicode.md (100%) delete mode 100644 docs/man/maddy-auth.5.scd delete mode 100644 docs/man/maddy-blob.5.scd delete mode 100644 docs/man/maddy-filters.5.scd delete mode 100644 docs/man/maddy-smtp.5.scd delete mode 100644 docs/man/maddy-storage.5.scd delete mode 100644 docs/man/maddy-tables.5.scd delete mode 100644 docs/man/maddy-targets.5.scd delete mode 100644 docs/man/maddy-tls.5.scd create mode 100644 docs/reference/auth/dovecot_sasl.md create mode 100644 docs/reference/auth/external.md create mode 100644 docs/reference/auth/ldap.md create mode 100644 docs/reference/auth/pam.md create mode 100644 docs/reference/auth/pass_table.md create mode 100644 docs/reference/auth/plain_separate.md create mode 100644 docs/reference/auth/shadow.md create mode 100644 docs/reference/blob/fs.md create mode 100644 docs/reference/blob/s3.md create mode 100644 docs/reference/checks/actions.md create mode 100644 docs/reference/checks/authorize_sender.md create mode 100644 docs/reference/checks/command.md create mode 100644 docs/reference/checks/dkim.md create mode 100644 docs/reference/checks/dnsbl.md create mode 100644 docs/reference/checks/milter.md create mode 100644 docs/reference/checks/misc.md create mode 100644 docs/reference/checks/rspamd.md create mode 100644 docs/reference/checks/spf.md rename docs/{man/maddy-config.5.scd => reference/config-syntax.md} (96%) create mode 100644 docs/reference/endpoints/imap.md rename docs/{ => reference/endpoints}/openmetrics.md (100%) create mode 100644 docs/reference/endpoints/smtp.md create mode 100644 docs/reference/global-config.md create mode 100644 docs/reference/modifiers/dkim.md create mode 100644 docs/reference/modifiers/envelope.md create mode 100644 docs/reference/modules.md create mode 100644 docs/reference/smtp-pipeline.md create mode 100644 docs/reference/storage/imapsql.md create mode 100644 docs/reference/table/auth.md create mode 100644 docs/reference/table/chain.md create mode 100644 docs/reference/table/email_localpart.md create mode 100644 docs/reference/table/file.md create mode 100644 docs/reference/table/regexp.md create mode 100644 docs/reference/table/sql_query.md create mode 100644 docs/reference/table/static.md create mode 100644 docs/reference/targets/queue.md create mode 100644 docs/reference/targets/remote.md create mode 100644 docs/reference/targets/smtp.md create mode 100644 docs/reference/tls-acme.md create mode 100644 docs/reference/tls.md diff --git a/.mkdocs.yml b/.mkdocs.yml index 240c655..189eba5 100644 --- a/.mkdocs.yml +++ b/.mkdocs.yml @@ -2,44 +2,80 @@ site_name: maddy repo_url: https://github.com/foxcpp/maddy -theme: readthedocs +theme: alb markdown_extensions: - codehilite: guess_lang: false nav: + - faq.md - Tutorials: - tutorials/setting-up.md - tutorials/building-from-source.md - tutorials/alias-to-remote.md - tutorials/pam.md - Release builds: 'https://maddy.email/builds/' - - Integration with software: - - third-party/dovecot.md - - third-party/smtp-servers.md - - third-party/rspamd.md - - third-party/mailman3.md - - seclevels.md - - faq.md - multiple-domains.md - - unicode.md - upgrading.md - - specifications.md - - openmetrics.md - - Manual pages: - - man/_generated_maddy.1.md - - man/_generated_maddy.5.md - - man/_generated_maddy-auth.5.md - - man/_generated_maddy-blob.5.md - - man/_generated_maddy-config.5.md - - man/_generated_maddy-filters.5.md - - man/_generated_maddy-imap.5.md - - man/_generated_maddy-smtp.5.md - - man/_generated_maddy-storage.5.md - - man/_generated_maddy-targets.5.md - - man/_generated_maddy-tables.5.md - - man/_generated_maddy-tls.5.md + - seclevels.md + - Reference manual: + - reference/modules.md + - reference/global-config.md + - reference/tls.md + - reference/tls-acme.md + - Endpoints configuration: + - reference/endpoints/imap.md + - reference/endpoints/smtp.md + - reference/endpoints/openmetrics.md + - IMAP storage: + - reference/storage/imap-filters.md + - reference/storage/imapsql.md + - Blob storage: + - reference/blob/fs.md + - reference/blob/s3.md + - reference/smtp-pipeline.md + - SMTP targets: + - reference/targets/queue.md + - reference/targets/remote.md + - reference/targets/smtp.md + - SMTP checks: + - reference/checks/actions.md + - reference/checks/dkim.md + - reference/checks/spf.md + - reference/checks/milter.md + - reference/checks/rspamd.md + - reference/checks/dnsbl.md + - reference/checks/command.md + - reference/checks/authorize_sender.md + - reference/checks/misc.md + - SMTP modifiers: + - reference/modifiers/dkim.md + - reference/modifiers/envelope.md + - Lookup tables (string translation): + - reference/table/static.md + - reference/table/regexp.md + - reference/table/file.md + - reference/table/sql_query.md + - reference/table/chain.md + - reference/table/email_localpart.md + - reference/table/auth.md + - Authentication providers: + - reference/auth/pass_table.md + - reference/auth/pam.md + - reference/auth/shadow.md + - reference/auth/external.md + - reference/auth/ldap.md + - reference/auth/dovecot_sasl.md + - reference/auth/plain_separate.md + - reference/config-syntax.md + - Integration with software: + - third-party/dovecot.md + - third-party/smtp-servers.md + - third-party/rspamd.md + - third-party/mailman3.md - Internals: + - internals/specifications.md + - internals/unicode.md - internals/quirks.md - - internals/sqlite.md + - internals/sqlite.md \ No newline at end of file diff --git a/docs/specifications.md b/docs/internals/specifications.md similarity index 100% rename from docs/specifications.md rename to docs/internals/specifications.md diff --git a/docs/unicode.md b/docs/internals/unicode.md similarity index 100% rename from docs/unicode.md rename to docs/internals/unicode.md diff --git a/docs/man/maddy-auth.5.scd b/docs/man/maddy-auth.5.scd deleted file mode 100644 index a8473a8..0000000 --- a/docs/man/maddy-auth.5.scd +++ /dev/null @@ -1,373 +0,0 @@ -maddy-auth(5) "maddy mail server" "maddy authentication backends" - -; TITLE Authentication backends - -# Introduction - -Modules described in this man page can be used to provide functionality to -check validity of username-password pairs in accordance with some database. -That is, they authenticate users. - -Most likely, you are going to use these modules with 'auth' directive of IMAP -(*maddy-imap*(5)) or SMTP endpoint (*maddy-smtp*(5)). - -Most modules listed here are also usable as a table (see *maddy-tables*(5)) -that contains all usernames known to the module. Exceptions are auth.external and -pam as underlying interfaces do not define a way to check credentials -existence. - -# External authentication module (auth.external) - -Module for authentication using external helper binary. It looks for binary -named maddy-auth-helper in $PATH and libexecdir and uses it for authentication -using username/password pair. - -The protocol is very simple: -Program is launched for each authentication. Username and password are written -to stdin, adding \\n to the end. If binary exits with 0 status code - -authentication is considered successful. If the status code is 1 - -authentication is failed. If the status code is 2 - another unrelated error has -happened. Additional information should be written to stderr. - -``` -auth.external { - helper /usr/bin/ldap-helper - perdomain no - domains example.org -} -``` - -## Configuration directives - -*Syntax*: helper _file_path_ - -Location of the helper binary. *Required.* - -*Syntax*: perdomain _boolean_ ++ -*Default*: no - -Don't remove domain part of username when authenticating and require it to be -present. Can be used if you want user@domain1 and user@domain2 to be different -accounts. - -*Syntax*: domains _domains..._ ++ -*Default*: not specified - -Domains that should be allowed in username during authentication. - -For example, if 'domains' is set to "domain1 domain2", then -username, username@domain1 and username@domain2 will be accepted as valid login -name in addition to just username. - -If used without 'perdomain', domain part will be removed from login before -check with underlying auth. mechanism. If 'perdomain' is set, then -domains must be also set and domain part WILL NOT be removed before check. - -# PAM module (auth.pam) - -Implements authentication using libpam. Alternatively it can be configured to -use helper binary like auth.external module does. - -maddy should be built with libpam build tag to use this module without -'use_helper' directive. -``` -go get -tags 'libpam' ... -``` - -``` -auth.pam { - debug no - use_helper no -} -``` - -## Configuration directives - -*Syntax*: debug _boolean_ ++ -*Default*: no - -Enable verbose logging for all modules. You don't need that unless you are -reporting a bug. - -*Syntax*: use_helper _boolean_ ++ -*Default*: no - -Use LibexecDirectory/maddy-pam-helper instead of directly calling libpam. -You need to use that if: -1. maddy is not compiled with libpam, but maddy-pam-helper is built separately. -2. maddy is running as an unprivileged user and used PAM configuration requires additional -privileges (e.g. when using system accounts). - -For 2, you need to make maddy-pam-helper binary setuid, see -README.md in source tree for details. - -TL;DR (assuming you have the maddy group): -``` -chown root:maddy /usr/lib/maddy/maddy-pam-helper -chmod u+xs,g+x,o-x /usr/lib/maddy/maddy-pam-helper -``` - -# Shadow database authentication module (auth.shadow) - -Implements authentication by reading /etc/shadow. Alternatively it can be -configured to use helper binary like auth.external does. - -``` -auth.shadow { - debug no - use_helper no -} -``` - -## Configuration directives - -*Syntax*: debug _boolean_ ++ -*Default*: no - -Enable verbose logging for all modules. You don't need that unless you are -reporting a bug. - -*Syntax*: use_helper _boolean_ ++ -*Default*: no - -Use LibexecDirectory/maddy-shadow-helper instead of directly reading /etc/shadow. -You need to use that if maddy is running as an unprivileged user -privileges (e.g. when using system accounts). - -You need to make maddy-shadow-helper binary setuid, see -cmd/maddy-shadow-helper/README.md in source tree for details. - -TL;DR (assuming you have maddy group): -``` -chown root:maddy /usr/lib/maddy/maddy-shadow-helper -chmod u+xs,g+x,o-x /usr/lib/maddy/maddy-shadow-helper -``` - -# Table-based password hash lookup (auth.pass_table) - -This module implements username:password authentication by looking up the -password hash using a table module (maddy-tables(5)). It can be used -to load user credentials from text file (file module) or SQL query -(sql_table module). - - -Definition: -``` -auth.pass_table [block name] { - table - -} -``` -Shortened variant for inline use: -``` -pass_table
[table arguments] { - [additional table config] -} -``` - -Example, read username:password pair from the text file: -``` -smtp tcp://0.0.0.0:587 { - auth pass_table file /etc/maddy/smtp_passwd - ... -} -``` - -## Password hashes - -pass_table expects the used table to contain certain structured values with -hash algorithm name, salt and other necessary parameters. - -You should use 'maddyctl hash' command to generate suitable values. -See 'maddyctl hash --help' for details. - -## maddyctl creds - -If the underlying table is a "mutable" table (see maddy-tables(5)) then -the 'maddyctl creds' command can be used to modify the underlying tables -via pass_table module. It will act a "local credentials store" and will write -appropriate hash values to the table. - -# Separate username and password lookup (auth.plain_separate) - -This module implements authentication using username:password pairs but can -use zero or more "table modules" (maddy-tables(5)) and one or more -authentication providers to verify credentials. - -``` -auth.plain_separate { - user ... - user ... - ... - pass ... - pass ... - ... -} -``` - -How it works: -- Initial username input is normalized using PRECIS UsernameCaseMapped profile. -- Each table specified with the 'user' directive looked up using normalized - username. If match is not found in any table, authentication fails. -- Each authentication provider specified with the 'pass' directive is tried. - If authentication with all providers fails - an error is returned. - -## Configuration directives - -**Syntax:** user _table module_ - -Configuration block for any module from maddy-tables(5) can be used here. - -Example: -``` -user file /etc/maddy/allowed_users -``` - -**Syntax:** pass _auth provider_ - -Configuration block for any auth. provider module can be used here, even -'plain_split' itself. - -The used auth. provider must provide username:password pair-based -authentication. - -# Dovecot authentication client (auth.dovecot_sasl) - -The 'dovecot_sasl' module implements the client side of the Dovecot -authentication protocol, allowing maddy to use it as a credentials source. - -Currently SASL mechanisms support is limited to mechanisms supported by maddy -so you cannot get e.g. SCRAM-MD5 this way. - -``` -auth.dovecot_sasl { - endpoint unix://socket_path -} - -dovecot_sasl unix://socket_path -``` - -## Configuration directives - -*Syntax*: endpoint _schema://address_ ++ -*Default*: not set - -Set the address to use to contact Dovecot SASL server in the standard endpoint -format. - -tcp://10.0.0.1:2222 for TCP, unix:///var/lib/dovecot/auth.sock for Unix -domain sockets. - -# LDAP BindDN authentication (EXPERIMENTAL) (auth.ldap) - -maddy supports authentication via LDAP using DN binding. Passwords are verified -by the LDAP server. - -maddy needs to know the DN to use for binding. It can be obtained either by -directory search or template . - -Note that storage backends conventionally use email addresses, if you use -non-email identifiers as usernames then you should map them onto -emails on delivery by using auth_map (see *maddy-storage*(5)). - -auth.ldap also can be a used as a table module. This way you can check -whether the account exists. It works only if DN template is not used. - -``` -auth.ldap { - urls ldap://maddy.test:389 - - # Specify initial bind credentials. Not required ('bind off') - # if DN template is used. - bind plain "cn=maddy,ou=people,dc=maddy,dc=test" "123456" - - # Specify DN template to skip lookup. - dn_template "cn={username},ou=people,dc=maddy,dc=test" - - # Specify base_dn and filter to lookup DN. - base_dn "ou=people,dc=maddy,dc=test" - filter "(&(objectClass=posixAccount)(uid={username}))" - - tls_client { ... } - starttls off - debug off - connect_timeout 1m -} -``` -``` -auth.ldap ldap://maddy.test.389 { - ... -} -``` - -## Configuration directives - -*Syntax:* urls _servers..._ - -REQUIRED. - -URLs of the directory servers to use. First available server -is used - no load-balancing is done. - -URLs should use 'ldap://', 'ldaps://', 'ldapi://' schemes. - -*Syntax:* bind off ++ - bind unauth ++ - bind external ++ - bind plain _username_ _password_ ++ -*Default:* off - -Credentials to use for initial binding. Required if DN lookup is used. - -'unauth' performs unauthenticated bind. 'external' performs external binding -which is useful for Unix socket connections (ldapi://) or TLS client certificate -authentication (cert. is set using tls_client directive). 'plain' performs a -simple bind using provided credentials. - -*Syntax:* dn_template _template_ - -DN template to use for binding. '{username}' is replaced with the -username specified by the user. - -*Syntax:* base_dn _dn_ - -Base DN to use for lookup. - -*Syntax:* filter _str_ - -DN lookup filter. '{username}' is replaced with the username specified -by the user. - -Example: -``` -(&(objectClass=posixAccount)(uid={username})) -``` - -Example (using ActiveDirectory): -``` -(&(objectCategory=Person)(memberOf=CN=user-group,OU=example,DC=example,DC=org)(sAMAccountName={username})(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) -``` - -Example: -``` -(&(objectClass=Person)(mail={username})) -``` - -*Syntax:* starttls _bool_ ++ -*Default:* off - -Whether to upgrade connection to TLS using STARTTLS. - -*Syntax:* tls_client { ... } - -Advanced TLS client configuration. See *maddy-tls*(5) for details. - -*Syntax:* connect_timeout _duration_ ++ -*Default:* 1m - -Timeout for initial connection to the directory server. - -*Syntax:* request_timeout _duration_ ++ -*Default:* 1m - -Timeout for each request (binding, lookup). \ No newline at end of file diff --git a/docs/man/maddy-blob.5.scd b/docs/man/maddy-blob.5.scd deleted file mode 100644 index dcc9a11..0000000 --- a/docs/man/maddy-blob.5.scd +++ /dev/null @@ -1,113 +0,0 @@ -maddy-blob(5) "maddy mail server" "maddy reference documentation" - -; TITLE Message blob storage - -Some IMAP storage backends support pluggable message storage that allows -message contents to be stored separately from IMAP index. - -Modules described in this page are what can be used with such storage backends. -In most cases they have to be specified using the 'msg_store' directive, like -this: -``` -storage.imapsql local_mailboxes { - msg_store fs /var/lib/email -} -``` - -Unless explicitly configured, storage backends with pluggable storage will -store messages in state_dir/messages (e.g. /var/lib/maddy/messages) FS -directory. - -# FS directory storage (storage.blob.fs) - -This module stores message bodies in a file system directory. - -``` -storage.blob.fs { - root -} -``` -``` -storage.blob.fs -``` - -## Configuration directives - -*Syntax:* root _path_ ++ -*Default:* not set - -Path to the FS directory. Must be readable and writable by the server process. -If it does not exist - it will be created (parent directory should be writable -for this). Relative paths are interpreted relatively to server state directory. - -# Amazon S3 storage (storage.blob.s3) - -This modules stores messages bodies in a bucket on S3-compatible storage. - -``` -storage.blob.s3 { - endpoint play.min.io - secure yes - access_key "Q3AM3UQ867SPQQA43P2F" - secret_key "zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG" - bucket maddy-test - - # optional - region eu-central-1 - object_prefix maddy/ -} -``` - -Example: -``` -storage.imapsql local_mailboxes { - ... - msg_store s3 { - endpoint s3.amazonaws.com - access_key "..." - secret_key "..." - bucket maddy-messages - region us-west-2 - } -} -``` - -## Configuration directives - -*Syntax:* endpoint _address:port_ - -REQUIRED. - -Root S3 endpoint. e.g. s3.amazonaws.com - -*Syntax:* secure _boolean_ ++ -*Default:* yes - -Whether TLS should be used. - -*Syntax:* access_key _string_ ++ -*Syntax:* secret_key _string_ - -REQUIRED. - -Static S3 credentials. - -*Syntax:* bucket _name_ - -REQUIRED. - -S3 bucket name. The bucket must exist and -be read-writable. - -*Syntax:* region _string_ ++ -*Default:* not set - -S3 bucket location. May be called "endpoint" -in some manuals. - -*Syntax:* object_prefix _string_ ++ -*Default:* empty string - -String to add to all keys stored by maddy. - -Can be useful when S3 is used as a file system. \ No newline at end of file diff --git a/docs/man/maddy-filters.5.scd b/docs/man/maddy-filters.5.scd deleted file mode 100644 index 6fc4363..0000000 --- a/docs/man/maddy-filters.5.scd +++ /dev/null @@ -1,953 +0,0 @@ -maddy-filters(5) "maddy mail server" "maddy reference documentation" - -; TITLE Message filtering - -maddy does have two distinct types of modules that do message filtering. -"Checks" and "modifiers". - -"Checks" are meant to be used to reject or quarantine -messages that are unwanted, such as potential spam or messages with spoofed -sender address. They are limited in ways they can modify the message and their -execution is heavily parallelized to improve performance. - -"Modifiers" are executed serially in order they are referenced in the -configuration and are allowed to modify the message data and meta-data. - -# Check actions - -When a certain check module thinks the message is "bad", it takes some actions -depending on its configuration. Most checks follow the same configuration -structure and allow following actions to be taken on check failure: - -- Do nothing ('action ignore') - -Useful for testing deployment of new checks. Check failures are still logged -but they have no effect on message delivery. - -- Reject the message ('action reject') - -Reject the message at connection time. No bounce is generated locally. - -- Quarantine the message ('action quarantine') - -Mark message as 'quarantined'. If message is then delivered to the local -storage, the storage backend can place the message in the 'Junk' mailbox. -Another thing to keep in mind that 'remote' module (see *maddy-targets*(5)) -will refuse to send quarantined messages. - -# Simple checks - -## Configuration directives - -Following directives are defined for all modules listed below. - -*Syntax*: ++ - fail_action ignore ++ - fail_action reject ++ - fail_action quarantine ++ -*Default*: quarantine - -Action to take when check fails. See Check actions for details. - -*Syntax*: debug _boolean_ ++ -*Default*: global directive value - -Log both sucessfull and unsucessfull check executions instead of just -unsucessfull. - -## require_mx_record - -Check that domain in MAIL FROM command does have a MX record and none of them -are "null" (contain a single dot as the host). - -By default, quarantines messages coming from servers missing MX records, -use 'fail_action' directive to change that. - -## require_matching_rdns - -Check that source server IP does have a PTR record point to the domain -specified in EHLO/HELO command. - -By default, quarantines messages coming from servers with mismatched or missing -PTR record, use 'fail_action' directive to change that. - -## require_tls - -Check that the source server is connected via TLS; either directly, or by using -the STARTTLS command. - -By default, rejects messages coming from unencrypted servers. Use the -'fail_action' directive to change that. - -# DKIM authentication module (check.dkim) - -This is the check module that performs verification of the DKIM signatures -present on the incoming messages. - -``` -check.dkim { - debug no - required_fields From Subject - allow_body_subset no - no_sig_action ignore - broken_sig_action ignore - fail_open no -} -``` - -## Configuration directives - -*Syntax*: debug _boolean_ ++ -*Default*: global directive value - -Log both sucessfull and unsucessfull check executions instead of just -unsucessfull. - -*Syntax*: required_fields _string..._ ++ -*Default*: From Subject - -Header fields that should be included in each signature. If signature -lacks any field listed in that directive, it will be considered invalid. - -Note that From is always required to be signed, even if it is not included in -this directive. - -*Syntax*: no_sig_action _action_ ++ -*Default*: ignore (recommended by RFC 6376) - -Action to take when message without any signature is received. - -Note that DMARC policy of the sender domain can request more strict handling of -missing DKIM signatures. - -*Syntax*: broken_sig_action _action_ ++ -*Default*: ignore (recommended by RFC 6376) - -Action to take when there are not valid signatures in a message. - -Note that DMARC policy of the sender domain can request more strict handling of -broken DKIM signatures. - -*Syntax*: fail_open _boolean_ ++ -*Default*: no - -Whether to accept the message if a temporary error occurs during DKIM -verification. Rejecting the message with a 4xx code will require the sender -to resend it later in a hope that the problem will be resolved. - -# SPF policy enforcement module (check.spf) - -This is the check module that verifies whether IP address of the client is -authorized to send messages for domain in MAIL FROM address. - -``` -check.spf { - debug no - enforce_early no - fail_action quarantine - softfail_action ignore - permerr_action reject - temperr_action reject -} -``` - -## DMARC override - -It is recommended by the DMARC standard to don't fail delivery based solely on -SPF policy and always check DMARC policy and take action based on it. - -If enforce_early is no, check.spf module will not take any action on SPF -policy failure if sender domain does have a DMARC record with 'quarantine' or -'reject' policy. Instead it will rely on DMARC support to take necesary -actions using SPF results as an input. - -Disabling enforce_early without enabling DMARC support will make SPF policies -no-op and is considered insecure. - -## Configuration directives - -*Syntax*: debug _boolean_ ++ -*Default*: global directive value - -Enable verbose logging for check.spf. - -*Syntax*: enforce_early _boolean_ ++ -*Default*: no - -Make policy decision on MAIL FROM stage (before the message body is received). -This makes it impossible to apply DMARC override (see above). - -*Syntax*: none_action reject|qurantine|ignore ++ -*Default*: ignore - -Action to take when SPF policy evaluates to a 'none' result. - -See https://tools.ietf.org/html/rfc7208#section-2.6 for meaning of -SPF results. - -*Syntax*: neutral_action reject|qurantine|ignore ++ -*Default*: ignore - -Action to take when SPF policy evaluates to a 'neutral' result. - -See https://tools.ietf.org/html/rfc7208#section-2.6 for meaning of -SPF results. - -*Syntax*: fail_action reject|qurantine|ignore ++ -*Default*: quarantine - -Action to take when SPF policy evaluates to a 'fail' result. - -*Syntax*: softfail_action reject|qurantine|ignore ++ -*Default*: ignore - -Action to take when SPF policy evaluates to a 'softfail' result. - -*Syntax*: permerr_action reject|qurantine|ignore ++ -*Default*: reject - -Action to take when SPF policy evaluates to a 'permerror' result. - -*Syntax*: temperr_action reject|qurantine|ignore ++ -*Default*: reject - -Action to take when SPF policy evaluates to a 'temperror' result. - -# DNSBL lookup module (check.dnsbl) - -The dnsbl module implements checking of source IP and hostnames against a set -of DNS-based Blackhole lists (DNSBLs). - -Its configuration consists of module configuration directives and a set -of blocks specifing lists to use and kind of lookups to perform on them. - -``` -check.dnsbl { - debug no - check_early no - - quarantine_threshold 1 - reject_threshold 1 - - # Lists configuration example. - dnsbl.example.org { - client_ipv4 yes - client_ipv6 no - ehlo no - mailfrom no - score 1 - } - hsrbl.example.org { - client_ipv4 no - client_ipv6 no - ehlo yes - mailfrom yes - score 1 - } -} -``` - -## Arguments - -Arguments specify the list of IP-based BLs to use. - -The following configurations are equivalent. - -``` -check { - dnsbl dnsbl.example.org dnsbl2.example.org -} -``` - -``` -check { - dnsbl { - dnsbl.example.org dnsbl2.example.org { - client_ipv4 yes - client_ipv6 no - ehlo no - mailfrom no - score 1 - } - } -} -``` - -## Configuration directives - -*Syntax*: debug _boolean_ ++ -*Default*: global directive value - -Enable verbose logging. - -*Syntax*: check_early _boolean_ ++ -*Default*: no - -Check BLs before mail delivery starts and silently reject blacklisted clients. - -For this to work correctly, check should not be used in source/destination -pipeline block. - -In particular, this means: -- No logging is done for rejected messages. -- No action is taken if quarantine_threshold is hit, only reject_threshold - applies. -- defer_sender_reject from SMTP configuration takes no effect. -- MAIL FROM is not checked, even if specified. - -If you often get hit by spam attacks, this is recommended to enable this -setting to save server resources. - -*Syntax*: quarantine_threshold _integer_ ++ -*Default*: 1 - -DNSBL score needed (equals-or-higher) to quarantine the message. - -*Syntax*: reject_threshold _integer_ ++ -*Default*: 9999 - -DNSBL score needed (equals-or-higher) to reject the message. - -## List configuration - -``` -dnsbl.example.org dnsbl.example.com { - client_ipv4 yes - client_ipv6 no - ehlo no - mailfrom no - responses 127.0.0.1/24 - score 1 -} -``` - -Directive name and arguments specify the actual DNS zone to query when checking -the list. Using multiple arguments is equivalent to specifying the same -configuration separately for each list. - -*Syntax*: client_ipv4 _boolean_ ++ -*Default*: yes - -Whether to check address of the IPv4 clients against the list. - -*Syntax*: client_ipv6 _boolean_ ++ -*Default*: yes - -Whether to check address of the IPv6 clients against the list. - -*Syntax*: ehlo _boolean_ ++ -*Default*: no - -Whether to check hostname specified n the HELO/EHLO command -against the list. - -This works correctly only with domain-based DNSBLs. - -*Syntax*: mailfrom _boolean_ ++ -*Default*: no - -Whether to check domain part of the MAIL FROM address against the list. - -This works correctly only with domain-based DNSBLs. - -*Syntax*: responses _cidr|ip..._ ++ -*Default*: 127.0.0.1/24 - -IP networks (in CIDR notation) or addresses to permit in list lookup results. -Addresses not matching any entry in this directives will be ignored. - -*Syntax*: score _integer_ ++ -*Default*: 1 - -Score value to add for the message if it is listed. - -If sum of list scores is equals or higher than quarantine_threshold, the -message will be quarantined. - -If sum of list scores is equals or higher than rejected_threshold, the message -will be rejected. - -It is possible to specify a negative value to make list act like a whitelist -and override results of other blocklists. - -# DKIM signing module (modify.dkim) - -modify.dkim module is a modifier that signs messages using DKIM -protocol (RFC 6376). - -``` -modify.dkim { - debug no - domains example.org example.com - selector default - key_path dkim-keys/{domain}-{selector}.key - oversign_fields ... - sign_fields ... - header_canon relaxed - body_canon relaxed - sig_expiry 120h # 5 days - hash sha256 - newkey_algo rsa2048 -} -``` - -## Arguments - -domains and selector can be specified in arguments, so actual modify.dkim use can -be shortened to the following: -``` -modify { - dkim example.org selector -} -``` - -## Configuration directives - -*Syntax*: debug _boolean_ ++ -*Default*: global directive value - -Enable verbose logging. - -*Syntax*: domains _string list_ ++ -*Default*: not specified - -*REQUIRED.* - -ADministrative Management Domains (ADMDs) taking responsibility for messages. - -A key will be generated or read for each domain specified here, the key to use -for each message will be selected based on the SMTP envelope sender. Exception -for that is that for domain-less postmaster address and null address, the -key for the first domain will be used. If domain in envelope sender -does not match any of loaded keys, message will not be signed. - -Should be specified either as a directive or as an argument. - -*Syntax*: selector _string_ ++ -*Default*: not specified - -*REQUIRED.* - -Identifier of used key within the ADMD. -Should be specified either as a directive or as an argument. - -*Syntax*: key_path _string_ ++ -*Default*: dkim_keys/{domain}\_{selector}.key - -Path to private key. It should be in PKCS#8 format wrapped in PAM encoding. -If key does not exist, it will be generated using algorithm specified -in newkey_algo. - -Placeholders '{domain}' and '{selector}' will be replaced with corresponding -values from domain and selector directives. - -Additionally, keys in PKCS#1 ("RSA PRIVATE KEY") and -RFC 5915 ("EC PRIVATE KEY") can be read by modify.dkim. Note, however that -newly generated keys are always in PKCS#8. - -*Syntax*: oversign_fields _list..._ ++ -*Default*: see below - -Header fields that should be signed n+1 times where n is times they are -present in the message. This makes it impossible to replace field -value by prepending another field with the same name to the message. - -Fields specified here don't have to be also specified in sign_fields. - -Default set of oversigned fields: -- Subject -- To -- From -- Date -- MIME-Version -- Content-Type -- Content-Transfer-Encoding -- Reply-To -- Message-Id -- References -- Autocrypt -- Openpgp - -*Syntax*: sign_fields _list..._ ++ -*Default*: see below - -Header fields that should be signed n+1 times where n is times they are -present in the message. For these fields, additional values can be prepended -by intermediate relays, but existing values can't be changed. - -Default set of signed fields: -- List-Id -- List-Help -- List-Unsubscribe -- List-Post -- List-Owner -- List-Archive -- Resent-To -- Resent-Sender -- Resent-Message-Id -- Resent-Date -- Resent-From -- Resent-Cc - -*Syntax*: header_canon relaxed|simple ++ -*Default*: relaxed - -Canonicalization algorithm to use for header fields. With 'relaxed', whitespace within -fields can be modified without breaking the signature, with 'simple' no -modifications are allowed. - -*Syntax*: body_canon relaxed|simple ++ -*Default*: relaxed - -Canonicalization algorithm to use for message body. With 'relaxed', whitespace within -can be modified without breaking the signature, with 'simple' no -modifications are allowed. - -*Syntax*: sig_expiry _duration_ ++ -*Default*: 120h - -Time for which signature should be considered valid. Mainly used to prevent -unauthorized resending of old messages. - -*Syntax*: hash _hash_ ++ -*Default*: sha256 - -Hash algorithm to use when computing body hash. - -sha256 is the only supported algorithm now. - -*Syntax*: newkey_algo rsa4096|rsa2048|ed25519 ++ -*Default*: rsa2048 - -Algorithm to use when generating a new key. - -*Syntax*: require_sender_match _ids..._ ++ -*Default*: envelope auth - -Require specified identifiers to match From header field and key domain, -otherwise - don't sign the message. - -If From field contains multiple addresses, message will not be -signed unless allow_multiple_from is also specified. In that -case only first address will be compared. - -Matching is done in a case-insensitive way. - -Valid values: -- off + - Disable check, always sign. -- envelope + - Require MAIL FROM address to match From header. -- auth + - If authorization identity contains @ - then require it to - fully match From header. Otherwise, check only local-part - (username). - -*Syntax*: allow_multiple_from _boolean_ ++ -*Default*: no - -Allow multiple addresses in From header field for purposes of -require_sender_match checks. Only first address will be checked, however. - -*Syntax*: sign_subdomains _boolean_ ++ -*Default*: no - -Sign emails from subdomains using a top domain key. - -Allows only one domain to be specified (can be workarounded using modify.dkim -multiple times). - -# Envelope sender / recipient rewriting (modify.replace_sender, modify.replace_rcpt) - -'replace_sender' and 'replace_rcpt' modules replace SMTP envelope addresses -based on the mapping defined by the table module (maddy-tables(5)). Currently, -only 1:1 mappings are supported (that is, it is not possible to specify -multiple replacements for a single address). - -The address is normalized before lookup (Punycode in domain-part is decoded, -Unicode is normalized to NFC, the whole string is case-folded). - -First, the whole address is looked up. If there is no replacement, local-part -of the address is looked up separately and is replaced in the address while -keeping the domain part intact. Replacements are not applied recursively, that -is, lookup is not repeated for the replacement. - -Recipients are not deduplicated after expansion, so message may be delivered -multiple times to a single recipient. However, used delivery target can apply -such deduplication (imapsql storage does it). - -Definition: -``` -replace_rcpt
[table arguments] { - [extended table config] -} -replace_sender
[table arguments] { - [extended table config] -} -``` - -Use examples: -``` -modify { - replace_rcpt file /etc/maddy/aliases - replace_rcpt static { - entry a@example.org b@example.org - } - replace_rcpt regexp "(.+)@example.net" "$1@example.org" -} -``` - -Possible contents of /etc/maddy/aliases in the example above: -``` -# Replace 'cat' with any domain to 'dog'. -# E.g. cat@example.net -> dog@example.net -cat: dog - -# Replace cat@example.org with cat@example.com. -# Takes priority over the previous line. -cat@example.org: cat@example.com -``` - -# System command filter (check.command) - -This module executes an arbitrary system command during a specified stage of -checks execution. - -``` -command executable_name arg0 arg1 ... { - run_on body - - code 1 reject - code 2 quarantine -} -``` - -## Arguments - -The module arguments specify the command to run. If the first argument is not -an absolute path, it is looked up in the Libexec Directory (/usr/lib/maddy on -Linux) and in $PATH (in that ordering). Note that no additional handling -of arguments is done, especially, the command is executed directly, not via the -system shell. - -There is a set of special strings that are replaced with the corresponding -message-specific values: - -- {source_ip} - - IPv4/IPv6 address of the sending MTA. - -- {source_host} - - Hostname of the sending MTA, from the HELO/EHLO command. - -- {source_rdns} - - PTR record of the sending MTA IP address. - -- {msg_id} - - Internal message identifier. Unique for each delivery. - -- {auth_user} - - Client username, if authenticated using SASL PLAIN - -- {sender} - - Message sender address, as specified in the MAIL FROM SMTP command. - -- {rcpts} - - List of accepted recipient addresses, including the currently handled - one. - -- {address} - - Currently handled address. This is a recipient address if the command - is called during RCPT TO command handling ('run_on rcpt') or a sender - address if the command is called during MAIL FROM command handling ('run_on - sender'). - - -If value is undefined (e.g. {source_ip} for a message accepted over a Unix -socket) or unavailable (the command is executed too early), the placeholder -is replaced with an empty string. Note that it can not remove the argument. -E.g. -i {source_ip} will not become just -i, it will be -i "" - -Undefined placeholders are not replaced. - -## Command stdout - -The command stdout must be either empty or contain a valid RFC 5322 header. -If it contains a byte stream that does not look a valid header, the message -will be rejected with a temporary error. - -The header from stdout will be *prepended* to the message header. - -## Configuration directives - -*Syntax*: run_on conn|sender|rcpt|body ++ -*Default*: body - -When to run the command. This directive also affects the information visible -for the message. - -- conn - - Run before the sender address (MAIL FROM) is handled. - - *Stdin*: Empty ++ -*Available placeholders*: {source_ip}, {source_host}, {msg_id}, {auth_user}. - -- sender - - Run during sender address (MAIL FROM) handling. - - *Stdin*: Empty ++ -*Available placeholders*: conn placeholders + {sender}, {address}. - - The {address} placeholder contains the MAIL FROM address. - -- rcpt - - Run during recipient address (RCPT TO) handling. The command is executed - once for each RCPT TO command, even if the same recipient is specified - multiple times. - - *Stdin*: Empty ++ -*Available placeholders*: sender placeholders + {rcpts}. - - The {address} placeholder contains the recipient address. - -- body - - Run during message body handling. - - *Stdin*: The message header + body ++ -*Available placeholders*: all except for {address}. - -*Syntax*: ++ - code _integer_ ignore ++ - code _integer_ quarantine ++ - code _integer_ reject [SMTP code] [SMTP enhanced code] [SMTP message] - -This directives specified the mapping from the command exit code _integer_ to -the message pipeline action. - -Two codes are defined implicitly, exit code 1 causes the message to be rejected -with a permanent error, exit code 2 causes the message to be quarantined. Both -action can be overriden using the 'code' directive. - -## Milter protocol check (check.milter) - -The 'milter' implements subset of Sendmail's milter protocol that can be used -to integrate external software in maddy. - -Notable limitations of protocol implementation in maddy include: -1. Changes of envelope sender address are not supported -2. Removal and addition of envelope recipients is not supported -3. Removal and replacement of header fields is not supported -4. Headers fields can be inserted only on top -5. Milter does not receive some "macros" provided by sendmail. - -Restrictions 1 and 2 are inherent to the maddy checks interface and cannot be -removed without major changes to it. Restrictions 3, 4 and 5 are temporary due to -incomplete implementation. - -``` -check.milter { - endpoint - fail_open false -} - -milter -``` - -## Arguments - -When defined inline, the first argument specifies endpoint to access milter -via. See below. - -## Configuration directives - -**Syntax:** endpoint _scheme://path_ ++ -**Default:** not set - -Specifies milter protocol endpoint to use. -The endpoit is specified in standard URL-like format: -'tcp://127.0.0.1:6669' or 'unix:///var/lib/milter/filter.sock' - -**Syntax:** fail_open _boolean_ ++ -**Default:** false - -Toggles behavior on milter I/O errors. If false ("fail closed") - message is -rejected with temporary error code. If true ("fail open") - check is skipped. - -## rspamd check (check.rspamd) - -The 'rspamd' module implements message filtering by contacting the rspamd -server via HTTP API. - -``` -check.rspamd { - tls_client { ... } - api_path http://127.0.0.1:11333 - settings_id whatever - tag maddy - hostname mx.example.org - io_error_action ignore - error_resp_action ignore - add_header_action quarantine - rewrite_subj_action quarantine - flags pass_all -} - -rspamd http://127.0.0.1:11333 -``` - -## Configuration directives - -*Syntax:* tls_client { ... } ++ -*Default:* not set - -Configure TLS client if HTTPS is used, see *maddy-tls*(5) for details. - -*Syntax:* api_path _url_ ++ -*Default:* http://127.0.0.1:11333 - -URL of HTTP API endpoint. Supports both HTTP and HTTPS and can include -path element. - -*Syntax:* settings_id _string_ ++ -*Default:* not set - -Settings ID to pass to the server. - -*Syntax:* tag _string_ ++ -*Default:* maddy - -Value to send in MTA-Tag header field. - -*Syntax:* hostname _string_ ++ -*Default:* value of global directive - -Value to send in MTA-Name header field. - -*Syntax:* io_error_action _action_ ++ -*Default:* ignore - -Action to take in case of inability to contact the rspamd server. - -*Syntax:* error_resp_action _action_ ++ -*Default:* ignore - -Action to take in case of 5xx or 4xx response received from the rspamd server. - -*Syntax:* add_header_action _action_ ++ -*Default:* quarantine - -Action to take when rspamd requests to "add header". - -X-Spam-Flag and X-Spam-Score are added to the header irregardless of value. - -*Syntax:* rewrite_subj_action _action_ ++ -*Default:* quarantine - -Action to take when rspamd requests to "rewrite subject". - -X-Spam-Flag and X-Spam-Score are added to the header irregardless of value. - -*Syntax:* flags _string list..._ ++ -*Default:* pass_all - -Flags to pass to the rspamd server. -See https://rspamd.com/doc/architecture/protocol.html for details. - -## MAIL FROM and From authorization (check.authorize_sender) - -This check verifies that envelope and header sender addresses belong -to the authenticated user. Address ownership is established via table -that maps each user account to a email address it is allowed to use. -There are some special cases, see user_to_email description below. - -``` -check.authorize_sender { - prepare_email identity - user_to_email identity - check_header yes - - unauth_action reject - no_match_action reject - malformed_action reject - err_action reject - - auth_normalize precis_casefold_email - from_normalize precis_casefold_email -} -``` -``` -check { - authorize_sender { ... } -} -``` - -## Configuration directives - -*Syntax:* user_to_email _table_ ++ -*Default:* identity - -Table to use for lookups. Result of the lookup should contain either the -domain name, the full email address or "*" string. If it is just domain - user -will be allowed to use any mailbox within a domain as a sender address. -If result contains "*" - user will be allowed to use any address. - -*Syntax:* check_header _boolean_ ++ -*Default:* yes - -Whether to verify header sender in addition to envelope. - -Either Sender or From field value should match the -authorization identity. - -*Syntax:* unauth_action _action_ ++ -*Default:* reject - -What to do if the user is not authenticated at all. - -*Syntax:* no_match_action _action_ ++ -*Default:* reject - -What to do if user is not allowed to use the sender address specified. - -*Syntax:* malformed_action _action_ ++ -*Default:* reject - -What to do if From or Sender header fields contain malformed values. - -*Syntax:* err_action _action_ ++ -*Default:* reject - -What to do if error happens during prepare_email or user_to_email lookup. - -*Syntax:* auth_normalize _action_ ++ -*Default:* precis_casefold_email - -Normalization function to apply to authorization username before -further processing. - -Available options: -- precis_casefold_email PRECIS UsernameCaseMapped profile + U-labels form for domain -- precis_casefold PRECIS UsernameCaseMapped profile for the entire string -- precis_email PRECIS UsernameCasePreserved profile + U-labels form for domain -- precis PRECIS UsernameCasePreserved profile for the entire string -- casefold Convert to lower case -- noop Nothing - -*Syntax:* from_normalize _action_ ++ -*Default:* precis_casefold_email - -Normalization function to apply to email addresses before -further processing. - -Available options are same as for auth_normalize. \ No newline at end of file diff --git a/docs/man/maddy-smtp.5.scd b/docs/man/maddy-smtp.5.scd deleted file mode 100644 index 899ae04..0000000 --- a/docs/man/maddy-smtp.5.scd +++ /dev/null @@ -1,642 +0,0 @@ -maddy-smtp(5) "maddy mail server" "maddy reference documentation" - -; TITLE SMTP endpoint module - -# SMTP endpoint module (smtp) - -Module 'smtp' is a listener that implements ESMTP protocol with optional -authentication, LMTP and Submission support. Incoming messages are processed in -accordance with pipeline rules (explained in Message pipeline section below). - -``` -smtp tcp://0.0.0.0:25 { - hostname example.org - tls /etc/ssl/private/cert.pem /etc/ssl/private/pkey.key - io_debug no - debug no - insecure_auth no - read_timeout 10m - write_timeout 1m - max_message_size 32M - max_header_size 1M - auth pam - defer_sender_reject yes - dmarc yes - smtp_max_line_length 4000 - limits { - endpoint rate 10 - endpoint concurrency 500 - } - - # Example pipeline ocnfiguration. - destination example.org { - deliver_to &local_mailboxes - } - default_destination { - reject - } -} -``` - -## Configuration directives - -*Syntax*: hostname _string_ ++ -*Default*: global directive value - -Server name to use in SMTP banner. - -``` -220 example.org ESMTP Service Ready -``` - -*Syntax*: tls _certificate_path_ _key_path_ { ... } ++ -*Default*: global directive value - -TLS certificate & key to use. Fine-tuning of other TLS properties is possible -by specifing a configuration block and options inside it: -``` -tls cert.crt key.key { - protocols tls1.2 tls1.3 -} -``` -See section 'TLS configuration' in *maddy*(1) for valid options. - -*Syntax*: io_debug _boolean_ ++ -*Default*: no - -Write all commands and responses to stderr. - -*Syntax*: debug _boolean_ ++ -*Default*: global directive value - -Enable verbose logging. - -*Syntax*: insecure_auth _boolean_ ++ -*Default*: no (yes if TLS is disabled) - -Allow plain-text authentication over unencrypted connections. Not recommended! - -*Syntax*: read_timeout _duration_ ++ -*Default*: 10m - -I/O read timeout. - -*Syntax*: write_timeout _duration_ ++ -*Default*: 1m - -I/O write timeout. - -*Syntax*: max_message_size _size_ ++ -*Default*: 32M - -Limit the size of incoming messages to 'size'. - -*Syntax*: max_header_size _size_ ++ -*Default*: 1M - -Limit the size of incoming message headers to 'size'. - -*Syntax*: auth _module_reference_ ++ -*Default*: not specified - -Use the specified module for authentication. - -*Syntax*: defer_sender_reject _boolean_ ++ -*Default*: yes - -Apply sender-based checks and routing logic when first RCPT TO command -is received. This allows maddy to log recipient address of the rejected -message and also improves interoperability with (improperly implemented) -clients that don't expect an error early in session. - -*Syntax*: max_logged_rcpt_errors _integer_ ++ -*Default*: 5 - -Amount of RCPT-time errors that should be logged. Further errors will be -handled silently. This is to prevent log flooding during email dictonary -attacks (address probing). - -*Syntax*: max_received _integer_ ++ -*Default*: 50 - -Max. amount of Received header fields in the message header. If the incoming -message has more fields than this number, it will be rejected with the permanent error -5.4.6 ("Routing loop detected"). - -*Syntax*: ++ - buffer ram ++ - buffer fs _[path]_ ++ - buffer auto _max_size_ _[path]_ ++ -*Default*: auto 1M StateDirectory/buffer - -Temporary storage to use for the body of accepted messages. - -- ram - -Store the body in RAM. - -- fs - -Write out the message to the FS and read it back as needed. -_path_ can be omitted and defaults to StateDirectory/buffer. - -- auto - -Store message bodies smaller than _max_size_ entirely in RAM, otherwise write -them out to the FS. -_path_ can be omitted and defaults to StateDirectory/buffer. - -*Syntax*: smtp_max_line_length _integer_ ++ -*Default*: 4000 - -The maximum line length allowed in the SMTP input stream. If client sends a -longer line - connection will be closed and message (if any) will be rejected -with a permanent error. - -RFC 5321 has the recommended limit of 998 bytes. Servers are not required -to handle longer lines correctly but some senders may produce them. - -Unless BDAT extension is used by the sender, this limitation also applies to -the message body. - -*Syntax*: dmarc _boolean_ ++ -*Default*: yes - -Enforce sender's DMARC policy. Due to implementation limitations, it is not a -check module. - -*NOTE*: Report generation is not implemented now. - -*NOTE*: DMARC needs SPF and DKIM checks to function correctly. -Without these, DMARC check will not run. - -## Rate & concurrency limiting - -*Syntax*: limits _config block_ ++ -*Default*: no limits - -This allows configuring a set of message flow restrictions including -max. concurrency and rate per-endpoint, per-source, per-destination. - -Limits are specified as directives inside the block: -``` -limits { - all rate 20 - destination concurrency 5 -} -``` - -Supported limits: - -- Rate limit - -*Syntax*: _scope_ rate _burst_ _[period]_ ++ -Restrict the amount of messages processed in _period_ to _burst_ messages. -If period is not specified, 1 second is used. - -- Concurrency limit - -*Syntax*: _scope_ concurrency _max_ ++ -Restrict the amount of messages processed in parallel to _max_. - -For each supported limitation, _scope_ determines whether it should be applied -for all messages ("all"), per-sender IP ("ip"), per-sender domain ("source") or -per-recipient domain ("destination"). Having a scope other than "all" means -that the restriction will be enforced independently for each group determined -by scope. E.g. "ip rate 20" means that the same IP cannot send more than 20 -messages in a scond. "destination concurrency 5" means that no more than 5 -messages can be sent in parallel to a single domain. - -*Note*: At the moment, SMTP endpoint on its own does not support per-recipient -limits. They will be no-op. If you want to enforce a per-recipient restriction -on outbound messages, do so using 'limits' directive for the 'remote' module -(see *maddy-targets*(5)). - -It is possible to share limit counters between multiple endpoints (or any other -modules). To do so define a top-level configuration block for module "limits" -and reference it where needed using standard & syntax. E.g. -``` -limits inbound_limits { - all rate 20 -} - -smtp smtp://0.0.0.0:25 { - limits &inbound_limits - ... -} - -submission tls://0.0.0.0:465 { - limits &inbound_limits - ... -} -``` -Using an "all rate" restriction in such way means that no more than 20 -messages can enter the server through both endpoints in one second. - -# Submission module (submission) - -Module 'submission' implements all functionality of the 'smtp' module and adds -certain message preprocessing on top of it, additionaly authentication is -always required. - -'submission' module checks whether addresses in header fields From, Sender, To, -Cc, Bcc, Reply-To are correct and adds Message-ID and Date if it is missing. - -``` -submission tcp://0.0.0.0:587 tls://0.0.0.0:465 { - # ... same as smtp ... -} -``` - -# LMTP module (lmtp) - -Module 'lmtp' implements all functionality of the 'smtp' module but uses -LMTP (RFC 2033) protocol. - -``` -lmtp unix://lmtp.sock { - # ... same as smtp ... -} -``` - -## Limitations of LMTP implementation - -- Can't be used with TCP. - -- Per-recipient status is not supported. - -- Delivery to 'sql' module storage is always atomic, either all recipients will - succeed or none of them will. - -# Mesage pipeline - -Message pipeline is a set of module references and associated rules that -describe how to handle messages. - -The pipeline is responsible for -- Running message filters (called "checks"), (e.g. DKIM signature verification, - DNSBL lookup and so on). - -- Running message modifiers (e.g. DKIM signature creation). - -- Assocating each message recipient with one or more delivery targets. - Delivery target is a module that does final processing (delivery) of the - message. - -Message handling flow is as follows: -- Execute checks referenced in top-level 'check' blocks (if any) - -- Execute modifiers referenced in top-level 'modify' blocks (if any) - -- If there are 'source' blocks - select one that matches message sender (as - specified in MAIL FROM). If there are no 'source' blocks - entire - configuration is assumed to be the 'default_source' block. - -- Execute checks referenced in 'check' blocks inside selected 'source' block - (if any). - -- Execute modifiers referenced in 'modify' blocks inside selected 'source' - block (if any). - -Then, for each recipient: -- Select 'destination' block that matches it. If there are - no 'destination' blocks - entire used 'source' block is interpreted as if it - was a 'default_destination' block. - -- Execute checks referenced in 'check' block inside selected 'destination' block - (if any). - -- Execute modifiers referenced in 'modify' block inside selected 'destination' - block (if any). - -- If used block contains 'reject' directive - reject the recipient with - specified SMTP status code. - -- If used block contains 'deliver_to' directive - pass the message to the - specified target module. Only recipients that are handled - by used block are visible to the target. - -Each recipient is handled only by a single 'destination' block, in case of -overlapping 'destination' - first one takes priority. -``` -destination example.org { - deliver_to targetA -} -destination example.org { # ambiguous and thus not allowed - deliver_to targetB -} -``` -Same goes for 'source' blocks, each message is handled only by a single block. - -Each recipient block should contain at least one 'deliver_to' directive or -'reject' directive. If 'destination' blocks are used, then -'default_destination' block should also be used to specify behavior for -unmatched recipients. Same goes for source blocks, 'default_source' should be -used if 'source' is used. - -That is, pipeline configuration should explicitly specify behavior for each -possible sender/recipient combination. - -Additionally, directives that specify final handling decision ('deliver_to', -'reject') can't be used at the same level as source/destination rules. -Consider example: -``` -destination example.org { - deliver_to local_mboxes -} -reject -``` -It is not obvious whether 'reject' applies to all recipients or -just for non-example.org ones, hence this is not allowed. - -Complete configuration example using all of the mentioned directives: -``` -check { - # Run a check to make sure source SMTP server identification - # is legit. - require_matching_ehlo -} - -# Messages coming from senders at example.org will be handled in -# accordance with the following configuration block. -source example.org { - # We are example.com, so deliver all messages with recipients - # at example.com to our local mailboxes. - destination example.com { - deliver_to &local_mailboxes - } - - # We don't do anything with recipients at different domains - # because we are not an open relay, thus we reject them. - default_destination { - reject 521 5.0.0 "User not local" - } -} - -# We do our business only with example.org, so reject all -# other senders. -default_source { - reject -} -``` - -## Directives - -*Syntax*: check _block name_ { ... } ++ -*Context*: pipeline configuration, source block, destination block - -List of the module references for checks that should be executed on -messages handled by block where 'check' is placed in. - -Note that message body checks placed in destination block are currently -ignored. Due to the way SMTP protocol is defined, they would cause message to -be rejected for all recipients which is not what you usually want when using -such configurations. - -Example: -``` -check { - # Reference implicitly defined default configuration for check. - require_matching_ehlo - - # Inline definition of custom config. - require_source_mx { - # Configuration for require_source_mx goes here. - fail_action reject - } -} -``` - -It is also possible to define the block of checks at the top level -as "checks" module and reference it using & syntax. Example: -``` -checks inbound_checks { - require_matching_ehlo -} - -# ... somewhere else ... -{ - ... - check &inbound_checks -} -``` - -*Syntax*: modify { ... } ++ -*Default*: not specified ++ -*Context*: pipeline configuration, source block, destination block - -List of the module references for modifiers that should be executed on -messages handled by block where 'modify' is placed in. - -Message modifiers are similar to checks with the difference in that checks -purpose is to verify whether the message is legitimate and valid per local -policy, while modifier purpose is to post-process message and its metadata -before final delivery. - -For example, modifier can replace recipient address to make message delivered -to the different mailbox or it can cryptographically sign outgoing message -(e.g. using DKIM). Some modifier can perform multiple unrelated modifications -on the message. - -*Note*: Modifiers that affect source address can be used only globally or on -per-source basis, they will be no-op inside destination blocks. Modifiers that -affect the message header will affect it for all recipients. - -It is also possible to define the block of modifiers at the top level -as "modiifers" module and reference it using & syntax. Example: -``` -modifiers local_modifiers { - replace_rcpt file /etc/maddy/aliases -} - -# ... somewhere else ... -{ - ... - modify &local_modifiers -} -``` - -*Syntax*: ++ - reject _smtp_code_ _smtp_enhanced_code_ _error_description_ ++ - reject _smtp_code_ _smtp_enhanced_code_ ++ - reject _smtp_code_ ++ - reject ++ -*Context*: destination block - -Messages handled by the configuration block with this directive will be -rejected with the specified SMTP error. - -If you aren't sure which codes to use, use 541 and 5.4.0 with your message or -just leave all arguments out, the error description will say "message is -rejected due to policy reasons" which is usually what you want to mean. - -'reject' can't be used in the same block with 'deliver_to' or -'destination/source' directives. - -Example: -``` -reject 541 5.4.0 "We don't like example.org, go away" -``` - -*Syntax*: deliver_to _target-config-block_ ++ -*Context*: pipeline configuration, source block, destination block - -Deliver the message to the referenced delivery target. What happens next is -defined solely by used target. If deliver_to is used inside 'destination' -block, only matching recipients will be passed to the target. - -*Syntax*: source_in _table reference_ { ... } ++ -*Context*: pipeline configuration - -Handle messages with envelope senders present in the specified table in -accordance with the specified configuration block. - -Takes precedence over all 'sender' directives. - -Example: -``` -source_in file /etc/maddy/banned_addrs { - reject 550 5.7.0 "You are not welcome here" -} -source example.org { - ... -} -... -``` - -See 'destination_in' documentation for note about table configuration. - -*Syntax*: source _rules..._ { ... } ++ -*Context*: pipeline configuration - -Handle messages with MAIL FROM value (sender address) matching any of the rules -in accordance with the specified configuration block. - -"Rule" is either a domain or a complete address. In case of overlapping -'rules', first one takes priority. Matching is case-insensitive. - -Example: -``` -# All messages coming from example.org domain will be delivered -# to local_mailboxes. -source example.org { - deliver_to &local_mailboxes -} -# Messages coming from different domains will be rejected. -default_source { - reject 521 5.0.0 "You were not invited" -} -``` - -*Syntax*: reroute { ... } ++ -*Context*: pipeline configuration, source block, destination block - -This directive allows to make message routing decisions based on the -result of modifiers. The block can contain all pipeline directives and they -will be handled the same with the exception that source and destination rules -will use the final recipient and sender values (e.g. after all modifiers are -applied). - -Here is the concrete example how it can be useful: -``` -destination example.org { - modify { - replace_rcpt file /etc/maddy/aliases - } - reroute { - destination example.org { - deliver_to &local_mailboxes - } - default_destination { - deliver_to &remote_queue - } - } -} -``` - -This configuration allows to specify alias local addresses to remote ones -without being an open relay, since remote_queue can be used only if remote -address was introduced as a result of rewrite of local address. - -*WARNING*: If you have DMARC enabled (default), results generated by SPF -and DKIM checks inside a reroute block *will not* be considered in DMARC -evaluation. - -*Syntax*: destination_in _table reference_ { ... } ++ -*Context*: pipeline configuration, source block - -Handle messages with envelope recipients present in the specified table in -accordance with the specified configuration block. - -Takes precedence over all 'destination' directives. - -Example: -``` -destination_in file /etc/maddy/remote_addrs { - deliver_to smtp tcp://10.0.0.7:25 -} -destination example.com { - deliver_to &local_mailboxes -} -... -``` - -Note that due to the syntax restrictions, it is not possible to specify -extended configuration for table module. E.g. this is not valid: -``` -destination_in sql_table { - dsn ... - driver ... -} { - deliver_to whatever -} -``` - -In this case, configuration should be specified separately and be referneced -using '&' syntax: -``` -table.sql_table remote_addrs { - dsn ... - driver ... -} - -whatever { - destination_in &remote_addrs { - deliver_to whatever - } -} -``` - -*Syntax*: destination _rule..._ { ... } ++ -*Context*: pipeline configuration, source block - -Handle messages with RCPT TO value (recipient address) matching any of the -rules in accordance with the specified configuration block. - -"Rule" is either a domain or a complete address. Duplicate rules are not -allowed. Matching is case-insensitive. - -Note that messages with multiple recipients are split into multiple messages if -they have recipients matched by multiple blocks. Each block will see the -message only with recipients matched by its rules. - -Example: -``` -# Messages with recipients at example.com domain will be -# delivered to local_mailboxes target. -destination example.com { - deliver_to &local_mailboxes -} - -# Messages with other recipients will be rejected. -default_destination { - rejected 541 5.0.0 "User not local" -} -``` - -## Reusable pipeline parts (msgpipeline module) - -The message pipeline can be used independently of the SMTP module in other -contexts that require a delivery target. - -Full pipeline functionality can be used where a delivery target is expected. diff --git a/docs/man/maddy-storage.5.scd b/docs/man/maddy-storage.5.scd deleted file mode 100644 index e726cbc..0000000 --- a/docs/man/maddy-storage.5.scd +++ /dev/null @@ -1,202 +0,0 @@ -maddy-targets(5) "maddy mail server" "maddy reference documentation" - -; TITLE Storage backends - -maddy storage interface is built with IMAP in mind and directly represents -IMAP data model. That is, maddy storage does have the concept of folders, -flags, message UIDs, etc defined as in RFC 3501. - -This man page lists supported storage backends along with supported -configuration directives for each. - -Most likely, you are going to use modules listed here in 'storage' directive -for IMAP endpoint module (see *maddy-imap*(5)). - -In most cases, local storage modules will auto-create accounts when they are -accessed via IMAP. This relies on authentication provider used by IMAP endpoint -to provide what essentially is access control. There is a caveat, however: this -auto-creation will not happen when delivering incoming messages via SMTP as -there is no authentication to confirm that this account should indeed be -created. - -# SQL-based database module (storage.imapsql) - -The imapsql module implements database for IMAP index and message -metadata using SQL-based relational database. - -Message contents are stored in an "external store" defined by msg_store -directive. By default this is a file system directory under /var/lib/maddy. - -Supported RDBMS: -- SQLite 3.25.0 -- PostgreSQL 9.6 or newer - -Account names are required to have the form of a email address and are -case-insensitive. UTF-8 names are supported with restrictions defined in the -PRECIS UsernameCaseMapped profile. - -``` -storage.imapsql { - driver sqlite3 - dsn imapsql.db - msg_store fs messages/ -} -``` - -imapsql module also can be used as a lookup table (*maddy-table*(5)). -It returns empty string values for existing usernames. This might be useful -with destination_in directive (*maddy-smtp*(5)) e.g. to implement catch-all -addresses (this is a bad idea to do so, this is just an example): -``` -destination_in &local_mailboxes { - deliver_to &local_mailboxes -} -destination example.org { - modify { - replace_rcpt regexp ".*" "catchall@example.org" - } - deliver_to &local_mailboxes -} -``` - - -## Arguments - -Specify the driver and DSN. - -## Configuration directives - -*Syntax*: driver _string_ ++ -*Default*: not specified - -REQUIRED. - -Use a specified driver to communicate with the database. Supported values: -sqlite3, postgres. - -Should be specified either via an argument or via this directive. - -*Syntax*: dsn _string_ ++ -*Default*: not specified - -REQUIRED. - -Data Source Name, the driver-specific value that specifies the database to use. - -For SQLite3 this is just a file path. -For PostgreSQL: https://godoc.org/github.com/lib/pq#hdr-Connection_String_Parameters - -Should be specified either via an argument or via this directive. - -*Syntax*: msg_store _store_ ++ -*Default*: fs messages/ - -Module to use for message bodies storage. - -See *maddy-blob*(5) for details. - -*Syntax*: ++ - compression off ++ - compression _algorithm_ ++ - compression _algorithm_ _level_ ++ -*Default*: off - -Apply compression to message contents. -Supported algorithms: lz4, zstd. - -*Syntax*: appendlimit _size_ ++ -*Default*: 32M - -Don't allow users to add new messages larger than 'size'. - -This does not affect messages added when using module as a delivery target. -Use 'max_message_size' directive in SMTP endpoint module to restrict it too. - -*Syntax*: debug _boolean_ ++ -*Default*: global directive value - -Enable verbose logging. - -*Syntax*: junk_mailbox _name_ ++ -*Default*: Junk - -The folder to put quarantined messages in. Thishis setting is not used if user -does have a folder with "Junk" special-use attribute. - -*Syntax*: disable_recent _boolean_ ++ -*Default: true - -Disable RFC 3501-conforming handling of \Recent flag. - -This significantly improves storage performance when SQLite3 or CockroackDB is -used at the cost of confusing clients that use this flag. - -*Syntax*: sqlite_cache_size _integer_ ++ -*Default*: defined by SQLite - -SQLite page cache size. If positive - specifies amount of pages (1 page - 4 -KiB) to keep in cache. If negative - specifies approximate upper bound -of cache size in KiB. - -*Syntax*: sqlite_busy_timeout _integer_ ++ -*Default*: 5000000 - -SQLite-specific performance tuning option. Amount of milliseconds to wait -before giving up on DB lock. - -*Syntax*: imap_filter { ... } ++ -*Default*: not set - -Specifies IMAP filters to apply for messages delivered from SMTP pipeline. - -See *maddy-imap*(5) for filter modules usable here. - -Ex. -``` -imap_filter { - command /etc/maddy/sieve.sh {account_name} -} -``` - -*Syntax:* delivery_map *table* ++ -*Default:* identity - -Use specified table module (*maddy-tables*(5)) to map recipient -addresses from incoming messages to mailbox names. - -Normalization algorithm specified in delivery_normalize is appied before -delivery_map. - -*Syntax:* delivery_normalize _name_ ++ -*Default:* precis_casefold_email - -Normalization function to apply to email addresses before mapping them -to mailboxes. - -See auth_normalize. - -*Syntax*: auth_map *table* ++ -*Default*: identity - -Use specified table module (*maddy-tables*(5)) to map authentication -usernames to mailbox names. - -Normalization algorithm specified in auth_normalize is applied before -auth_map. - -*Syntax*: auth_normalize _name_ ++ -*Default*: precis_casefold_email - -Normalization function to apply to authentication usernames before mapping -them to mailboxes. - -Available options: -- precis_casefold_email PRECIS UsernameCaseMapped profile + U-labels form for domain -- precis_casefold PRECIS UsernameCaseMapped profile for the entire string -- precis_email PRECIS UsernameCasePreserved profile + U-labels form for domain -- precis PRECIS UsernameCasePreserved profile for the entire string -- casefold Convert to lower case -- noop Nothing - -Note: On message delivery, recipient address is unconditionally normalized -using precis_casefold_email function. diff --git a/docs/man/maddy-tables.5.scd b/docs/man/maddy-tables.5.scd deleted file mode 100644 index 19a27e0..0000000 --- a/docs/man/maddy-tables.5.scd +++ /dev/null @@ -1,314 +0,0 @@ -maddy-tables(5) "maddy mail server" "maddy reference documentation" - -; TITLE String-string translation - -Whenever you need to replace one string with another when handling anything in -maddy, you can use any of the following modules to obtain the replacement -string. They are commonly called "table modules" or just "tables". - -Some table modules implement write options allowing other maddy modules to -change the source of data, effectively turning the table into a complete -interface to a key-value store for maddy. Such tables are referred to as -"mutable tables". - -# File mapping (table.file) - -This module builds string-string mapping from a text file. - -File is reloaded every 15 seconds if there are any changes (detected using -modification time). No changes are applied if file contains syntax errors. - -Definition: -``` -file -``` -or -``` -file { - file -} -``` - -Usage example: -``` -# Resolve SMTP address aliases using text file mapping. -modify { - replace_rcpt file /etc/maddy/aliases -} -``` - -## Syntax - -Better demonstrated by examples: - -``` -# Lines starting with # are ignored. - -# And so are lines only with whitespace. - -# Whenever 'aaa' is looked up, return 'bbb' -aaa: bbb - - # Trailing and leading whitespace is ignored. - ccc: ddd - -# If there is no colon, the string is translated into "" -# That is, the following line is equivalent to -# aaa: -aaa - -# If the same key is used multiple times - table.file will return -# multiple values when queries. Note that this is not used by -# most modules. E.g. replace_rcpt does not (intentionally) support -# 1-to-N alias expansion. -ddd: firstvalue -ddd: secondvalue -``` - -# SQL query mapping (table.sql_query) - -The sql_query module implements table interface using SQL queries. - -Definition: -``` -table.sql_query { - driver - dsn - lookup - - # Optional: - init - list - add - del - set -} -``` - -Usage example: -``` -# Resolve SMTP address aliases using PostgreSQL DB. -modify { - replace_rcpt sql_query { - driver postgres - dsn "dbname=maddy user=maddy" - lookup "SELECT alias FROM aliases WHERE address = $1" - } -} -``` - -## Configuration directives - -**Syntax**: driver _driver name_ ++ -**REQUIRED** - -Driver to use to access the database. - -Supported drivers: postgres, sqlite3 (if compiled with C support) - -**Syntax**: dsn _data source name_ ++ -**REQUIRED** - -Data Source Name to pass to the driver. For SQLite3 this is just a path to DB -file. For Postgres, see -https://pkg.go.dev/github.com/lib/pq?tab=doc#hdr-Connection_String_Parameters - -**Syntax**: lookup _query_ ++ -**REQUIRED** - -SQL query to use to obtain the lookup result. - -It will get one named argument containing the lookup key. Use :key -placeholder to access it in SQL. The result row set should contain one row, one -column with the string that will be used as a lookup result. If there are more -rows, they will be ignored. If there are more columns, lookup will fail. If -there are no rows, lookup returns "no results". If there are any error - lookup -will fail. - -**Syntax**: init _queries..._ ++ -**Default**: empty - -List of queries to execute on initialization. Can be used to configure RDBMS. - -Example, to improve SQLite3 performance: -``` -table.sql_query { - driver sqlite3 - dsn whatever.db - init "PRAGMA journal_mode=WAL" \ - "PRAGMA synchronous=NORMAL" - lookup "SELECT alias FROM aliases WHERE address = $1" -} -``` - -*Syntax:* named_args _boolean_ ++ -*Default:* yes - -Whether to use named parameters binding when executing SQL queries -or not. - -Note that maddy's PostgreSQL driver does not support named parameters and -SQLite3 driver has issues handling numbered parameters: -https://github.com/mattn/go-sqlite3/issues/472 - -**Syntax:** add _query_ ++ -**Syntax:** list _query_ ++ -**Syntax:** set _query_ ++ -**Syntax:** del _query_ ++ -**Default:** none - -If queries are set to implement corresponding table operations - table becomes -"mutable" and can be used in contexts that require writable key-value store. - -'add' query gets :key, :value named arguments - key and value strings to store. -They should be added to the store. The query *should* not add multiple values -for the same key and *should* fail if the key already exists. - -'list' query gets no arguments and should return a column with all keys in -the store. - -'set' query gets :key, :value named arguments - key and value and should replace the existing -entry in the database. - -'del' query gets :key argument - key and should remove it from the database. - -If named_args is set to "no" - key is passed as the first numbered parameter -($1), value is passed as the second numbered parameter ($2). - -# Static table (table.static) - -The 'static' module implements table lookups using key-value pairs in its -configuration. - -``` -table.static { - entry KEY1 VALUE1 - entry KEY2 VALUE2 - ... -} -``` - -## Configuration directives - -**Syntax**: entry _key_ _value_ - -Add an entry to the table. - -If the same key is used multiple times, the last one takes effect. - -# Regexp rewrite table (table.regexp) - -The 'regexp' module implements table lookups by applying a regular expression -to the key value. If it matches - 'replacement' value is returned with $N -placeholders being replaced with corresponding capture groups from the match. -Otherwise, no value is returned. - -The regular expression syntax is the subset of PCRE. See -https://golang.org/pkg/regexp/syntax/ for details. - -``` -table.regexp [replacement] { - full_match yes - case_insensitive yes - expand_placeholders yes -} -``` - -Note that [replacement] is optional. If it is not included - table.regexp -will return the original string, therefore acting as a regexp match check. -This can be useful in combination in destination_in (*maddy-smtp*(5)) for -advanced matching: -``` -destination_in regexp ".*-bounce+.*@example.com" { - ... -} -``` - -## Configuration directives - -**Syntax**: full_match _boolean_ ++ -**Default**: yes - -Whether to implicitly add start/end anchors to the regular expression. -That is, if 'full_match' is yes, then the provided regular expression should -match the whole string. With no - partial match is enough. - -**Syntax**: case_insensitive _boolean_ ++ -**Default**: yes - -Whether to make matching case-insensitive. - -**Syntax**: expand_placeholders _boolean_ ++ -**Default**: yes - -Replace '$name' and '${name}' in the replacement string with contents of -corresponding capture groups from the match. - -To insert a literal $ in the output, use $$ in the template. - -# Identity table (table.identity) - -The module 'identity' is a table module that just returns the key looked up. - -``` -table.identity { } -``` - -# No-op table (dummy) - -The module 'dummy' represents an empty table. - -``` -dummy { } -``` - -# Email local part (table.email_localpart) - -The module 'email_localpart' extracts and unescaped local ("username") part -of the email address. - -E.g. -test@example.org => test -"test @ a"@example.org => test @ a - -``` -table.email_localpart { } -``` - -# Table chaining module (table.chain) - -The table.chain module allows chaining together multiple table modules -by using value returned by a previous table as an input for the second -table. - -Example: -``` -table.chain { - step regexp "(.+)(\\+[^+"@]+)?@example.org" "$1@example.org" - step file /etc/maddy/emails -} -``` -This will strip +prefix from mailbox before looking it up -in /etc/maddy/emails list. - -## Configuration directives - -*Syntax*: step _table_ - -Adds a table module to the chain. If input value is not in the table -(e.g. file) - return "not exists" error. - -*Syntax*: optional_step _table_ - -Same as step but if input value is not in the table - it is passed to the -next step without changes. - -Example: -Something like this can be used to map emails to usernames -after translating them via aliases map: -``` -table.chain { - optional_step file /etc/maddy/aliases - step regexp "(.+)@(.+)" "$1" -} -``` diff --git a/docs/man/maddy-targets.5.scd b/docs/man/maddy-targets.5.scd deleted file mode 100644 index 6f591f5..0000000 --- a/docs/man/maddy-targets.5.scd +++ /dev/null @@ -1,457 +0,0 @@ -maddy-targets(5) "maddy mail server" "maddy reference documentation" - -; TITLE Delivery targets - -This man page describes modules that can used with 'deliver_to' directive -of SMTP endpoint module. - -# SQL module (target.imapsql) - -SQL module described in *maddy-storage*(5) can also be used as a delivery -target. - -# Queue module (target.queue) - -Queue module buffers messages on disk and retries delivery multiple times to -another target to ensure reliable delivery. - -``` -target.queue { - target remote - location ... - max_parallelism 16 - max_tries 4 - bounce { - destination example.org { - deliver_to &local_mailboxes - } - default_destination { - reject - } - } - - autogenerated_msg_domain example.org - debug no -} -``` - -## Arguments - -First argument specifies directory to use for storage. -Relative paths are relative to the StateDirectory. - -## Configuration directives - -*Syntax*: target _block_name_ ++ -*Default*: not specified - -REQUIRED. - -Delivery target to use for final delivery. - -*Syntax*: location _directory_ ++ -*Default*: StateDirectory/configuration_block_name - -File system directory to use to store queued messages. -Relative paths are relative to the StateDirectory. - -*Syntax*: max_parallelism _integer_ ++ -*Default*: 16 - -Start up to _integer_ goroutines for message processing. Basically, this option -limits amount of messages tried to be delivered concurrently. - -*Syntax*: max_tries _integer_ ++ -*Default*: 20 - -Attempt delivery up to _integer_ times. Note that no more attempts will be done -is permanent error occured during previous attempt. - -Delay before the next attempt will be increased exponentally using the -following formula: 15mins \* 1.2 ^ (n - 1) where n is the attempt number. -This gives you approximately the following sequence of delays: -18mins, 21mins, 25mins, 31mins, 37mins, 44mins, 53mins, 64mins, ... - -*Syntax*: bounce { ... } ++ -*Default*: not specified - -This configuration contains pipeline configuration to be used for generated DSN -(Delivery Status Notifiaction) messages. - -If this is block is not present in configuration, DSNs will not be generated. -Note, however, this is not what you want most of the time. - -*Syntax*: autogenerated_msg_domain _domain_ ++ -*Default*: global directive value - -Domain to use in sender address for DSNs. Should be specified too if 'bounce' -block is specified. - -*Syntax*: debug _boolean_ ++ -*Default*: no - -Enable verbose logging. - -# Remote MX module (remote) - -Module that implements message delivery to remote MTAs discovered via DNS MX -records. You probably want to use it with queue module for reliability. - -``` -target.remote { - hostname mx.example.org - debug no -} -``` - -If a message check marks a message as 'quarantined', remote module -will refuse to deliver it. - -## Configuration directives - -*Syntax*: hostname _domain_ ++ -*Default*: global directive value - -Hostname to use client greeting (EHLO/HELO command). Some servers require it to -be FQDN, SPF-capable servers check whether it corresponds to the server IP -address, so it is better to set it to a domain that resolves to the server IP. - -*Syntax*: limits _config block_ ++ -*Default*: no limits - -See 'limits' directive in *maddy-smtp*(5) for SMTP endpoint. -It works the same except for address domains used for -per-source/per-destination are as observed when message exits the server. - -*Syntax*: local_ip _IP address_ ++ -*Default*: empty - -Choose the local IP to bind for outbound SMTP connections. - -*Syntax*: connect_timeout _duration_ ++ -*Default*: 5m - -Timeout for TCP connection establishment. - -RFC 5321 recommends 5 minutes for "initial greeting" that includes TCP -handshake. maddy uses two separate timers - one for "dialing" (DNS A/AAAA -lookup + TCP handshake) and another for "initial greeting". This directive -configures the former. The latter is not configurable and is hardcoded to be -5 minutes. - -*Syntax*: command_timeout _duration_ ++ -*Default*: 5m - -Timeout for any SMTP command (EHLO, MAIL, RCPT, DATA, etc). - -If STARTTLS is used this timeout also applies to TLS handshake. - -RFC 5321 recommends 5 minutes for MAIL/RCPT and 3 minutes for -DATA. - -*Syntax*: submission_timeout _duration_ ++ -*Default*: 12m - -Time to wait after the entire message is sent (after "final dot"). - -RFC 5321 recommends 10 minutes. - -*Syntax*: debug _boolean_ ++ -*Default*: global directive value - -Enable verbose logging. - -*Syntax*: requiretls_override _boolean_ ++ -*Default*: true - -Allow local security policy to be disabled using 'TLS-Required' header field in -sent messages. Note that the field has no effect if transparent forwarding is -used, message body should be processed before outbound delivery starts for it -to take effect (e.g. message should be queued using 'queue' module). - -*Syntax*: relaxed_requiretls _boolean_ ++ -*Default*: true - -This option disables strict conformance with REQUIRETLS specification and -allows forwarding of messages 'tagged' with REQUIRETLS to MXes that are not -advertising REQUIRETLS support. It is meant to allow REQUIRETLS use without the -need to have support from all servers. It is based on the assumption that -server referenced by MX record is likely the final destination and therefore -there is only need to secure communication towards it and not beyond. - -*Syntax*: conn_reuse_limit _integer_ ++ -*Default*: 10 - -Amount of times the same SMTP connection can be used. -Connections are never reused if the previous DATA command failed. - -*Syntax*: conn_max_idle_count _integer_ ++ -*Default*: 10 - -Max. amount of idle connections per recipient domains to keep in cache. - -*Syntax*: conn_max_idle_time _integer_ ++ -*Default*: 150 (2.5 min) - -Amount of time the idle connection is still considered potentially usable. - -## Security policies - -*Syntax*: mx_auth _config block_ ++ -*Default*: no policies - -'remote' module implements a number of of schemes and protocols necessary to -ensure security of message delivery. Most of these schemes are concerned with -authentication of recipient server and TLS enforcement. - -To enable mechanism, specify its name in the mx_auth directive block: -``` -mx_auth { - dane - mtasts -} -``` -Additional configuration is possible if supported by the mechanism by -specifying additional options as a block for the corresponding mechanism. -E.g. -``` -mtasts { - cache ram -} -``` - -If the mx_auth directive is not specified, no mechanisms are enabled. Note -that, however, this makes outbound SMTP vulnerable to a numberous downgrade -attacks and hence not recommended. - -It is possible to share the same set of policies for multiple 'remote' module -instances by defining it at the top-level using 'mx_auth' module and then -referencing it using standard & syntax: -``` -mx_auth outbound_policy { - dane - mtasts { - cache ram - } -} - -# ... somewhere else ... - -deliver_to remote { - mx_auth &outbound_policy -} - -# ... somewhere else ... - -deliver_to remote { - mx_auth &outbound_policy - tls_client { ... } -} -``` - -## Security policies: MTA-STS - -Checks MTA-STS policy of the recipient domain. Provides proper authentication -and TLS enforcement for delivery, but partially vulnerable to persistent active -attacks. - -Sets MX level to "mtasts" if the used MX matches MTA-STS policy even if it is -not set to "enforce" mode. - -``` -mtasts { - cache fs - fs_dir StateDirectory/mtasts_cache -} -``` - -*Syntax*: cache fs|ram ++ -*Default*: fs - -Storage to use for MTA-STS cache. 'fs' is to use a filesystem directory, 'ram' -to store the cache in memory. - -It is recommended to use 'fs' since that will not discard the cache (and thus -cause MTA-STS security to disappear) on server restart. However, using the RAM -cache can make sense for high-load configurations with good uptime. - -*Syntax*: fs_dir _directory_ ++ -*Default*: StateDirectory/mtasts_cache - -Filesystem directory to use for policies caching if 'cache' is set to 'fs'. - -## Security policies: DNSSEC - -Checks whether MX records are signed. Sets MX level to "dnssec" is they are. - -maddy does not validate DNSSEC signatures on its own. Instead it reslies on -the upstream resolver to do so by causing lookup to fail when verification -fails and setting the AD flag for signed and verfified zones. As a safety -measure, if the resolver is not 127.0.0.1 or ::1, the AD flag is ignored. - -DNSSEC is currently not supported on Windows and other platforms that do not -have the /etc/resolv.conf file in the standard format. - -``` -dnssec { } -``` - -## Security policies: DANE - -Checks TLSA records for the recipient MX. Provides downgrade-resistant TLS -enforcement. - -Sets TLS level to "authenticated" if a valid and matching TLSA record uses -DANE-EE or DANE-TA usage type. - -See above for notes on DNSSEC. DNSSEC support is required for DANE to work. - -``` -dane { } -``` - -## Security policies: Local policy - -Checks effective TLS and MX levels (as set by other policies) against local -configuration. - -``` -local_policy { - min_tls_level none - min_mx_level none -} -``` - -Using 'local_policy off' is equivalent to setting both directives to 'none'. - -*Syntax*: min_tls_level none|encrypted|authenticated ++ -*Default*: none - -Set the minimal TLS security level required for all outbound messages. - -See [Security levels](../../seclevels) page for details. - -*Syntax*: min_mx_level: none|mtasts|dnssec ++ -*Default*: none - -Set the minimal MX security level required for all outbound messages. - -See [Security levels](../../seclevels) page for details. - -# SMTP transparent forwarding module (target.smtp) - -Module that implements transparent forwarding of messages over SMTP. - -Use in pipeline configuration: -``` -deliver_to smtp tcp://127.0.0.1:5353 -# or -deliver_to smtp tcp://127.0.0.1:5353 { - # Other settings, see below. -} -``` - -``` -target.smtp { - debug no - tls_client { - ... - } - attempt_starttls yes - require_yes no - auth off - targets tcp://127.0.0.1:2525 - connect_timeout 5m - command_timeout 5m - submission_timeout 12m -} -``` - -Endpoint addresses use format described in *maddy-config*(5). - -## Configuration directives - -*Syntax*: debug _boolean_ ++ -*Default*: global directive value - -Enable verbose logging. - -*Syntax*: tls_client { ... } ++ -*Default*: not specified - -Advanced TLS client configuration options. See *maddy-tls*(5) for details. - -*Syntax*: attempt_starttls _boolean_ ++ -*Default*: yes (no for target.lmtp) - -Attempt to use STARTTLS if it is supported by the remote server. -If TLS handshake fails, connection will be retried without STARTTLS -unless 'require_tls' is also specified. - -*Syntax*: require_tls _boolean_ ++ -*Default*: no - -Refuse to pass messages over plain-text connections. - -*Syntax*: ++ - auth off ++ - plain _username_ _password_ ++ - forward ++ - external ++ -*Default*: off - -Specify the way to authenticate to the remote server. -Valid values: - -- off - - No authentication. - -- plain - - Authenticate using specified username-password pair. - *Don't use* this without enforced TLS ('require_tls'). - -- forward - - Forward credentials specified by the client. - *Don't use* this without enforced TLS ('require_tls'). - -- external - - Request "external" SASL authentication. This is usually used for - authentication using TLS client certificates. See *maddy-tls*(5) - for how to specify the client certificate. - -*Syntax*: targets _endpoints..._ ++ -*Default:* not specified - -REQUIRED. - -List of remote server addresses to use. See Address definitions in -*maddy-config*(5) for syntax to use. Basically, it is 'tcp://ADDRESS:PORT' -for plain SMTP and 'tls://ADDRESS:PORT' for SMTPS (aka SMTP with Implicit -TLS). - -Multiple addresses can be specified, they will be tried in order until connection to -one succeeds (including TLS handshake if TLS is required). - -*Syntax*: connect_timeout _duration_ ++ -*Default*: 5m - -Same as for target.remote. - -*Syntax*: command_timeout _duration_ ++ -*Default*: 5m - -Same as for target.remote. - -*Syntax*: submission_timeout _duration_ ++ -*Default*: 12m - -Same as for target.remote. - -# LMTP transparent forwarding module (target.lmtp) - -The 'target.lmtp' module is similar to 'target.smtp' and supports all -its options and syntax but speaks LMTP instead of SMTP. diff --git a/docs/man/maddy-tls.5.scd b/docs/man/maddy-tls.5.scd deleted file mode 100644 index 3307820..0000000 --- a/docs/man/maddy-tls.5.scd +++ /dev/null @@ -1,379 +0,0 @@ -maddy-tls(5) "maddy mail server" "maddy reference documentation" - -; TITLE Advanced TLS configuration - -# TLS server configuration - -TLS certificates are obtained by modules called "certificate loaders". 'tls' directive -arguments specify name of loader to use and arguments. Due to syntax limitations -advanced configuration for loader should be specified using 'loader' directive, see -below. - -``` -tls file cert.pem key.pem { - protocols tls1.2 tls1.3 - curve X25519 - ciphers ... -} - -tls { - loader file cert.pem key.pem { - # Options for loader go here. - } - protocols tls1.2 tls1.3 - curve X25519 - ciphers ... -} -``` - -## Available certificate loaders - -- file - - Accepts argument pairs specifying certificate and then key. - E.g. 'tls file certA.pem keyA.pem certB.pem keyB.pem' - - If multiple certificates are listed, SNI will be used. - -- acme - - Automatically obtains a certificate using ACME protocol (Let's Encrypt) - - See below for details. - -- off - - Not really a loader but a special value for tls directive, explicitly disables TLS for - endpoint(s). - -## Advanced TLS configuration - -*Note: maddy uses secure defaults and TLS handshake is resistant to active downgrade attacks.* -*There is no need to change anything in most cases.* - -*Syntax*: ++ - protocols _min_version_ _max_version_ ++ - protocols _version_ ++ -*Default*: tls1.0 tls1.3 - -Minimum/maximum accepted TLS version. If only one value is specified, it will -be the only one usable version. - -Valid values are: tls1.0, tls1.1, tls1.2, tls1.3 - -*Syntax*: ciphers _ciphers..._ ++ -*Default*: Go version-defined set of 'secure ciphers', ordered by hardware -performance - -List of supported cipher suites, in preference order. Not used with TLS 1.3. - -Valid values: - -- RSA-WITH-RC4128-SHA -- RSA-WITH-3DES-EDE-CBC-SHA -- RSA-WITH-AES128-CBC-SHA -- RSA-WITH-AES256-CBC-SHA -- RSA-WITH-AES128-CBC-SHA256 -- RSA-WITH-AES128-GCM-SHA256 -- RSA-WITH-AES256-GCM-SHA384 -- ECDHE-ECDSA-WITH-RC4128-SHA -- ECDHE-ECDSA-WITH-AES128-CBC-SHA -- ECDHE-ECDSA-WITH-AES256-CBC-SHA -- ECDHE-RSA-WITH-RC4128-SHA -- ECDHE-RSA-WITH-3DES-EDE-CBC-SHA -- ECDHE-RSA-WITH-AES128-CBC-SHA -- ECDHE-RSA-WITH-AES256-CBC-SHA -- ECDHE-ECDSA-WITH-AES128-CBC-SHA256 -- ECDHE-RSA-WITH-AES128-CBC-SHA256 -- ECDHE-RSA-WITH-AES128-GCM-SHA256 -- ECDHE-ECDSA-WITH-AES128-GCM-SHA256 -- ECDHE-RSA-WITH-AES256-GCM-SHA384 -- ECDHE-ECDSA-WITH-AES256-GCM-SHA384 -- ECDHE-RSA-WITH-CHACHA20-POLY1305 -- ECDHE-ECDSA-WITH-CHACHA20-POLY1305 - -*Syntax*: curve _curves..._ ++ -*Default*: defined by Go version - -The elliptic curves that will be used in an ECDHE handshake, in preference -order. - -Valid values: p256, p384, p521, X25519. - -# TLS client configuration - -tls_client directive allows to customize behavior of TLS client implementation, -notably adjusting minimal and maximal TLS versions and allowed cipher suites, -enabling TLS client authentication. - -``` -tls_client { - protocols tls1.2 tls1.3 - ciphers ... - curve X25519 - root_ca /etc/ssl/cert.pem - - cert /etc/ssl/private/maddy-client.pem - key /etc/ssl/private/maddy-client.pem -} -``` - -*Syntax*: ++ - protocols _min_version_ _max_version_ ++ - protocols _version_ ++ -*Default*: tls1.0 tls1.3 - -Minimum/maximum accepted TLS version. If only one value is specified, it will -be the only one usable version. - -Valid values are: tls1.0, tls1.1, tls1.2, tls1.3 - -*Syntax*: ciphers _ciphers..._ ++ -*Default*: Go version-defined set of 'secure ciphers', ordered by hardware -performance - -List of supported cipher suites, in preference order. Not used with TLS 1.3. - -See TLS server configuration for list of supported values. - -*Syntax*: curve _curves..._ ++ -*Default*: defined by Go version - -The elliptic curves that will be used in an ECDHE handshake, in preference -order. - -Valid values: p256, p384, p521, X25519. - -*Syntax*: root_ca _paths..._ ++ -*Default*: system CA pool - -List of files with PEM-encoded CA certificates to use when verifying -server certificates. - -*Syntax*: ++ - cert _cert_path_ ++ - key _key_path_ ++ -*Default*: not specified - -Present the specified certificate when server requests a client certificate. -Files should use PEM format. Both directives should be specified. - -# Automatic certificate management via ACME - -``` -tls.loader.acme { - debug off - hostname example.maddy.invalid - store_path /var/lib/maddy/acme - ca https://acme-v02.api.letsencrypt.org/directory - test_ca https://acme-staging-v02.api.letsencrypt.org/directory - email test@maddy.invalid - agreed off - challenge dns-01 - dns ... -} -``` - -Maddy supports obtaining certificates using ACME protocol. - -To use it, create a configuration name for tls.loader.acme -and reference it from endpoints that should use automatically -configured certificates: -``` -tls.loader.acme local_tls { - email put-your-email-here@example.org - agreed # indicate your agreement with Let's Encrypt ToS - challenge dns-01 -} - -smtp tcp://127.0.0.1:25 { - tls &local_tls - ... -} -``` - -Currently the only supported challenge is dns-01 one therefore -you also need to configure the DNS provider: -``` -tls.loader.acme local_tls { - email maddy-acme@example.org - agreed - challenge dns-01 - dns PROVIDER_NAME { - ... - } -} -``` -See below for supported providers and necessary configuration -for each. - -## Configuration directives - -*Syntax:* debug _boolean_ ++ -*Default:* global directive value - -Enable debug logging. - -*Syntax:* hostname _str_ ++ -*Default:* global directive value - -Domain name to issue certificate for. Required. - -*Syntax:* store_path _path_ ++ -*Default:* state_dir/acme - -Where to store issued certificates and associated metadata. -Currently only filesystem-based store is supported. - -*Syntax:* ca _url_ ++ -*Default:* Let's Encrypt production CA - -URL of ACME directory to use. - -*Syntax:* test_ca _url_ ++ -*Default:* Let's Encrypt staging CA - -URL of ACME directory to use for retries should -primary CA fail. - -maddy will keep attempting to issues certificates -using test_ca until it succeeds then it will switch -back to the one configured via 'ca' option. - -This avoids rate limit issues with production CA. - -*Syntax:* email _str_ ++ -*Default:* not set - -Email to pass while registering an ACME account. - -*Syntax:* agreed _boolean_ ++ -*Default:* false - -Whether you agreed to ToS of the CA service you are using. - -*Syntax:* challenge dns-01 ++ -*Default:* not set - -Challenge(s) to use while performing domain verification. - -## DNS providers - -Support for some providers is not provided by standard builds. -To be able to use these, you need to compile maddy -with "libdns_PROVIDER" build tag. -E.g. -``` -./build.sh -tags 'libdns_googleclouddns' -``` - -- gandi - -``` -dns gandi { - api_token "token" -} -``` - -- digitalocean - -``` -dns digitalocean { - api_token "..." -} -``` - -- cloudflare - -See https://github.com/libdns/cloudflare#authenticating - -``` -dns cloudflare { - api_token "..." -} -``` - -- vultr - -``` -dns vultr { - api_token "..." -} -``` - -- hetzner - -``` -dns hetzner { - api_token "..." -} -``` - -- namecheap - -``` -dns namecheap { - api_key "..." - api_username "..." - - # optional: API endpoint, production one is used if not set. - endpoint "https://api.namecheap.com/xml.response" - - # optional: your public IP, discovered using icanhazip.com if not set - client_ip 1.2.3.4 -} -``` - -- googleclouddns (non-default) - -``` -dns googleclouddns { - project "project_id" - service_account_json "path" -} -``` - -- route53 (non-default) - -``` -dns route53 { - secret_access_key "..." - access_key_id "..." - # or use environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY -} -``` - -- leaseweb (non-default) - -``` -dns leaseweb { - api_key "key" -} -``` - -- metaname (non-default) - -``` -dns metaname { - api_key "key" - account_ref "reference" -} -``` - -- alidns (non-default) - -``` -dns alidns { - key_id "..." - key_secret "..." -} -``` - -- namedotcom (non-default) - -``` -dns namedotcom { - user "..." - token "..." -} -``` diff --git a/docs/reference/auth/dovecot_sasl.md b/docs/reference/auth/dovecot_sasl.md new file mode 100644 index 0000000..b00f9c7 --- /dev/null +++ b/docs/reference/auth/dovecot_sasl.md @@ -0,0 +1,26 @@ +# Dovecot SASL + +The 'auth.dovecot\_sasl' module implements the client side of the Dovecot +authentication protocol, allowing maddy to use it as a credentials source. + +Currently SASL mechanisms support is limited to mechanisms supported by maddy +so you cannot get e.g. SCRAM-MD5 this way. + +``` +auth.dovecot_sasl { + endpoint unix://socket_path +} + +dovecot_sasl unix://socket_path +``` + +## Configuration directives + +**Syntax**: endpoint _schema://address_
+**Default**: not set + +Set the address to use to contact Dovecot SASL server in the standard endpoint +format. + +tcp://10.0.0.1:2222 for TCP, unix:///var/lib/dovecot/auth.sock for Unix +domain sockets. diff --git a/docs/reference/auth/external.md b/docs/reference/auth/external.md new file mode 100644 index 0000000..6c28d74 --- /dev/null +++ b/docs/reference/auth/external.md @@ -0,0 +1,47 @@ +# System command + +auth.external module for authentication using external helper binary. It looks for binary +named maddy-auth-helper in $PATH and libexecdir and uses it for authentication +using username/password pair. + +The protocol is very simple: +Program is launched for each authentication. Username and password are written +to stdin, adding \\n to the end. If binary exits with 0 status code - +authentication is considered successful. If the status code is 1 - +authentication is failed. If the status code is 2 - another unrelated error has +happened. Additional information should be written to stderr. + +``` +auth.external { + helper /usr/bin/ldap-helper + perdomain no + domains example.org +} +``` + +## Configuration directives + +**Syntax**: helper _file\_path\_ + +Location of the helper binary. **Required.** + +**Syntax**: perdomain _boolean_
+**Default**: no + +Don't remove domain part of username when authenticating and require it to be +present. Can be used if you want user@domain1 and user@domain2 to be different +accounts. + +**Syntax**: domains _domains..._
+**Default**: not specified + +Domains that should be allowed in username during authentication. + +For example, if 'domains' is set to "domain1 domain2", then +username, username@domain1 and username@domain2 will be accepted as valid login +name in addition to just username. + +If used without 'perdomain', domain part will be removed from login before +check with underlying auth. mechanism. If 'perdomain' is set, then +domains must be also set and domain part WILL NOT be removed before check. + diff --git a/docs/reference/auth/ldap.md b/docs/reference/auth/ldap.md new file mode 100644 index 0000000..c2c3ce6 --- /dev/null +++ b/docs/reference/auth/ldap.md @@ -0,0 +1,113 @@ +# LDAP BindDN + +maddy supports authentication via LDAP using DN binding. Passwords are verified +by the LDAP server. + +maddy needs to know the DN to use for binding. It can be obtained either by +directory search or template . + +Note that storage backends conventionally use email addresses, if you use +non-email identifiers as usernames then you should map them onto +emails on delivery by using auth\_map (see documentation page for used storage backend). + +auth.ldap also can be a used as a table module. This way you can check +whether the account exists. It works only if DN template is not used. + +``` +auth.ldap { + urls ldap://maddy.test:389 + + # Specify initial bind credentials. Not required ('bind off') + # if DN template is used. + bind plain "cn=maddy,ou=people,dc=maddy,dc=test" "123456" + + # Specify DN template to skip lookup. + dn_template "cn={username},ou=people,dc=maddy,dc=test" + + # Specify base_dn and filter to lookup DN. + base_dn "ou=people,dc=maddy,dc=test" + filter "(&(objectClass=posixAccount)(uid={username}))" + + tls_client { ... } + starttls off + debug off + connect_timeout 1m +} +``` +``` +auth.ldap ldap://maddy.test.389 { + ... +} +``` + +## Configuration directives + +**Syntax:** urls _servers...\_ + +REQUIRED. + +URLs of the directory servers to use. First available server +is used - no load-balancing is done. + +URLs should use 'ldap://', 'ldaps://', 'ldapi://' schemes. + +**Syntax:** bind off
+bind unauth
+bind external
+bind plain _username_ _password_
+**Default:** off + +Credentials to use for initial binding. Required if DN lookup is used. + +'unauth' performs unauthenticated bind. 'external' performs external binding +which is useful for Unix socket connections (ldapi://) or TLS client certificate +authentication (cert. is set using tls\_client directive). 'plain' performs a +simple bind using provided credentials. + +**Syntax:** dn\_template _template\_ + +DN template to use for binding. '{username}' is replaced with the +username specified by the user. + +**Syntax:** base\_dn _dn\_ + +Base DN to use for lookup. + +**Syntax:** filter _str\_ + +DN lookup filter. '{username}' is replaced with the username specified +by the user. + +Example: +``` +(&(objectClass=posixAccount)(uid={username})) +``` + +Example (using ActiveDirectory): +``` +(&(objectCategory=Person)(memberOf=CN=user-group,OU=example,DC=example,DC=org)(sAMAccountName={username})(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) +``` + +Example: +``` +(&(objectClass=Person)(mail={username})) +``` + +**Syntax:** starttls _bool_
+**Default:** off + +Whether to upgrade connection to TLS using STARTTLS. + +**Syntax:** tls\_client { ... } + +Advanced TLS client configuration. See [TLS configuration / Client](/reference/tls/#client) for details. + +**Syntax:** connect\_timeout _duration_
+**Default:** 1m + +Timeout for initial connection to the directory server. + +**Syntax:** request\_timeout _duration_
+**Default:** 1m + +Timeout for each request (binding, lookup). diff --git a/docs/reference/auth/pam.md b/docs/reference/auth/pam.md new file mode 100644 index 0000000..79331fc --- /dev/null +++ b/docs/reference/auth/pam.md @@ -0,0 +1,44 @@ +# PAM + +auth.pam module implements authentication using libpam. Alternatively it can be configured to +use helper binary like auth.external module does. + +maddy should be built with libpam build tag to use this module without +'use\_helper' directive. +``` +go get -tags 'libpam' ... +``` + +``` +auth.pam { + debug no + use_helper no +} +``` + +## Configuration directives + +**Syntax**: debug _boolean_
+**Default**: no + +Enable verbose logging for all modules. You don't need that unless you are +reporting a bug. + +**Syntax**: use\_helper _boolean_
+**Default**: no + +Use LibexecDirectory/maddy-pam-helper instead of directly calling libpam. +You need to use that if: +1. maddy is not compiled with libpam, but maddy-pam-helper is built separately. +2. maddy is running as an unprivileged user and used PAM configuration requires additional + privileges (e.g. when using system accounts). + +For 2, you need to make maddy-pam-helper binary setuid, see +README.md in source tree for details. + +TL;DR (assuming you have the maddy group): +``` +chown root:maddy /usr/lib/maddy/maddy-pam-helper +chmod u+xs,g+x,o-x /usr/lib/maddy/maddy-pam-helper +``` + diff --git a/docs/reference/auth/pass_table.md b/docs/reference/auth/pass_table.md new file mode 100644 index 0000000..5596c1e --- /dev/null +++ b/docs/reference/auth/pass_table.md @@ -0,0 +1,44 @@ +# Password table + +auth.pass_table module implements username:password authentication by looking up the +password hash using a table module (maddy-tables(5)). It can be used +to load user credentials from text file (via table.file module) or SQL query +(via table.sql\_table module). + + +Definition: +``` +auth.pass_table [block name] { + table
+ +} +``` +Shortened variant for inline use: +``` +pass_table
[table arguments] { + [additional table config] +} +``` + +Example, read username:password pair from the text file: +``` +smtp tcp://0.0.0.0:587 { + auth pass_table file /etc/maddy/smtp_passwd + ... +} +``` + +## Password hashes + +pass\_table expects the used table to contain certain structured values with +hash algorithm name, salt and other necessary parameters. + +You should use 'maddyctl hash' command to generate suitable values. +See 'maddyctl hash --help' for details. + +## maddyctl creds + +If the underlying table is a "mutable" table (see maddy-tables(5)) then +the 'maddyctl creds' command can be used to modify the underlying tables +via pass\_table module. It will act on a "local credentials store" and will write +appropriate hash values to the table. diff --git a/docs/reference/auth/plain_separate.md b/docs/reference/auth/plain_separate.md new file mode 100644 index 0000000..0e1cb09 --- /dev/null +++ b/docs/reference/auth/plain_separate.md @@ -0,0 +1,42 @@ +# Separate username and password lookup + +auth.plain\_separate module implements authentication using username:password pairs but can +use zero or more "table modules" (maddy-tables(5)) and one or more +authentication providers to verify credentials. + +``` +auth.plain_separate { + user ... + user ... + ... + pass ... + pass ... + ... +} +``` + +How it works: +- Initial username input is normalized using PRECIS UsernameCaseMapped profile. +- Each table specified with the 'user' directive looked up using normalized + username. If match is not found in any table, authentication fails. +- Each authentication provider specified with the 'pass' directive is tried. + If authentication with all providers fails - an error is returned. + +## Configuration directives + +***Syntax:*** user _table module\_ + +Configuration block for any module from maddy-tables(5) can be used here. + +Example: +``` +user file /etc/maddy/allowed_users +``` + +***Syntax:*** pass _auth provider\_ + +Configuration block for any auth. provider module can be used here, even +'plain\_split' itself. + +The used auth. provider must provide username:password pair-based +authentication. diff --git a/docs/reference/auth/shadow.md b/docs/reference/auth/shadow.md new file mode 100644 index 0000000..e3c41c8 --- /dev/null +++ b/docs/reference/auth/shadow.md @@ -0,0 +1,36 @@ +# /etc/shadow + +auth.shadow module implements authentication by reading /etc/shadow. Alternatively it can be +configured to use helper binary like auth.external does. + +``` +auth.shadow { + debug no + use_helper no +} +``` + +## Configuration directives + +**Syntax**: debug _boolean_
+**Default**: no + +Enable verbose logging for all modules. You don't need that unless you are +reporting a bug. + +**Syntax**: use\_helper _boolean_
+**Default**: no + +Use LibexecDirectory/maddy-shadow-helper instead of directly reading /etc/shadow. +You need to use that if maddy is running as an unprivileged user +privileges (e.g. when using system accounts). + +You need to make maddy-shadow-helper binary setuid, see +cmd/maddy-shadow-helper/README.md in source tree for details. + +TL;DR (assuming you have maddy group): +``` +chown root:maddy /usr/lib/maddy/maddy-shadow-helper +chmod u+xs,g+x,o-x /usr/lib/maddy/maddy-shadow-helper +``` + diff --git a/docs/reference/blob/fs.md b/docs/reference/blob/fs.md new file mode 100644 index 0000000..4bc1c89 --- /dev/null +++ b/docs/reference/blob/fs.md @@ -0,0 +1,22 @@ +# Filesystem + +This module stores message bodies in a file system directory. + +``` +storage.blob.fs { + root +} +``` +``` +storage.blob.fs +``` + +## Configuration directives + +**Syntax:** root _path_
+**Default:** not set + +Path to the FS directory. Must be readable and writable by the server process. +If it does not exist - it will be created (parent directory should be writable +for this). Relative paths are interpreted relatively to server state directory. + diff --git a/docs/reference/blob/s3.md b/docs/reference/blob/s3.md new file mode 100644 index 0000000..fdc256d --- /dev/null +++ b/docs/reference/blob/s3.md @@ -0,0 +1,71 @@ +# Amazon S3 + +storage.blob.s3 module stores messages bodies in a bucket on S3-compatible storage. + +``` +storage.blob.s3 { + endpoint play.min.io + secure yes + access_key "Q3AM3UQ867SPQQA43P2F" + secret_key "zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG" + bucket maddy-test + + # optional + region eu-central-1 + object_prefix maddy/ +} +``` + +Example: +``` +storage.imapsql local_mailboxes { + ... + msg_store s3 { + endpoint s3.amazonaws.com + access_key "..." + secret_key "..." + bucket maddy-messages + region us-west-2 + } +} +``` + +## Configuration directives + +**Syntax:** endpoint _address:port\_ + +REQUIRED. + +Root S3 endpoint. e.g. s3.amazonaws.com + +**Syntax:** secure _boolean_
+**Default:** yes + +Whether TLS should be used. + +**Syntax:** access\_key _string_
+**Syntax:** secret\_key _string\_ + +REQUIRED. + +Static S3 credentials. + +**Syntax:** bucket _name\_ + +REQUIRED. + +S3 bucket name. The bucket must exist and +be read-writable. + +**Syntax:** region _string_
+**Default:** not set + +S3 bucket location. May be called "endpoint" +in some manuals. + +**Syntax:** object\_prefix _string_
+**Default:** empty string + +String to add to all keys stored by maddy. + +Can be useful when S3 is used as a file system. diff --git a/docs/reference/checks/actions.md b/docs/reference/checks/actions.md new file mode 100644 index 0000000..7ab8828 --- /dev/null +++ b/docs/reference/checks/actions.md @@ -0,0 +1,21 @@ +# Check actions + +When a certain check module thinks the message is "bad", it takes some actions +depending on its configuration. Most checks follow the same configuration +structure and allow following actions to be taken on check failure: + +- Do nothing ('action ignore') + +Useful for testing deployment of new checks. Check failures are still logged +but they have no effect on message delivery. + +- Reject the message ('action reject') + +Reject the message at connection time. No bounce is generated locally. + +- Quarantine the message ('action quarantine') + +Mark message as 'quarantined'. If message is then delivered to the local +storage, the storage backend can place the message in the 'Junk' mailbox. +Another thing to keep in mind that 'target.remote' module +will refuse to send quarantined messages. \ No newline at end of file diff --git a/docs/reference/checks/authorize_sender.md b/docs/reference/checks/authorize_sender.md new file mode 100644 index 0000000..49a0e62 --- /dev/null +++ b/docs/reference/checks/authorize_sender.md @@ -0,0 +1,87 @@ +# MAIL FROM and From authorization + +Module check.authorize_sender verifies that envelope and header sender addresses belong +to the authenticated user. Address ownership is established via table +that maps each user account to a email address it is allowed to use. +There are some special cases, see user\_to\_email description below. + +``` +check.authorize_sender { + prepare_email identity + user_to_email identity + check_header yes + + unauth_action reject + no_match_action reject + malformed_action reject + err_action reject + + auth_normalize precis_casefold_email + from_normalize precis_casefold_email +} +``` +``` +check { + authorize_sender { ... } +} +``` + +## Configuration directives + +**Syntax:** user\_to\_email _table_
+**Default:** identity + +Table to use for lookups. Result of the lookup should contain either the +domain name, the full email address or "*" string. If it is just domain - user +will be allowed to use any mailbox within a domain as a sender address. +If result contains "*" - user will be allowed to use any address. + +**Syntax:** check\_header _boolean_
+**Default:** yes + +Whether to verify header sender in addition to envelope. + +Either Sender or From field value should match the +authorization identity. + +**Syntax:** unauth\_action _action_
+**Default:** reject + +What to do if the user is not authenticated at all. + +**Syntax:** no\_match\_action _action_
+**Default:** reject + +What to do if user is not allowed to use the sender address specified. + +**Syntax:** malformed\_action _action_
+**Default:** reject + +What to do if From or Sender header fields contain malformed values. + +**Syntax:** err\_action _action_
+**Default:** reject + +What to do if error happens during prepare\_email or user\_to\_email lookup. + +**Syntax:** auth\_normalize _action_
+**Default:** precis\_casefold\_email + +Normalization function to apply to authorization username before +further processing. + +Available options: +- precis\_casefold\_email PRECIS UsernameCaseMapped profile + U-labels form for domain +- precis\_casefold PRECIS UsernameCaseMapped profile for the entire string +- precis\_email PRECIS UsernameCasePreserved profile + U-labels form for domain +- precis PRECIS UsernameCasePreserved profile for the entire string +- casefold Convert to lower case +- noop Nothing + +**Syntax:** from\_normalize _action_
+**Default:** precis\_casefold\_email + +Normalization function to apply to email addresses before +further processing. + +Available options are same as for auth\_normalize. diff --git a/docs/reference/checks/command.md b/docs/reference/checks/command.md new file mode 100644 index 0000000..909b7b0 --- /dev/null +++ b/docs/reference/checks/command.md @@ -0,0 +1,131 @@ +# System command filter + +This module executes an arbitrary system command during a specified stage of +checks execution. + +``` +command executable_name arg0 arg1 ... { + run_on body + + code 1 reject + code 2 quarantine +} +``` + +## Arguments + +The module arguments specify the command to run. If the first argument is not +an absolute path, it is looked up in the Libexec Directory (/usr/lib/maddy on +Linux) and in $PATH (in that ordering). Note that no additional handling +of arguments is done, especially, the command is executed directly, not via the +system shell. + +There is a set of special strings that are replaced with the corresponding +message-specific values: + +- {source\_ip} + + IPv4/IPv6 address of the sending MTA. + +- {source\_host} + + Hostname of the sending MTA, from the HELO/EHLO command. + +- {source\_rdns} + + PTR record of the sending MTA IP address. + +- {msg\_id} + + Internal message identifier. Unique for each delivery. + +- {auth\_user} + + Client username, if authenticated using SASL PLAIN + +- {sender} + + Message sender address, as specified in the MAIL FROM SMTP command. + +- {rcpts} + + List of accepted recipient addresses, including the currently handled + one. + +- {address} + + Currently handled address. This is a recipient address if the command + is called during RCPT TO command handling ('run\_on rcpt') or a sender + address if the command is called during MAIL FROM command handling ('run\_on + sender'). + + +If value is undefined (e.g. {source\_ip} for a message accepted over a Unix +socket) or unavailable (the command is executed too early), the placeholder +is replaced with an empty string. Note that it can not remove the argument. +E.g. -i {source\_ip} will not become just -i, it will be -i "" + +Undefined placeholders are not replaced. + +## Command stdout + +The command stdout must be either empty or contain a valid RFC 5322 header. +If it contains a byte stream that does not look a valid header, the message +will be rejected with a temporary error. + +The header from stdout will be **prepended** to the message header. + +## Configuration directives + +**Syntax**: run\_on conn|sender|rcpt|body
+**Default**: body + +When to run the command. This directive also affects the information visible +for the message. + +- conn + + Run before the sender address (MAIL FROM) is handled. + + **Stdin**: Empty
+ **Available placeholders**: {source\_ip}, {source\_host}, {msg\_id}, {auth\_user}. + +- sender + + Run during sender address (MAIL FROM) handling. + + **Stdin**: Empty
+ **Available placeholders**: conn placeholders + {sender}, {address}. + + The {address} placeholder contains the MAIL FROM address. + +- rcpt + + Run during recipient address (RCPT TO) handling. The command is executed + once for each RCPT TO command, even if the same recipient is specified + multiple times. + + **Stdin**: Empty
+ **Available placeholders**: sender placeholders + {rcpts}. + + The {address} placeholder contains the recipient address. + +- body + + Run during message body handling. + + **Stdin**: The message header + body
+ **Available placeholders**: all except for {address}. + +**Syntax**:
+code _integer_ ignore
+code _integer_ quarantine
+code _integer_ reject [SMTP code] [SMTP enhanced code] [SMTP message] + +This directives specified the mapping from the command exit code _integer_ to +the message pipeline action. + +Two codes are defined implicitly, exit code 1 causes the message to be rejected +with a permanent error, exit code 2 causes the message to be quarantined. Both +action can be overriden using the 'code' directive. + diff --git a/docs/reference/checks/dkim.md b/docs/reference/checks/dkim.md new file mode 100644 index 0000000..cd3ff89 --- /dev/null +++ b/docs/reference/checks/dkim.md @@ -0,0 +1,55 @@ +# DKIM + +This is the check module that performs verification of the DKIM signatures +present on the incoming messages. + +## Configuration directives + +``` +check.dkim { + debug no + required_fields From Subject + allow_body_subset no + no_sig_action ignore + broken_sig_action ignore + fail_open no +} +``` + +**Syntax**: debug _boolean_
+**Default**: global directive value + +Log both successfull and unsuccessful check executions instead of just +unsuccessful. + +**Syntax**: required\_fields _string..._
+**Default**: From Subject + +Header fields that should be included in each signature. If signature +lacks any field listed in that directive, it will be considered invalid. + +Note that From is always required to be signed, even if it is not included in +this directive. + +**Syntax**: no\_sig\_action _action_
+**Default**: ignore (recommended by RFC 6376) + +Action to take when message without any signature is received. + +Note that DMARC policy of the sender domain can request more strict handling of +missing DKIM signatures. + +**Syntax**: broken\_sig\_action _action_
+**Default**: ignore (recommended by RFC 6376) + +Action to take when there are not valid signatures in a message. + +Note that DMARC policy of the sender domain can request more strict handling of +broken DKIM signatures. + +**Syntax**: fail\_open _boolean_
+**Default**: no + +Whether to accept the message if a temporary error occurs during DKIM +verification. Rejecting the message with a 4xx code will require the sender +to resend it later in a hope that the problem will be resolved. diff --git a/docs/reference/checks/dnsbl.md b/docs/reference/checks/dnsbl.md new file mode 100644 index 0000000..74cf361 --- /dev/null +++ b/docs/reference/checks/dnsbl.md @@ -0,0 +1,156 @@ +# DNSBL lookup + +The check.dnsbl module implements checking of source IP and hostnames against a set +of DNS-based Blackhole lists (DNSBLs). + +Its configuration consists of module configuration directives and a set +of blocks specifing lists to use and kind of lookups to perform on them. + +``` +check.dnsbl { + debug no + check_early no + + quarantine_threshold 1 + reject_threshold 1 + + # Lists configuration example. + dnsbl.example.org { + client_ipv4 yes + client_ipv6 no + ehlo no + mailfrom no + score 1 + } + hsrbl.example.org { + client_ipv4 no + client_ipv6 no + ehlo yes + mailfrom yes + score 1 + } +} +``` + +## Arguments + +Arguments specify the list of IP-based BLs to use. + +The following configurations are equivalent. + +``` +check { + dnsbl dnsbl.example.org dnsbl2.example.org +} +``` + +``` +check { + dnsbl { + dnsbl.example.org dnsbl2.example.org { + client_ipv4 yes + client_ipv6 no + ehlo no + mailfrom no + score 1 + } + } +} +``` + +## Configuration directives + +**Syntax**: debug _boolean_
+**Default**: global directive value + +Enable verbose logging. + +**Syntax**: check\_early _boolean_
+**Default**: no + +Check BLs before mail delivery starts and silently reject blacklisted clients. + +For this to work correctly, check should not be used in source/destination +pipeline block. + +In particular, this means: +- No logging is done for rejected messages. +- No action is taken if quarantine\_threshold is hit, only reject\_threshold + applies. +- defer\_sender\_reject from SMTP configuration takes no effect. +- MAIL FROM is not checked, even if specified. + +If you often get hit by spam attacks, it is recommended to enable this +setting to save server resources. + +**Syntax**: quarantine\_threshold _integer_
+**Default**: 1 + +DNSBL score needed (equals-or-higher) to quarantine the message. + +**Syntax**: reject\_threshold _integer_
+**Default**: 9999 + +DNSBL score needed (equals-or-higher) to reject the message. + +## List configuration + +``` +dnsbl.example.org dnsbl.example.com { + client_ipv4 yes + client_ipv6 no + ehlo no + mailfrom no + responses 127.0.0.1/24 + score 1 +} +``` + +Directive name and arguments specify the actual DNS zone to query when checking +the list. Using multiple arguments is equivalent to specifying the same +configuration separately for each list. + +**Syntax**: client\_ipv4 _boolean_
+**Default**: yes + +Whether to check address of the IPv4 clients against the list. + +**Syntax**: client\_ipv6 _boolean_
+**Default**: yes + +Whether to check address of the IPv6 clients against the list. + +**Syntax**: ehlo _boolean_
+**Default**: no + +Whether to check hostname specified n the HELO/EHLO command +against the list. + +This works correctly only with domain-based DNSBLs. + +**Syntax**: mailfrom _boolean_
+**Default**: no + +Whether to check domain part of the MAIL FROM address against the list. + +This works correctly only with domain-based DNSBLs. + +**Syntax**: responses _cidr|ip..._
+**Default**: 127.0.0.1/24 + +IP networks (in CIDR notation) or addresses to permit in list lookup results. +Addresses not matching any entry in this directives will be ignored. + +**Syntax**: score _integer_
+**Default**: 1 + +Score value to add for the message if it is listed. + +If sum of list scores is equals or higher than quarantine\_threshold, the +message will be quarantined. + +If sum of list scores is equals or higher than rejected\_threshold, the message +will be rejected. + +It is possible to specify a negative value to make list act like a whitelist +and override results of other blocklists. diff --git a/docs/reference/checks/milter.md b/docs/reference/checks/milter.md new file mode 100644 index 0000000..4f59763 --- /dev/null +++ b/docs/reference/checks/milter.md @@ -0,0 +1,47 @@ +# Milter client + +The 'milter' implements subset of Sendmail's milter protocol that can be used +to integrate external software with maddy. +maddy implements version 6 of the protocol, older versions are +not supported. + +Notable limitations of protocol implementation in maddy include: +1. Changes of envelope sender address are not supported +2. Removal and addition of envelope recipients is not supported +3. Removal and replacement of header fields is not supported +4. Headers fields can be inserted only on top +5. Milter does not receive some "macros" provided by sendmail. + +Restrictions 1 and 2 are inherent to the maddy checks interface and cannot be +removed without major changes to it. Restrictions 3, 4 and 5 are temporary due to +incomplete implementation. + +``` +check.milter { + endpoint + fail_open false +} + +milter +``` + +## Arguments + +When defined inline, the first argument specifies endpoint to access milter +via. See below. + +## Configuration directives + +***Syntax:*** endpoint _scheme://path_
+***Default:*** not set + +Specifies milter protocol endpoint to use. +The endpoit is specified in standard URL-like format: +'tcp://127.0.0.1:6669' or 'unix:///var/lib/milter/filter.sock' + +***Syntax:*** fail\_open _boolean_
+***Default:*** false + +Toggles behavior on milter I/O errors. If false ("fail closed") - message is +rejected with temporary error code. If true ("fail open") - check is skipped. + diff --git a/docs/reference/checks/misc.md b/docs/reference/checks/misc.md new file mode 100644 index 0000000..ac520b8 --- /dev/null +++ b/docs/reference/checks/misc.md @@ -0,0 +1,43 @@ +# Misc checks + +## Configuration directives + +Following directives are defined for all modules listed below. + +**Syntax**:
+fail\_action ignore
+fail\_action reject
+fail\_action quarantine
+**Default**: quarantine + +Action to take when check fails. See Check actions for details. + +**Syntax**: debug _boolean_
+**Default**: global directive value + +Log both sucessfull and unsucessfull check executions instead of just +unsucessfull. + +## require\_mx\_record + +Check that domain in MAIL FROM command does have a MX record and none of them +are "null" (contain a single dot as the host). + +By default, quarantines messages coming from servers missing MX records, +use 'fail\_action' directive to change that. + +## require\_matching\_rdns + +Check that source server IP does have a PTR record point to the domain +specified in EHLO/HELO command. + +By default, quarantines messages coming from servers with mismatched or missing +PTR record, use 'fail\_action' directive to change that. + +## require\_tls + +Check that the source server is connected via TLS; either directly, or by using +the STARTTLS command. + +By default, rejects messages coming from unencrypted servers. Use the +'fail\_action' directive to change that. \ No newline at end of file diff --git a/docs/reference/checks/rspamd.md b/docs/reference/checks/rspamd.md new file mode 100644 index 0000000..cf30d51 --- /dev/null +++ b/docs/reference/checks/rspamd.md @@ -0,0 +1,79 @@ +# rspamd + +The 'rspamd' module implements message filtering by contacting the rspamd +server via HTTP API. + +``` +check.rspamd { + tls_client { ... } + api_path http://127.0.0.1:11333 + settings_id whatever + tag maddy + hostname mx.example.org + io_error_action ignore + error_resp_action ignore + add_header_action quarantine + rewrite_subj_action quarantine + flags pass_all +} + +rspamd http://127.0.0.1:11333 +``` + +## Configuration directives + +**Syntax:** tls\_client { ... }
+**Default:** not set + +Configure TLS client if HTTPS is used. See [TLS configuration / Client](/reference/tls/#client) for details. + +**Syntax:** api\_path _url_
+**Default:** http://127.0.0.1:11333 + +URL of HTTP API endpoint. Supports both HTTP and HTTPS and can include +path element. + +**Syntax:** settings\_id _string_
+**Default:** not set + +Settings ID to pass to the server. + +**Syntax:** tag _string_
+**Default:** maddy + +Value to send in MTA-Tag header field. + +**Syntax:** hostname _string_
+**Default:** value of global directive + +Value to send in MTA-Name header field. + +**Syntax:** io\_error\_action _action_
+**Default:** ignore + +Action to take in case of inability to contact the rspamd server. + +**Syntax:** error\_resp\_action _action_
+**Default:** ignore + +Action to take in case of 5xx or 4xx response received from the rspamd server. + +**Syntax:** add\_header\_action _action_
+**Default:** quarantine + +Action to take when rspamd requests to "add header". + +X-Spam-Flag and X-Spam-Score are added to the header irregardless of value. + +**Syntax:** rewrite\_subj\_action _action_
+**Default:** quarantine + +Action to take when rspamd requests to "rewrite subject". + +X-Spam-Flag and X-Spam-Score are added to the header irregardless of value. + +**Syntax:** flags _string list..._
+**Default:** pass\_all + +Flags to pass to the rspamd server. +See [https://rspamd.com/doc/architecture/protocol.html](https://rspamd.com/doc/architecture/protocol.html) for details. diff --git a/docs/reference/checks/spf.md b/docs/reference/checks/spf.md new file mode 100644 index 0000000..ebc71af --- /dev/null +++ b/docs/reference/checks/spf.md @@ -0,0 +1,83 @@ +# SPF + +check.spf the check module that verifies whether IP address of the client is +authorized to send messages for domain in MAIL FROM address. + +SPF statuses are mapped to maddy check actions in a way +specified by \*_action directives. By default, SPF failure +results in the message being quarantined and errors (both permanent and +temporary) cause message to be rejected. +Authentication-Results field is generated irregardless of status. + +## DMARC override + +It is recommended by the DMARC standard to don't fail delivery based solely on +SPF policy and always check DMARC policy and take action based on it. + +If enforce\_early is no, check.spf module will not take any action on SPF +policy failure if sender domain does have a DMARC record with 'quarantine' or +'reject' policy. Instead it will rely on DMARC support to take necesary +actions using SPF results as an input. + +Disabling enforce\_early without enabling DMARC support will make SPF policies +no-op and is considered insecure. + +## Configuration directives + +``` +check.spf { + debug no + enforce_early no + fail_action quarantine + softfail_action ignore + permerr_action reject + temperr_action reject +} +``` + +**Syntax**: debug _boolean_
+**Default**: global directive value + +Enable verbose logging for check.spf. + +**Syntax**: enforce\_early _boolean_
+**Default**: no + +Make policy decision on MAIL FROM stage (before the message body is received). +This makes it impossible to apply DMARC override (see above). + +**Syntax**: none\_action reject|qurantine|ignore
+**Default**: ignore + +Action to take when SPF policy evaluates to a 'none' result. + +See [https://tools.ietf.org/html/rfc7208#section-2.6](https://tools.ietf.org/html/rfc7208#section-2.6) for meaning of +SPF results. + +**Syntax**: neutral\_action reject|qurantine|ignore
+**Default**: ignore + +Action to take when SPF policy evaluates to a 'neutral' result. + +See [https://tools.ietf.org/html/rfc7208#section-2.6](https://tools.ietf.org/html/rfc7208#section-2.6) for meaning of +SPF results. + +**Syntax**: fail\_action reject|qurantine|ignore
+**Default**: quarantine + +Action to take when SPF policy evaluates to a 'fail' result. + +**Syntax**: softfail\_action reject|qurantine|ignore
+**Default**: ignore + +Action to take when SPF policy evaluates to a 'softfail' result. + +**Syntax**: permerr\_action reject|qurantine|ignore
+**Default**: reject + +Action to take when SPF policy evaluates to a 'permerror' result. + +**Syntax**: temperr\_action reject|qurantine|ignore
+**Default**: reject + +Action to take when SPF policy evaluates to a 'temperror' result. diff --git a/docs/man/maddy-config.5.scd b/docs/reference/config-syntax.md similarity index 96% rename from docs/man/maddy-config.5.scd rename to docs/reference/config-syntax.md index ba29a38..506ff02 100644 --- a/docs/man/maddy-config.5.scd +++ b/docs/reference/config-syntax.md @@ -1,6 +1,7 @@ -maddy-config(5) "maddy mail server" "maddy reference documentation" +# Configuration files syntax -; TITLE Configuration files syntax +**Note:** This file is a technical document describing how +maddy parses configuration files. Configuration consists of newline-delimited "directives". Each directive can have zero or more arguments. @@ -185,7 +186,7 @@ Also note that the following is not valid, unlike Duration values syntax: Maddy configuration uses URL-like syntax to specify network addresses. -- unix://file_path +- unix://file\_path Unix domain socket. Relative paths are relative to runtime directory (/run/maddy). @@ -202,3 +203,4 @@ using "dummy" name. It can act as a delivery target or auth. provider. In the latter case, it will accept any credentials, allowing any client to authenticate using any username and password (use with care!). + diff --git a/docs/reference/endpoints/imap.md b/docs/reference/endpoints/imap.md new file mode 100644 index 0000000..ceffae0 --- /dev/null +++ b/docs/reference/endpoints/imap.md @@ -0,0 +1,65 @@ +# IMAP4rev1 endpoint + +Module 'imap' is a listener that implements IMAP4rev1 protocol and provides +access to local messages storage specified by 'storage' directive. + +In most cases, local storage modules will auto-create accounts when they are +accessed via IMAP. This relies on authentication provider used by IMAP endpoint +to provide what essentially is access control. There is a caveat, however: this +auto-creation will not happen when delivering incoming messages via SMTP as +there is no authentication to confirm that this account should indeed be +created. + +## Configuration directives + +``` +imap tcp://0.0.0.0:143 tls://0.0.0.0:993 { + tls /etc/ssl/private/cert.pem /etc/ssl/private/pkey.key + io_debug no + debug no + insecure_auth no + auth pam + storage &local_mailboxes +} +``` + +**Syntax**: tls _certificate\_path_ _key\_path_ { ... }
+**Default**: global directive value + +TLS certificate & key to use. Fine-tuning of other TLS properties is possible +by specifing a configuration block and options inside it: +``` +tls cert.crt key.key { + protocols tls1.2 tls1.3 +} +``` + +See [TLS configuration / Server](/reference/tls/#server-side) for details. + +**Syntax**: io\_debug _boolean_
+**Default**: no + +Write all commands and responses to stderr. + +**Syntax**: io\_errors _boolean_
+**Default**: no + +Log I/O errors. + +**Syntax**: debug _boolean_
+**Default**: global directive value + +Enable verbose logging. + +**Syntax**: insecure\_auth _boolean_
+**Default**: no (yes if TLS is disabled) + +**Syntax**: auth _module\_reference\_ + +Use the specified module for authentication. +**Required.** + +**Syntax**: storage _module\_reference\_ + +Use the specified module for message storage. +**Required.** \ No newline at end of file diff --git a/docs/openmetrics.md b/docs/reference/endpoints/openmetrics.md similarity index 100% rename from docs/openmetrics.md rename to docs/reference/endpoints/openmetrics.md diff --git a/docs/reference/endpoints/smtp.md b/docs/reference/endpoints/smtp.md new file mode 100644 index 0000000..cd99df9 --- /dev/null +++ b/docs/reference/endpoints/smtp.md @@ -0,0 +1,265 @@ +# SMTP/LMTP/Submission endpoint + +Module 'smtp' is a listener that implements ESMTP protocol with optional +authentication, LMTP and Submission support. Incoming messages are processed in +accordance with pipeline rules (explained in Message pipeline section below). + +``` +smtp tcp://0.0.0.0:25 { + hostname example.org + tls /etc/ssl/private/cert.pem /etc/ssl/private/pkey.key + io_debug no + debug no + insecure_auth no + read_timeout 10m + write_timeout 1m + max_message_size 32M + max_header_size 1M + auth pam + defer_sender_reject yes + dmarc yes + smtp_max_line_length 4000 + limits { + endpoint rate 10 + endpoint concurrency 500 + } + + # Example pipeline ocnfiguration. + destination example.org { + deliver_to &local_mailboxes + } + default_destination { + reject + } +} +``` + +## Configuration directives + +**Syntax**: hostname _string_
+**Default**: global directive value + +Server name to use in SMTP banner. + +``` +220 example.org ESMTP Service Ready +``` + +**Syntax**: tls _certificate\_path_ _key\_path_ { ... }
+**Default**: global directive value + +TLS certificate & key to use. Fine-tuning of other TLS properties is possible +by specifing a configuration block and options inside it: +``` +tls cert.crt key.key { + protocols tls1.2 tls1.3 +} +``` + +See [TLS configuration / Server](/reference/tls/#server-side) for details. + + +**Syntax**: io\_debug _boolean_
+**Default**: no + +Write all commands and responses to stderr. + +**Syntax**: debug _boolean_
+**Default**: global directive value + +Enable verbose logging. + +**Syntax**: insecure\_auth _boolean_
+**Default**: no (yes if TLS is disabled) + +Allow plain-text authentication over unencrypted connections. Not recommended! + +**Syntax**: read\_timeout _duration_
+**Default**: 10m + +I/O read timeout. + +**Syntax**: write\_timeout _duration_
+**Default**: 1m + +I/O write timeout. + +**Syntax**: max\_message\_size _size_
+**Default**: 32M + +Limit the size of incoming messages to 'size'. + +**Syntax**: max\_header\_size _size_
+**Default**: 1M + +Limit the size of incoming message headers to 'size'. + +**Syntax**: auth _module\_reference_
+**Default**: not specified + +Use the specified module for authentication. + +**Syntax**: defer\_sender\_reject _boolean_
+**Default**: yes + +Apply sender-based checks and routing logic when first RCPT TO command +is received. This allows maddy to log recipient address of the rejected +message and also improves interoperability with (improperly implemented) +clients that don't expect an error early in session. + +**Syntax**: max\_logged\_rcpt\_errors _integer_
+**Default**: 5 + +Amount of RCPT-time errors that should be logged. Further errors will be +handled silently. This is to prevent log flooding during email dictonary +attacks (address probing). + +**Syntax**: max\_received _integer_
+**Default**: 50 + +Max. amount of Received header fields in the message header. If the incoming +message has more fields than this number, it will be rejected with the permanent error +5.4.6 ("Routing loop detected"). + +**Syntax**:
+buffer ram
+buffer fs _[path]_
+buffer auto _max\_size_ _[path]_
+**Default**: auto 1M StateDirectory/buffer + +Temporary storage to use for the body of accepted messages. + +- ram + +Store the body in RAM. + +- fs + +Write out the message to the FS and read it back as needed. +_path_ can be omitted and defaults to StateDirectory/buffer. + +- auto + +Store message bodies smaller than _max\_size_ entirely in RAM, otherwise write +them out to the FS. +_path_ can be omitted and defaults to StateDirectory/buffer. + +**Syntax**: smtp\_max\_line\_length _integer_
+**Default**: 4000 + +The maximum line length allowed in the SMTP input stream. If client sends a +longer line - connection will be closed and message (if any) will be rejected +with a permanent error. + +RFC 5321 has the recommended limit of 998 bytes. Servers are not required +to handle longer lines correctly but some senders may produce them. + +Unless BDAT extension is used by the sender, this limitation also applies to +the message body. + +**Syntax**: dmarc _boolean_
+**Default**: yes + +Enforce sender's DMARC policy. Due to implementation limitations, it is not a +check module. + +**NOTE**: Report generation is not implemented now. + +**NOTE**: DMARC needs SPF and DKIM checks to function correctly. +Without these, DMARC check will not run. + +## Rate & concurrency limiting + +**Syntax**: limits _config block_
+**Default**: no limits + +This allows configuring a set of message flow restrictions including +max. concurrency and rate per-endpoint, per-source, per-destination. + +Limits are specified as directives inside the block: +``` +limits { + all rate 20 + destination concurrency 5 +} +``` + +Supported limits: + +- Rate limit + +**Syntax**: _scope_ rate _burst_ _[period]_
+Restrict the amount of messages processed in _period_ to _burst_ messages. +If period is not specified, 1 second is used. + +- Concurrency limit + +**Syntax**: _scope_ concurrency _max_
+Restrict the amount of messages processed in parallel to _max\_. + +For each supported limitation, _scope_ determines whether it should be applied +for all messages ("all"), per-sender IP ("ip"), per-sender domain ("source") or +per-recipient domain ("destination"). Having a scope other than "all" means +that the restriction will be enforced independently for each group determined +by scope. E.g. "ip rate 20" means that the same IP cannot send more than 20 +messages in a scond. "destination concurrency 5" means that no more than 5 +messages can be sent in parallel to a single domain. + +**Note**: At the moment, SMTP endpoint on its own does not support per-recipient +limits. They will be no-op. If you want to enforce a per-recipient restriction +on outbound messages, do so using 'limits' directive for the 'table.remote' module + +It is possible to share limit counters between multiple endpoints (or any other +modules). To do so define a top-level configuration block for module "limits" +and reference it where needed using standard & syntax. E.g. +``` +limits inbound_limits { + all rate 20 +} + +smtp smtp://0.0.0.0:25 { + limits &inbound_limits + ... +} + +submission tls://0.0.0.0:465 { + limits &inbound_limits + ... +} +``` +Using an "all rate" restriction in such way means that no more than 20 +messages can enter the server through both endpoints in one second. + +# Submission module (submission) + +Module 'submission' implements all functionality of the 'smtp' module and adds +certain message preprocessing on top of it, additionaly authentication is +always required. + +'submission' module checks whether addresses in header fields From, Sender, To, +Cc, Bcc, Reply-To are correct and adds Message-ID and Date if it is missing. + +``` +submission tcp://0.0.0.0:587 tls://0.0.0.0:465 { + # ... same as smtp ... +} +``` + +# LMTP module (lmtp) + +Module 'lmtp' implements all functionality of the 'smtp' module but uses +LMTP (RFC 2033) protocol. + +``` +lmtp unix://lmtp.sock { + # ... same as smtp ... +} +``` + +## Limitations of LMTP implementation + +- Can't be used with TCP. + +- Delivery to 'sql' module storage is always atomic, either all recipients will + succeed or none of them will. + diff --git a/docs/reference/global-config.md b/docs/reference/global-config.md new file mode 100644 index 0000000..7894b6a --- /dev/null +++ b/docs/reference/global-config.md @@ -0,0 +1,94 @@ +# Global configuration directives + +These directives can be specified outside of any +configuration blocks and they are applied to all modules. + +Some directives can be overridden on per-module basis (e.g. hostname). + +**Syntax**: state\_dir _path_
+**Default**: /var/lib/maddy + +The path to the state directory. This directory will be used to store all +persistent data and should be writable. + +**Syntax**: runtime\_dir _path_
+**Default**: /run/maddy + +The path to the runtime directory. Used for Unix sockets and other temporary +objects. Should be writable. + +**Syntax**: hostname _domain_
+**Default**: not specified + +Internet hostname of this mail server. Typicall FQDN is used. It is recommended +to make sure domain specified here resolved to the public IP of the server. + +**Syntax**: autogenerated\_msg\_domain _domain_
+**Default**: not specified + +Domain that is used in From field for auto-generated messages (such as Delivery +Status Notifications). + +**Syntax**:
+tls file _cert\_file_ _pkey\_file_
+tls _module reference_
+tls off
+**Default**: not specified + +Default TLS certificate to use for all endpoints. + +Must be present in either all endpoint modules configuration blocks or as +global directive. + +You can also specify other configuration options such as cipher suites and TLS +version. See maddy-tls(5) for details. maddy uses reasonable +cipher suites and TLS versions by default so you generally don't have to worry +about it. + +**Syntax**: tls\_client { ... }
+**Default**: not specified + +This is optional block that specifies various TLS-related options to use when +making outbound connections. See TLS client configuration for details on +directives that can be used in it. maddy uses reasonable cipher suites and TLS +versions by default so you generally don't have to worry about it. + +**Syntax**:
+log _targets..._
+log off
+**Default**: stderr + +Write log to one of more "targets". + +The target can be one or the following: + +- stderr + + Write logs to stderr. + +- stderr\_ts + + Write logs to stderr with timestamps. + +- syslog + + Send logs to the local syslog daemon. + +- _file path_ + + Write (append) logs to file. + +Example: +``` +log syslog /var/log/maddy.log +``` + +**Note:** Maddy does not perform log files rotation, this is the job of the +logrotate daemon. Send SIGUSR1 to maddy process to make it reopen log files. + +**Syntax**: debug _boolean_
+**Default**: no + +Enable verbose logging for all modules. You don't need that unless you are +reporting a bug. + diff --git a/docs/reference/modifiers/dkim.md b/docs/reference/modifiers/dkim.md new file mode 100644 index 0000000..fadbe51 --- /dev/null +++ b/docs/reference/modifiers/dkim.md @@ -0,0 +1,197 @@ +# DKIM signing + +modify.dkim module is a modifier that signs messages using DKIM +protocol (RFC 6376). + +Each configuration block specifies a single selector +and one or more domains. + +A key will be generated or read for each domain, the key to use +for each message will be selected based on the SMTP envelope sender. Exception +for that is that for domain-less postmaster address and null address, the +key for the first domain will be used. If domain in envelope sender +does not match any of loaded keys, message will not be signed. +Additionally, for each messages From header is checked to +match MAIL FROM and authorization identity (username sender is logged in as). +This can be controlled using require\_sender\_match directive. + +Generated private keys are stored in unencrypted PKCS#8 format +in state_directory/dkim_keys (/var/lib/maddy/dkim_keys). +In the same directory .dns files are generated that contain +public key for each domain formatted in the form of a DNS record. + +## Arguments + +domains and selector can be specified in arguments, so actual modify.dkim use can +be shortened to the following: +``` +modify { + dkim example.org selector +} +``` + +## Configuration directives + +``` +modify.dkim { + debug no + domains example.org example.com + selector default + key_path dkim-keys/{domain}-{selector}.key + oversign_fields ... + sign_fields ... + header_canon relaxed + body_canon relaxed + sig_expiry 120h # 5 days + hash sha256 + newkey_algo rsa2048 +} +``` + +**Syntax**: debug _boolean_
+**Default**: global directive value + +Enable verbose logging. + +**Syntax**: domains _string list_
+**Default**: not specified + +**REQUIRED.** + +ADministrative Management Domains (ADMDs) taking responsibility for messages. + +Should be specified either as a directive or as an argument. + +**Syntax**: selector _string_
+**Default**: not specified + +**REQUIRED.** + +Identifier of used key within the ADMD. +Should be specified either as a directive or as an argument. + +**Syntax**: key\_path _string_
+**Default**: dkim\_keys/{domain}\\_{selector}.key + +Path to private key. It should be in PKCS#8 format wrapped in PAM encoding. +If key does not exist, it will be generated using algorithm specified +in newkey\_algo. + +Placeholders '{domain}' and '{selector}' will be replaced with corresponding +values from domain and selector directives. + +Additionally, keys in PKCS#1 ("RSA PRIVATE KEY") and +RFC 5915 ("EC PRIVATE KEY") can be read by modify.dkim. Note, however that +newly generated keys are always in PKCS#8. + +**Syntax**: oversign\_fields _list..._
+**Default**: see below + +Header fields that should be signed n+1 times where n is times they are +present in the message. This makes it impossible to replace field +value by prepending another field with the same name to the message. + +Fields specified here don't have to be also specified in sign\_fields. + +Default set of oversigned fields: +- Subject +- To +- From +- Date +- MIME-Version +- Content-Type +- Content-Transfer-Encoding +- Reply-To +- Message-Id +- References +- Autocrypt +- Openpgp + +**Syntax**: sign\_fields _list..._
+**Default**: see below + +Header fields that should be signed n+1 times where n is times they are +present in the message. For these fields, additional values can be prepended +by intermediate relays, but existing values can't be changed. + +Default set of signed fields: +- List-Id +- List-Help +- List-Unsubscribe +- List-Post +- List-Owner +- List-Archive +- Resent-To +- Resent-Sender +- Resent-Message-Id +- Resent-Date +- Resent-From +- Resent-Cc + +**Syntax**: header\_canon relaxed|simple
+**Default**: relaxed + +Canonicalization algorithm to use for header fields. With 'relaxed', whitespace within +fields can be modified without breaking the signature, with 'simple' no +modifications are allowed. + +**Syntax**: body\_canon relaxed|simple
+**Default**: relaxed + +Canonicalization algorithm to use for message body. With 'relaxed', whitespace within +can be modified without breaking the signature, with 'simple' no +modifications are allowed. + +**Syntax**: sig\_expiry _duration_
+**Default**: 120h + +Time for which signature should be considered valid. Mainly used to prevent +unauthorized resending of old messages. + +**Syntax**: hash _hash_
+**Default**: sha256 + +Hash algorithm to use when computing body hash. + +sha256 is the only supported algorithm now. + +**Syntax**: newkey\_algo rsa4096|rsa2048|ed25519
+**Default**: rsa2048 + +Algorithm to use when generating a new key. + +**Syntax**: require\_sender\_match _ids..._
+**Default**: envelope auth + +Require specified identifiers to match From header field and key domain, +otherwise - don't sign the message. + +If From field contains multiple addresses, message will not be +signed unless allow\_multiple\_from is also specified. In that +case only first address will be compared. + +Matching is done in a case-insensitive way. + +Valid values: +- off + Disable check, always sign. +- envelope + Require MAIL FROM address to match From header. +- auth + If authorization identity contains @ - then require it to + fully match From header. Otherwise, check only local-part + (username). + +**Syntax**: allow\_multiple\_from _boolean_
+**Default**: no + +Allow multiple addresses in From header field for purposes of +require\_sender\_match checks. Only first address will be checked, however. + +**Syntax**: sign\_subdomains _boolean_
+**Default**: no + +Sign emails from subdomains using a top domain key. + +Allows only one domain to be specified (can be workarounded using modify.dkim +multiple times). diff --git a/docs/reference/modifiers/envelope.md b/docs/reference/modifiers/envelope.md new file mode 100644 index 0000000..5a0c86c --- /dev/null +++ b/docs/reference/modifiers/envelope.md @@ -0,0 +1,50 @@ +# Envelope sender / recipient rewriting + +'replace\_sender' and 'replace\_rcpt' modules replace SMTP envelope addresses +based on the mapping defined by the table module. Currently, +only 1:1 mappings are supported (that is, it is not possible to specify +multiple replacements for a single address). + +The address is normalized before lookup (Punycode in domain-part is decoded, +Unicode is normalized to NFC, the whole string is case-folded). + +First, the whole address is looked up. If there is no replacement, local-part +of the address is looked up separately and is replaced in the address while +keeping the domain part intact. Replacements are not applied recursively, that +is, lookup is not repeated for the replacement. + +Recipients are not deduplicated after expansion, so message may be delivered +multiple times to a single recipient. However, used delivery target can apply +such deduplication (imapsql storage does it). + +Definition: +``` +replace_rcpt
[table arguments] { + [extended table config] +} +replace_sender
[table arguments] { + [extended table config] +} +``` + +Use examples: +``` +modify { + replace_rcpt file /etc/maddy/aliases + replace_rcpt static { + entry a@example.org b@example.org + } + replace_rcpt regexp "(.+)@example.net" "$1@example.org" +} +``` + +Possible contents of /etc/maddy/aliases in the example above: +``` +# Replace 'cat' with any domain to 'dog'. +# E.g. cat@example.net -> dog@example.net +cat: dog + +# Replace cat@example.org with cat@example.com. +# Takes priority over the previous line. +cat@example.org: cat@example.com +``` \ No newline at end of file diff --git a/docs/reference/modules.md b/docs/reference/modules.md new file mode 100644 index 0000000..f327e86 --- /dev/null +++ b/docs/reference/modules.md @@ -0,0 +1,76 @@ +# Modules introduction + +maddy is built of many small components called "modules". Each module does one +certain well-defined task. Modules can be connected to each other in arbitrary +ways to achieve wanted functionality. Default configuration file defines +set of modules that together implement typical email server stack. + +To specify the module that should be used by another module for something, look +for configuration directives with "module reference" argument. Then +put the module name as an argument for it. Optionally, if referenced module +needs that, put additional arguments after the name. You can also put a +configuration block with additional directives specifing the module +configuration. + +Here are some examples: + +``` +smtp ... { + # Deliver messages to the 'dummy' module with the default configuration. + deliver_to dummy + + # Deliver messages to the 'target.smtp' module with + # 'tcp://127.0.0.1:1125' argument as a configuration. + deliver_to smtp tcp://127.0.0.1:1125 + + # Deliver messages to the 'queue' module with the specified configuration. + deliver_to queue { + target ... + max_tries 10 + } +} +``` + +Additionally, module configuration can be placed in a separate named block +at the top-level and referenced by its name where it is needed. + +Here is the example: +``` +storage.imapsql local_mailboxes { + driver sqlite3 + dsn all.db +} + +smtp ... { + deliver_to &local_mailboxes +} +``` + +It is recommended to use this syntax for modules that are 'expensive' to +initialize such as storage backends and authentication providers. + +For top-level configuration block definition, syntax is as follows: +``` +namespace.module_name config_block_name... { + module_configuration +} +``` +If config\_block\_name is omitted, it will be the same as module\_name. Multiple +names can be specified. All names must be unique. + +Note the "storage." prefix. This is the actual module name and includes +"namespace". It is a little cheating to make more concise names and can +be omitted when you reference the module where it is used since it can +be implied (e.g. putting module reference in "check{}" likely means you want +something with "check." prefix) + +Usual module arguments can't be specified when using this syntax, however, +modules usually provide explicit directives that allow to specify the needed +values. For example 'sql sqlite3 all.db' is equivalent to +``` +storage.imapsql { + driver sqlite3 + dsn all.db +} +``` + diff --git a/docs/reference/smtp-pipeline.md b/docs/reference/smtp-pipeline.md new file mode 100644 index 0000000..a86ef42 --- /dev/null +++ b/docs/reference/smtp-pipeline.md @@ -0,0 +1,384 @@ +# SMTP message routing (pipeline) + +# Message pipeline + +Message pipeline is a set of module references and associated rules that +describe how to handle messages. + +The pipeline is responsible for +- Running message filters (called "checks"), (e.g. DKIM signature verification, + DNSBL lookup and so on). + +- Running message modifiers (e.g. DKIM signature creation). + +- Assocating each message recipient with one or more delivery targets. + Delivery target is a module that does final processing (delivery) of the + message. + +Message handling flow is as follows: +- Execute checks referenced in top-level 'check' blocks (if any) + +- Execute modifiers referenced in top-level 'modify' blocks (if any) + +- If there are 'source' blocks - select one that matches message sender (as + specified in MAIL FROM). If there are no 'source' blocks - entire + configuration is assumed to be the 'default\_source' block. + +- Execute checks referenced in 'check' blocks inside selected 'source' block + (if any). + +- Execute modifiers referenced in 'modify' blocks inside selected 'source' + block (if any). + +Then, for each recipient: +- Select 'destination' block that matches it. If there are + no 'destination' blocks - entire used 'source' block is interpreted as if it + was a 'default\_destination' block. + +- Execute checks referenced in 'check' block inside selected 'destination' block + (if any). + +- Execute modifiers referenced in 'modify' block inside selected 'destination' + block (if any). + +- If used block contains 'reject' directive - reject the recipient with + specified SMTP status code. + +- If used block contains 'deliver\_to' directive - pass the message to the + specified target module. Only recipients that are handled + by used block are visible to the target. + +Each recipient is handled only by a single 'destination' block, in case of +overlapping 'destination' - first one takes priority. +``` +destination example.org { + deliver_to targetA +} +destination example.org { # ambiguous and thus not allowed + deliver_to targetB +} +``` +Same goes for 'source' blocks, each message is handled only by a single block. + +Each recipient block should contain at least one 'deliver\_to' directive or +'reject' directive. If 'destination' blocks are used, then +'default\_destination' block should also be used to specify behavior for +unmatched recipients. Same goes for source blocks, 'default\_source' should be +used if 'source' is used. + +That is, pipeline configuration should explicitly specify behavior for each +possible sender/recipient combination. + +Additionally, directives that specify final handling decision ('deliver\_to', +'reject') can't be used at the same level as source/destination rules. +Consider example: +``` +destination example.org { + deliver_to local_mboxes +} +reject +``` +It is not obvious whether 'reject' applies to all recipients or +just for non-example.org ones, hence this is not allowed. + +Complete configuration example using all of the mentioned directives: +``` +check { + # Run a check to make sure source SMTP server identification + # is legit. + require_matching_ehlo +} + +# Messages coming from senders at example.org will be handled in +# accordance with the following configuration block. +source example.org { + # We are example.com, so deliver all messages with recipients + # at example.com to our local mailboxes. + destination example.com { + deliver_to &local_mailboxes + } + + # We don't do anything with recipients at different domains + # because we are not an open relay, thus we reject them. + default_destination { + reject 521 5.0.0 "User not local" + } +} + +# We do our business only with example.org, so reject all +# other senders. +default_source { + reject +} +``` + +## Directives + +**Syntax**: check _block name_ { ... }
+**Context**: pipeline configuration, source block, destination block + +List of the module references for checks that should be executed on +messages handled by block where 'check' is placed in. + +Note that message body checks placed in destination block are currently +ignored. Due to the way SMTP protocol is defined, they would cause message to +be rejected for all recipients which is not what you usually want when using +such configurations. + +Example: +``` +check { + # Reference implicitly defined default configuration for check. + require_matching_ehlo + + # Inline definition of custom config. + require_source_mx { + # Configuration for require_source_mx goes here. + fail_action reject + } +} +``` + +It is also possible to define the block of checks at the top level +as "checks" module and reference it using & syntax. Example: +``` +checks inbound_checks { + require_matching_ehlo +} + +# ... somewhere else ... +{ + ... + check &inbound_checks +} +``` + +**Syntax**: modify { ... }
+**Default**: not specified
+**Context**: pipeline configuration, source block, destination block + +List of the module references for modifiers that should be executed on +messages handled by block where 'modify' is placed in. + +Message modifiers are similar to checks with the difference in that checks +purpose is to verify whether the message is legitimate and valid per local +policy, while modifier purpose is to post-process message and its metadata +before final delivery. + +For example, modifier can replace recipient address to make message delivered +to the different mailbox or it can cryptographically sign outgoing message +(e.g. using DKIM). Some modifier can perform multiple unrelated modifications +on the message. + +**Note**: Modifiers that affect source address can be used only globally or on +per-source basis, they will be no-op inside destination blocks. Modifiers that +affect the message header will affect it for all recipients. + +It is also possible to define the block of modifiers at the top level +as "modiifers" module and reference it using & syntax. Example: +``` +modifiers local_modifiers { + replace_rcpt file /etc/maddy/aliases +} + +# ... somewhere else ... +{ + ... + modify &local_modifiers +} +``` + +**Syntax**:
+reject _smtp\_code_ _smtp\_enhanced\_code_ _error\_description_
+reject _smtp\_code_ _smtp\_enhanced\_code_
+reject _smtp\_code_
+reject
+**Context**: destination block + +Messages handled by the configuration block with this directive will be +rejected with the specified SMTP error. + +If you aren't sure which codes to use, use 541 and 5.4.0 with your message or +just leave all arguments out, the error description will say "message is +rejected due to policy reasons" which is usually what you want to mean. + +'reject' can't be used in the same block with 'deliver\_to' or +'destination/source' directives. + +Example: +``` +reject 541 5.4.0 "We don't like example.org, go away" +``` + +**Syntax**: deliver\_to _target-config-block_
+**Context**: pipeline configuration, source block, destination block + +Deliver the message to the referenced delivery target. What happens next is +defined solely by used target. If deliver\_to is used inside 'destination' +block, only matching recipients will be passed to the target. + +**Syntax**: source\_in _table reference_ { ... }
+**Context**: pipeline configuration + +Handle messages with envelope senders present in the specified table in +accordance with the specified configuration block. + +Takes precedence over all 'sender' directives. + +Example: +``` +source_in file /etc/maddy/banned_addrs { + reject 550 5.7.0 "You are not welcome here" +} +source example.org { + ... +} +... +``` + +See 'destination\_in' documentation for note about table configuration. + +**Syntax**: source _rules..._ { ... }
+**Context**: pipeline configuration + +Handle messages with MAIL FROM value (sender address) matching any of the rules +in accordance with the specified configuration block. + +"Rule" is either a domain or a complete address. In case of overlapping +'rules', first one takes priority. Matching is case-insensitive. + +Example: +``` +# All messages coming from example.org domain will be delivered +# to local_mailboxes. +source example.org { + deliver_to &local_mailboxes +} +# Messages coming from different domains will be rejected. +default_source { + reject 521 5.0.0 "You were not invited" +} +``` + +**Syntax**: reroute { ... }
+**Context**: pipeline configuration, source block, destination block + +This directive allows to make message routing decisions based on the +result of modifiers. The block can contain all pipeline directives and they +will be handled the same with the exception that source and destination rules +will use the final recipient and sender values (e.g. after all modifiers are +applied). + +Here is the concrete example how it can be useful: +``` +destination example.org { + modify { + replace_rcpt file /etc/maddy/aliases + } + reroute { + destination example.org { + deliver_to &local_mailboxes + } + default_destination { + deliver_to &remote_queue + } + } +} +``` + +This configuration allows to specify alias local addresses to remote ones +without being an open relay, since remote\_queue can be used only if remote +address was introduced as a result of rewrite of local address. + +**WARNING**: If you have DMARC enabled (default), results generated by SPF +and DKIM checks inside a reroute block **will not** be considered in DMARC +evaluation. + +**Syntax**: destination\_in _table reference_ { ... }
+**Context**: pipeline configuration, source block + +Handle messages with envelope recipients present in the specified table in +accordance with the specified configuration block. + +Takes precedence over all 'destination' directives. + +Example: +``` +destination_in file /etc/maddy/remote_addrs { + deliver_to smtp tcp://10.0.0.7:25 +} +destination example.com { + deliver_to &local_mailboxes +} +... +``` + +Note that due to the syntax restrictions, it is not possible to specify +extended configuration for table module. E.g. this is not valid: +``` +destination_in sql_table { + dsn ... + driver ... +} { + deliver_to whatever +} +``` + +In this case, configuration should be specified separately and be referneced +using '&' syntax: +``` +table.sql_table remote_addrs { + dsn ... + driver ... +} + +whatever { + destination_in &remote_addrs { + deliver_to whatever + } +} +``` + +**Syntax**: destination _rule..._ { ... }
+**Context**: pipeline configuration, source block + +Handle messages with RCPT TO value (recipient address) matching any of the +rules in accordance with the specified configuration block. + +"Rule" is either a domain or a complete address. Duplicate rules are not +allowed. Matching is case-insensitive. + +Note that messages with multiple recipients are split into multiple messages if +they have recipients matched by multiple blocks. Each block will see the +message only with recipients matched by its rules. + +Example: +``` +# Messages with recipients at example.com domain will be +# delivered to local_mailboxes target. +destination example.com { + deliver_to &local_mailboxes +} + +# Messages with other recipients will be rejected. +default_destination { + rejected 541 5.0.0 "User not local" +} +``` + +## Reusable pipeline snippets (msgpipeline module) + +The message pipeline can be used independently of the SMTP module in other +contexts that require a delivery target via "msgpipeline" module. + +Example: +``` +msgpipeline local_routing { + destination whatever.com { + deliver_to dummy + } +} + +# ... somewhere else ... +deliver_to &local_routing +``` \ No newline at end of file diff --git a/docs/reference/storage/imapsql.md b/docs/reference/storage/imapsql.md new file mode 100644 index 0000000..17bdbc4 --- /dev/null +++ b/docs/reference/storage/imapsql.md @@ -0,0 +1,181 @@ +# SQL-indexed storage + +The imapsql module implements database for IMAP index and message +metadata using SQL-based relational database. + +Message contents are stored in an "blob store" defined by msg\_store +directive. By default this is a file system directory under /var/lib/maddy. + +Supported RDBMS: +- SQLite 3.25.0 +- PostgreSQL 9.6 or newer +- CockroachDB 20.1.5 or newer + +Account names are required to have the form of a email address (unless configured otherwise) +and are case-insensitive. UTF-8 names are supported with restrictions defined in the +PRECIS UsernameCaseMapped profile. + +``` +storage.imapsql { + driver sqlite3 + dsn imapsql.db + msg_store fs messages/ +} +``` + +imapsql module also can be used as a lookup table. +It returns empty string values for existing usernames. This might be useful +with destination\_in directive e.g. to implement catch-all +addresses (this is a bad idea to do so, this is just an example): +``` +destination_in &local_mailboxes { + deliver_to &local_mailboxes +} +destination example.org { + modify { + replace_rcpt regexp ".*" "catchall@example.org" + } + deliver_to &local_mailboxes +} +``` + + +## Arguments + +Specify the driver and DSN. + +## Configuration directives + +**Syntax**: driver _string_
+**Default**: not specified + +REQUIRED. + +Use a specified driver to communicate with the database. Supported values: +sqlite3, postgres. + +Should be specified either via an argument or via this directive. + +**Syntax**: dsn _string_
+**Default**: not specified + +REQUIRED. + +Data Source Name, the driver-specific value that specifies the database to use. + +For SQLite3 this is just a file path. +For PostgreSQL: [https://godoc.org/github.com/lib/pq#hdr-Connection\_String\_Parameters](https://godoc.org/github.com/lib/pq#hdr-Connection\_String\_Parameters) + +Should be specified either via an argument or via this directive. + +**Syntax**: msg\_store _store_
+**Default**: fs messages/ + +Module to use for message bodies storage. + +See "Blob storage" section for what you can use here. + +**Syntax**:
+compression off
+compression _algorithm_
+compression _algorithm_ _level_
+**Default**: off + +Apply compression to message contents. +Supported algorithms: lz4, zstd. + +**Syntax**: appendlimit _size_
+**Default**: 32M + +Don't allow users to add new messages larger than 'size'. + +This does not affect messages added when using module as a delivery target. +Use 'max\_message\_size' directive in SMTP endpoint module to restrict it too. + +**Syntax**: debug _boolean_
+**Default**: global directive value + +Enable verbose logging. + +**Syntax**: junk\_mailbox _name_
+**Default**: Junk + +The folder to put quarantined messages in. Thishis setting is not used if user +does have a folder with "Junk" special-use attribute. + +**Syntax**: disable\_recent _boolean_
+*Default: true + +Disable RFC 3501-conforming handling of \Recent flag. + +This significantly improves storage performance when SQLite3 or CockroackDB is +used at the cost of confusing clients that use this flag. + +**Syntax**: sqlite\_cache\_size _integer_
+**Default**: defined by SQLite + +SQLite page cache size. If positive - specifies amount of pages (1 page - 4 +KiB) to keep in cache. If negative - specifies approximate upper bound +of cache size in KiB. + +**Syntax**: sqlite\_busy\_timeout _integer_
+**Default**: 5000000 + +SQLite-specific performance tuning option. Amount of milliseconds to wait +before giving up on DB lock. + +**Syntax**: imap\_filter { ... }
+**Default**: not set + +Specifies IMAP filters to apply for messages delivered from SMTP pipeline. + +Ex. +``` +imap_filter { + command /etc/maddy/sieve.sh {account_name} +} +``` + +**Syntax:** delivery\_map **table**
+**Default:** identity + +Use specified table module to map recipient +addresses from incoming messages to mailbox names. + +Normalization algorithm specified in delivery\_normalize is appied before +delivery\_map. + +**Syntax:** delivery\_normalize _name_
+**Default:** precis\_casefold\_email + +Normalization function to apply to email addresses before mapping them +to mailboxes. + +See auth\_normalize. + +**Syntax**: auth\_map **table**
+**Default**: identity + +Use specified table module to map authentication +usernames to mailbox names. + +Normalization algorithm specified in auth\_normalize is applied before +auth\_map. + +**Syntax**: auth\_normalize _name_
+**Default**: precis\_casefold\_email + +Normalization function to apply to authentication usernames before mapping +them to mailboxes. + +Available options: +- precis\_casefold\_email PRECIS UsernameCaseMapped profile + U-labels form for domain +- precis\_casefold PRECIS UsernameCaseMapped profile for the entire string +- precis\_email PRECIS UsernameCasePreserved profile + U-labels form for domain +- precis PRECIS UsernameCasePreserved profile for the entire string +- casefold Convert to lower case +- noop Nothing + +Note: On message delivery, recipient address is unconditionally normalized +using precis\_casefold\_email function. + diff --git a/docs/reference/table/auth.md b/docs/reference/table/auth.md new file mode 100644 index 0000000..4bfe4bd --- /dev/null +++ b/docs/reference/table/auth.md @@ -0,0 +1,6 @@ +# Authentication providers + +Most authentication providers are also usable as a table +that contains all usernames known to the module. Exceptions are auth.external and +pam as underlying interfaces do not define a way to check credentials +existence. diff --git a/docs/reference/table/chain.md b/docs/reference/table/chain.md new file mode 100644 index 0000000..12ef3be --- /dev/null +++ b/docs/reference/table/chain.md @@ -0,0 +1,38 @@ +# Table chaining + +The table.chain module allows chaining together multiple table modules +by using value returned by a previous table as an input for the second +table. + +Example: +``` +table.chain { + step regexp "(.+)(\\+[^+"@]+)?@example.org" "$1@example.org" + step file /etc/maddy/emails +} +``` +This will strip +prefix from mailbox before looking it up +in /etc/maddy/emails list. + +## Configuration directives + +**Syntax**: step _table\_ + +Adds a table module to the chain. If input value is not in the table +(e.g. file) - return "not exists" error. + +**Syntax**: optional\_step _table\_ + +Same as step but if input value is not in the table - it is passed to the +next step without changes. + +Example: +Something like this can be used to map emails to usernames +after translating them via aliases map: +``` +table.chain { + optional_step file /etc/maddy/aliases + step regexp "(.+)@(.+)" "$1" +} +``` + diff --git a/docs/reference/table/email_localpart.md b/docs/reference/table/email_localpart.md new file mode 100644 index 0000000..342e870 --- /dev/null +++ b/docs/reference/table/email_localpart.md @@ -0,0 +1,12 @@ +# Email local part + +The module 'table.email\_localpart' extracts and unescaped local ("username") part +of the email address. + +E.g. +test@example.org => test +"test @ a"@example.org => test @ a + +``` +table.email_localpart { } +``` diff --git a/docs/reference/table/file.md b/docs/reference/table/file.md new file mode 100644 index 0000000..deb6e6d --- /dev/null +++ b/docs/reference/table/file.md @@ -0,0 +1,54 @@ +# File + +table.file module builds string-string mapping from a text file. + +File is reloaded every 15 seconds if there are any changes (detected using +modification time). No changes are applied if file contains syntax errors. + +Definition: +``` +file +``` +or +``` +file { + file +} +``` + +Usage example: +``` +# Resolve SMTP address aliases using text file mapping. +modify { + replace_rcpt file /etc/maddy/aliases +} +``` + +## Syntax + +Better demonstrated by examples: + +``` +# Lines starting with # are ignored. + +# And so are lines only with whitespace. + +# Whenever 'aaa' is looked up, return 'bbb' +aaa: bbb + + # Trailing and leading whitespace is ignored. + ccc: ddd + +# If there is no colon, the string is translated into "" +# That is, the following line is equivalent to +# aaa: +aaa + +# If the same key is used multiple times - table.file will return +# multiple values when queries. Note that this is not used by +# most modules. E.g. replace_rcpt does not (intentionally) support +# 1-to-N alias expansion. +ddd: firstvalue +ddd: secondvalue +``` + diff --git a/docs/reference/table/regexp.md b/docs/reference/table/regexp.md new file mode 100644 index 0000000..9a39b6f --- /dev/null +++ b/docs/reference/table/regexp.md @@ -0,0 +1,58 @@ +# Regexp rewrite table + +The 'regexp' module implements table lookups by applying a regular expression +to the key value. If it matches - 'replacement' value is returned with $N +placeholders being replaced with corresponding capture groups from the match. +Otherwise, no value is returned. + +The regular expression syntax is the subset of PCRE. See +[https://golang.org/pkg/regexp/syntax](https://golang.org/pkg/regexp/syntax)/ for details. + +``` +table.regexp [replacement] { + full_match yes + case_insensitive yes + expand_placeholders yes +} +``` + +Note that [replacement] is optional. If it is not included - table.regexp +will return the original string, therefore acting as a regexp match check. +This can be useful in combination in destination\_in for +advanced matching: +``` +destination_in regexp ".*-bounce+.*@example.com" { + ... +} +``` + +## Configuration directives + +***Syntax***: full\_match _boolean_
+***Default***: yes + +Whether to implicitly add start/end anchors to the regular expression. +That is, if 'full\_match' is yes, then the provided regular expression should +match the whole string. With no - partial match is enough. + +***Syntax***: case\_insensitive _boolean_
+***Default***: yes + +Whether to make matching case-insensitive. + +***Syntax***: expand\_placeholders _boolean_
+***Default***: yes + +Replace '$name' and '${name}' in the replacement string with contents of +corresponding capture groups from the match. + +To insert a literal $ in the output, use $$ in the template. + +# Identity table (table.identity) + +The module 'identity' is a table module that just returns the key looked up. + +``` +table.identity { } +``` + diff --git a/docs/reference/table/sql_query.md b/docs/reference/table/sql_query.md new file mode 100644 index 0000000..c6eb354 --- /dev/null +++ b/docs/reference/table/sql_query.md @@ -0,0 +1,110 @@ +# SQL query mapping + +The table.sql\_query module implements table interface using SQL queries. + +Definition: +``` +table.sql_query { + driver + dsn + lookup + + # Optional: + init + list + add + del + set +} +``` + +Usage example: +``` +# Resolve SMTP address aliases using PostgreSQL DB. +modify { + replace_rcpt sql_query { + driver postgres + dsn "dbname=maddy user=maddy" + lookup "SELECT alias FROM aliases WHERE address = $1" + } +} +``` + +## Configuration directives + +***Syntax***: driver _driver name_
+***REQUIRED*** + +Driver to use to access the database. + +Supported drivers: postgres, sqlite3 (if compiled with C support) + +***Syntax***: dsn _data source name_
+***REQUIRED*** + +Data Source Name to pass to the driver. For SQLite3 this is just a path to DB +file. For Postgres, see +[https://pkg.go.dev/github.com/lib/pq?tab=doc#hdr-Connection\_String\_Parameters](https://pkg.go.dev/github.com/lib/pq?tab=doc#hdr-Connection\_String\_Parameters) + +***Syntax***: lookup _query_
+***REQUIRED*** + +SQL query to use to obtain the lookup result. + +It will get one named argument containing the lookup key. Use :key +placeholder to access it in SQL. The result row set should contain one row, one +column with the string that will be used as a lookup result. If there are more +rows, they will be ignored. If there are more columns, lookup will fail. If +there are no rows, lookup returns "no results". If there are any error - lookup +will fail. + +***Syntax***: init _queries..._
+***Default***: empty + +List of queries to execute on initialization. Can be used to configure RDBMS. + +Example, to improve SQLite3 performance: +``` +table.sql_query { + driver sqlite3 + dsn whatever.db + init "PRAGMA journal_mode=WAL" \ + "PRAGMA synchronous=NORMAL" + lookup "SELECT alias FROM aliases WHERE address = $1" +} +``` + +**Syntax:** named\_args _boolean_
+**Default:** yes + +Whether to use named parameters binding when executing SQL queries +or not. + +Note that maddy's PostgreSQL driver does not support named parameters and +SQLite3 driver has issues handling numbered parameters: +[https://github.com/mattn/go-sqlite3/issues/472](https://github.com/mattn/go-sqlite3/issues/472) + +***Syntax:*** add _query_
+***Syntax:*** list _query_
+***Syntax:*** set _query_
+***Syntax:*** del _query_
+***Default:*** none + +If queries are set to implement corresponding table operations - table becomes +"mutable" and can be used in contexts that require writable key-value store. + +'add' query gets :key, :value named arguments - key and value strings to store. +They should be added to the store. The query **should** not add multiple values +for the same key and **should** fail if the key already exists. + +'list' query gets no arguments and should return a column with all keys in +the store. + +'set' query gets :key, :value named arguments - key and value and should replace the existing +entry in the database. + +'del' query gets :key argument - key and should remove it from the database. + +If named\_args is set to "no" - key is passed as the first numbered parameter +($1), value is passed as the second numbered parameter ($2). + diff --git a/docs/reference/table/static.md b/docs/reference/table/static.md new file mode 100644 index 0000000..ccee1d2 --- /dev/null +++ b/docs/reference/table/static.md @@ -0,0 +1,21 @@ +# Static table + +The 'static' module implements table lookups using key-value pairs in its +configuration. + +``` +table.static { + entry KEY1 VALUE1 + entry KEY2 VALUE2 + ... +} +``` + +## Configuration directives + +***Syntax***: entry _key_ _value\_ + +Add an entry to the table. + +If the same key is used multiple times, the last one takes effect. + diff --git a/docs/reference/targets/queue.md b/docs/reference/targets/queue.md new file mode 100644 index 0000000..c4e5beb --- /dev/null +++ b/docs/reference/targets/queue.md @@ -0,0 +1,84 @@ +# Local queue + +Queue module buffers messages on disk and retries delivery multiple times to +another target to ensure reliable delivery. + +It is also responsible for generation of DSN messages +in case of delivery failures. + +## Arguments + +First argument specifies directory to use for storage. +Relative paths are relative to the StateDirectory. + +## Configuration directives + +``` +target.queue { + target remote + location ... + max_parallelism 16 + max_tries 4 + bounce { + destination example.org { + deliver_to &local_mailboxes + } + default_destination { + reject + } + } + + autogenerated_msg_domain example.org + debug no +} +``` + +**Syntax**: target _block\_name_
+**Default**: not specified + +REQUIRED. + +Delivery target to use for final delivery. + +**Syntax**: location _directory_
+**Default**: StateDirectory/configuration\_block\_name + +File system directory to use to store queued messages. +Relative paths are relative to the StateDirectory. + +**Syntax**: max\_parallelism _integer_
+**Default**: 16 + +Start up to _integer_ goroutines for message processing. Basically, this option +limits amount of messages tried to be delivered concurrently. + +**Syntax**: max\_tries _integer_
+**Default**: 20 + +Attempt delivery up to _integer_ times. Note that no more attempts will be done +is permanent error occured during previous attempt. + +Delay before the next attempt will be increased exponentally using the +following formula: 15mins \* 1.2 ^ (n - 1) where n is the attempt number. +This gives you approximately the following sequence of delays: +18mins, 21mins, 25mins, 31mins, 37mins, 44mins, 53mins, 64mins, ... + +**Syntax**: bounce { ... }
+**Default**: not specified + +This configuration contains pipeline configuration to be used for generated DSN +(Delivery Status Notifiaction) messages. + +If this is block is not present in configuration, DSNs will not be generated. +Note, however, this is not what you want most of the time. + +**Syntax**: autogenerated\_msg\_domain _domain_
+**Default**: global directive value + +Domain to use in sender address for DSNs. Should be specified too if 'bounce' +block is specified. + +**Syntax**: debug _boolean_
+**Default**: no + +Enable verbose logging. \ No newline at end of file diff --git a/docs/reference/targets/remote.md b/docs/reference/targets/remote.md new file mode 100644 index 0000000..9a507aa --- /dev/null +++ b/docs/reference/targets/remote.md @@ -0,0 +1,246 @@ +# Remote MX delivery + +Module that implements message delivery to remote MTAs discovered via DNS MX +records. You probably want to use it with queue module for reliability. + +If a message check marks a message as 'quarantined', remote module +will refuse to deliver it. + +## Configuration directives + +``` +target.remote { + hostname mx.example.org + debug no +} +``` + +**Syntax**: hostname _domain_
+**Default**: global directive value + +Hostname to use client greeting (EHLO/HELO command). Some servers require it to +be FQDN, SPF-capable servers check whether it corresponds to the server IP +address, so it is better to set it to a domain that resolves to the server IP. + +**Syntax**: limits _config block_
+**Default**: no limits + +See ['limits' directive for SMTP endpoint](/reference/endpoints/smtp/#rate-concurrency-limiting). +It works the same except for address domains used for +per-source/per-destination are as observed when message exits the server. + +**Syntax**: local\_ip _IP address_
+**Default**: empty + +Choose the local IP to bind for outbound SMTP connections. + +**Syntax**: connect\_timeout _duration_
+**Default**: 5m + +Timeout for TCP connection establishment. + +RFC 5321 recommends 5 minutes for "initial greeting" that includes TCP +handshake. maddy uses two separate timers - one for "dialing" (DNS A/AAAA +lookup + TCP handshake) and another for "initial greeting". This directive +configures the former. The latter is not configurable and is hardcoded to be +5 minutes. + +**Syntax**: command\_timeout _duration_
+**Default**: 5m + +Timeout for any SMTP command (EHLO, MAIL, RCPT, DATA, etc). + +If STARTTLS is used this timeout also applies to TLS handshake. + +RFC 5321 recommends 5 minutes for MAIL/RCPT and 3 minutes for +DATA. + +**Syntax**: submission\_timeout _duration_
+**Default**: 12m + +Time to wait after the entire message is sent (after "final dot"). + +RFC 5321 recommends 10 minutes. + +**Syntax**: debug _boolean_
+**Default**: global directive value + +Enable verbose logging. + +**Syntax**: requiretls\_override _boolean_
+**Default**: true + +Allow local security policy to be disabled using 'TLS-Required' header field in +sent messages. Note that the field has no effect if transparent forwarding is +used, message body should be processed before outbound delivery starts for it +to take effect (e.g. message should be queued using 'queue' module). + +**Syntax**: relaxed\_requiretls _boolean_
+**Default**: true + +This option disables strict conformance with REQUIRETLS specification and +allows forwarding of messages 'tagged' with REQUIRETLS to MXes that are not +advertising REQUIRETLS support. It is meant to allow REQUIRETLS use without the +need to have support from all servers. It is based on the assumption that +server referenced by MX record is likely the final destination and therefore +there is only need to secure communication towards it and not beyond. + +**Syntax**: conn\_reuse\_limit _integer_
+**Default**: 10 + +Amount of times the same SMTP connection can be used. +Connections are never reused if the previous DATA command failed. + +**Syntax**: conn\_max\_idle\_count _integer_
+**Default**: 10 + +Max. amount of idle connections per recipient domains to keep in cache. + +**Syntax**: conn\_max\_idle\_time _integer_
+**Default**: 150 (2.5 min) + +Amount of time the idle connection is still considered potentially usable. + +## Security policies + +**Syntax**: mx\_auth _config block_
+**Default**: no policies + +'remote' module implements a number of of schemes and protocols necessary to +ensure security of message delivery. Most of these schemes are concerned with +authentication of recipient server and TLS enforcement. + +To enable mechanism, specify its name in the mx\_auth directive block: +``` +mx_auth { + dane + mtasts +} +``` +Additional configuration is possible if supported by the mechanism by +specifying additional options as a block for the corresponding mechanism. +E.g. +``` +mtasts { + cache ram +} +``` + +If the mx\_auth directive is not specified, no mechanisms are enabled. Note +that, however, this makes outbound SMTP vulnerable to a numberous downgrade +attacks and hence not recommended. + +It is possible to share the same set of policies for multiple 'remote' module +instances by defining it at the top-level using 'mx\_auth' module and then +referencing it using standard & syntax: +``` +mx_auth outbound_policy { + dane + mtasts { + cache ram + } +} + +# ... somewhere else ... + +deliver_to remote { + mx_auth &outbound_policy +} + +# ... somewhere else ... + +deliver_to remote { + mx_auth &outbound_policy + tls_client { ... } +} +``` + +### MTA-STS + +Checks MTA-STS policy of the recipient domain. Provides proper authentication +and TLS enforcement for delivery, but partially vulnerable to persistent active +attacks. + +Sets MX level to "mtasts" if the used MX matches MTA-STS policy even if it is +not set to "enforce" mode. + +``` +mtasts { + cache fs + fs_dir StateDirectory/mtasts_cache +} +``` + +**Syntax**: cache fs|ram
+**Default**: fs + +Storage to use for MTA-STS cache. 'fs' is to use a filesystem directory, 'ram' +to store the cache in memory. + +It is recommended to use 'fs' since that will not discard the cache (and thus +cause MTA-STS security to disappear) on server restart. However, using the RAM +cache can make sense for high-load configurations with good uptime. + +**Syntax**: fs\_dir _directory_
+**Default**: StateDirectory/mtasts\_cache + +Filesystem directory to use for policies caching if 'cache' is set to 'fs'. + +### DNSSEC + +Checks whether MX records are signed. Sets MX level to "dnssec" is they are. + +maddy does not validate DNSSEC signatures on its own. Instead it reslies on +the upstream resolver to do so by causing lookup to fail when verification +fails and setting the AD flag for signed and verfified zones. As a safety +measure, if the resolver is not 127.0.0.1 or ::1, the AD flag is ignored. + +DNSSEC is currently not supported on Windows and other platforms that do not +have the /etc/resolv.conf file in the standard format. + +``` +dnssec { } +``` + +### DANE + +Checks TLSA records for the recipient MX. Provides downgrade-resistant TLS +enforcement. + +Sets TLS level to "authenticated" if a valid and matching TLSA record uses +DANE-EE or DANE-TA usage type. + +See above for notes on DNSSEC. DNSSEC support is required for DANE to work. + +``` +dane { } +``` + +### Local policy + +Checks effective TLS and MX levels (as set by other policies) against local +configuration. + +``` +local_policy { + min_tls_level none + min_mx_level none +} +``` + +Using 'local\_policy off' is equivalent to setting both directives to 'none'. + +**Syntax**: min\_tls\_level none|encrypted|authenticated
+**Default**: none + +Set the minimal TLS security level required for all outbound messages. + +See [Security levels](../../seclevels) page for details. + +**Syntax**: min\_mx\_level: none|mtasts|dnssec
+**Default**: none + +Set the minimal MX security level required for all outbound messages. + +See [Security levels](../../seclevels) page for details. + diff --git a/docs/reference/targets/smtp.md b/docs/reference/targets/smtp.md new file mode 100644 index 0000000..6d4ca8b --- /dev/null +++ b/docs/reference/targets/smtp.md @@ -0,0 +1,114 @@ +# SMTP & LMTP transparent forwarding + +Module that implements transparent forwarding of messages over SMTP. + +Use in pipeline configuration: +``` +deliver_to smtp tcp://127.0.0.1:5353 +# or +deliver_to smtp tcp://127.0.0.1:5353 { + # Other settings, see below. +} +``` + +target.lmtp can be used instead of target.smtp to +use LMTP protocol. + +Endpoint addresses use format described in [Configuration files syntax / Address definitions](/reference/config-syntax/#address-definitions). + +## Configuration directives + +``` +target.smtp { + debug no + tls_client { + ... + } + attempt_starttls yes + require_yes no + auth off + targets tcp://127.0.0.1:2525 + connect_timeout 5m + command_timeout 5m + submission_timeout 12m +} +``` + +**Syntax**: debug _boolean_
+**Default**: global directive value + +Enable verbose logging. + +**Syntax**: tls\_client { ... }
+**Default**: not specified + +Advanced TLS client configuration options. See [TLS configuration / Client](/reference/tls/#client) for details. + +**Syntax**: attempt\_starttls _boolean_
+**Default**: yes (no for target.lmtp) + +Attempt to use STARTTLS if it is supported by the remote server. +If TLS handshake fails, connection will be retried without STARTTLS +unless 'require\_tls' is also specified. + +**Syntax**: require\_tls _boolean_
+**Default**: no + +Refuse to pass messages over plain-text connections. + +**Syntax**:
+auth off
+plain _username_ _password_
+forward
+external
+**Default**: off + +Specify the way to authenticate to the remote server. +Valid values: + +- off + + No authentication. + +- plain + + Authenticate using specified username-password pair. + **Don't use** this without enforced TLS ('require\_tls'). + +- forward + + Forward credentials specified by the client. + **Don't use** this without enforced TLS ('require\_tls'). + +- external + + Request "external" SASL authentication. This is usually used for + authentication using TLS client certificates. See [TLS configuration / Client](/reference/tls/#client) for details. + +**Syntax**: targets _endpoints..._
+**Default:** not specified + +REQUIRED. + +List of remote server addresses to use. See [Address definitions](/reference/config-syntax/#address-definitions) +for syntax to use. Basically, it is 'tcp://ADDRESS:PORT' +for plain SMTP and 'tls://ADDRESS:PORT' for SMTPS (aka SMTP with Implicit +TLS). + +Multiple addresses can be specified, they will be tried in order until connection to +one succeeds (including TLS handshake if TLS is required). + +**Syntax**: connect\_timeout _duration_
+**Default**: 5m + +Same as for target.remote. + +**Syntax**: command\_timeout _duration_
+**Default**: 5m + +Same as for target.remote. + +**Syntax**: submission\_timeout _duration_
+**Default**: 12m + +Same as for target.remote. \ No newline at end of file diff --git a/docs/reference/tls-acme.md b/docs/reference/tls-acme.md new file mode 100644 index 0000000..891795e --- /dev/null +++ b/docs/reference/tls-acme.md @@ -0,0 +1,225 @@ +# Automatic certificate management via ACME + +Maddy supports obtaining certificates using ACME protocol. + +To use it, create a configuration name for tls.loader.acme +and reference it from endpoints that should use automatically +configured certificates: +``` +tls.loader.acme local_tls { + email put-your-email-here@example.org + agreed # indicate your agreement with Let's Encrypt ToS + challenge dns-01 +} + +smtp tcp://127.0.0.1:25 { + tls &local_tls + ... +} +``` +You can also use a global `tls` directive to use automatically +obtained certificates for all endpoints: +``` +tls &local_tls +``` + +Currently the only supported challenge is dns-01 one therefore +you also need to configure the DNS provider: +``` +tls.loader.acme local_tls { + email maddy-acme@example.org + agreed + challenge dns-01 + dns PROVIDER_NAME { + ... + } +} +``` +See below for supported providers and necessary configuration +for each. + +## Configuration directives + +``` +tls.loader.acme { + debug off + hostname example.maddy.invalid + store_path /var/lib/maddy/acme + ca https://acme-v02.api.letsencrypt.org/directory + test_ca https://acme-staging-v02.api.letsencrypt.org/directory + email test@maddy.invalid + agreed off + challenge dns-01 + dns ... +} +``` + +**Syntax:** debug _boolean_
+**Default:** global directive value + +Enable debug logging. + +**Syntax:** hostname _str_
+**Default:** global directive value + +Domain name to issue certificate for. Required. + +**Syntax:** store\_path _path_
+**Default:** state\_dir/acme + +Where to store issued certificates and associated metadata. +Currently only filesystem-based store is supported. + +**Syntax:** ca _url_
+**Default:** Let's Encrypt production CA + +URL of ACME directory to use. + +**Syntax:** test\_ca _url_
+**Default:** Let's Encrypt staging CA + +URL of ACME directory to use for retries should +primary CA fail. + +maddy will keep attempting to issues certificates +using test\_ca until it succeeds then it will switch +back to the one configured via 'ca' option. + +This avoids rate limit issues with production CA. + +**Syntax:** email _str_
+**Default:** not set + +Email to pass while registering an ACME account. + +**Syntax:** agreed _boolean_
+**Default:** false + +Whether you agreed to ToS of the CA service you are using. + +**Syntax:** challenge dns-01
+**Default:** not set + +Challenge(s) to use while performing domain verification. + +## DNS providers + +Support for some providers is not provided by standard builds. +To be able to use these, you need to compile maddy +with "libdns\_PROVIDER" build tag. +E.g. +``` +./build.sh -tags 'libdns_googleclouddns' +``` + +- gandi + +``` +dns gandi { + api_token "token" +} +``` + +- digitalocean + +``` +dns digitalocean { + api_token "..." +} +``` + +- cloudflare + +See [https://github.com/libdns/cloudflare#authenticating](https://github.com/libdns/cloudflare#authenticating) + +``` +dns cloudflare { + api_token "..." +} +``` + +- vultr + +``` +dns vultr { + api_token "..." +} +``` + +- hetzner + +``` +dns hetzner { + api_token "..." +} +``` + +- namecheap + +``` +dns namecheap { + api_key "..." + api_username "..." + + # optional: API endpoint, production one is used if not set. + endpoint "https://api.namecheap.com/xml.response" + + # optional: your public IP, discovered using icanhazip.com if not set + client_ip 1.2.3.4 +} +``` + +- googleclouddns (non-default) + +``` +dns googleclouddns { + project "project_id" + service_account_json "path" +} +``` + +- route53 (non-default) + +``` +dns route53 { + secret_access_key "..." + access_key_id "..." + # or use environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY +} +``` + +- leaseweb (non-default) + +``` +dns leaseweb { + api_key "key" +} +``` + +- metaname (non-default) + +``` +dns metaname { + api_key "key" + account_ref "reference" +} +``` + +- alidns (non-default) + +``` +dns alidns { + key_id "..." + key_secret "..." +} +``` + +- namedotcom (non-default) + +``` +dns namedotcom { + user "..." + token "..." +} +``` + diff --git a/docs/reference/tls.md b/docs/reference/tls.md new file mode 100644 index 0000000..1ba657b --- /dev/null +++ b/docs/reference/tls.md @@ -0,0 +1,155 @@ +# TLS configuration + +## Server-side + +TLS certificates are obtained by modules called "certificate loaders". 'tls' directive +arguments specify name of loader to use and arguments. Due to syntax limitations +advanced configuration for loader should be specified using 'loader' directive, see +below. + +``` +tls file cert.pem key.pem { + protocols tls1.2 tls1.3 + curve X25519 + ciphers ... +} + +tls { + loader file cert.pem key.pem { + # Options for loader go here. + } + protocols tls1.2 tls1.3 + curve X25519 + ciphers ... +} +``` + +### Available certificate loaders + +- file + + Accepts argument pairs specifying certificate and then key. + E.g. 'tls file certA.pem keyA.pem certB.pem keyB.pem' + + If multiple certificates are listed, SNI will be used. + +- acme + + Automatically obtains a certificate using ACME protocol (Let's Encrypt) + +- off + + Not really a loader but a special value for tls directive, explicitly disables TLS for + endpoint(s). + +## Advanced TLS configuration + +**Note: maddy uses secure defaults and TLS handshake is resistant to active downgrade attacks.** +**There is no need to change anything in most cases.** + +**Syntax**:
+protocols _min\_version_ _max\_version_
+protocols _version_
+**Default**: tls1.0 tls1.3 + +Minimum/maximum accepted TLS version. If only one value is specified, it will +be the only one usable version. + +Valid values are: tls1.0, tls1.1, tls1.2, tls1.3 + +**Syntax**: ciphers _ciphers..._
+**Default**: Go version-defined set of 'secure ciphers', ordered by hardware +performance + +List of supported cipher suites, in preference order. Not used with TLS 1.3. + +Valid values: + +- RSA-WITH-RC4128-SHA +- RSA-WITH-3DES-EDE-CBC-SHA +- RSA-WITH-AES128-CBC-SHA +- RSA-WITH-AES256-CBC-SHA +- RSA-WITH-AES128-CBC-SHA256 +- RSA-WITH-AES128-GCM-SHA256 +- RSA-WITH-AES256-GCM-SHA384 +- ECDHE-ECDSA-WITH-RC4128-SHA +- ECDHE-ECDSA-WITH-AES128-CBC-SHA +- ECDHE-ECDSA-WITH-AES256-CBC-SHA +- ECDHE-RSA-WITH-RC4128-SHA +- ECDHE-RSA-WITH-3DES-EDE-CBC-SHA +- ECDHE-RSA-WITH-AES128-CBC-SHA +- ECDHE-RSA-WITH-AES256-CBC-SHA +- ECDHE-ECDSA-WITH-AES128-CBC-SHA256 +- ECDHE-RSA-WITH-AES128-CBC-SHA256 +- ECDHE-RSA-WITH-AES128-GCM-SHA256 +- ECDHE-ECDSA-WITH-AES128-GCM-SHA256 +- ECDHE-RSA-WITH-AES256-GCM-SHA384 +- ECDHE-ECDSA-WITH-AES256-GCM-SHA384 +- ECDHE-RSA-WITH-CHACHA20-POLY1305 +- ECDHE-ECDSA-WITH-CHACHA20-POLY1305 + +**Syntax**: curve _curves..._
+**Default**: defined by Go version + +The elliptic curves that will be used in an ECDHE handshake, in preference +order. + +Valid values: p256, p384, p521, X25519. + +## Client + +tls\_client directive allows to customize behavior of TLS client implementation, +notably adjusting minimal and maximal TLS versions and allowed cipher suites, +enabling TLS client authentication. + +``` +tls_client { + protocols tls1.2 tls1.3 + ciphers ... + curve X25519 + root_ca /etc/ssl/cert.pem + + cert /etc/ssl/private/maddy-client.pem + key /etc/ssl/private/maddy-client.pem +} +``` + +**Syntax**:
+protocols _min\_version_ _max\_version_
+protocols _version_
+**Default**: tls1.0 tls1.3 + +Minimum/maximum accepted TLS version. If only one value is specified, it will +be the only one usable version. + +Valid values are: tls1.0, tls1.1, tls1.2, tls1.3 + +**Syntax**: ciphers _ciphers..._
+**Default**: Go version-defined set of 'secure ciphers', ordered by hardware +performance + +List of supported cipher suites, in preference order. Not used with TLS 1.3. + +See TLS server configuration for list of supported values. + +**Syntax**: curve _curves..._
+**Default**: defined by Go version + +The elliptic curves that will be used in an ECDHE handshake, in preference +order. + +Valid values: p256, p384, p521, X25519. + +**Syntax**: root\_ca _paths..._
+**Default**: system CA pool + +List of files with PEM-encoded CA certificates to use when verifying +server certificates. + +**Syntax**:
+cert _cert\_path_
+key _key\_path_
+**Default**: not specified + +Present the specified certificate when server requests a client certificate. +Files should use PEM format. Both directives should be specified. diff --git a/docs/seclevels.md b/docs/seclevels.md index a26dda7..94e1a82 100644 --- a/docs/seclevels.md +++ b/docs/seclevels.md @@ -1,4 +1,4 @@ -# Security levels +# Outbound delivery security maddy implements a number of schemes and protocols for discovery and enforcement of security features supported by the recipient MTA. @@ -83,8 +83,7 @@ passive attacks. ## maddy security policies -See [**maddy-targets(5)**](../man/\_generated\_maddy-targets.5) page for -description of configuration options available for each policy mechanism +See [Remote MX delivery](/reference/targets/remote/) for description of configuration options available for each policy mechanism supported by maddy. [RFC 8461 Section 10.2]: https://www.rfc-editor.org/rfc/rfc8461.html#section-10.2 (SMTP MTA Strict Transport Security - 10.2. Preventing Policy Discovery) diff --git a/docs/third-party/rspamd.md b/docs/third-party/rspamd.md index 43cf3d8..b528215 100644 --- a/docs/third-party/rspamd.md +++ b/docs/third-party/rspamd.md @@ -35,8 +35,4 @@ Default mapping of rspamd action -> maddy action is as follows: - "rewrite subject" => Quarantine - "soft reject" => Reject with temporary error - "reject" => Reject with permanent error -- "greylist" => Ignored - -This and additional data to pass to rspamd (MTA name, settings ID, etc) -can be configured as described in -[**maddy-checks**(5)](/man/_generated_maddy-filters.5/#rspamd-check-checkrspamd). +- "greylist" => Ignored \ No newline at end of file From 9b1ee1b52ff45666da03f6afa1cb90ba02f8149c Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Thu, 6 Jan 2022 21:56:08 +0300 Subject: [PATCH 13/41] docs: Convert manual pages into per-module Markdown pages --- docs/faq.md | 83 ++++++++----------- .../storage/imap-filters.md} | 81 +++--------------- 2 files changed, 44 insertions(+), 120 deletions(-) rename docs/{man/maddy-imap.5.scd => reference/storage/imap-filters.md} (50%) diff --git a/docs/faq.md b/docs/faq.md index 0aacdc3..a216020 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -1,16 +1,42 @@ # Frequently Asked Questions -## Why? +## I configured maddy as recommended and gmail still puts my messages in spam -For fun. Turned out to be a rather convenient approach to -self-hosted email. +Unfortunately, GMail policies are opaque so we cannot tell why this happens. -## Is it caddy for email? +Verify that you have a rDNS record set for the IP used +by sender server. Also some IPs may just happen to +have bad reputation - check it with various DNSBLs. In this +case you do not have much of a choice but to replace it. -No. It was intended to be one but developers quickly acknowledged -the fact email cannot be easily abstracted behind some magic. +Additionally, you may try marking multiple messages sent from +your domain as "not spam" in GMail UI. -## How it compares to MailCow or Mail-In-The-Box? +## Message sending fails with `dial tcp X.X.X.X:25: connect: connection timed out` in log + +Your provider is blocking outbound SMTP traffic on port 25. + +You either have to ask them to unblock it or forward +all outbound messages via a "smart-host". + +## What is resource usage of maddy? + +For a small personal server, you do not need much more than a +single 1 GiB of RAM and disk space. + +## How to setup a catchall address? + +https://github.com/foxcpp/maddy/issues/243#issuecomment-655694512 + +## maddyctl prints a "permission denied" error + +Run maddyctl under the same user as maddy itself. +E.g. +``` +sudo -u maddy maddyctl creds ... +``` + +## How maddy compares to MailCow or Mail-In-The-Box? MailCow and MIAB are bundles of well-known email-related software configured to work together. maddy is a single piece of software implementing subset of what @@ -62,13 +88,6 @@ ZoneMTA has a number of features that may make it easier to integrate with HTTP-based services. maddy speaks standard email protocols (SMTP, Submission). -## What is the scope of project? - -1. Implement a usable SMTP + Submission server that can both accept - and send email as secure as possible with todays state of - relevant protocols. -2. Implement a meaningful subset of IMAP for access to local storage. - ## Is there a webmail? No, at least currently. @@ -97,38 +116,4 @@ of bugs in one component. Besides, you are not required to use a single process, it is easy to launch maddy with a non-default configuration path and connect multiple instances -together using off-the-shelf protocols. - -## Can I do X with maddy? - -Ask on #maddy. - -maddy is less feature-packed than other SMTP/IMAP server -implementations but it is not completely useless for anything other than -its default configuration. - -## Can you implement X? - -"Umbrella" projects like maddy are susceptible to scope -creep unless maintainers apply a lot of skepticism to proposed -features. - -If X is essential for providing email security or extends the space of useful -configurations significantly and does not require major design changes - -we can talk, go to #maddy. Otherwise the likely answer is no. - -## Are you breaking things between releases? - -maddy releases follow Semantic Versioning 2.0.0 specification. -It is expected that 0.X releases may not be compatible with each -other. I attempt to minimize such breakage unless there is a significant -benefit. - -## 1.0 when? - -When no more backward-incompatible changes will be needed. maddy releases follow -Semantic Versioning 2.0.0 specification. - -## maddy is bad name, it is almost impossible to Google! - -Call it Maddy Mail Server. +together using off-the-shelf protocols. \ No newline at end of file diff --git a/docs/man/maddy-imap.5.scd b/docs/reference/storage/imap-filters.md similarity index 50% rename from docs/man/maddy-imap.5.scd rename to docs/reference/storage/imap-filters.md index e701a6e..22ce608 100644 --- a/docs/man/maddy-imap.5.scd +++ b/docs/reference/storage/imap-filters.md @@ -1,66 +1,4 @@ -maddy-imap(5) "maddy mail server" "maddy reference documentation" - -; TITLE IMAP endpoint module - -Module 'imap' is a listener that implements IMAP4rev1 protocol and provides -access to local messages storage specified by 'storage' directive. See -*maddy-storage*(5) for support storage backends and corresponding -configuration options. - -``` -imap tcp://0.0.0.0:143 tls://0.0.0.0:993 { - tls /etc/ssl/private/cert.pem /etc/ssl/private/pkey.key - io_debug no - debug no - insecure_auth no - auth pam - storage &local_mailboxes -} -``` - -## Configuration directives - -*Syntax*: tls _certificate_path_ _key_path_ { ... } ++ -*Default*: global directive value - -TLS certificate & key to use. Fine-tuning of other TLS properties is possible -by specifing a configuration block and options inside it: -``` -tls cert.crt key.key { - protocols tls1.2 tls1.3 -} -``` -See section 'TLS configuration' in *maddy*(1) for valid options. - -*Syntax*: io_debug _boolean_ ++ -*Default*: no - -Write all commands and responses to stderr. - -*Syntax*: io_errors _boolean_ ++ -*Default*: no - -Log I/O errors. - -*Syntax*: debug _boolean_ ++ -*Default*: global directive value - -Enable verbose logging. - -*Syntax*: insecure_auth _boolean_ ++ -*Default*: no (yes if TLS is disabled) - -*Syntax*: auth _module_reference_ - -Use the specified module for authentication. -*Required.* - -*Syntax*: storage _module_reference_ - -Use the specified module for message storage. -*Required.* - -## IMAP filters +# IMAP filters Most storage backends support application of custom code late in delivery process. As opposed to using SMTP pipeline modifiers or checks, it allows @@ -72,7 +10,7 @@ eariler in SMTP pipeline logic. Quarantined messages are not processed by IMAP filters and are unconditionally delivered to Junk folder (or other folder with \Junk special-use attribute). -To use an IMAP filter, specify it in the 'imap_filter' directive for the +To use an IMAP filter, specify it in the 'imap\_filter' directive for the used storage backend, like this: ``` storage.imapsql local_mailboxes { @@ -86,8 +24,8 @@ storage.imapsql local_mailboxes { ## System command filter (imap.filter.command) -This filter is similar to check.command module described in *maddy-filters*(5) -and runs system command +This filter is similar to check.command module +and runs a system command to obtain necessary information. Usage: ``` @@ -95,14 +33,14 @@ command executable_name args... { } ``` Same as check.command, following placeholders are supported for command -arguments: {source_ip}, {source_host}, {source_rdns}, {msg_id}, {auth_user}, -{sender}. Note: placeholders in command name are not processed to avoid +arguments: {source\_ip}, {source\_host}, {source\_rdns}, {msg\_id}, {auth\_user}, +{sender}. Note: placeholders in command name are not processed to avoid possible command injection attacks. -Additionally, for imap.filter.command, {account_name} placeholder is replaced +Additionally, for imap.filter.command, {account\_name} placeholder is replaced with effective IMAP account name. -Note that if you use provided systemd units on Linux, maddy executable is +Note that if you use provided systemd units on Linux, maddy executable is sandboxed - all commands will be executed with heavily restricted filesystem acccess and other privileges. Notably, /tmp is isolated and all directories except for /var/lib/maddy and /run/maddy are read-only. You will need to modify @@ -126,5 +64,6 @@ In this case, message will be placed in the Junk folder. $Label1 ``` -In this case, message will be placed in inbox and will have +In this case, message will be placed in inbox and will have '$Label1' added. + From c0eacfa0f34f4040ec4fd5d3ca44a35e8cde21b4 Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Fri, 7 Jan 2022 00:37:29 +0300 Subject: [PATCH 14/41] Merge maddyctl and maddy executabes Closes #432. --- Dockerfile | 2 +- build.sh | 9 +- cmd/README.md | 7 - cmd/maddy/main.go | 8 +- cmd/maddyctl/imapacct.go | 136 --- cmd/maddyctl/main.go | 822 ------------------ cmd/maddyctl/users.go | 100 --- dist/systemd/maddy.service | 2 +- dist/systemd/maddy@.service | 2 +- docs/man/maddy.5.scd | 228 ----- framework/dns/debugflags.go | 10 +- internal/auth/pass_table/table.go | 17 +- internal/cli/app.go | 105 +++ .../cli}/clitools/clitools.go | 0 .../cli}/clitools/termios.go | 0 .../cli}/clitools/termios_stub.go | 0 .../cli/ctl}/appendlimit.go | 2 +- {cmd/maddyctl => internal/cli/ctl}/hash.go | 48 +- {cmd/maddyctl => internal/cli/ctl}/imap.go | 389 ++++++++- internal/cli/ctl/imapacct.go | 292 +++++++ internal/cli/ctl/moduleinit.go | 133 +++ internal/cli/ctl/users.go | 246 ++++++ internal/target/remote/debugflags.go | 11 +- maddy.go | 142 +-- tests/cover_test.go | 16 +- 25 files changed, 1343 insertions(+), 1384 deletions(-) delete mode 100644 cmd/maddyctl/imapacct.go delete mode 100644 cmd/maddyctl/main.go delete mode 100644 cmd/maddyctl/users.go delete mode 100644 docs/man/maddy.5.scd create mode 100644 internal/cli/app.go rename {cmd/maddyctl => internal/cli}/clitools/clitools.go (100%) rename {cmd/maddyctl => internal/cli}/clitools/termios.go (100%) rename {cmd/maddyctl => internal/cli}/clitools/termios_stub.go (100%) rename {cmd/maddyctl => internal/cli/ctl}/appendlimit.go (99%) rename {cmd/maddyctl => internal/cli/ctl}/hash.go (67%) rename {cmd/maddyctl => internal/cli/ctl}/imap.go (50%) create mode 100644 internal/cli/ctl/imapacct.go create mode 100644 internal/cli/ctl/moduleinit.go create mode 100644 internal/cli/ctl/users.go diff --git a/Dockerfile b/Dockerfile index 0d0f4ab..aa07b5d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,4 +25,4 @@ COPY --from=build-env /pkg/usr/local/bin/maddyctl /bin/maddyctl EXPOSE 25 143 993 587 465 VOLUME ["/data"] -ENTRYPOINT ["/bin/maddy", "-config", "/data/maddy.conf"] +ENTRYPOINT ["/bin/maddy", "-config", "/data/maddy.conf", "run"] diff --git a/build.sh b/build.sh index 9c4e8cc..9ea3355 100755 --- a/build.sh +++ b/build.sh @@ -123,15 +123,9 @@ build() { go build -trimpath -buildmode pie -tags "$tags osusergo netgo static_build" \ -ldflags "-extldflags '-fno-PIC -static' -X \"github.com/foxcpp/maddy.Version=${version}\"" \ -o "${builddir}/maddy" ${GOFLAGS} ./cmd/maddy - echo "-- Building management utility (maddyctl)..." >&2 - go build -trimpath -buildmode pie -tags "$tags osusergo netgo static_build" \ - -ldflags "-extldflags '-fno-PIC -static' -X \"github.com/foxcpp/maddy.Version=${version}\"" \ - -o "${builddir}/maddyctl" ${GOFLAGS} ./cmd/maddyctl else echo "-- Building main server executable..." >&2 go build -tags "$tags" -trimpath -ldflags="-X \"github.com/foxcpp/maddy.Version=${version}\"" -o "${builddir}/maddy" ${GOFLAGS} ./cmd/maddy - echo "-- Building management utility (maddyctl)..." >&2 - go build -tags "$tags" -trimpath -ldflags="-X \"github.com/foxcpp/maddy.Version=${version}\"" -o "${builddir}/maddyctl" ${GOFLAGS} ./cmd/maddyctl fi build_man_pages @@ -147,7 +141,8 @@ install() { echo "-- Installing built files..." >&2 command install -m 0755 -d "${destdir}/${prefix}/bin/" - command install -m 0755 "${builddir}/maddy" "${builddir}/maddyctl" "${destdir}/${prefix}/bin/" + command install -m 0755 "${builddir}/maddy" "${destdir}/${prefix}/bin/" + command ln -s maddy "${destdir}/${prefix}/bin/maddyctl" command install -m 0755 -d "${destdir}/etc/maddy/" command install -m 0644 ./maddy.conf "${destdir}/etc/maddy/maddy.conf" diff --git a/cmd/README.md b/cmd/README.md index cff7ad6..3132fea 100644 --- a/cmd/README.md +++ b/cmd/README.md @@ -5,14 +5,7 @@ maddy executables Main server executable. -### maddyctl - -IMAP index and authentication database inspection and manipulation utility. - ### maddy-pam-helper, maddy-shadow-helper -__Deprecated: Currently they are unusable due to changes made to the storage -implementation.__ - Utilities compatible with the auth.external module that call libpam or read /etc/shadow on Unix systems. diff --git a/cmd/maddy/main.go b/cmd/maddy/main.go index 2d8047e..23c6047 100644 --- a/cmd/maddy/main.go +++ b/cmd/maddy/main.go @@ -19,11 +19,11 @@ along with this program. If not, see . package main import ( - "os" - - "github.com/foxcpp/maddy" + _ "github.com/foxcpp/maddy" + "github.com/foxcpp/maddy/internal/cli" + _ "github.com/foxcpp/maddy/internal/cli/ctl" ) func main() { - os.Exit(maddy.Run()) + maddycli.Run() } diff --git a/cmd/maddyctl/imapacct.go b/cmd/maddyctl/imapacct.go deleted file mode 100644 index 1b560e8..0000000 --- a/cmd/maddyctl/imapacct.go +++ /dev/null @@ -1,136 +0,0 @@ -/* -Maddy Mail Server - Composable all-in-one email server. -Copyright © 2019-2020 Max Mazurov , Maddy Mail Server contributors - -This program is free software: you can redistribute it and/or modify -it under the terms of the GNU General Public License as published by -the Free Software Foundation, either version 3 of the License, or -(at your option) any later version. - -This program is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -GNU General Public License for more details. - -You should have received a copy of the GNU General Public License -along with this program. If not, see . -*/ - -package main - -import ( - "errors" - "fmt" - "os" - - "github.com/emersion/go-imap" - "github.com/foxcpp/maddy/cmd/maddyctl/clitools" - "github.com/foxcpp/maddy/framework/module" - "github.com/urfave/cli/v2" -) - -type SpecialUseUser interface { - CreateMailboxSpecial(name, specialUseAttr string) error -} - -func imapAcctList(be module.Storage, ctx *cli.Context) error { - mbe, ok := be.(module.ManageableStorage) - if !ok { - return cli.Exit("Error: storage backend does not support accounts management using maddyctl", 2) - } - - list, err := mbe.ListIMAPAccts() - if err != nil { - return err - } - - if len(list) == 0 && !ctx.Bool("quiet") { - fmt.Fprintln(os.Stderr, "No users.") - } - - for _, user := range list { - fmt.Println(user) - } - return nil -} - -func imapAcctCreate(be module.Storage, ctx *cli.Context) error { - mbe, ok := be.(module.ManageableStorage) - if !ok { - return cli.Exit("Error: storage backend does not support accounts management using maddyctl", 2) - } - - username := ctx.Args().First() - if username == "" { - return cli.Exit("Error: USERNAME is required", 2) - } - - if err := mbe.CreateIMAPAcct(username); err != nil { - return err - } - - act, err := mbe.GetIMAPAcct(username) - if err != nil { - return fmt.Errorf("failed to get user: %w", err) - } - - suu, ok := act.(SpecialUseUser) - if !ok { - fmt.Fprintf(os.Stderr, "Note: Storage backend does not support SPECIAL-USE IMAP extension") - } - - createMbox := func(name, specialUseAttr string) error { - if suu == nil { - return act.CreateMailbox(name) - } - return suu.CreateMailboxSpecial(name, specialUseAttr) - } - - if name := ctx.String("sent-name"); name != "" { - if err := createMbox(name, imap.SentAttr); err != nil { - fmt.Fprintf(os.Stderr, "Failed to create sent folder: %v", err) - } - } - if name := ctx.String("trash-name"); name != "" { - if err := createMbox(name, imap.TrashAttr); err != nil { - fmt.Fprintf(os.Stderr, "Failed to create trash folder: %v", err) - } - } - if name := ctx.String("junk-name"); name != "" { - if err := createMbox(name, imap.JunkAttr); err != nil { - fmt.Fprintf(os.Stderr, "Failed to create junk folder: %v", err) - } - } - if name := ctx.String("drafts-name"); name != "" { - if err := createMbox(name, imap.DraftsAttr); err != nil { - fmt.Fprintf(os.Stderr, "Failed to create drafts folder: %v", err) - } - } - if name := ctx.String("archive-name"); name != "" { - if err := createMbox(name, imap.ArchiveAttr); err != nil { - fmt.Fprintf(os.Stderr, "Failed to create archive folder: %v", err) - } - } - - return nil -} - -func imapAcctRemove(be module.Storage, ctx *cli.Context) error { - mbe, ok := be.(module.ManageableStorage) - if !ok { - return cli.Exit("Error: storage backend does not support accounts management using maddyctl", 2) - } - - username := ctx.Args().First() - if username == "" { - return cli.Exit("Error: USERNAME is required", 2) - } - - if !ctx.Bool("yes") { - if !clitools.Confirmation("Are you sure you want to delete this user account?", false) { - return errors.New("Cancelled") - } - } - - return mbe.DeleteIMAPAcct(username) -} diff --git a/cmd/maddyctl/main.go b/cmd/maddyctl/main.go deleted file mode 100644 index f784f88..0000000 --- a/cmd/maddyctl/main.go +++ /dev/null @@ -1,822 +0,0 @@ -/* -Maddy Mail Server - Composable all-in-one email server. -Copyright © 2019-2020 Max Mazurov , Maddy Mail Server contributors - -This program is free software: you can redistribute it and/or modify -it under the terms of the GNU General Public License as published by -the Free Software Foundation, either version 3 of the License, or -(at your option) any later version. - -This program is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -GNU General Public License for more details. - -You should have received a copy of the GNU General Public License -along with this program. If not, see . -*/ - -package main - -import ( - "errors" - "fmt" - "io" - "os" - "path/filepath" - "time" - - "github.com/foxcpp/maddy" - parser "github.com/foxcpp/maddy/framework/cfgparser" - "github.com/foxcpp/maddy/framework/config" - "github.com/foxcpp/maddy/framework/hooks" - "github.com/foxcpp/maddy/framework/module" - "github.com/foxcpp/maddy/internal/updatepipe" - "github.com/urfave/cli/v2" - "golang.org/x/crypto/bcrypt" -) - -func closeIfNeeded(i interface{}) { - if c, ok := i.(io.Closer); ok { - c.Close() - } -} - -func main() { - app := cli.NewApp() - app.Name = "maddyctl" - app.Usage = "maddy mail server administration utility" - app.Version = maddy.BuildInfo() - app.ExitErrHandler = func(c *cli.Context, err error) { - cli.HandleExitCoder(err) - if err != nil { - fmt.Fprintln(os.Stderr, err.Error()) - cli.OsExiter(1) - } - } - app.Flags = []cli.Flag{ - &cli.PathFlag{ - Name: "config", - Usage: "Configuration file to use", - EnvVars: []string{"MADDY_CONFIG"}, - Value: filepath.Join(maddy.ConfigDirectory, "maddy.conf"), - }, - } - - app.Commands = []*cli.Command{ - { - Name: "creds", - Usage: "Local credentials management", - Subcommands: []*cli.Command{ - { - Name: "list", - Usage: "List created credentials", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_authdb", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openUserDB(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return usersList(be, ctx) - }, - }, - { - Name: "create", - Usage: "Create user account", - Description: "Reads password from stdin", - ArgsUsage: "USERNAME", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_authdb", - }, - &cli.StringFlag{ - Name: "password", - Aliases: []string{"p"}, - Usage: "Use `PASSWORD instead of reading password from stdin.\n\t\tWARNING: Provided only for debugging convenience. Don't leave your passwords in shell history!", - }, - &cli.BoolFlag{ - Name: "null", - Aliases: []string{"n"}, - Usage: "Create account with null password", - }, - &cli.StringFlag{ - Name: "hash", - Usage: "Use specified hash algorithm. Valid values: sha3-512, bcrypt", - Value: "bcrypt", - }, - &cli.IntFlag{ - Name: "bcrypt-cost", - Usage: "Specify bcrypt cost value", - Value: bcrypt.DefaultCost, - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openUserDB(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return usersCreate(be, ctx) - }, - }, - { - Name: "remove", - Usage: "Delete user account", - ArgsUsage: "USERNAME", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_authdb", - }, - &cli.BoolFlag{ - Name: "yes", - Aliases: []string{"y"}, - Usage: "Don't ask for confirmation", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openUserDB(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return usersRemove(be, ctx) - }, - }, - { - Name: "password", - Usage: "Change account password", - Description: "Reads password from stdin", - ArgsUsage: "USERNAME", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_authdb", - }, - &cli.StringFlag{ - Name: "password", - Aliases: []string{"p"}, - Usage: "Use `PASSWORD` instead of reading password from stdin.\n\t\tWARNING: Provided only for debugging convenience. Don't leave your passwords in shell history!", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openUserDB(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return usersPassword(be, ctx) - }, - }, - }, - }, - { - Name: "imap-acct", - Usage: "IMAP storage accounts management", - Subcommands: []*cli.Command{ - { - Name: "list", - Usage: "List storage accounts", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return imapAcctList(be, ctx) - }, - }, - { - Name: "create", - Usage: "Create IMAP storage account", - ArgsUsage: "USERNAME", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - &cli.StringFlag{ - Name: "sent-name", - Usage: "Name of special mailbox for sent messages, use empty string to not create any", - Value: "Sent", - }, - &cli.StringFlag{ - Name: "trash-name", - Usage: "Name of special mailbox for trash, use empty string to not create any", - Value: "Trash", - }, - &cli.StringFlag{ - Name: "junk-name", - Usage: "Name of special mailbox for 'junk' (spam), use empty string to not create any", - Value: "Junk", - }, - &cli.StringFlag{ - Name: "drafts-name", - Usage: "Name of special mailbox for drafts, use empty string to not create any", - Value: "Drafts", - }, - &cli.StringFlag{ - Name: "archive-name", - Usage: "Name of special mailbox for archive, use empty string to not create any", - Value: "Archive", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return imapAcctCreate(be, ctx) - }, - }, - { - Name: "remove", - Usage: "Delete IMAP storage account", - ArgsUsage: "USERNAME", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - &cli.BoolFlag{ - Name: "yes", - Aliases: []string{"y"}, - Usage: "Don't ask for confirmation", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return imapAcctRemove(be, ctx) - }, - }, - { - Name: "appendlimit", - Usage: "Query or set accounts's APPENDLIMIT value", - ArgsUsage: "USERNAME", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - &cli.IntFlag{ - Name: "value", - Aliases: []string{"v"}, - Usage: "Set APPENDLIMIT to specified value (in bytes)", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return imapAcctAppendlimit(be, ctx) - }, - }, - }, - }, - { - Name: "imap-mboxes", - Usage: "IMAP mailboxes (folders) management", - Subcommands: []*cli.Command{ - { - Name: "list", - Usage: "Show mailboxes of user", - ArgsUsage: "USERNAME", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - &cli.BoolFlag{ - Name: "subscribed", - Aliases: []string{"s"}, - Usage: "List only subscribed mailboxes", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return mboxesList(be, ctx) - }, - }, - { - Name: "create", - Usage: "Create mailbox", - ArgsUsage: "USERNAME NAME", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - &cli.StringFlag{ - Name: "special", - Usage: "Set SPECIAL-USE attribute on mailbox; valid values: archive, drafts, junk, sent, trash", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return mboxesCreate(be, ctx) - }, - }, - { - Name: "remove", - Usage: "Remove mailbox", - Description: "WARNING: All contents of mailbox will be irrecoverably lost.", - ArgsUsage: "USERNAME MAILBOX", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - &cli.BoolFlag{ - Name: "yes", - Aliases: []string{"y"}, - Usage: "Don't ask for confirmation", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return mboxesRemove(be, ctx) - }, - }, - { - Name: "rename", - Usage: "Rename mailbox", - Description: "Rename may cause unexpected failures on client-side so be careful.", - ArgsUsage: "USERNAME OLDNAME NEWNAME", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return mboxesRename(be, ctx) - }, - }, - }, - }, - { - Name: "imap-msgs", - Usage: "IMAP messages management", - Subcommands: []*cli.Command{ - { - Name: "add", - Usage: "Add message to mailbox", - ArgsUsage: "USERNAME MAILBOX", - Description: "Reads message body (with headers) from stdin. Prints UID of created message on success.", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - &cli.StringSliceFlag{ - Name: "flag", - Aliases: []string{"f"}, - Usage: "Add flag to message. Can be specified multiple times", - }, - &cli.TimestampFlag{ - Layout: time.RFC3339, - Name: "date", - Aliases: []string{"d"}, - Usage: "Set internal date value to specified one in ISO 8601 format (2006-01-02T15:04:05Z07:00)", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return msgsAdd(be, ctx) - }, - }, - { - Name: "add-flags", - Usage: "Add flags to messages", - ArgsUsage: "USERNAME MAILBOX SEQ FLAGS...", - Description: "Add flags to all messages matched by SEQ.", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - &cli.BoolFlag{ - Name: "uid", - Aliases: []string{"u"}, - Usage: "Use UIDs for SEQSET instead of sequence numbers", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return msgsFlags(be, ctx) - }, - }, - { - Name: "rem-flags", - Usage: "Remove flags from messages", - ArgsUsage: "USERNAME MAILBOX SEQ FLAGS...", - Description: "Remove flags from all messages matched by SEQ.", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - &cli.BoolFlag{ - Name: "uid", - Aliases: []string{"u"}, - Usage: "Use UIDs for SEQSET instead of sequence numbers", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return msgsFlags(be, ctx) - }, - }, - { - Name: "set-flags", - Usage: "Set flags on messages", - ArgsUsage: "USERNAME MAILBOX SEQ FLAGS...", - Description: "Set flags on all messages matched by SEQ.", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - &cli.BoolFlag{ - Name: "uid", - Aliases: []string{"u"}, - Usage: "Use UIDs for SEQSET instead of sequence numbers", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return msgsFlags(be, ctx) - }, - }, - { - Name: "remove", - Usage: "Remove messages from mailbox", - ArgsUsage: "USERNAME MAILBOX SEQSET", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - &cli.BoolFlag{ - Name: "uid,u", - Aliases: []string{"u"}, - Usage: "Use UIDs for SEQSET instead of sequence numbers", - }, - &cli.BoolFlag{ - Name: "yes", - Aliases: []string{"y"}, - Usage: "Don't ask for confirmation", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return msgsRemove(be, ctx) - }, - }, - { - Name: "copy", - Usage: "Copy messages between mailboxes", - Description: "Note: You can't copy between mailboxes of different users. APPENDLIMIT of target mailbox is not enforced.", - ArgsUsage: "USERNAME SRCMAILBOX SEQSET TGTMAILBOX", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - &cli.BoolFlag{ - Name: "uid", - Aliases: []string{"u"}, - Usage: "Use UIDs for SEQSET instead of sequence numbers", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return msgsCopy(be, ctx) - }, - }, - { - Name: "move", - Usage: "Move messages between mailboxes", - Description: "Note: You can't move between mailboxes of different users. APPENDLIMIT of target mailbox is not enforced.", - ArgsUsage: "USERNAME SRCMAILBOX SEQSET TGTMAILBOX", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - &cli.BoolFlag{ - Name: "uid", - Aliases: []string{"u"}, - Usage: "Use UIDs for SEQSET instead of sequence numbers", - }, - &cli.BoolFlag{ - Name: "yes", - Aliases: []string{"y"}, - Usage: "Don't ask for confirmation", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return msgsMove(be, ctx) - }, - }, - { - Name: "list", - Usage: "List messages in mailbox", - Description: "If SEQSET is specified - only show messages that match it.", - ArgsUsage: "USERNAME MAILBOX [SEQSET]", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - &cli.BoolFlag{ - Name: "uid", - Aliases: []string{"u"}, - Usage: "Use UIDs for SEQSET instead of sequence numbers", - }, - &cli.BoolFlag{ - Name: "full,f", - Aliases: []string{"f"}, - Usage: "Show entire envelope and all server meta-data", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return msgsList(be, ctx) - }, - }, - { - Name: "dump", - Usage: "Dump message body", - Description: "If passed SEQ matches multiple messages - they will be joined.", - ArgsUsage: "USERNAME MAILBOX SEQ", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "cfg-block", - Usage: "Module configuration block to use", - EnvVars: []string{"MADDY_CFGBLOCK"}, - Value: "local_mailboxes", - }, - &cli.BoolFlag{ - Name: "uid", - Aliases: []string{"u"}, - Usage: "Use UIDs for SEQ instead of sequence numbers", - }, - }, - Action: func(ctx *cli.Context) error { - be, err := openStorage(ctx) - if err != nil { - return err - } - defer closeIfNeeded(be) - return msgsDump(be, ctx) - }, - }, - }, - }, - { - Name: "hash", - Usage: "Generate password hashes for use with pass_table", - Action: hashCommand, - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "password", - Aliases: []string{"p"}, - Usage: "Use `PASSWORD instead of reading password from stdin\n\t\tWARNING: Provided only for debugging convenience. Don't leave your passwords in shell history!", - }, - &cli.StringFlag{ - Name: "hash", - Usage: "Use specified hash algorithm", - Value: "bcrypt", - }, - &cli.IntFlag{ - Name: "bcrypt-cost", - Usage: "Specify bcrypt cost value", - Value: bcrypt.DefaultCost, - }, - &cli.IntFlag{ - Name: "argon2-time", - Usage: "Time factor for Argon2id", - Value: 3, - }, - &cli.IntFlag{ - Name: "argon2-memory", - Usage: "Memory in KiB to use for Argon2id", - Value: 1024, - }, - &cli.IntFlag{ - Name: "argon2-threads", - Usage: "Threads to use for Argon2id", - Value: 1, - }, - }, - }, - } - - if err := app.Run(os.Args); err != nil { - fmt.Fprintln(os.Stderr, err) - } -} - -func getCfgBlockModule(ctx *cli.Context) (map[string]interface{}, *maddy.ModInfo, error) { - cfgPath := ctx.String("config") - if cfgPath == "" { - return nil, nil, cli.Exit("Error: config is required", 2) - } - cfgFile, err := os.Open(cfgPath) - if err != nil { - return nil, nil, cli.Exit(fmt.Sprintf("Error: failed to open config: %v", err), 2) - } - defer cfgFile.Close() - cfgNodes, err := parser.Read(cfgFile, cfgFile.Name()) - if err != nil { - return nil, nil, cli.Exit(fmt.Sprintf("Error: failed to parse config: %v", err), 2) - } - - globals, cfgNodes, err := maddy.ReadGlobals(cfgNodes) - if err != nil { - return nil, nil, err - } - - if err := maddy.InitDirs(); err != nil { - return nil, nil, err - } - - module.NoRun = true - _, mods, err := maddy.RegisterModules(globals, cfgNodes) - if err != nil { - return nil, nil, err - } - defer hooks.RunHooks(hooks.EventShutdown) - - cfgBlock := ctx.String("cfg-block") - if cfgBlock == "" { - return nil, nil, cli.Exit("Error: cfg-block is required", 2) - } - var mod maddy.ModInfo - for _, m := range mods { - if m.Instance.InstanceName() == cfgBlock { - mod = m - break - } - } - if mod.Instance == nil { - return nil, nil, cli.Exit(fmt.Sprintf("Error: unknown configuration block: %s", cfgBlock), 2) - } - - return globals, &mod, nil -} - -func openStorage(ctx *cli.Context) (module.Storage, error) { - globals, mod, err := getCfgBlockModule(ctx) - if err != nil { - return nil, err - } - - storage, ok := mod.Instance.(module.Storage) - if !ok { - return nil, cli.Exit(fmt.Sprintf("Error: configuration block %s is not an IMAP storage", ctx.String("cfg-block")), 2) - } - - if err := mod.Instance.Init(config.NewMap(globals, mod.Cfg)); err != nil { - return nil, fmt.Errorf("Error: module initialization failed: %w", err) - } - - if updStore, ok := mod.Instance.(updatepipe.Backend); ok { - if err := updStore.EnableUpdatePipe(updatepipe.ModePush); err != nil && !errors.Is(err, os.ErrNotExist) { - fmt.Fprintf(os.Stderr, "Failed to initialize update pipe, do not remove messages from mailboxes open by clients: %v\n", err) - } - } else { - fmt.Fprintf(os.Stderr, "No update pipe support, do not remove messages from mailboxes open by clients\n") - } - - return storage, nil -} - -func openUserDB(ctx *cli.Context) (module.PlainUserDB, error) { - globals, mod, err := getCfgBlockModule(ctx) - if err != nil { - return nil, err - } - - userDB, ok := mod.Instance.(module.PlainUserDB) - if !ok { - return nil, cli.Exit(fmt.Sprintf("Error: configuration block %s is not a local credentials store", ctx.String("cfg-block")), 2) - } - - if err := mod.Instance.Init(config.NewMap(globals, mod.Cfg)); err != nil { - return nil, fmt.Errorf("Error: module initialization failed: %w", err) - } - - return userDB, nil -} diff --git a/cmd/maddyctl/users.go b/cmd/maddyctl/users.go deleted file mode 100644 index b83d64c..0000000 --- a/cmd/maddyctl/users.go +++ /dev/null @@ -1,100 +0,0 @@ -/* -Maddy Mail Server - Composable all-in-one email server. -Copyright © 2019-2020 Max Mazurov , Maddy Mail Server contributors - -This program is free software: you can redistribute it and/or modify -it under the terms of the GNU General Public License as published by -the Free Software Foundation, either version 3 of the License, or -(at your option) any later version. - -This program is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -GNU General Public License for more details. - -You should have received a copy of the GNU General Public License -along with this program. If not, see . -*/ - -package main - -import ( - "errors" - "fmt" - "os" - - "github.com/foxcpp/maddy/cmd/maddyctl/clitools" - "github.com/foxcpp/maddy/framework/module" - "github.com/urfave/cli/v2" -) - -func usersList(be module.PlainUserDB, ctx *cli.Context) error { - list, err := be.ListUsers() - if err != nil { - return err - } - - if len(list) == 0 && !ctx.Bool("quiet") { - fmt.Fprintln(os.Stderr, "No users.") - } - - for _, user := range list { - fmt.Println(user) - } - return nil -} - -func usersCreate(be module.PlainUserDB, ctx *cli.Context) error { - username := ctx.Args().First() - if username == "" { - return cli.Exit("Error: USERNAME is required", 2) - } - - var pass string - if ctx.IsSet("password") { - pass = ctx.String("password") - } else { - var err error - pass, err = clitools.ReadPassword("Enter password for new user") - if err != nil { - return err - } - } - - return be.CreateUser(username, pass) -} - -func usersRemove(be module.PlainUserDB, ctx *cli.Context) error { - username := ctx.Args().First() - if username == "" { - return errors.New("Error: USERNAME is required") - } - - if !ctx.Bool("yes") { - if !clitools.Confirmation("Are you sure you want to delete this user account?", false) { - return errors.New("Cancelled") - } - } - - return be.DeleteUser(username) -} - -func usersPassword(be module.PlainUserDB, ctx *cli.Context) error { - username := ctx.Args().First() - if username == "" { - return errors.New("Error: USERNAME is required") - } - - var pass string - if ctx.IsSet("password") { - pass = ctx.String("password") - } else { - var err error - pass, err = clitools.ReadPassword("Enter new password") - if err != nil { - return err - } - } - - return be.SetUserPassword(username, pass) -} diff --git a/dist/systemd/maddy.service b/dist/systemd/maddy.service index 2377a9e..0f5ace2 100644 --- a/dist/systemd/maddy.service +++ b/dist/systemd/maddy.service @@ -72,7 +72,7 @@ Restart=on-failure # ... Unless it is a configuration problem. RestartPreventExitStatus=2 -ExecStart=/usr/local/bin/maddy +ExecStart=/usr/local/bin/maddy run ExecReload=/bin/kill -USR1 $MAINPID ExecReload=/bin/kill -USR2 $MAINPID diff --git a/dist/systemd/maddy@.service b/dist/systemd/maddy@.service index b056b6d..cc77682 100644 --- a/dist/systemd/maddy@.service +++ b/dist/systemd/maddy@.service @@ -68,7 +68,7 @@ Restart=on-failure # ... Unless it is a configuration problem. RestartPreventExitStatus=2 -ExecStart=/usr/local/bin/maddy -config /etc/maddy/%i.conf +ExecStart=/usr/local/bin/maddy --config /etc/maddy/%i.conf run ExecReload=/bin/kill -USR1 $MAINPID ExecReload=/bin/kill -USR2 $MAINPID diff --git a/docs/man/maddy.5.scd b/docs/man/maddy.5.scd deleted file mode 100644 index 06926b4..0000000 --- a/docs/man/maddy.5.scd +++ /dev/null @@ -1,228 +0,0 @@ -maddy(1) "maddy mail server" "maddy reference documentation" - -; TITLE Introduction - -# Modules - -maddy is built of many small components called "modules". Each module does one -certain well-defined task. Modules can be connected to each other in arbitrary -ways to achieve wanted functionality. Default configuration file defines -set of modules that together implement typical email server stack. - -To specify the module that should be used by another module for something, look -for configuration directives with "module reference" argument. Then -put the module name as an argument for it. Optionally, if referenced module -needs that, put additional arguments after the name. You can also put a -configuration block with additional directives specifing the module -configuration. - -Here are some examples: - -``` -smtp ... { - # Deliver messages to the 'dummy' module with the default configuration. - deliver_to dummy - - # Deliver messages to the 'target.smtp' module with - # 'tcp://127.0.0.1:1125' argument as a configuration. - deliver_to smtp tcp://127.0.0.1:1125 - - # Deliver messages to the 'queue' module with the specified configuration. - deliver_to queue { - target ... - max_tries 10 - } -} -``` - -Additionally, module configuration can be placed in a separate named block -at the top-level and merely referenced by its name where it is needed. - -Here is the example: -``` -storage.imapsql local_mailboxes { - driver sqlite3 - dsn all.db -} - -smtp ... { - deliver_to &local_mailboxes -} -``` - -It is recommended to use this syntax for modules that are 'expensive' to -initialize such as storage backends and authentication providers. - -For top-level configuration block definition, syntax is as follows: -``` -namespace.module_name config_block_name... { - module_configuration -} -``` -If config_block_name is omitted, it will be the same as module_name. Multiple -names can be specified. All names must be unique. - -Note the "storage." prefix. The actual module name is this and includes -"namespace". It is a little cheating to make more concise names and can -be omitted when you reference the module where it is used since it can -be implied (e.g. putting module reference in "check{}" likely means you want -something with "check." prefix) - -Usual module arguments can't be specified when using this syntax, however, -modules usually provide explicit directives that allow to specify the needed -values. For example 'sql sqlite3 all.db' is equivalent to -``` -storage.imapsql { - driver sqlite3 - dsn all.db -} -``` - -# Reference documentation conventions - -## Syntax descriptions for directives - -Underlined values are placeholders and should be replaced by your values. -_boolean_ is either 'yes' or 'no' string. - -Ellipsis (_smth..._) means that multiple values can be specified - -Multiple values listed with '|' (pipe) separator mean that any of them -can be used. - -# Global directives - -These directives applied for all configuration blocks that don't override it. - -*Syntax*: state_dir _path_ ++ -*Default*: /var/lib/maddy - -The path to the state directory. This directory will be used to store all -persistent data and should be writable. - -*Syntax*: runtime_dir _path_ ++ -*Default*: /run/maddy - -The path to the runtime directory. Used for Unix sockets and other temporary -objects. Should be writable. - -*Syntax*: hostname _domain_ ++ -*Default*: not specified - -Internet hostname of this mail server. Typicall FQDN is used. It is recommended -to make sure domain specified here resolved to the public IP of the server. - -*Syntax*: autogenerated_msg_domain _domain_ ++ -*Default*: not specified - -Domain that is used in From field for auto-generated messages (such as Delivery -Status Notifications). - -*Syntax*: ++ - tls file _cert_file_ _pkey_file_ ++ - tls _module reference_ ++ - tls off ++ -*Default*: not specified - -Default TLS certificate to use for all endpoints. - -Must be present in either all endpoint modules configuration blocks or as -global directive. - -You can also specify other configuration options such as cipher suites and TLS -version. See maddy-tls(5) for details. maddy uses reasonable -cipher suites and TLS versions by default so you generally don't have to worry -about it. - -*Syntax*: tls_client { ... } ++ -*Default*: not specified - -This is optional block that specifies various TLS-related options to use when -making outbound connections. See TLS client configuration for details on -directives that can be used in it. maddy uses reasonable cipher suites and TLS -versions by default so you generally don't have to worry about it. - -*Syntax*: ++ - log _targets..._ ++ - log off ++ -*Default*: stderr - -Write log to one of more "targets". - -The target can be one or the following: - -- stderr - - Write logs to stderr. - -- stderr_ts - - Write logs to stderr with timestamps. - -- syslog - - Send logs to the local syslog daemon. - -- _file path_ - - Write (append) logs to file. - -Example: -``` -log syslog /var/log/maddy.log -``` - -*Note:* Maddy does not perform log files rotation, this is the job of the -logrotate daemon. Send SIGUSR1 to maddy process to make it reopen log files. - -*Syntax*: debug _boolean_ ++ -*Default*: no - -Enable verbose logging for all modules. You don't need that unless you are -reporting a bug. - -# Prometheus/OpenMetrics endpoint - -``` -openmetrics tcp://127.0.0.1:9749 { } -``` - -This will enable HTTP listener that will serve telemetry in OpenMetrics format. -(It is compatible with Prometheus). - -See openmetrics.md documentation page the list of metrics exposed. - -# Signals - -*SIGTERM, SIGINT, SIGHUP* - -Stop the server process gracefully. Send the signal second time to force -immediate shutdown (likely unclean). - -*SIGUSR1* - -Reopen log files, if any are used. - -*SIGUSR2* - -Reload some files from disk, including alias mappings and TLS certificates. -This does not include the main configuration, though. - -# Authors - -Maintained by Max Mazurov . Project includes contributions -made by other people. - -Source code is available at https://github.com/foxcpp/maddy. - -# See also - -*maddy-config*(5) - Detailed configuration syntax description ++ -*maddy-imap*(5) - IMAP endpoint module reference ++ -*maddy-smtp*(5) - SMTP & Submission endpoint module reference ++ -*maddy-targets*(5) - Delivery targets reference ++ -*maddy-storage*(5) - Storage modules reference ++ -*maddy-auth*(5) - Authentication modules reference ++ -*maddy-filters*(5) - Message filtering modules reference ++ -*maddy-tables*(5) - Table modules reference ++ -*maddy-tls*(5) - Advanced TLS client & server configuration diff --git a/framework/dns/debugflags.go b/framework/dns/debugflags.go index 41e30fd..5fd0df4 100644 --- a/framework/dns/debugflags.go +++ b/framework/dns/debugflags.go @@ -21,9 +21,15 @@ along with this program. If not, see . package dns import ( - "flag" + maddycli "github.com/foxcpp/maddy/internal/cli" + "github.com/urfave/cli/v2" ) func init() { - flag.StringVar(&overrideServ, "debug.dnsoverride", "system-default", "replace the DNS resolver address") + maddycli.AddGlobalFlag(&cli.StringFlag{ + Name: "debug.dnsoverride", + Usage: "replace the DNS resolver address", + Value: "system-default", + Destination: &overrideServ, + }) } diff --git a/internal/auth/pass_table/table.go b/internal/auth/pass_table/table.go index 0bef271..5b9057f 100644 --- a/internal/auth/pass_table/table.go +++ b/internal/auth/pass_table/table.go @@ -112,11 +112,21 @@ func (a *Auth) ListUsers() ([]string, error) { } func (a *Auth) CreateUser(username, password string) error { + return a.CreateUserHash(username, password, HashBcrypt, HashOpts{ + BcryptCost: bcrypt.DefaultCost, + }) +} + +func (a *Auth) CreateUserHash(username, password string, hashAlgo string, opts HashOpts) error { tbl, ok := a.table.(module.MutableTable) if !ok { return fmt.Errorf("%s: table is not mutable, no management functionality available", a.modName) } + if _, ok := HashCompute[hashAlgo]; !ok { + return fmt.Errorf("%s: unknown hash function: %v", a.modName, hashAlgo) + } + key, err := precis.UsernameCaseMapped.CompareKey(username) if err != nil { return fmt.Errorf("%s: create user %s (raw): %w", a.modName, username, err) @@ -130,15 +140,12 @@ func (a *Auth) CreateUser(username, password string) error { return fmt.Errorf("%s: credentials for %s already exist", a.modName, key) } - // TODO: Allow to customize hash function. - hash, err := HashCompute[HashBcrypt](HashOpts{ - BcryptCost: bcrypt.DefaultCost, - }, password) + hash, err := HashCompute[hashAlgo](opts, password) if err != nil { return fmt.Errorf("%s: create user %s: hash generation: %w", a.modName, key, err) } - if err := tbl.SetKey(key, "bcrypt:"+hash); err != nil { + if err := tbl.SetKey(key, hash+":"+hash); err != nil { return fmt.Errorf("%s: create user %s: %w", a.modName, key, err) } return nil diff --git a/internal/cli/app.go b/internal/cli/app.go new file mode 100644 index 0000000..78e6ec1 --- /dev/null +++ b/internal/cli/app.go @@ -0,0 +1,105 @@ +package maddycli + +import ( + "flag" + "fmt" + "os" + "strings" + + "github.com/foxcpp/maddy/framework/log" + "github.com/urfave/cli/v2" +) + +var app *cli.App + +func init() { + app = cli.NewApp() + app.Usage = "composable all-in-one mail server" + app.Description = `Maddy is Mail Transfer agent (MTA), Mail Delivery Agent (MDA), Mail Submission +Agent (MSA), IMAP server and a set of other essential protocols/schemes +necessary to run secure email server implemented in one executable. + +This executable can be used to start the server ('run') and to manipulate +databases used by it (all other subcommands). +` + app.Authors = []*cli.Author{ + { + Name: "Maddy Mail Server maintainers & contributors", + Email: "~foxcpp/maddy@lists.sr.ht", + }, + } + app.ExitErrHandler = func(c *cli.Context, err error) { + cli.HandleExitCoder(err) + if err != nil { + log.Println(err) + cli.OsExiter(1) + } + } + app.EnableBashCompletion = true + app.Commands = []*cli.Command{ + { + Name: "generate-man", + Hidden: true, + Action: func(c *cli.Context) error { + man, err := app.ToMan() + if err != nil { + return err + } + fmt.Println(man) + return nil + }, + }, + { + Name: "generate-fish-completion", + Hidden: true, + Action: func(c *cli.Context) error { + cp, err := app.ToFishCompletion() + if err != nil { + return err + } + fmt.Println(cp) + return nil + }, + }, + } +} + +func AddGlobalFlag(f cli.Flag) { + app.Flags = append(app.Flags, f) + if err := f.Apply(flag.CommandLine); err != nil { + log.Println("GlobalFlag", f, "could not be mapped to stdlib flag:", err) + } +} + +func AddSubcommand(cmd *cli.Command) { + app.Commands = append(app.Commands, cmd) + + if cmd.Name == "run" { + // Backward compatibility hack to start the server as just ./maddy + // Needs to be done here so we will register all known flags with + // stdlib before Run is called. + app.Action = func(c *cli.Context) error { + log.Println("WARNING: Starting server not via 'maddy run' is deprecated and will stop working in the next version") + return cmd.Action(c) + } + app.Flags = append(app.Flags, cmd.Flags...) + for _, f := range cmd.Flags { + if err := f.Apply(flag.CommandLine); err != nil { + log.Println("GlobalFlag", f, "could not be mapped to stdlib flag:", err) + } + } + } +} + +func Run() { + // Actual entry point is registered in maddy.go. + + // Print help when called via maddyctl executable. To be removed + // once backward compatbility hack for 'maddy run' is removed too. + if strings.Contains(os.Args[0], "maddyctl") && len(os.Args) == 1 { + app.Run([]string{os.Args[0], "help"}) + return + } + + app.Run(os.Args) +} diff --git a/cmd/maddyctl/clitools/clitools.go b/internal/cli/clitools/clitools.go similarity index 100% rename from cmd/maddyctl/clitools/clitools.go rename to internal/cli/clitools/clitools.go diff --git a/cmd/maddyctl/clitools/termios.go b/internal/cli/clitools/termios.go similarity index 100% rename from cmd/maddyctl/clitools/termios.go rename to internal/cli/clitools/termios.go diff --git a/cmd/maddyctl/clitools/termios_stub.go b/internal/cli/clitools/termios_stub.go similarity index 100% rename from cmd/maddyctl/clitools/termios_stub.go rename to internal/cli/clitools/termios_stub.go diff --git a/cmd/maddyctl/appendlimit.go b/internal/cli/ctl/appendlimit.go similarity index 99% rename from cmd/maddyctl/appendlimit.go rename to internal/cli/ctl/appendlimit.go index 86a519d..ce0e3c4 100644 --- a/cmd/maddyctl/appendlimit.go +++ b/internal/cli/ctl/appendlimit.go @@ -16,7 +16,7 @@ You should have received a copy of the GNU General Public License along with this program. If not, see . */ -package main +package ctl import ( "fmt" diff --git a/cmd/maddyctl/hash.go b/internal/cli/ctl/hash.go similarity index 67% rename from cmd/maddyctl/hash.go rename to internal/cli/ctl/hash.go index 35a2b88..7ccc164 100644 --- a/cmd/maddyctl/hash.go +++ b/internal/cli/ctl/hash.go @@ -16,19 +16,61 @@ You should have received a copy of the GNU General Public License along with this program. If not, see . */ -package main +package ctl import ( "fmt" "os" "strings" - "github.com/foxcpp/maddy/cmd/maddyctl/clitools" "github.com/foxcpp/maddy/internal/auth/pass_table" + maddycli "github.com/foxcpp/maddy/internal/cli" + clitools2 "github.com/foxcpp/maddy/internal/cli/clitools" "github.com/urfave/cli/v2" "golang.org/x/crypto/bcrypt" ) +func init() { + maddycli.AddSubcommand( + &cli.Command{ + Name: "hash", + Usage: "Generate password hashes for use with pass_table", + Action: hashCommand, + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "password", + Aliases: []string{"p"}, + Usage: "Use `PASSWORD instead of reading password from stdin\n\t\tWARNING: Provided only for debugging convenience. Don't leave your passwords in shell history!", + }, + &cli.StringFlag{ + Name: "hash", + Usage: "Use specified hash algorithm", + Value: "bcrypt", + }, + &cli.IntFlag{ + Name: "bcrypt-cost", + Usage: "Specify bcrypt cost value", + Value: bcrypt.DefaultCost, + }, + &cli.IntFlag{ + Name: "argon2-time", + Usage: "Time factor for Argon2id", + Value: 3, + }, + &cli.IntFlag{ + Name: "argon2-memory", + Usage: "Memory in KiB to use for Argon2id", + Value: 1024, + }, + &cli.IntFlag{ + Name: "argon2-threads", + Usage: "Threads to use for Argon2id", + Value: 1, + }, + }, + }) +} + func hashCommand(ctx *cli.Context) error { hashFunc := ctx.String("hash") if hashFunc == "" { @@ -75,7 +117,7 @@ func hashCommand(ctx *cli.Context) error { pass = ctx.String("password") } else { var err error - pass, err = clitools.ReadPassword("Password") + pass, err = clitools2.ReadPassword("Password") if err != nil { return err } diff --git a/cmd/maddyctl/imap.go b/internal/cli/ctl/imap.go similarity index 50% rename from cmd/maddyctl/imap.go rename to internal/cli/ctl/imap.go index 3681fc5..bc1de67 100644 --- a/cmd/maddyctl/imap.go +++ b/internal/cli/ctl/imap.go @@ -16,7 +16,7 @@ You should have received a copy of the GNU General Public License along with this program. If not, see . */ -package main +package ctl import ( "bytes" @@ -29,11 +29,386 @@ import ( "github.com/emersion/go-imap" imapsql "github.com/foxcpp/go-imap-sql" - "github.com/foxcpp/maddy/cmd/maddyctl/clitools" "github.com/foxcpp/maddy/framework/module" + maddycli "github.com/foxcpp/maddy/internal/cli" + clitools2 "github.com/foxcpp/maddy/internal/cli/clitools" "github.com/urfave/cli/v2" ) +func init() { + maddycli.AddSubcommand( + &cli.Command{ + Name: "imap-mboxes", + Usage: "IMAP mailboxes (folders) management", + Subcommands: []*cli.Command{ + { + Name: "list", + Usage: "Show mailboxes of user", + ArgsUsage: "USERNAME", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + &cli.BoolFlag{ + Name: "subscribed", + Aliases: []string{"s"}, + Usage: "List only subscribed mailboxes", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return mboxesList(be, ctx) + }, + }, + { + Name: "create", + Usage: "Create mailbox", + ArgsUsage: "USERNAME NAME", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + &cli.StringFlag{ + Name: "special", + Usage: "Set SPECIAL-USE attribute on mailbox; valid values: archive, drafts, junk, sent, trash", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return mboxesCreate(be, ctx) + }, + }, + { + Name: "remove", + Usage: "Remove mailbox", + Description: "WARNING: All contents of mailbox will be irrecoverably lost.", + ArgsUsage: "USERNAME MAILBOX", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + &cli.BoolFlag{ + Name: "yes", + Aliases: []string{"y"}, + Usage: "Don't ask for confirmation", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return mboxesRemove(be, ctx) + }, + }, + { + Name: "rename", + Usage: "Rename mailbox", + Description: "Rename may cause unexpected failures on client-side so be careful.", + ArgsUsage: "USERNAME OLDNAME NEWNAME", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return mboxesRename(be, ctx) + }, + }, + }, + }) + maddycli.AddSubcommand(&cli.Command{ + Name: "imap-msgs", + Usage: "IMAP messages management", + Subcommands: []*cli.Command{ + { + Name: "add", + Usage: "Add message to mailbox", + ArgsUsage: "USERNAME MAILBOX", + Description: "Reads message body (with headers) from stdin. Prints UID of created message on success.", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + &cli.StringSliceFlag{ + Name: "flag", + Aliases: []string{"f"}, + Usage: "Add flag to message. Can be specified multiple times", + }, + &cli.TimestampFlag{ + Layout: time.RFC3339, + Name: "date", + Aliases: []string{"d"}, + Usage: "Set internal date value to specified one in ISO 8601 format (2006-01-02T15:04:05Z07:00)", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return msgsAdd(be, ctx) + }, + }, + { + Name: "add-flags", + Usage: "Add flags to messages", + ArgsUsage: "USERNAME MAILBOX SEQ FLAGS...", + Description: "Add flags to all messages matched by SEQ.", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + &cli.BoolFlag{ + Name: "uid", + Aliases: []string{"u"}, + Usage: "Use UIDs for SEQSET instead of sequence numbers", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return msgsFlags(be, ctx) + }, + }, + { + Name: "rem-flags", + Usage: "Remove flags from messages", + ArgsUsage: "USERNAME MAILBOX SEQ FLAGS...", + Description: "Remove flags from all messages matched by SEQ.", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + &cli.BoolFlag{ + Name: "uid", + Aliases: []string{"u"}, + Usage: "Use UIDs for SEQSET instead of sequence numbers", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return msgsFlags(be, ctx) + }, + }, + { + Name: "set-flags", + Usage: "Set flags on messages", + ArgsUsage: "USERNAME MAILBOX SEQ FLAGS...", + Description: "Set flags on all messages matched by SEQ.", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + &cli.BoolFlag{ + Name: "uid", + Aliases: []string{"u"}, + Usage: "Use UIDs for SEQSET instead of sequence numbers", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return msgsFlags(be, ctx) + }, + }, + { + Name: "remove", + Usage: "Remove messages from mailbox", + ArgsUsage: "USERNAME MAILBOX SEQSET", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + &cli.BoolFlag{ + Name: "uid,u", + Aliases: []string{"u"}, + Usage: "Use UIDs for SEQSET instead of sequence numbers", + }, + &cli.BoolFlag{ + Name: "yes", + Aliases: []string{"y"}, + Usage: "Don't ask for confirmation", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return msgsRemove(be, ctx) + }, + }, + { + Name: "copy", + Usage: "Copy messages between mailboxes", + Description: "Note: You can't copy between mailboxes of different users. APPENDLIMIT of target mailbox is not enforced.", + ArgsUsage: "USERNAME SRCMAILBOX SEQSET TGTMAILBOX", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + &cli.BoolFlag{ + Name: "uid", + Aliases: []string{"u"}, + Usage: "Use UIDs for SEQSET instead of sequence numbers", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return msgsCopy(be, ctx) + }, + }, + { + Name: "move", + Usage: "Move messages between mailboxes", + Description: "Note: You can't move between mailboxes of different users. APPENDLIMIT of target mailbox is not enforced.", + ArgsUsage: "USERNAME SRCMAILBOX SEQSET TGTMAILBOX", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + &cli.BoolFlag{ + Name: "uid", + Aliases: []string{"u"}, + Usage: "Use UIDs for SEQSET instead of sequence numbers", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return msgsMove(be, ctx) + }, + }, + { + Name: "list", + Usage: "List messages in mailbox", + Description: "If SEQSET is specified - only show messages that match it.", + ArgsUsage: "USERNAME MAILBOX [SEQSET]", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + &cli.BoolFlag{ + Name: "uid", + Aliases: []string{"u"}, + Usage: "Use UIDs for SEQSET instead of sequence numbers", + }, + &cli.BoolFlag{ + Name: "full,f", + Aliases: []string{"f"}, + Usage: "Show entire envelope and all server meta-data", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return msgsList(be, ctx) + }, + }, + { + Name: "dump", + Usage: "Dump message body", + Description: "If passed SEQ matches multiple messages - they will be joined.", + ArgsUsage: "USERNAME MAILBOX SEQ", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + &cli.BoolFlag{ + Name: "uid", + Aliases: []string{"u"}, + Usage: "Use UIDs for SEQ instead of sequence numbers", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return msgsDump(be, ctx) + }, + }, + }, + }) +} + func FormatAddress(addr *imap.Address) string { return fmt.Sprintf("%s <%s@%s>", addr.PersonalName, addr.MailboxName, addr.HostName) } @@ -131,7 +506,7 @@ func mboxesRemove(be module.Storage, ctx *cli.Context) error { fmt.Fprintf(os.Stderr, "Mailbox %s contains %d messages.\n", name, status.Messages) } - if !clitools.Confirmation("Are you sure you want to delete that mailbox?", false) { + if !clitools2.Confirmation("Are you sure you want to delete that mailbox?", false) { return errors.New("Cancelled") } } @@ -183,7 +558,7 @@ func msgsAdd(be module.Storage, ctx *cli.Context) error { date := time.Now() if ctx.IsSet("date") { - date = time.Unix(ctx.Int64("date"), 0) + date = *ctx.Timestamp("date") } buf := bytes.Buffer{} @@ -240,7 +615,7 @@ func msgsRemove(be module.Storage, ctx *cli.Context) error { } if !ctx.Bool("yes") { - if !clitools.Confirmation("Are you sure you want to delete these messages?", false) { + if !clitools2.Confirmation("Are you sure you want to delete these messages?", false) { return errors.New("Cancelled") } } @@ -286,10 +661,6 @@ func msgsCopy(be module.Storage, ctx *cli.Context) error { } func msgsMove(be module.Storage, ctx *cli.Context) error { - if ctx.Bool("yes") || !clitools.Confirmation("Currently, it is unsafe to remove messages from mailboxes used by connected clients, continue?", false) { - return cli.Exit("Cancelled", 2) - } - username := ctx.Args().First() if username == "" { return cli.Exit("Error: USERNAME is required", 2) diff --git a/internal/cli/ctl/imapacct.go b/internal/cli/ctl/imapacct.go new file mode 100644 index 0000000..0be8e4d --- /dev/null +++ b/internal/cli/ctl/imapacct.go @@ -0,0 +1,292 @@ +/* +Maddy Mail Server - Composable all-in-one email server. +Copyright © 2019-2020 Max Mazurov , Maddy Mail Server contributors + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +package ctl + +import ( + "errors" + "fmt" + "os" + + "github.com/emersion/go-imap" + "github.com/foxcpp/maddy/framework/module" + maddycli "github.com/foxcpp/maddy/internal/cli" + clitools2 "github.com/foxcpp/maddy/internal/cli/clitools" + "github.com/urfave/cli/v2" +) + +func init() { + maddycli.AddSubcommand( + &cli.Command{ + Name: "imap-acct", + Usage: "IMAP storage accounts management", + Description: `These subcommands can be used to list/create/delete IMAP storage +accounts for any storage backend supported by maddy. + +The corresponding storage backend should be configured in maddy.conf and be +defined in a top-level configuration block. By default, the name of that +block should be local_mailboxes but this can be changed using --cfg-block +flag for subcommands. + +Note that in default configuration it is not enough to create an IMAP storage +account to grant server access. Additionally, user credentials should +be created using 'creds' subcommand. +`, + Subcommands: []*cli.Command{ + { + Name: "list", + Usage: "List storage accounts", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return imapAcctList(be, ctx) + }, + }, + { + Name: "create", + Usage: "Create IMAP storage account", + Description: `In addition to account creation, this command +creates a set of default folder (mailboxes) with special-use attribute set.`, + ArgsUsage: "USERNAME", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + &cli.StringFlag{ + Name: "sent-name", + Usage: "Name of special mailbox for sent messages, use empty string to not create any", + Value: "Sent", + }, + &cli.StringFlag{ + Name: "trash-name", + Usage: "Name of special mailbox for trash, use empty string to not create any", + Value: "Trash", + }, + &cli.StringFlag{ + Name: "junk-name", + Usage: "Name of special mailbox for 'junk' (spam), use empty string to not create any", + Value: "Junk", + }, + &cli.StringFlag{ + Name: "drafts-name", + Usage: "Name of special mailbox for drafts, use empty string to not create any", + Value: "Drafts", + }, + &cli.StringFlag{ + Name: "archive-name", + Usage: "Name of special mailbox for archive, use empty string to not create any", + Value: "Archive", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return imapAcctCreate(be, ctx) + }, + }, + { + Name: "remove", + Usage: "Delete IMAP storage account", + Description: `If IMAP connections are open and using the specified account, +messages access will be killed off immediately though connection will remain open. No cache +or other buffering takes effect.`, + ArgsUsage: "USERNAME", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + &cli.BoolFlag{ + Name: "yes", + Aliases: []string{"y"}, + Usage: "Don't ask for confirmation", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return imapAcctRemove(be, ctx) + }, + }, + { + Name: "appendlimit", + Usage: "Query or set accounts's APPENDLIMIT value", + Description: `APPENDLIMIT value determines the size of a message that +can be saved into a mailbox using IMAP APPEND command. This does not affect the size +of messages that can be delivered to the mailbox from non-IMAP sources (e.g. SMTP). + +Global APPENDLIMIT value set via server configuration takes precedence over +per-account values configured using this command. + +APPENDLIMIT value (either global or per-account) cannot be larger than +4 GiB due to IMAP protocol limitations. +`, + ArgsUsage: "USERNAME", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_mailboxes", + }, + &cli.IntFlag{ + Name: "value", + Aliases: []string{"v"}, + Usage: "Set APPENDLIMIT to specified value (in bytes)", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openStorage(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return imapAcctAppendlimit(be, ctx) + }, + }, + }, + }) +} + +type SpecialUseUser interface { + CreateMailboxSpecial(name, specialUseAttr string) error +} + +func imapAcctList(be module.Storage, ctx *cli.Context) error { + mbe, ok := be.(module.ManageableStorage) + if !ok { + return cli.Exit("Error: storage backend does not support accounts management using maddyctl", 2) + } + + list, err := mbe.ListIMAPAccts() + if err != nil { + return err + } + + if len(list) == 0 && !ctx.Bool("quiet") { + fmt.Fprintln(os.Stderr, "No users.") + } + + for _, user := range list { + fmt.Println(user) + } + return nil +} + +func imapAcctCreate(be module.Storage, ctx *cli.Context) error { + mbe, ok := be.(module.ManageableStorage) + if !ok { + return cli.Exit("Error: storage backend does not support accounts management using maddyctl", 2) + } + + username := ctx.Args().First() + if username == "" { + return cli.Exit("Error: USERNAME is required", 2) + } + + if err := mbe.CreateIMAPAcct(username); err != nil { + return err + } + + act, err := mbe.GetIMAPAcct(username) + if err != nil { + return fmt.Errorf("failed to get user: %w", err) + } + + suu, ok := act.(SpecialUseUser) + if !ok { + fmt.Fprintf(os.Stderr, "Note: Storage backend does not support SPECIAL-USE IMAP extension") + } + + createMbox := func(name, specialUseAttr string) error { + if suu == nil { + return act.CreateMailbox(name) + } + return suu.CreateMailboxSpecial(name, specialUseAttr) + } + + if name := ctx.String("sent-name"); name != "" { + if err := createMbox(name, imap.SentAttr); err != nil { + fmt.Fprintf(os.Stderr, "Failed to create sent folder: %v", err) + } + } + if name := ctx.String("trash-name"); name != "" { + if err := createMbox(name, imap.TrashAttr); err != nil { + fmt.Fprintf(os.Stderr, "Failed to create trash folder: %v", err) + } + } + if name := ctx.String("junk-name"); name != "" { + if err := createMbox(name, imap.JunkAttr); err != nil { + fmt.Fprintf(os.Stderr, "Failed to create junk folder: %v", err) + } + } + if name := ctx.String("drafts-name"); name != "" { + if err := createMbox(name, imap.DraftsAttr); err != nil { + fmt.Fprintf(os.Stderr, "Failed to create drafts folder: %v", err) + } + } + if name := ctx.String("archive-name"); name != "" { + if err := createMbox(name, imap.ArchiveAttr); err != nil { + fmt.Fprintf(os.Stderr, "Failed to create archive folder: %v", err) + } + } + + return nil +} + +func imapAcctRemove(be module.Storage, ctx *cli.Context) error { + mbe, ok := be.(module.ManageableStorage) + if !ok { + return cli.Exit("Error: storage backend does not support accounts management using maddyctl", 2) + } + + username := ctx.Args().First() + if username == "" { + return cli.Exit("Error: USERNAME is required", 2) + } + + if !ctx.Bool("yes") { + if !clitools2.Confirmation("Are you sure you want to delete this user account?", false) { + return errors.New("Cancelled") + } + } + + return mbe.DeleteIMAPAcct(username) +} diff --git a/internal/cli/ctl/moduleinit.go b/internal/cli/ctl/moduleinit.go new file mode 100644 index 0000000..23e79e5 --- /dev/null +++ b/internal/cli/ctl/moduleinit.go @@ -0,0 +1,133 @@ +/* +Maddy Mail Server - Composable all-in-one email server. +Copyright © 2019-2020 Max Mazurov , Maddy Mail Server contributors + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +package ctl + +import ( + "errors" + "fmt" + "io" + "os" + + "github.com/foxcpp/maddy" + parser "github.com/foxcpp/maddy/framework/cfgparser" + "github.com/foxcpp/maddy/framework/config" + "github.com/foxcpp/maddy/framework/hooks" + "github.com/foxcpp/maddy/framework/module" + "github.com/foxcpp/maddy/internal/updatepipe" + "github.com/urfave/cli/v2" +) + +func closeIfNeeded(i interface{}) { + if c, ok := i.(io.Closer); ok { + c.Close() + } +} + +func getCfgBlockModule(ctx *cli.Context) (map[string]interface{}, *maddy.ModInfo, error) { + cfgPath := ctx.String("config") + if cfgPath == "" { + return nil, nil, cli.Exit("Error: config is required", 2) + } + cfgFile, err := os.Open(cfgPath) + if err != nil { + return nil, nil, cli.Exit(fmt.Sprintf("Error: failed to open config: %v", err), 2) + } + defer cfgFile.Close() + cfgNodes, err := parser.Read(cfgFile, cfgFile.Name()) + if err != nil { + return nil, nil, cli.Exit(fmt.Sprintf("Error: failed to parse config: %v", err), 2) + } + + globals, cfgNodes, err := maddy.ReadGlobals(cfgNodes) + if err != nil { + return nil, nil, err + } + + if err := maddy.InitDirs(); err != nil { + return nil, nil, err + } + + module.NoRun = true + _, mods, err := maddy.RegisterModules(globals, cfgNodes) + if err != nil { + return nil, nil, err + } + defer hooks.RunHooks(hooks.EventShutdown) + + cfgBlock := ctx.String("cfg-block") + if cfgBlock == "" { + return nil, nil, cli.Exit("Error: cfg-block is required", 2) + } + var mod maddy.ModInfo + for _, m := range mods { + if m.Instance.InstanceName() == cfgBlock { + mod = m + break + } + } + if mod.Instance == nil { + return nil, nil, cli.Exit(fmt.Sprintf("Error: unknown configuration block: %s", cfgBlock), 2) + } + + return globals, &mod, nil +} + +func openStorage(ctx *cli.Context) (module.Storage, error) { + globals, mod, err := getCfgBlockModule(ctx) + if err != nil { + return nil, err + } + + storage, ok := mod.Instance.(module.Storage) + if !ok { + return nil, cli.Exit(fmt.Sprintf("Error: configuration block %s is not an IMAP storage", ctx.String("cfg-block")), 2) + } + + if err := mod.Instance.Init(config.NewMap(globals, mod.Cfg)); err != nil { + return nil, fmt.Errorf("Error: module initialization failed: %w", err) + } + + if updStore, ok := mod.Instance.(updatepipe.Backend); ok { + if err := updStore.EnableUpdatePipe(updatepipe.ModePush); err != nil && !errors.Is(err, os.ErrNotExist) { + fmt.Fprintf(os.Stderr, "Failed to initialize update pipe, do not remove messages from mailboxes open by clients: %v\n", err) + } + } else { + fmt.Fprintf(os.Stderr, "No update pipe support, do not remove messages from mailboxes open by clients\n") + } + + return storage, nil +} + +func openUserDB(ctx *cli.Context) (module.PlainUserDB, error) { + globals, mod, err := getCfgBlockModule(ctx) + if err != nil { + return nil, err + } + + userDB, ok := mod.Instance.(module.PlainUserDB) + if !ok { + return nil, cli.Exit(fmt.Sprintf("Error: configuration block %s is not a local credentials store", ctx.String("cfg-block")), 2) + } + + if err := mod.Instance.Init(config.NewMap(globals, mod.Cfg)); err != nil { + return nil, fmt.Errorf("Error: module initialization failed: %w", err) + } + + return userDB, nil +} diff --git a/internal/cli/ctl/users.go b/internal/cli/ctl/users.go new file mode 100644 index 0000000..924e433 --- /dev/null +++ b/internal/cli/ctl/users.go @@ -0,0 +1,246 @@ +/* +Maddy Mail Server - Composable all-in-one email server. +Copyright © 2019-2020 Max Mazurov , Maddy Mail Server contributors + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +package ctl + +import ( + "errors" + "fmt" + "os" + "strings" + + "github.com/foxcpp/maddy/framework/module" + "github.com/foxcpp/maddy/internal/auth/pass_table" + maddycli "github.com/foxcpp/maddy/internal/cli" + clitools2 "github.com/foxcpp/maddy/internal/cli/clitools" + "github.com/urfave/cli/v2" + "golang.org/x/crypto/bcrypt" +) + +func init() { + maddycli.AddSubcommand( + &cli.Command{ + Name: "creds", + Usage: "Local credentials management", + Description: `These commands manipulate credential databases used by +maddy mail server. + +Corresponding credential database should be defined in maddy.conf as +a top-level config block. By default the block name should be local_authdb ( +can be changed using --cfg-block argument for subcommands). + +Note that it is not enough to create user credentials in order to grant +IMAP access - IMAP account should be also created using 'imap-acct create' subcommand. +`, + Subcommands: []*cli.Command{ + { + Name: "list", + Usage: "List created credentials", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_authdb", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openUserDB(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return usersList(be, ctx) + }, + }, + { + Name: "create", + Usage: "Create user account", + Description: `Reads password from stdin. + +If configuration block uses auth.pass_table, then hash algorithm can be configured +using command flags. Otherwise, these options cannot be used. +`, + ArgsUsage: "USERNAME", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_authdb", + }, + &cli.StringFlag{ + Name: "password", + Aliases: []string{"p"}, + Usage: "Use `PASSWORD instead of reading password from stdin.\n\t\tWARNING: Provided only for debugging convenience. Don't leave your passwords in shell history!", + }, + &cli.StringFlag{ + Name: "hash", + Usage: "Use specified hash algorithm. Valid values: " + strings.Join(pass_table.Hashes, ", "), + Value: "bcrypt", + }, + &cli.IntFlag{ + Name: "bcrypt-cost", + Usage: "Specify bcrypt cost value", + Value: bcrypt.DefaultCost, + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openUserDB(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return usersCreate(be, ctx) + }, + }, + { + Name: "remove", + Usage: "Delete user account", + ArgsUsage: "USERNAME", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_authdb", + }, + &cli.BoolFlag{ + Name: "yes", + Aliases: []string{"y"}, + Usage: "Don't ask for confirmation", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openUserDB(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return usersRemove(be, ctx) + }, + }, + { + Name: "password", + Usage: "Change account password", + Description: "Reads password from stdin", + ArgsUsage: "USERNAME", + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: "cfg-block", + Usage: "Module configuration block to use", + EnvVars: []string{"MADDY_CFGBLOCK"}, + Value: "local_authdb", + }, + &cli.StringFlag{ + Name: "password", + Aliases: []string{"p"}, + Usage: "Use `PASSWORD` instead of reading password from stdin.\n\t\tWARNING: Provided only for debugging convenience. Don't leave your passwords in shell history!", + }, + }, + Action: func(ctx *cli.Context) error { + be, err := openUserDB(ctx) + if err != nil { + return err + } + defer closeIfNeeded(be) + return usersPassword(be, ctx) + }, + }, + }, + }) +} + +func usersList(be module.PlainUserDB, ctx *cli.Context) error { + list, err := be.ListUsers() + if err != nil { + return err + } + + if len(list) == 0 && !ctx.Bool("quiet") { + fmt.Fprintln(os.Stderr, "No users.") + } + + for _, user := range list { + fmt.Println(user) + } + return nil +} + +func usersCreate(be module.PlainUserDB, ctx *cli.Context) error { + username := ctx.Args().First() + if username == "" { + return cli.Exit("Error: USERNAME is required", 2) + } + + var pass string + if ctx.IsSet("password") { + pass = ctx.String("password") + } else { + var err error + pass, err = clitools2.ReadPassword("Enter password for new user") + if err != nil { + return err + } + } + + if be, ok := be.(*pass_table.Auth); ok { + return be.CreateUserHash(username, pass, ctx.String("hash"), pass_table.HashOpts{ + BcryptCost: ctx.Int("bcrypt-cost"), + }) + } else if ctx.IsSet("hash") || ctx.IsSet("bcrypt-cost") { + return cli.Exit("Error: --hash cannot be used with non-pass_table credentials DB", 2) + } else { + return be.CreateUser(username, pass) + } +} + +func usersRemove(be module.PlainUserDB, ctx *cli.Context) error { + username := ctx.Args().First() + if username == "" { + return errors.New("Error: USERNAME is required") + } + + if !ctx.Bool("yes") { + if !clitools2.Confirmation("Are you sure you want to delete this user account?", false) { + return errors.New("Cancelled") + } + } + + return be.DeleteUser(username) +} + +func usersPassword(be module.PlainUserDB, ctx *cli.Context) error { + username := ctx.Args().First() + if username == "" { + return errors.New("Error: USERNAME is required") + } + + var pass string + if ctx.IsSet("password") { + pass = ctx.String("password") + } else { + var err error + pass, err = clitools2.ReadPassword("Enter new password") + if err != nil { + return err + } + } + + return be.SetUserPassword(username, pass) +} diff --git a/internal/target/remote/debugflags.go b/internal/target/remote/debugflags.go index c79d931..76774b9 100644 --- a/internal/target/remote/debugflags.go +++ b/internal/target/remote/debugflags.go @@ -20,8 +20,15 @@ along with this program. If not, see . package remote -import "flag" +import ( + maddycli "github.com/foxcpp/maddy/internal/cli" + "github.com/urfave/cli/v2" +) func init() { - flag.StringVar(&smtpPort, "debug.smtpport", "25", "SMTP port to use for connections in tests") + maddycli.AddGlobalFlag(&cli.StringFlag{ + Name: "debug.smtpport", + Usage: "SMTP port to use for connections in tests", + Destination: &smtpPort, + }) } diff --git a/maddy.go b/maddy.go index 43df3db..d931814 100644 --- a/maddy.go +++ b/maddy.go @@ -20,7 +20,6 @@ package maddy import ( "errors" - "flag" "fmt" "io" "net/http" @@ -28,7 +27,6 @@ import ( "path/filepath" "runtime" "runtime/debug" - "strings" "github.com/caddyserver/certmagic" parser "github.com/foxcpp/maddy/framework/cfgparser" @@ -37,6 +35,8 @@ import ( "github.com/foxcpp/maddy/framework/hooks" "github.com/foxcpp/maddy/framework/log" "github.com/foxcpp/maddy/framework/module" + maddycli "github.com/foxcpp/maddy/internal/cli" + "github.com/urfave/cli/v2" // Import packages for side-effect of module registration. _ "github.com/foxcpp/maddy/internal/auth/dovecot_sasl" @@ -78,10 +78,7 @@ import ( var ( Version = "go-build" - enableDebugFlags = false - profileEndpoint *string - blockProfileRate *int - mutexProfileFract *int + enableDebugFlags = false ) func BuildInfo() string { @@ -101,94 +98,135 @@ default runtime_dir: %s`, DefaultRuntimeDirectory) } -// Run is the entry point for all maddy code. It takes care of command line arguments parsing, -// logging initialization, directives setup, configuration reading. After all that, it -// calls moduleMain to initialize and run modules. -func Run() int { - certmagic.UserAgent = "maddy/" + Version - - flag.StringVar(&config.LibexecDirectory, "libexec", DefaultLibexecDirectory, "path to the libexec directory") - flag.BoolVar(&log.DefaultLogger.Debug, "debug", false, "enable debug logging early") - - var ( - configPath = flag.String("config", filepath.Join(ConfigDirectory, "maddy.conf"), "path to configuration file") - logTargets = flag.String("log", "stderr", "default logging target(s)") - printVersion = flag.Bool("v", false, "print version and build metadata, then exit") +func init() { + maddycli.AddGlobalFlag( + &cli.PathFlag{ + Name: "config", + Usage: "Configuration file to use", + EnvVars: []string{"MADDY_CONFIG"}, + Value: filepath.Join(ConfigDirectory, "maddy.conf"), + }, ) + maddycli.AddSubcommand(&cli.Command{ + Name: "run", + Usage: "Start the server", + Flags: []cli.Flag{ + &cli.BoolFlag{ + Name: "debug", + Usage: "enable debug logging early", + Destination: &log.DefaultLogger.Debug, + }, + &cli.StringFlag{ + Name: "libexec", + Value: DefaultLibexecDirectory, + Usage: "path to the libexec directory", + Destination: &config.LibexecDirectory, + }, + &cli.StringSliceFlag{ + Name: "log", + Usage: "default logging target(s)", + Value: cli.NewStringSlice("stderr"), + }, + &cli.BoolFlag{ + Name: "v", + Usage: "print version and build metadata, then exit", + Hidden: true, + }, + }, + Action: Run, + }) + maddycli.AddSubcommand(&cli.Command{ + Name: "version", + Usage: "Print version and build metadata, then exit", + Action: func(c *cli.Context) error { + fmt.Println(BuildInfo()) + return nil + }, + }) if enableDebugFlags { - profileEndpoint = flag.String("debug.pprof", "", "enable live profiler HTTP endpoint and listen on the specified address") - blockProfileRate = flag.Int("debug.blockprofrate", 0, "set blocking profile rate") - mutexProfileFract = flag.Int("debug.mutexproffract", 0, "set mutex profile fraction") + maddycli.AddGlobalFlag(&cli.StringFlag{ + Name: "debug.pprof", + Usage: "enable live profiler HTTP endpoint and listen on the specified address", + }) + maddycli.AddGlobalFlag(&cli.IntFlag{ + Name: "debug.blockprofrate", + Usage: "set blocking profile rate", + }) + maddycli.AddGlobalFlag(&cli.IntFlag{ + Name: "debug.mutexproffract", + Usage: "set mutex profile fraction", + }) + } +} + +// Run is the entry point for all server-running code. It takes care of command line arguments processing, +// logging initialization, directives setup, configuration reading. After all that, it +// calls moduleMain to initialize and run modules. +func Run(c *cli.Context) error { + certmagic.UserAgent = "maddy/" + Version + + if c.NArg() != 0 { + return cli.Exit(fmt.Sprintln("usage:", os.Args[0], "[options]"), 2) } - flag.Parse() - - if len(flag.Args()) != 0 { - fmt.Println("usage:", os.Args[0], "[options]") - return 2 - } - - if *printVersion { + if c.Bool("v") { fmt.Println("maddy", BuildInfo()) - return 0 + return nil } var err error - log.DefaultLogger.Out, err = LogOutputOption(strings.Split(*logTargets, ",")) + log.DefaultLogger.Out, err = LogOutputOption(c.StringSlice("log")) if err != nil { systemdStatusErr(err) - log.Println(err) - return 2 + return cli.Exit(err.Error(), 2) } - initDebug() + initDebug(c) os.Setenv("PATH", config.LibexecDirectory+string(filepath.ListSeparator)+os.Getenv("PATH")) - f, err := os.Open(*configPath) + f, err := os.Open(c.Path("config")) if err != nil { systemdStatusErr(err) - log.Println(err) - return 2 + return cli.Exit(err.Error(), 2) } defer f.Close() - cfg, err := parser.Read(f, *configPath) + cfg, err := parser.Read(f, c.Path("config")) if err != nil { systemdStatusErr(err) - log.Println(err) - return 2 + return cli.Exit(err.Error(), 2) } if err := moduleMain(cfg); err != nil { systemdStatusErr(err) - log.Println(err) - return 2 + return cli.Exit(err.Error(), 1) } - return 0 + return nil } -func initDebug() { +func initDebug(c *cli.Context) { if !enableDebugFlags { return } - if *profileEndpoint != "" { + if c.IsSet("debug.pprof") { + profileEndpoint := c.String("debug.pprof") go func() { - log.Println("listening on", "http://"+*profileEndpoint, "for profiler requests") - log.Println("failed to listen on profiler endpoint:", http.ListenAndServe(*profileEndpoint, nil)) + log.Println("listening on", "http://"+profileEndpoint, "for profiler requests") + log.Println("failed to listen on profiler endpoint:", http.ListenAndServe(profileEndpoint, nil)) }() } // These values can also be affected by environment so set them // only if argument is specified. - if *mutexProfileFract != 0 { - runtime.SetMutexProfileFraction(*mutexProfileFract) + if c.IsSet("debug.mutexproffract") { + runtime.SetMutexProfileFraction(c.Int("debug.mutexproffract")) } - if *blockProfileRate != 0 { - runtime.SetBlockProfileRate(*blockProfileRate) + if c.IsSet("debug.blockprofrate") { + runtime.SetBlockProfileRate(c.Int("debug.blockprofrate")) } } diff --git a/tests/cover_test.go b/tests/cover_test.go index 1c9b5a7..b43d2d9 100644 --- a/tests/cover_test.go +++ b/tests/cover_test.go @@ -36,15 +36,16 @@ https://github.com/albertito/chasquid/blob/master/coverage_test.go */ import ( + "flag" "os" "testing" "github.com/foxcpp/maddy" + "github.com/urfave/cli/v2" ) func TestMain(m *testing.M) { - // -test.* flags are registered somewhere in init() in "testing" (?) - // so calling flag.Parse() in maddy.Run() catches them up. + // -test.* flags are registered somewhere in init() in "testing" (?). // maddy.Run changes the working directory, we need to change it back so // -test.coverprofile writes out profile in the right location. @@ -53,7 +54,16 @@ func TestMain(m *testing.M) { panic(err) } - code := maddy.Run() + flag.Parse() + + app := cli.NewApp() + // maddycli wrapper registers all necessary flags with flag.CommandLine by default + ctx := cli.NewContext(app, flag.CommandLine, nil) + err = maddy.Run(ctx) + code := 0 + if ec, ok := err.(cli.ExitCoder); ok { + code = ec.ExitCode() + } if err := os.Chdir(wd); err != nil { panic(err) From 1eb053e68d0bead7263f9ec2d294948f2fc26d39 Mon Sep 17 00:00:00 2001 From: delthas Date: Mon, 10 Jan 2022 18:16:04 +0100 Subject: [PATCH 15/41] docs: Fix trivial typo in target.smtp example --- docs/reference/targets/smtp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/targets/smtp.md b/docs/reference/targets/smtp.md index 6d4ca8b..a7dec17 100644 --- a/docs/reference/targets/smtp.md +++ b/docs/reference/targets/smtp.md @@ -25,7 +25,7 @@ target.smtp { ... } attempt_starttls yes - require_yes no + require_tls no auth off targets tcp://127.0.0.1:2525 connect_timeout 5m From eef54139b14a45bf5112da585de7a2aed9704b54 Mon Sep 17 00:00:00 2001 From: angelnu Date: Thu, 27 Jan 2022 22:25:27 +0000 Subject: [PATCH 16/41] 1-n recipent --- framework/module/modifier.go | 6 +- internal/modify/dkim/dkim.go | 4 +- internal/modify/group.go | 17 ++-- internal/modify/replace_addr.go | 55 +++++++----- internal/msgpipeline/msgpipeline.go | 126 +++++++++++++++------------- 5 files changed, 118 insertions(+), 90 deletions(-) diff --git a/framework/module/modifier.go b/framework/module/modifier.go index f4e5561..2a5b10f 100644 --- a/framework/module/modifier.go +++ b/framework/module/modifier.go @@ -63,12 +63,12 @@ type ModifierState interface { RewriteSender(ctx context.Context, mailFrom string) (string, error) // RewriteRcpt replaces RCPT TO value. - // If no changed are required, this method returns its argument, otherwise - // it returns a new value. + // If no changed are required, this method returns its argument as slice, + // otherwise it returns a slice with 1 or more new values. // // MsgPipeline will take of populating MsgMeta.OriginalRcpts. RewriteRcpt // doesn't do it. - RewriteRcpt(ctx context.Context, rcptTo string) (string, error) + RewriteRcpt(ctx context.Context, rcptTo string) ([]string, error) // RewriteBody modifies passed Header argument and may optionally // inspect the passed body buffer to make a decision on new header field values. diff --git a/internal/modify/dkim/dkim.go b/internal/modify/dkim/dkim.go index edf1ad6..4623398 100644 --- a/internal/modify/dkim/dkim.go +++ b/internal/modify/dkim/dkim.go @@ -283,8 +283,8 @@ func (s *state) RewriteSender(ctx context.Context, mailFrom string) (string, err return mailFrom, nil } -func (s state) RewriteRcpt(ctx context.Context, rcptTo string) (string, error) { - return rcptTo, nil +func (s state) RewriteRcpt(ctx context.Context, rcptTo string) ([]string, error) { + return []string{rcptTo}, nil } func (s *state) RewriteBody(ctx context.Context, h *textproto.Header, body buffer.Buffer) error { diff --git a/internal/modify/group.go b/internal/modify/group.go index 11439bc..440c0bf 100644 --- a/internal/modify/group.go +++ b/internal/modify/group.go @@ -91,15 +91,22 @@ func (gs groupState) RewriteSender(ctx context.Context, mailFrom string) (string return mailFrom, nil } -func (gs groupState) RewriteRcpt(ctx context.Context, rcptTo string) (string, error) { +func (gs groupState) RewriteRcpt(ctx context.Context, rcptTo string) ([]string, error) { var err error + var result = []string{rcptTo} for _, state := range gs.states { - rcptTo, err = state.RewriteRcpt(ctx, rcptTo) - if err != nil { - return "", err + var intermediate_result = []string{} + for _, part_result := range result { + var part_result_multi []string + part_result_multi, err = state.RewriteRcpt(ctx, part_result) + if err != nil { + return []string{""}, err + } + intermediate_result = append(intermediate_result, part_result_multi...) } + result = intermediate_result } - return rcptTo, nil + return result, nil } func (gs groupState) RewriteBody(ctx context.Context, h *textproto.Header, body buffer.Buffer) error { diff --git a/internal/modify/replace_addr.go b/internal/modify/replace_addr.go index 2f975ac..efbcd85 100644 --- a/internal/modify/replace_addr.go +++ b/internal/modify/replace_addr.go @@ -43,7 +43,7 @@ type replaceAddr struct { replaceSender bool replaceRcpt bool - table module.Table + table module.MultiTable } func NewReplaceAddr(modName, instName string, _, inlineArgs []string) (module.Module, error) { @@ -76,16 +76,20 @@ func (r replaceAddr) ModStateForMsg(ctx context.Context, msgMeta *module.MsgMeta func (r replaceAddr) RewriteSender(ctx context.Context, mailFrom string) (string, error) { if r.replaceSender { - return r.rewrite(ctx, mailFrom) + results, err := r.rewrite(ctx, mailFrom) + if err != nil { + return mailFrom, err + } + mailFrom = results [0] } return mailFrom, nil } -func (r replaceAddr) RewriteRcpt(ctx context.Context, rcptTo string) (string, error) { +func (r replaceAddr) RewriteRcpt(ctx context.Context, rcptTo string) ([]string, error) { if r.replaceRcpt { return r.rewrite(ctx, rcptTo) } - return rcptTo, nil + return []string{rcptTo}, nil } func (r replaceAddr) RewriteBody(ctx context.Context, h *textproto.Header, body buffer.Buffer) error { @@ -96,47 +100,54 @@ func (r replaceAddr) Close() error { return nil } -func (r replaceAddr) rewrite(ctx context.Context, val string) (string, error) { +func (r replaceAddr) rewrite(ctx context.Context, val string) ([]string, error) { normAddr, err := address.ForLookup(val) if err != nil { - return val, fmt.Errorf("malformed address: %v", err) + return []string{val}, fmt.Errorf("malformed address: %v", err) } - replacement, ok, err := r.table.Lookup(ctx, normAddr) + replacements, err := r.table.LookupMulti(ctx, normAddr) if err != nil { - return val, err + return []string{val}, err } - if ok { - if !address.Valid(replacement) { - return "", fmt.Errorf("refusing to replace recipient with the invalid address %s", replacement) + if len(replacements) > 0 { + for _, replacement := range replacements { + if !address.Valid(replacement) { + return []string{""}, fmt.Errorf("refusing to replace recipient with the invalid address %s", replacement) + } } - return replacement, nil + return replacements, nil } mbox, domain, err := address.Split(normAddr) if err != nil { // If we have malformed address here, something is really wrong, but let's // ignore it silently then anyway. - return val, nil + return []string{val}, nil } // mbox is already normalized, since it is a part of address.ForLookup // result. - replacement, ok, err = r.table.Lookup(ctx, mbox) + replacements, err = r.table.LookupMulti(ctx, mbox) if err != nil { - return val, err + return []string{val}, err } - if ok { - if strings.Contains(replacement, "@") && !strings.HasPrefix(replacement, `"`) && !strings.HasSuffix(replacement, `"`) { - if !address.Valid(replacement) { - return "", fmt.Errorf("refusing to replace recipient with invalid address %s", replacement) + if len(replacements) > 0 { + var results = make([]string, len(replacements)) + for i, replacement := range replacements { + if strings.Contains(replacement, "@") && !strings.HasPrefix(replacement, `"`) && !strings.HasSuffix(replacement, `"`) { + if !address.Valid(replacement) { + return []string{""}, fmt.Errorf("refusing to replace recipient with invalid address %s", replacement) + } + results[i] = replacement + } else { + results[i] = replacement + "@" + domain } - return replacement, nil } - return replacement + "@" + domain, nil + return results, nil } - return val, nil + return []string{val}, nil } func init() { diff --git a/internal/msgpipeline/msgpipeline.go b/internal/msgpipeline/msgpipeline.go index 9c589ab..3a54706 100644 --- a/internal/msgpipeline/msgpipeline.go +++ b/internal/msgpipeline/msgpipeline.go @@ -292,75 +292,85 @@ func (dd *msgpipelineDelivery) AddRcpt(ctx context.Context, to string) error { return err } dd.log.Debugln("global rcpt modifiers:", to, "=>", newTo) - to = newTo - newTo, err = dd.sourceModifiersState.RewriteRcpt(ctx, to) - if err != nil { - return err + resultTo := newTo + newTo = []string{} + + for _, to = range resultTo { + var tempTo []string + tempTo, err = dd.sourceModifiersState.RewriteRcpt(ctx, to) + if err != nil { + return err + } + newTo = append(newTo, tempTo...) } dd.log.Debugln("per-source rcpt modifiers:", to, "=>", newTo) - to = newTo + resultTo = newTo - wrapErr := func(err error) error { - return exterrors.WithFields(err, map[string]interface{}{ - "effective_rcpt": to, - }) - } - - rcptBlock, err := dd.rcptBlockForAddr(ctx, to) - if err != nil { - return wrapErr(err) - } - - if rcptBlock.rejectErr != nil { - return wrapErr(rcptBlock.rejectErr) - } - - if err := dd.checkRunner.checkRcpt(ctx, rcptBlock.checks, to); err != nil { - return wrapErr(err) - } - - rcptModifiersState, err := dd.getRcptModifiers(ctx, rcptBlock, to) - if err != nil { - return wrapErr(err) - } - - newTo, err = rcptModifiersState.RewriteRcpt(ctx, to) - if err != nil { - rcptModifiersState.Close() - return wrapErr(err) - } - dd.log.Debugln("per-rcpt modifiers:", to, "=>", newTo) - to = newTo - - wrapErr = func(err error) error { - return exterrors.WithFields(err, map[string]interface{}{ - "effective_rcpt": to, - }) - } - - if originalTo != to { - dd.msgMeta.OriginalRcpts[to] = originalTo - } - - for _, tgt := range rcptBlock.targets { - // Do not wrap errors coming from nested pipeline target delivery since - // that pipeline itself will insert effective_rcpt field and could do - // its own rewriting - we do not want to hide it from the admin in - // error messages. - wrapErr := wrapErr - if _, ok := tgt.(*MsgPipeline); ok { - wrapErr = func(err error) error { return err } + for _, to = range resultTo { + wrapErr := func(err error) error { + return exterrors.WithFields(err, map[string]interface{}{ + "effective_rcpt": to, + }) } - delivery, err := dd.getDelivery(ctx, tgt) + rcptBlock, err := dd.rcptBlockForAddr(ctx, to) if err != nil { return wrapErr(err) } - if err := delivery.AddRcpt(ctx, to); err != nil { + if rcptBlock.rejectErr != nil { + return wrapErr(rcptBlock.rejectErr) + } + + if err := dd.checkRunner.checkRcpt(ctx, rcptBlock.checks, to); err != nil { return wrapErr(err) } - delivery.recipients = append(delivery.recipients, originalTo) + + rcptModifiersState, err := dd.getRcptModifiers(ctx, rcptBlock, to) + if err != nil { + return wrapErr(err) + } + + newTo, err = rcptModifiersState.RewriteRcpt(ctx, to) + if err != nil { + rcptModifiersState.Close() + return wrapErr(err) + } + dd.log.Debugln("per-rcpt modifiers:", to, "=>", newTo) + + for _, to = range newTo { + + wrapErr = func(err error) error { + return exterrors.WithFields(err, map[string]interface{}{ + "effective_rcpt": to, + }) + } + + if originalTo != to { + dd.msgMeta.OriginalRcpts[to] = originalTo + } + + for _, tgt := range rcptBlock.targets { + // Do not wrap errors coming from nested pipeline target delivery since + // that pipeline itself will insert effective_rcpt field and could do + // its own rewriting - we do not want to hide it from the admin in + // error messages. + wrapErr := wrapErr + if _, ok := tgt.(*MsgPipeline); ok { + wrapErr = func(err error) error { return err } + } + + delivery, err := dd.getDelivery(ctx, tgt) + if err != nil { + return wrapErr(err) + } + + if err := delivery.AddRcpt(ctx, to); err != nil { + return wrapErr(err) + } + delivery.recipients = append(delivery.recipients, originalTo) + } + } } return nil From 6690f3369db4265c8ffeb1971b6e4cd61ce3e513 Mon Sep 17 00:00:00 2001 From: angelnu Date: Thu, 27 Jan 2022 23:13:56 +0000 Subject: [PATCH 17/41] addapt testcases --- framework/module/dummy.go | 4 ++ internal/modify/replace_addr_test.go | 75 +++++++++++----------- internal/msgpipeline/bodynonatomic_test.go | 4 +- internal/msgpipeline/modifier_test.go | 54 ++++++++-------- internal/testutils/modifier.go | 10 +-- internal/testutils/multitable.go | 35 ++++++++++ 6 files changed, 112 insertions(+), 70 deletions(-) create mode 100644 internal/testutils/multitable.go diff --git a/framework/module/dummy.go b/framework/module/dummy.go index 16ed150..ec73c93 100644 --- a/framework/module/dummy.go +++ b/framework/module/dummy.go @@ -41,6 +41,10 @@ func (d *Dummy) Lookup(_ context.Context, _ string) (string, bool, error) { return "", false, nil } +func (d *Dummy) LookupMulti(_ context.Context, _ string) ([]string, error) { + return []string{""}, nil +} + func (d *Dummy) Name() string { return "dummy" } diff --git a/internal/modify/replace_addr_test.go b/internal/modify/replace_addr_test.go index 6114a57..75e5ace 100644 --- a/internal/modify/replace_addr_test.go +++ b/internal/modify/replace_addr_test.go @@ -19,6 +19,7 @@ along with this program. If not, see . package modify import ( + "reflect" "context" "testing" @@ -27,7 +28,7 @@ import ( ) func testReplaceAddr(t *testing.T, modName string) { - test := func(addr, expected string, aliases map[string]string) { + test := func(addr string, expectedMulti []string, aliases map[string][]string) { t.Helper() mod, err := NewReplaceAddr(modName, "", nil, []string{"dummy"}) @@ -38,59 +39,61 @@ func testReplaceAddr(t *testing.T, modName string) { if err := m.Init(config.NewMap(nil, config.Node{})); err != nil { t.Fatal(err) } - m.table = testutils.Table{M: aliases} + m.table = testutils.MultiTable{M: aliases} - var actual string + var actualMulti []string if modName == "modify.replace_sender" { + var actual string actual, err = m.RewriteSender(context.Background(), addr) if err != nil { t.Fatal(err) } + actualMulti = []string{actual} } if modName == "modify.replace_rcpt" { - actual, err = m.RewriteRcpt(context.Background(), addr) + actualMulti, err = m.RewriteRcpt(context.Background(), addr) if err != nil { t.Fatal(err) } } - if actual != expected { - t.Errorf("want %s, got %s", expected, actual) + if ! reflect.DeepEqual(actualMulti,expectedMulti) { + t.Errorf("want %s, got %s", expectedMulti, actualMulti) } } - test("test@example.org", "test@example.org", nil) - test("postmaster", "postmaster", nil) - test("test@example.com", "test@example.org", - map[string]string{"test@example.com": "test@example.org"}) - test(`"\"test @ test\""@example.com`, "test@example.org", - map[string]string{`"\"test @ test\""@example.com`: "test@example.org"}) - test(`test@example.com`, `"\"test @ test\""@example.org`, - map[string]string{`test@example.com`: `"\"test @ test\""@example.org`}) - test(`"\"test @ test\""@example.com`, `"\"b @ b\""@example.com`, - map[string]string{`"\"test @ test\""`: `"\"b @ b\""`}) - test("TeSt@eXAMple.com", "test@example.org", - map[string]string{"test@example.com": "test@example.org"}) - test("test@example.com", "test2@example.com", - map[string]string{"test": "test2"}) - test("test@example.com", "test2@example.org", - map[string]string{"test": "test2@example.org"}) - test("postmaster", "test2@example.org", - map[string]string{"postmaster": "test2@example.org"}) - test("TeSt@examPLE.com", "test2@example.com", - map[string]string{"test": "test2"}) - test("test@example.com", "test3@example.com", - map[string]string{ - "test@example.com": "test3@example.com", - "test": "test2", + test("test@example.org", []string{"test@example.org"}, nil) + test("postmaster", []string{"postmaster"}, nil) + test("test@example.com", []string{"test@example.org"}, + map[string][]string{"test@example.com": []string{"test@example.org"}}) + test(`"\"test @ test\""@example.com`, []string{"test@example.org"}, + map[string][]string{`"\"test @ test\""@example.com`: []string{"test@example.org"}}) + test(`test@example.com`, []string{`"\"test @ test\""@example.org`}, + map[string][]string{`test@example.com`: []string{`"\"test @ test\""@example.org`}}) + test(`"\"test @ test\""@example.com`, []string{`"\"b @ b\""@example.com`}, + map[string][]string{`"\"test @ test\""`: []string{`"\"b @ b\""`}}) + test("TeSt@eXAMple.com", []string{"test@example.org"}, + map[string][]string{"test@example.com": []string{"test@example.org"}}) + test("test@example.com", []string{"test2@example.com"}, + map[string][]string{"test": []string{"test2"}}) + test("test@example.com", []string{"test2@example.org"}, + map[string][]string{"test": []string{"test2@example.org"}}) + test("postmaster", []string{"test2@example.org"}, + map[string][]string{"postmaster": []string{"test2@example.org"}}) + test("TeSt@examPLE.com", []string{"test2@example.com"}, + map[string][]string{"test": []string{"test2"}}) + test("test@example.com", []string{"test3@example.com"}, + map[string][]string{ + "test@example.com": []string{"test3@example.com"}, + "test": []string{"test2"}, }) - test("rcpt@E\u0301.example.com", "rcpt@foo.example.com", - map[string]string{ - "rcpt@\u00E9.example.com": "rcpt@foo.example.com", + test("rcpt@E\u0301.example.com", []string{"rcpt@foo.example.com"}, + map[string][]string{ + "rcpt@\u00E9.example.com": []string{"rcpt@foo.example.com"}, }) - test("E\u0301@foo.example.com", "rcpt@foo.example.com", - map[string]string{ - "\u00E9@foo.example.com": "rcpt@foo.example.com", + test("E\u0301@foo.example.com", []string{"rcpt@foo.example.com"}, + map[string][]string{ + "\u00E9@foo.example.com": []string{"rcpt@foo.example.com"}, }) } diff --git a/internal/msgpipeline/bodynonatomic_test.go b/internal/msgpipeline/bodynonatomic_test.go index 45da7b8..c441980 100644 --- a/internal/msgpipeline/bodynonatomic_test.go +++ b/internal/msgpipeline/bodynonatomic_test.go @@ -79,8 +79,8 @@ func TestMsgPipeline_BodyNonAtomic_ModifiedRcpt(t *testing.T) { Modifiers: []module.Modifier{ testutils.Modifier{ InstName: "test_modifier", - RcptTo: map[string]string{ - "tester@example.org": "tester-alias@example.org", + RcptTo: map[string][]string{ + "tester@example.org": []string{"tester-alias@example.org"}, }, }, }, diff --git a/internal/msgpipeline/modifier_test.go b/internal/msgpipeline/modifier_test.go index 02dc1e5..ac3a0d7 100644 --- a/internal/msgpipeline/modifier_test.go +++ b/internal/msgpipeline/modifier_test.go @@ -234,9 +234,9 @@ func TestMsgPipeline_RcptModifier(t *testing.T) { target := testutils.Target{} mod := testutils.Modifier{ InstName: "test_modifier", - RcptTo: map[string]string{ - "rcpt1@example.com": "rcpt1-alias@example.com", - "rcpt2@example.com": "rcpt2-alias@example.com", + RcptTo: map[string][]string{ + "rcpt1@example.com": []string{"rcpt1-alias@example.com"}, + "rcpt2@example.com": []string{"rcpt2-alias@example.com"}, }, } d := MsgPipeline{ @@ -272,9 +272,9 @@ func TestMsgPipeline_RcptModifier_OriginalRcpt(t *testing.T) { target := testutils.Target{} mod := testutils.Modifier{ InstName: "test_modifier", - RcptTo: map[string]string{ - "rcpt1@example.com": "rcpt1-alias@example.com", - "rcpt2@example.com": "rcpt2-alias@example.com", + RcptTo: map[string][]string{ + "rcpt1@example.com": []string{"rcpt1-alias@example.com"}, + "rcpt2@example.com": []string{"rcpt2-alias@example.com"}, }, } d := MsgPipeline{ @@ -318,15 +318,15 @@ func TestMsgPipeline_RcptModifier_OriginalRcpt_Multiple(t *testing.T) { target := testutils.Target{} mod1, mod2 := testutils.Modifier{ InstName: "first_modifier", - RcptTo: map[string]string{ - "rcpt1@example.com": "rcpt1-alias@example.com", - "rcpt2@example.com": "rcpt2-alias@example.com", + RcptTo: map[string][]string{ + "rcpt1@example.com": []string{"rcpt1-alias@example.com"}, + "rcpt2@example.com": []string{"rcpt2-alias@example.com"}, }, }, testutils.Modifier{ InstName: "second_modifier", - RcptTo: map[string]string{ - "rcpt1-alias@example.com": "rcpt1-alias2@example.com", - "rcpt2@example.com": "wtf@example.com", + RcptTo: map[string][]string{ + "rcpt1-alias@example.com": []string{"rcpt1-alias2@example.com"}, + "rcpt2@example.com": []string{"wtf@example.com"}, }, } d := MsgPipeline{ @@ -373,15 +373,15 @@ func TestMsgPipeline_RcptModifier_Multiple(t *testing.T) { target := testutils.Target{} mod1, mod2 := testutils.Modifier{ InstName: "first_modifier", - RcptTo: map[string]string{ - "rcpt1@example.com": "rcpt1-alias@example.com", - "rcpt2@example.com": "rcpt2-alias@example.com", + RcptTo: map[string][]string{ + "rcpt1@example.com": []string{"rcpt1-alias@example.com"}, + "rcpt2@example.com": []string{"rcpt2-alias@example.com"}, }, }, testutils.Modifier{ InstName: "second_modifier", - RcptTo: map[string]string{ - "rcpt1-alias@example.com": "rcpt1-alias2@example.com", - "rcpt2@example.com": "wtf@example.com", + RcptTo: map[string][]string{ + "rcpt1-alias@example.com": []string{"rcpt1-alias2@example.com"}, + "rcpt2@example.com": []string{"wtf@example.com"}, }, } d := MsgPipeline{ @@ -417,15 +417,15 @@ func TestMsgPipeline_RcptModifier_PreDispatch(t *testing.T) { target := testutils.Target{} mod1, mod2 := testutils.Modifier{ InstName: "first_modifier", - RcptTo: map[string]string{ - "rcpt1@example.com": "rcpt1-alias@example.com", - "rcpt2@example.com": "rcpt2-alias@example.com", + RcptTo: map[string][]string{ + "rcpt1@example.com": []string{"rcpt1-alias@example.com"}, + "rcpt2@example.com": []string{"rcpt2-alias@example.com"}, }, }, testutils.Modifier{ InstName: "second_modifier", - RcptTo: map[string]string{ - "rcpt1-alias@example.com": "rcpt1-alias2@example.com", - "rcpt2@example.com": "wtf@example.com", + RcptTo: map[string][]string{ + "rcpt1-alias@example.com": []string{"rcpt1-alias2@example.com"}, + "rcpt2@example.com": []string{"wtf@example.com"}, }, } d := MsgPipeline{ @@ -469,9 +469,9 @@ func TestMsgPipeline_RcptModifier_PostDispatch(t *testing.T) { target := testutils.Target{} mod := testutils.Modifier{ InstName: "test_modifier", - RcptTo: map[string]string{ - "rcpt1@example.com": "rcpt1@example.org", - "rcpt2@example.com": "rcpt2@example.org", + RcptTo: map[string][]string{ + "rcpt1@example.com": []string{"rcpt1@example.org"}, + "rcpt2@example.com": []string{"rcpt2@example.org"}, }, } d := MsgPipeline{ diff --git a/internal/testutils/modifier.go b/internal/testutils/modifier.go index bd13922..a96cbe4 100644 --- a/internal/testutils/modifier.go +++ b/internal/testutils/modifier.go @@ -36,7 +36,7 @@ type Modifier struct { BodyErr error MailFrom map[string]string - RcptTo map[string]string + RcptTo map[string][]string AddHdr textproto.Header UnclosedStates int @@ -82,20 +82,20 @@ func (ms modifierState) RewriteSender(ctx context.Context, mailFrom string) (str return mailFrom, nil } -func (ms modifierState) RewriteRcpt(ctx context.Context, rcptTo string) (string, error) { +func (ms modifierState) RewriteRcpt(ctx context.Context, rcptTo string) ([]string, error) { if ms.m.RcptToErr != nil { - return "", ms.m.RcptToErr + return []string{""}, ms.m.RcptToErr } if ms.m.RcptTo == nil { - return rcptTo, nil + return []string{rcptTo}, nil } newRcptTo, ok := ms.m.RcptTo[rcptTo] if ok { return newRcptTo, nil } - return rcptTo, nil + return []string{rcptTo}, nil } func (ms modifierState) RewriteBody(ctx context.Context, h *textproto.Header, body buffer.Buffer) error { diff --git a/internal/testutils/multitable.go b/internal/testutils/multitable.go new file mode 100644 index 0000000..9b84abe --- /dev/null +++ b/internal/testutils/multitable.go @@ -0,0 +1,35 @@ +/* +Maddy Mail Server - Composable all-in-one email server. +Copyright © 2019-2020 Max Mazurov , Maddy Mail Server contributors + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +package testutils + +import "context" + +type MultiTable struct { + M map[string][]string + Err error +} + +func (m MultiTable) LookupMulti(_ context.Context, a string) ([]string, error) { + b, ok := m.M[a] + if ok { + return b, m.Err + } else { + return []string{}, m.Err + } +} From f44b57351fb8c1851d8ae23c411f578e1cf51866 Mon Sep 17 00:00:00 2001 From: angelnu Date: Thu, 27 Jan 2022 23:35:59 +0000 Subject: [PATCH 18/41] add LookupMulti to table.static --- internal/table/static.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/internal/table/static.go b/internal/table/static.go index d3b293d..e55ffd5 100644 --- a/internal/table/static.go +++ b/internal/table/static.go @@ -68,6 +68,10 @@ func (s *Static) Lookup(ctx context.Context, key string) (string, bool, error) { return val[0], true, nil } +func (s *Static) LookupMulti(ctx context.Context, key string) ([]string, error) { + return s.m[key], nil +} + func init() { module.Register("table.static", NewStatic) } From c8d4ee8047be8421ca36e75ead449d2da3526bca Mon Sep 17 00:00:00 2001 From: angelnu Date: Fri, 28 Jan 2022 00:28:47 +0000 Subject: [PATCH 19/41] Add documentation --- docs/man/maddy-filters.5.scd | 14 +++++++++++--- docs/man/maddy-tables.5.scd | 4 +--- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/docs/man/maddy-filters.5.scd b/docs/man/maddy-filters.5.scd index 6fc4363..0439a6d 100644 --- a/docs/man/maddy-filters.5.scd +++ b/docs/man/maddy-filters.5.scd @@ -560,9 +560,8 @@ multiple times). # Envelope sender / recipient rewriting (modify.replace_sender, modify.replace_rcpt) 'replace_sender' and 'replace_rcpt' modules replace SMTP envelope addresses -based on the mapping defined by the table module (maddy-tables(5)). Currently, -only 1:1 mappings are supported (that is, it is not possible to specify -multiple replacements for a single address). +based on the mapping defined by the table module (maddy-tables(5)). It is possible +to specify 1:N mappings. This allows, for example, implementing mailing lists. The address is normalized before lookup (Punycode in domain-part is decoded, Unicode is normalized to NFC, the whole string is case-folded). @@ -592,8 +591,10 @@ modify { replace_rcpt file /etc/maddy/aliases replace_rcpt static { entry a@example.org b@example.org + entry c@example.org c1@example.org c2@example.org } replace_rcpt regexp "(.+)@example.net" "$1@example.org" + replace_rcpt regexp "(.+)@example.net" "$1@example.org" "$1@example.com" } ``` @@ -606,6 +607,13 @@ cat: dog # Replace cat@example.org with cat@example.com. # Takes priority over the previous line. cat@example.org: cat@example.com + +# Replace with multiple aliases +cat: dog +cat: mouse + +cat@example.org: cat@example.com +cat@example.org: cat@example.net ``` # System command filter (check.command) diff --git a/docs/man/maddy-tables.5.scd b/docs/man/maddy-tables.5.scd index 19a27e0..330e17d 100644 --- a/docs/man/maddy-tables.5.scd +++ b/docs/man/maddy-tables.5.scd @@ -58,9 +58,7 @@ aaa: bbb aaa # If the same key is used multiple times - table.file will return -# multiple values when queries. Note that this is not used by -# most modules. E.g. replace_rcpt does not (intentionally) support -# 1-to-N alias expansion. +# multiple values when queries. ddd: firstvalue ddd: secondvalue ``` From 639f1a609d3e30d326df1870423c9535c3fe338a Mon Sep 17 00:00:00 2001 From: angelnu Date: Fri, 28 Jan 2022 02:08:37 +0000 Subject: [PATCH 20/41] add test for 1-N --- docs/man/maddy-filters.5.scd | 14 ++++++--- internal/modify/replace_addr_test.go | 9 ++++++ internal/msgpipeline/msgpipeline_test.go | 39 ++++++++++++++++++++++++ internal/table/file.go | 6 ++-- internal/table/file_test.go | 3 +- 5 files changed, 63 insertions(+), 8 deletions(-) diff --git a/docs/man/maddy-filters.5.scd b/docs/man/maddy-filters.5.scd index 0439a6d..d1258f5 100644 --- a/docs/man/maddy-filters.5.scd +++ b/docs/man/maddy-filters.5.scd @@ -608,12 +608,16 @@ cat: dog # Takes priority over the previous line. cat@example.org: cat@example.com -# Replace with multiple aliases -cat: dog -cat: mouse +# Using aliases in multiple lines +cat2: dog +cat2: mouse -cat@example.org: cat@example.com -cat@example.org: cat@example.net +cat2@example.org: cat@example.com +cat2@example.org: cat@example.net + +# Comma-separated aliases in multiple lines +cat3: dog , mouse +cat3@example.org: cat@example.com , cat@example.net ``` # System command filter (check.command) diff --git a/internal/modify/replace_addr_test.go b/internal/modify/replace_addr_test.go index 75e5ace..7d632bc 100644 --- a/internal/modify/replace_addr_test.go +++ b/internal/modify/replace_addr_test.go @@ -95,6 +95,15 @@ func testReplaceAddr(t *testing.T, modName string) { map[string][]string{ "\u00E9@foo.example.com": []string{"rcpt@foo.example.com"}, }) + + if modName == "modify.replace_rcpt" { + //multiple aliases + test("test@example.com", []string{"test@example.org", "test@example.net"}, + map[string][]string{"test@example.com": []string{"test@example.org", "test@example.net"}}) + test("test@example.com", []string{"1@example.com", "2@example.com", "3@example.com"}, + map[string][]string{"test@example.com": []string{"1@example.com", "2@example.com", "3@example.com"}}) + } + } func TestReplaceAddr_RewriteSender(t *testing.T) { diff --git a/internal/msgpipeline/msgpipeline_test.go b/internal/msgpipeline/msgpipeline_test.go index 212a7ef..77b3fdb 100644 --- a/internal/msgpipeline/msgpipeline_test.go +++ b/internal/msgpipeline/msgpipeline_test.go @@ -27,6 +27,7 @@ import ( "github.com/foxcpp/maddy/framework/buffer" "github.com/foxcpp/maddy/framework/module" "github.com/foxcpp/maddy/internal/testutils" + "github.com/foxcpp/maddy/internal/modify" ) func TestMsgPipeline_AllToTarget(t *testing.T) { @@ -659,3 +660,41 @@ func TestMsgPipeline_TwoRcptToOneTarget(t *testing.T) { } testutils.CheckTestMessage(t, &target, 0, "sender@example.com", []string{"recipient@example.com", "recipient@example.org"}) } + +func TestMsgPipeline_multi_alias(t *testing.T) { + target := testutils.Target{} + mod := testutils.Modifier{ + RcptTo: map[string][]string { + "recipient@example.com": []string{ + "recipient-1@example.org", + "recipient-2@example.net", + }, + }, + } + d := MsgPipeline{ + msgpipelineCfg: msgpipelineCfg{ + perSource: map[string]sourceBlock{}, + defaultSource: sourceBlock{ + modifiers: modify.Group { + Modifiers: []module.Modifier {mod}, + }, + perRcpt: map[string]*rcptBlock{ + "example.org": { + targets: []module.DeliveryTarget{&target}, + }, + "example.net": { + targets: []module.DeliveryTarget{&target}, + }, + }, + }, + }, + Log: testutils.Logger(t, "msgpipeline"), + } + + testutils.DoTestDelivery(t, &d, "sender@example.com", []string{"recipient@example.com"}) + + if len(target.Messages) != 1 { + t.Fatalf("wrong amount of messages received for target, want %d, got %d", 1, len(target.Messages)) + } + testutils.CheckTestMessage(t, &target, 0, "sender@example.com", []string{"recipient-1@example.org", "recipient-2@example.net"}) +} diff --git a/internal/table/file.go b/internal/table/file.go index aec8930..87c481d 100644 --- a/internal/table/file.go +++ b/internal/table/file.go @@ -203,9 +203,11 @@ func readFile(path string, out map[string][]string) error { if len(from) == 0 { return parseErr("empty address before colon") } - to := strings.TrimSpace(parts[1]) - out[from] = append(out[from], to) + for _, to := range strings.Split(parts[1], ",") { + to := strings.TrimSpace(to) + out[from] = append(out[from], to) + } } return scnr.Err() } diff --git a/internal/table/file_test.go b/internal/table/file_test.go index 6d22c85..18bf65d 100644 --- a/internal/table/file_test.go +++ b/internal/table/file_test.go @@ -66,7 +66,8 @@ func TestReadFile(t *testing.T) { test(`"a @ a"@example.org: b@example.com`, map[string][]string{`"a @ a"@example.org`: {"b@example.com"}}) test(`a@example.org: "b @ b"@example.com`, map[string][]string{`a@example.org`: {`"b @ b"@example.com`}}) test(`"a @ a": "b @ b"`, map[string][]string{`"a @ a"`: {`"b @ b"`}}) - test("a: b, c", map[string][]string{"a": {"b, c"}}) + test("a: b, c", map[string][]string{"a": {"b", "c"}}) + test("a: b\na: c", map[string][]string{"a": {"b", "c"}}) test(": b", nil) test(":", nil) test("aaa", map[string][]string{"aaa": {""}}) From cbcbfa74e5e478c3e33fd0cf8b2f313cce6f80bc Mon Sep 17 00:00:00 2001 From: angelnu Date: Fri, 28 Jan 2022 02:13:08 +0000 Subject: [PATCH 21/41] improve test --- internal/msgpipeline/msgpipeline_test.go | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/internal/msgpipeline/msgpipeline_test.go b/internal/msgpipeline/msgpipeline_test.go index 77b3fdb..0afb7fb 100644 --- a/internal/msgpipeline/msgpipeline_test.go +++ b/internal/msgpipeline/msgpipeline_test.go @@ -662,7 +662,8 @@ func TestMsgPipeline_TwoRcptToOneTarget(t *testing.T) { } func TestMsgPipeline_multi_alias(t *testing.T) { - target := testutils.Target{} + target_1 := testutils.Target{} + target_2 := testutils.Target{} mod := testutils.Modifier{ RcptTo: map[string][]string { "recipient@example.com": []string{ @@ -680,10 +681,10 @@ func TestMsgPipeline_multi_alias(t *testing.T) { }, perRcpt: map[string]*rcptBlock{ "example.org": { - targets: []module.DeliveryTarget{&target}, + targets: []module.DeliveryTarget{&target_1}, }, "example.net": { - targets: []module.DeliveryTarget{&target}, + targets: []module.DeliveryTarget{&target_2}, }, }, }, @@ -693,8 +694,12 @@ func TestMsgPipeline_multi_alias(t *testing.T) { testutils.DoTestDelivery(t, &d, "sender@example.com", []string{"recipient@example.com"}) - if len(target.Messages) != 1 { - t.Fatalf("wrong amount of messages received for target, want %d, got %d", 1, len(target.Messages)) + if len(target_1.Messages) != 1 { + t.Fatalf("wrong amount of messages received for target, want %d, got %d", 1, len(target_1.Messages)) } - testutils.CheckTestMessage(t, &target, 0, "sender@example.com", []string{"recipient-1@example.org", "recipient-2@example.net"}) + if len(target_2.Messages) != 1 { + t.Fatalf("wrong amount of messages received for target, want %d, got %d", 1, len(target_2.Messages)) + } + testutils.CheckTestMessage(t, &target_1, 0, "sender@example.com", []string{"recipient-1@example.org"}) + testutils.CheckTestMessage(t, &target_2, 0, "sender@example.com", []string{"recipient-2@example.net"}) } From 7bea1fb6ff40115d96eaf02a2b215fb858f02ac2 Mon Sep 17 00:00:00 2001 From: angelnu Date: Fri, 28 Jan 2022 02:22:46 +0000 Subject: [PATCH 22/41] Date: Sun, 30 Jan 2022 03:30:46 +0000 Subject: [PATCH 23/41] extend to multi --- internal/table/chain.go | 55 ++++++++++++++++++++++++++++++---------- internal/table/regexp.go | 39 ++++++++++++++++++---------- 2 files changed, 68 insertions(+), 26 deletions(-) diff --git a/internal/table/chain.go b/internal/table/chain.go index 371aab9..6c2b2f8 100644 --- a/internal/table/chain.go +++ b/internal/table/chain.go @@ -78,20 +78,49 @@ func (s *Chain) InstanceName() string { } func (s *Chain) Lookup(ctx context.Context, key string) (string, bool, error) { - for i, step := range s.chain { - val, ok, err := step.Lookup(ctx, key) - if err != nil { - return "", false, err - } - if !ok { - if s.optional[i] { - continue - } - return "", false, nil - } - key = val + newVal, err := s.LookupMulti(ctx, key) + if err != nil { + return "", false, err } - return key, true, nil + if len(newVal) == 0 { + return "", false, nil + } + + return newVal[0], true, nil +} + +func (s *Chain) LookupMulti(ctx context.Context, key string) ([]string, error) { + result := []string{key} + STEP: + for i, step := range s.chain { + new_result := []string{} + for _, key = range result { + if step_multi, ok := step.(module.MultiTable); ok { + val, err := step_multi.LookupMulti(ctx, key) + if err != nil { + return []string{}, err + } + if len(val) == 0 { + continue STEP + } + new_result = append(new_result, val...) + } else { + val, ok, err := step.Lookup(ctx, key) + if err != nil { + return []string{}, err + } + if !ok { + if s.optional[i] { + continue STEP + } + return []string{}, nil + } + new_result = append(new_result, val) + } + } + result = new_result + } + return result, nil } func init() { diff --git a/internal/table/regexp.go b/internal/table/regexp.go index 5136c7d..644f6c7 100644 --- a/internal/table/regexp.go +++ b/internal/table/regexp.go @@ -33,8 +33,8 @@ type Regexp struct { instName string inlineArgs []string - re *regexp.Regexp - replacement string + re *regexp.Regexp + replacements []string expandPlaceholders bool } @@ -59,12 +59,9 @@ func (r *Regexp) Init(cfg *config.Map) error { return err } - if len(r.inlineArgs) > 2 { - return fmt.Errorf("%s: at most two arguments accepted", r.modName) - } regex := r.inlineArgs[0] - if len(r.inlineArgs) == 2 { - r.replacement = r.inlineArgs[1] + if len(r.inlineArgs) > 1 { + r.replacements = r.inlineArgs[1:] } if fullMatch { @@ -96,17 +93,33 @@ func (r *Regexp) InstanceName() string { return r.modName } -func (r *Regexp) Lookup(_ context.Context, key string) (string, bool, error) { +func (r *Regexp) LookupMulti(_ context.Context, key string) ([]string, error) { matches := r.re.FindStringSubmatchIndex(key) if matches == nil { + return []string{}, nil + } + + result := []string{} + for _,replacement := range r.replacements{ + if !r.expandPlaceholders { + result = append(result, replacement) + } else { + result = append(result, string(r.re.ExpandString([]byte{}, replacement, key, matches))) + } + } + return result, nil +} + +func (r *Regexp) Lookup(ctx context.Context, key string) (string, bool, error) { + newVal, err := r.LookupMulti(ctx, key) + if err != nil { + return "", false, err + } + if len(newVal) == 0 { return "", false, nil } - if !r.expandPlaceholders { - return r.replacement, true, nil - } - - return string(r.re.ExpandString([]byte{}, r.replacement, key, matches)), true, nil + return newVal[0], true, nil } func init() { From cd45490c166f192c578cd239c86715c4de7ac307 Mon Sep 17 00:00:00 2001 From: angelnu Date: Sun, 30 Jan 2022 03:31:07 +0000 Subject: [PATCH 24/41] support for multi --- internal/authz/lookup.go | 44 ++++++++++--------- .../authorize_sender/authorize_sender.go | 14 ++++-- 2 files changed, 34 insertions(+), 24 deletions(-) diff --git a/internal/authz/lookup.go b/internal/authz/lookup.go index 503244e..5549b3a 100644 --- a/internal/authz/lookup.go +++ b/internal/authz/lookup.go @@ -8,31 +8,33 @@ import ( "github.com/foxcpp/maddy/framework/module" ) -func AuthorizeEmailUse(ctx context.Context, username, addr string, mapping module.Table) (bool, error) { - _, domain, err := address.Split(addr) - if err != nil { - return false, fmt.Errorf("authz: %w", err) - } - - var validEmails []string - if multi, ok := mapping.(module.MultiTable); ok { - validEmails, err = multi.LookupMulti(ctx, username) +func AuthorizeEmailUse(ctx context.Context, username string, addrs []string, mapping module.Table) (bool, error) { + for _, addr := range addrs { + _, domain, err := address.Split(addr) if err != nil { return false, fmt.Errorf("authz: %w", err) } - } else { - validEmail, ok, err := mapping.Lookup(ctx, username) - if err != nil { - return false, fmt.Errorf("authz: %w", err) - } - if ok { - validEmails = []string{validEmail} - } - } - for _, ent := range validEmails { - if ent == domain || ent == "*" || ent == addr { - return true, nil + var validEmails []string + if multi, ok := mapping.(module.MultiTable); ok { + validEmails, err = multi.LookupMulti(ctx, username) + if err != nil { + return false, fmt.Errorf("authz: %w", err) + } + } else { + validEmail, ok, err := mapping.Lookup(ctx, username) + if err != nil { + return false, fmt.Errorf("authz: %w", err) + } + if ok { + validEmails = []string{validEmail} + } + } + + for _, ent := range validEmails { + if ent == domain || ent == "*" || ent == addr { + return true, nil + } } } diff --git a/internal/check/authorize_sender/authorize_sender.go b/internal/check/authorize_sender/authorize_sender.go index aa1c01e..d98bf2d 100644 --- a/internal/check/authorize_sender/authorize_sender.go +++ b/internal/check/authorize_sender/authorize_sender.go @@ -162,9 +162,17 @@ func (s *state) authzSender(ctx context.Context, authName, email string) module. }}) } + var preparedEmail []string + var ok bool s.log.DebugMsg("normalized names", "from", fromEmailNorm, "auth", authNameNorm) - - preparedEmail, ok, err := s.c.emailPrepare.Lookup(ctx, fromEmailNorm) + if emailPrepare_multi, isMulti := s.c.emailPrepare.(module.MultiTable); isMulti { + preparedEmail, err = emailPrepare_multi.LookupMulti(ctx, fromEmailNorm) + ok = len(preparedEmail) > 0 + } else { + var preparedEmail_single string + preparedEmail_single, ok, err = s.c.emailPrepare.Lookup(ctx, fromEmailNorm) + preparedEmail = []string{preparedEmail_single} + } if err != nil { return s.c.errAction.Apply(module.CheckResult{ Reason: &exterrors.SMTPError{ @@ -176,7 +184,7 @@ func (s *state) authzSender(ctx context.Context, authName, email string) module. }}) } if !ok { - preparedEmail = fromEmailNorm + preparedEmail = []string{fromEmailNorm} } ok, err = authz.AuthorizeEmailUse(ctx, authNameNorm, preparedEmail, s.c.userToEmail) From 9fee06b2476b69930d6b28476ac02947ee771b95 Mon Sep 17 00:00:00 2001 From: angelnu Date: Mon, 31 Jan 2022 12:21:15 +0000 Subject: [PATCH 25/41] add rcpts and address --- internal/imap_filter/command/command.go | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/internal/imap_filter/command/command.go b/internal/imap_filter/command/command.go index 730a479..d86737c 100644 --- a/internal/imap_filter/command/command.go +++ b/internal/imap_filter/command/command.go @@ -28,6 +28,7 @@ import ( "os" "os/exec" "regexp" + "strings" "github.com/emersion/go-message/textproto" "github.com/foxcpp/maddy/framework/buffer" @@ -127,15 +128,23 @@ func (c *Check) expandCommand(msgMeta *module.MsgMetadata, accountName string) ( valI, err := msgMeta.Conn.RDNSName.Get() if err != nil { return "" - } + }x if valI == nil { - return "" + return ""x } return valI.(string) case "{msg_id}": return msgMeta.ID case "{sender}": return msgMeta.OriginalFrom + case "{rcpts}": + rcpts := []string{} + for _, value := range msgMeta.OriginalRcpts { + rcpts = append(rcpts, value) + } + return strings.Join(rcpts, "\n") + case "{address}": + return msgMeta.OriginalRcpts[accountName] case "{account_name}": return accountName } From b9a99d96e57aab61ffa36d5c3ef4e4aca8a9fe6e Mon Sep 17 00:00:00 2001 From: angelnu Date: Mon, 31 Jan 2022 13:24:58 +0000 Subject: [PATCH 26/41] add docummentation --- docs/man/maddy-imap.5.scd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/man/maddy-imap.5.scd b/docs/man/maddy-imap.5.scd index e701a6e..eb06cda 100644 --- a/docs/man/maddy-imap.5.scd +++ b/docs/man/maddy-imap.5.scd @@ -96,8 +96,8 @@ command executable_name args... { } Same as check.command, following placeholders are supported for command arguments: {source_ip}, {source_host}, {source_rdns}, {msg_id}, {auth_user}, -{sender}. Note: placeholders in command name are not processed to avoid -possible command injection attacks. +{sender}, {rcpts}, {address}. Note: placeholders in command name are not +processed to avoid possible command injection attacks. Additionally, for imap.filter.command, {account_name} placeholder is replaced with effective IMAP account name. From a7941d856941179fb062857316881f849655dae2 Mon Sep 17 00:00:00 2001 From: angelnu Date: Mon, 31 Jan 2022 13:35:34 +0000 Subject: [PATCH 27/41] remove introduced characters --- internal/imap_filter/command/command.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/imap_filter/command/command.go b/internal/imap_filter/command/command.go index d86737c..2e76cb6 100644 --- a/internal/imap_filter/command/command.go +++ b/internal/imap_filter/command/command.go @@ -128,9 +128,9 @@ func (c *Check) expandCommand(msgMeta *module.MsgMetadata, accountName string) ( valI, err := msgMeta.Conn.RDNSName.Get() if err != nil { return "" - }x + } if valI == nil { - return ""x + return "" } return valI.(string) case "{msg_id}": From db569891a5dc0989bdfeea5552fe74b1f39b0f91 Mon Sep 17 00:00:00 2001 From: angelnu Date: Mon, 31 Jan 2022 21:59:27 +0000 Subject: [PATCH 28/41] go fmt --- internal/modify/replace_addr.go | 2 +- internal/modify/replace_addr_test.go | 12 ++++++------ internal/msgpipeline/msgpipeline.go | 4 ++-- internal/msgpipeline/msgpipeline_test.go | 10 +++++----- internal/table/chain.go | 4 ++-- internal/table/regexp.go | 2 +- 6 files changed, 17 insertions(+), 17 deletions(-) diff --git a/internal/modify/replace_addr.go b/internal/modify/replace_addr.go index efbcd85..50dd5df 100644 --- a/internal/modify/replace_addr.go +++ b/internal/modify/replace_addr.go @@ -80,7 +80,7 @@ func (r replaceAddr) RewriteSender(ctx context.Context, mailFrom string) (string if err != nil { return mailFrom, err } - mailFrom = results [0] + mailFrom = results[0] } return mailFrom, nil } diff --git a/internal/modify/replace_addr_test.go b/internal/modify/replace_addr_test.go index 7d632bc..fc6fd6f 100644 --- a/internal/modify/replace_addr_test.go +++ b/internal/modify/replace_addr_test.go @@ -19,8 +19,8 @@ along with this program. If not, see . package modify import ( - "reflect" "context" + "reflect" "testing" "github.com/foxcpp/maddy/framework/config" @@ -57,7 +57,7 @@ func testReplaceAddr(t *testing.T, modName string) { } } - if ! reflect.DeepEqual(actualMulti,expectedMulti) { + if !reflect.DeepEqual(actualMulti, expectedMulti) { t.Errorf("want %s, got %s", expectedMulti, actualMulti) } } @@ -95,15 +95,15 @@ func testReplaceAddr(t *testing.T, modName string) { map[string][]string{ "\u00E9@foo.example.com": []string{"rcpt@foo.example.com"}, }) - + if modName == "modify.replace_rcpt" { //multiple aliases test("test@example.com", []string{"test@example.org", "test@example.net"}, map[string][]string{"test@example.com": []string{"test@example.org", "test@example.net"}}) - test("test@example.com", []string{"1@example.com", "2@example.com", "3@example.com"}, - map[string][]string{"test@example.com": []string{"1@example.com", "2@example.com", "3@example.com"}}) + test("test@example.com", []string{"1@example.com", "2@example.com", "3@example.com"}, + map[string][]string{"test@example.com": []string{"1@example.com", "2@example.com", "3@example.com"}}) } - + } func TestReplaceAddr_RewriteSender(t *testing.T) { diff --git a/internal/msgpipeline/msgpipeline.go b/internal/msgpipeline/msgpipeline.go index 3a54706..31df782 100644 --- a/internal/msgpipeline/msgpipeline.go +++ b/internal/msgpipeline/msgpipeline.go @@ -301,7 +301,7 @@ func (dd *msgpipelineDelivery) AddRcpt(ctx context.Context, to string) error { if err != nil { return err } - newTo = append(newTo, tempTo...) + newTo = append(newTo, tempTo...) } dd.log.Debugln("per-source rcpt modifiers:", to, "=>", newTo) resultTo = newTo @@ -337,7 +337,7 @@ func (dd *msgpipelineDelivery) AddRcpt(ctx context.Context, to string) error { return wrapErr(err) } dd.log.Debugln("per-rcpt modifiers:", to, "=>", newTo) - + for _, to = range newTo { wrapErr = func(err error) error { diff --git a/internal/msgpipeline/msgpipeline_test.go b/internal/msgpipeline/msgpipeline_test.go index df58fc0..c9a4b1c 100644 --- a/internal/msgpipeline/msgpipeline_test.go +++ b/internal/msgpipeline/msgpipeline_test.go @@ -26,8 +26,8 @@ import ( "github.com/emersion/go-message/textproto" "github.com/foxcpp/maddy/framework/buffer" "github.com/foxcpp/maddy/framework/module" - "github.com/foxcpp/maddy/internal/testutils" "github.com/foxcpp/maddy/internal/modify" + "github.com/foxcpp/maddy/internal/testutils" ) func TestMsgPipeline_AllToTarget(t *testing.T) { @@ -664,7 +664,7 @@ func TestMsgPipeline_TwoRcptToOneTarget(t *testing.T) { func TestMsgPipeline_multi_alias(t *testing.T) { target1, target2 := testutils.Target{InstName: "target1"}, testutils.Target{InstName: "target2"} mod := testutils.Modifier{ - RcptTo: map[string][]string { + RcptTo: map[string][]string{ "recipient@example.com": []string{ "recipient-1@example.org", "recipient-2@example.net", @@ -674,9 +674,9 @@ func TestMsgPipeline_multi_alias(t *testing.T) { d := MsgPipeline{ msgpipelineCfg: msgpipelineCfg{ perSource: map[string]sourceBlock{}, - defaultSource: sourceBlock{ - modifiers: modify.Group { - Modifiers: []module.Modifier {mod}, + defaultSource: sourceBlock{ + modifiers: modify.Group{ + Modifiers: []module.Modifier{mod}, }, perRcpt: map[string]*rcptBlock{ "example.org": { diff --git a/internal/table/chain.go b/internal/table/chain.go index 6c2b2f8..e8fc410 100644 --- a/internal/table/chain.go +++ b/internal/table/chain.go @@ -91,7 +91,7 @@ func (s *Chain) Lookup(ctx context.Context, key string) (string, bool, error) { func (s *Chain) LookupMulti(ctx context.Context, key string) ([]string, error) { result := []string{key} - STEP: +STEP: for i, step := range s.chain { new_result := []string{} for _, key = range result { @@ -105,7 +105,7 @@ func (s *Chain) LookupMulti(ctx context.Context, key string) ([]string, error) { } new_result = append(new_result, val...) } else { - val, ok, err := step.Lookup(ctx, key) + val, ok, err := step.Lookup(ctx, key) if err != nil { return []string{}, err } diff --git a/internal/table/regexp.go b/internal/table/regexp.go index 644f6c7..069be6c 100644 --- a/internal/table/regexp.go +++ b/internal/table/regexp.go @@ -100,7 +100,7 @@ func (r *Regexp) LookupMulti(_ context.Context, key string) ([]string, error) { } result := []string{} - for _,replacement := range r.replacements{ + for _, replacement := range r.replacements { if !r.expandPlaceholders { result = append(result, replacement) } else { From 995e4e0bca2e5493e0f67b1d0cb33c9f08878b56 Mon Sep 17 00:00:00 2001 From: angelnu Date: Mon, 31 Jan 2022 22:07:20 +0000 Subject: [PATCH 29/41] review feedback --- internal/modify/group.go | 6 +++--- internal/table/chain.go | 5 ++++- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/internal/modify/group.go b/internal/modify/group.go index 440c0bf..3e3d043 100644 --- a/internal/modify/group.go +++ b/internal/modify/group.go @@ -95,16 +95,16 @@ func (gs groupState) RewriteRcpt(ctx context.Context, rcptTo string) ([]string, var err error var result = []string{rcptTo} for _, state := range gs.states { - var intermediate_result = []string{} + var intermediateResult = []string{} for _, part_result := range result { var part_result_multi []string part_result_multi, err = state.RewriteRcpt(ctx, part_result) if err != nil { return []string{""}, err } - intermediate_result = append(intermediate_result, part_result_multi...) + intermediateResult = append(intermediateResult, part_result_multi...) } - result = intermediate_result + result = intermediateResult } return result, nil } diff --git a/internal/table/chain.go b/internal/table/chain.go index e8fc410..87128cb 100644 --- a/internal/table/chain.go +++ b/internal/table/chain.go @@ -101,7 +101,10 @@ STEP: return []string{}, err } if len(val) == 0 { - continue STEP + if s.optional[i] { + continue STEP + } + return []string{}, nil } new_result = append(new_result, val...) } else { From a40fcc81d9e4b5a5c741a156e96f476afff305fe Mon Sep 17 00:00:00 2001 From: angelnu Date: Mon, 31 Jan 2022 22:54:50 +0000 Subject: [PATCH 30/41] review feedback --- docs/man/maddy-imap.5.scd | 5 +++-- framework/module/imap_filter.go | 2 +- internal/imap_filter/command/command.go | 14 ++++++++------ internal/imap_filter/group.go | 4 ++-- internal/msgpipeline/msgpipeline.go | 5 ++--- internal/storage/imapsql/delivery.go | 15 ++++++++++----- 6 files changed, 26 insertions(+), 19 deletions(-) diff --git a/docs/man/maddy-imap.5.scd b/docs/man/maddy-imap.5.scd index eb06cda..f67dc92 100644 --- a/docs/man/maddy-imap.5.scd +++ b/docs/man/maddy-imap.5.scd @@ -96,8 +96,9 @@ command executable_name args... { } Same as check.command, following placeholders are supported for command arguments: {source_ip}, {source_host}, {source_rdns}, {msg_id}, {auth_user}, -{sender}, {rcpts}, {address}. Note: placeholders in command name are not -processed to avoid possible command injection attacks. +{sender}, {rcpt_to}, {original_rcpts}, {original_rcpt_to}, {address}. Note: +placeholders in command name are not processed to avoid possible command +injection attacks. Additionally, for imap.filter.command, {account_name} placeholder is replaced with effective IMAP account name. diff --git a/framework/module/imap_filter.go b/framework/module/imap_filter.go index 01b67ba..6b0fd46 100644 --- a/framework/module/imap_filter.go +++ b/framework/module/imap_filter.go @@ -39,5 +39,5 @@ type IMAPFilter interface { // // Errors returned by IMAPFilter will be just logged and will not cause delivery // to fail. - IMAPFilter(accountName string, meta *MsgMetadata, hdr textproto.Header, body buffer.Buffer) (folder string, flags []string, err error) + IMAPFilter(accountName string, rcptTo string, meta *MsgMetadata, hdr textproto.Header, body buffer.Buffer) (folder string, flags []string, err error) } diff --git a/internal/imap_filter/command/command.go b/internal/imap_filter/command/command.go index 2e76cb6..378b4c8 100644 --- a/internal/imap_filter/command/command.go +++ b/internal/imap_filter/command/command.go @@ -49,8 +49,8 @@ type Check struct { cmdArgs []string } -func (c *Check) IMAPFilter(accountName string, msgMeta *module.MsgMetadata, hdr textproto.Header, body buffer.Buffer) (folder string, flags []string, err error) { - cmd, args := c.expandCommand(msgMeta, accountName) +func (c *Check) IMAPFilter(accountName string, rcptTo string, msgMeta *module.MsgMetadata, hdr textproto.Header, body buffer.Buffer) (folder string, flags []string, err error) { + cmd, args := c.expandCommand(msgMeta, accountName, rcptTo) var buf bytes.Buffer _ = textproto.WriteHeader(&buf, hdr) @@ -96,7 +96,7 @@ func (c *Check) Init(cfg *config.Map) error { return err } -func (c *Check) expandCommand(msgMeta *module.MsgMetadata, accountName string) (string, []string) { +func (c *Check) expandCommand(msgMeta *module.MsgMetadata, accountName string, rcptTo string) (string, []string) { expArgs := make([]string, len(c.cmdArgs)) for i, arg := range c.cmdArgs { @@ -137,14 +137,16 @@ func (c *Check) expandCommand(msgMeta *module.MsgMetadata, accountName string) ( return msgMeta.ID case "{sender}": return msgMeta.OriginalFrom - case "{rcpts}": + case "{rcpt_to}": + return rcptTo + case "{original_rcpts}": rcpts := []string{} for _, value := range msgMeta.OriginalRcpts { rcpts = append(rcpts, value) } return strings.Join(rcpts, "\n") - case "{address}": - return msgMeta.OriginalRcpts[accountName] + case "{original_rcpt_to}": + return msgMeta.OriginalRcpts[rcptTo] case "{account_name}": return accountName } diff --git a/internal/imap_filter/group.go b/internal/imap_filter/group.go index 2b18579..c1c5ecc 100644 --- a/internal/imap_filter/group.go +++ b/internal/imap_filter/group.go @@ -44,7 +44,7 @@ func NewGroup(_, instName string, _, _ []string) (module.Module, error) { }, nil } -func (g *Group) IMAPFilter(accountName string, meta *module.MsgMetadata, hdr textproto.Header, body buffer.Buffer) (folder string, flags []string, err error) { +func (g *Group) IMAPFilter(accountName string, rcptTo string, meta *module.MsgMetadata, hdr textproto.Header, body buffer.Buffer) (folder string, flags []string, err error) { if g == nil { return "", nil, nil } @@ -53,7 +53,7 @@ func (g *Group) IMAPFilter(accountName string, meta *module.MsgMetadata, hdr tex finalFlags = make([]string, 0, len(g.Filters)) ) for _, f := range g.Filters { - folder, flags, err := f.IMAPFilter(accountName, meta, hdr, body) + folder, flags, err := f.IMAPFilter(accountName, rcptTo, meta, hdr, body) if err != nil { g.log.Error("IMAP filter failed", err) continue diff --git a/internal/msgpipeline/msgpipeline.go b/internal/msgpipeline/msgpipeline.go index 9c589ab..b6877b0 100644 --- a/internal/msgpipeline/msgpipeline.go +++ b/internal/msgpipeline/msgpipeline.go @@ -338,9 +338,8 @@ func (dd *msgpipelineDelivery) AddRcpt(ctx context.Context, to string) error { }) } - if originalTo != to { - dd.msgMeta.OriginalRcpts[to] = originalTo - } + //Always setting so it can be retrieved by imap_filter + dd.msgMeta.OriginalRcpts[to] = originalTo for _, tgt := range rcptBlock.targets { // Do not wrap errors coming from nested pipeline target delivery since diff --git a/internal/storage/imapsql/delivery.go b/internal/storage/imapsql/delivery.go index d7655c0..4229803 100644 --- a/internal/storage/imapsql/delivery.go +++ b/internal/storage/imapsql/delivery.go @@ -32,13 +32,16 @@ import ( "github.com/foxcpp/maddy/internal/target" ) +type addecRcpt struct { + rcptTo string +} type delivery struct { store *Storage msgMeta *module.MsgMetadata d imapsql.Delivery mailFrom string - addedRcpts map[string]struct{} + addedRcpts map[string]addecRcpt } func (d *delivery) String() string { @@ -89,7 +92,9 @@ func (d *delivery) AddRcpt(ctx context.Context, rcptTo string) error { return err } - d.addedRcpts[accountName] = struct{}{} + d.addedRcpts[accountName] = addecRcpt{ + rcptTo: rcptTo, + } return nil } @@ -97,8 +102,8 @@ func (d *delivery) Body(ctx context.Context, header textproto.Header, body buffe defer trace.StartRegion(ctx, "sql/Body").End() if !d.msgMeta.Quarantine && d.store.filters != nil { - for rcpt := range d.addedRcpts { - folder, flags, err := d.store.filters.IMAPFilter(rcpt, d.msgMeta, header, body) + for rcpt, rcptData := range d.addedRcpts { + folder, flags, err := d.store.filters.IMAPFilter(rcpt, rcptData.rcptTo, d.msgMeta, header, body) if err != nil { d.store.Log.Error("IMAPFilter failed", err, "rcpt", rcpt) continue @@ -157,6 +162,6 @@ func (store *Storage) Start(ctx context.Context, msgMeta *module.MsgMetadata, ma msgMeta: msgMeta, mailFrom: mailFrom, d: store.Back.NewDelivery(), - addedRcpts: map[string]struct{}{}, + addedRcpts: map[string]addecRcpt{}, }, nil } From 7df6b03fe6401c151e245cf56a1f52d5678781db Mon Sep 17 00:00:00 2001 From: angelnu Date: Thu, 3 Feb 2022 22:56:30 +0000 Subject: [PATCH 31/41] use camelCase --- internal/check/authorize_sender/authorize_sender.go | 4 ++-- internal/modify/group.go | 8 ++++---- internal/table/chain.go | 8 ++++---- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/internal/check/authorize_sender/authorize_sender.go b/internal/check/authorize_sender/authorize_sender.go index d98bf2d..bd6d84e 100644 --- a/internal/check/authorize_sender/authorize_sender.go +++ b/internal/check/authorize_sender/authorize_sender.go @@ -165,8 +165,8 @@ func (s *state) authzSender(ctx context.Context, authName, email string) module. var preparedEmail []string var ok bool s.log.DebugMsg("normalized names", "from", fromEmailNorm, "auth", authNameNorm) - if emailPrepare_multi, isMulti := s.c.emailPrepare.(module.MultiTable); isMulti { - preparedEmail, err = emailPrepare_multi.LookupMulti(ctx, fromEmailNorm) + if emailPrepareMulti, isMulti := s.c.emailPrepare.(module.MultiTable); isMulti { + preparedEmail, err = emailPrepareMulti.LookupMulti(ctx, fromEmailNorm) ok = len(preparedEmail) > 0 } else { var preparedEmail_single string diff --git a/internal/modify/group.go b/internal/modify/group.go index 3e3d043..3278b0f 100644 --- a/internal/modify/group.go +++ b/internal/modify/group.go @@ -96,13 +96,13 @@ func (gs groupState) RewriteRcpt(ctx context.Context, rcptTo string) ([]string, var result = []string{rcptTo} for _, state := range gs.states { var intermediateResult = []string{} - for _, part_result := range result { - var part_result_multi []string - part_result_multi, err = state.RewriteRcpt(ctx, part_result) + for _, partResult := range result { + var partResult_multi []string + partResult_multi, err = state.RewriteRcpt(ctx, partResult) if err != nil { return []string{""}, err } - intermediateResult = append(intermediateResult, part_result_multi...) + intermediateResult = append(intermediateResult, partResult_multi...) } result = intermediateResult } diff --git a/internal/table/chain.go b/internal/table/chain.go index 87128cb..72eceba 100644 --- a/internal/table/chain.go +++ b/internal/table/chain.go @@ -93,7 +93,7 @@ func (s *Chain) LookupMulti(ctx context.Context, key string) ([]string, error) { result := []string{key} STEP: for i, step := range s.chain { - new_result := []string{} + newResult := []string{} for _, key = range result { if step_multi, ok := step.(module.MultiTable); ok { val, err := step_multi.LookupMulti(ctx, key) @@ -106,7 +106,7 @@ STEP: } return []string{}, nil } - new_result = append(new_result, val...) + newResult = append(newResult, val...) } else { val, ok, err := step.Lookup(ctx, key) if err != nil { @@ -118,10 +118,10 @@ STEP: } return []string{}, nil } - new_result = append(new_result, val) + newResult = append(newResult, val) } } - result = new_result + result = newResult } return result, nil } From d78cf5a746d04e0af1e5276664b0edff726bf6cb Mon Sep 17 00:00:00 2001 From: angelnu Date: Thu, 3 Feb 2022 23:00:28 +0000 Subject: [PATCH 32/41] fix typo --- internal/storage/imapsql/delivery.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/internal/storage/imapsql/delivery.go b/internal/storage/imapsql/delivery.go index 4229803..e64b08f 100644 --- a/internal/storage/imapsql/delivery.go +++ b/internal/storage/imapsql/delivery.go @@ -32,7 +32,7 @@ import ( "github.com/foxcpp/maddy/internal/target" ) -type addecRcpt struct { +type addedRcpt struct { rcptTo string } type delivery struct { @@ -41,7 +41,7 @@ type delivery struct { d imapsql.Delivery mailFrom string - addedRcpts map[string]addecRcpt + addedRcpts map[string]addedRcpt } func (d *delivery) String() string { @@ -92,7 +92,7 @@ func (d *delivery) AddRcpt(ctx context.Context, rcptTo string) error { return err } - d.addedRcpts[accountName] = addecRcpt{ + d.addedRcpts[accountName] = addedRcpt{ rcptTo: rcptTo, } return nil @@ -162,6 +162,6 @@ func (store *Storage) Start(ctx context.Context, msgMeta *module.MsgMetadata, ma msgMeta: msgMeta, mailFrom: mailFrom, d: store.Back.NewDelivery(), - addedRcpts: map[string]addecRcpt{}, + addedRcpts: map[string]addedRcpt{}, }, nil } From ef5ca38df497a92813dfeb5ca09b7219c58c45c6 Mon Sep 17 00:00:00 2001 From: angelnu Date: Fri, 4 Feb 2022 00:13:54 +0000 Subject: [PATCH 33/41] add additional debug log --- internal/check/authorize_sender/authorize_sender.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/check/authorize_sender/authorize_sender.go b/internal/check/authorize_sender/authorize_sender.go index bd6d84e..7b0e70a 100644 --- a/internal/check/authorize_sender/authorize_sender.go +++ b/internal/check/authorize_sender/authorize_sender.go @@ -173,6 +173,7 @@ func (s *state) authzSender(ctx context.Context, authName, email string) module. preparedEmail_single, ok, err = s.c.emailPrepare.Lookup(ctx, fromEmailNorm) preparedEmail = []string{preparedEmail_single} } + s.log.DebugMsg("authorized emails", "preparedEmail", preparedEmail, "ok", ok) if err != nil { return s.c.errAction.Apply(module.CheckResult{ Reason: &exterrors.SMTPError{ From e33c8d6f912c31f6492a54ebf91382bf7c4c1d83 Mon Sep 17 00:00:00 2001 From: angelnu Date: Sun, 6 Feb 2022 22:31:14 +0000 Subject: [PATCH 34/41] only pass true original_rcpt_to --- docs/man/maddy-imap.5.scd | 5 ++--- internal/imap_filter/command/command.go | 13 +++++-------- internal/msgpipeline/msgpipeline.go | 5 +++-- 3 files changed, 10 insertions(+), 13 deletions(-) diff --git a/docs/man/maddy-imap.5.scd b/docs/man/maddy-imap.5.scd index f67dc92..49dbf39 100644 --- a/docs/man/maddy-imap.5.scd +++ b/docs/man/maddy-imap.5.scd @@ -96,9 +96,8 @@ command executable_name args... { } Same as check.command, following placeholders are supported for command arguments: {source_ip}, {source_host}, {source_rdns}, {msg_id}, {auth_user}, -{sender}, {rcpt_to}, {original_rcpts}, {original_rcpt_to}, {address}. Note: -placeholders in command name are not processed to avoid possible command -injection attacks. +{sender}, {rcpt_to}, {original_rcpt_to}, {address}. Note: placeholders in command +name are not processed to avoid possible command injection attacks. Additionally, for imap.filter.command, {account_name} placeholder is replaced with effective IMAP account name. diff --git a/internal/imap_filter/command/command.go b/internal/imap_filter/command/command.go index 378b4c8..51495a1 100644 --- a/internal/imap_filter/command/command.go +++ b/internal/imap_filter/command/command.go @@ -28,7 +28,6 @@ import ( "os" "os/exec" "regexp" - "strings" "github.com/emersion/go-message/textproto" "github.com/foxcpp/maddy/framework/buffer" @@ -139,14 +138,12 @@ func (c *Check) expandCommand(msgMeta *module.MsgMetadata, accountName string, r return msgMeta.OriginalFrom case "{rcpt_to}": return rcptTo - case "{original_rcpts}": - rcpts := []string{} - for _, value := range msgMeta.OriginalRcpts { - rcpts = append(rcpts, value) - } - return strings.Join(rcpts, "\n") case "{original_rcpt_to}": - return msgMeta.OriginalRcpts[rcptTo] + oldestOriginalRcpt := rcptTo + for originalRcpt, ok := rcptTo, true; ok; originalRcpt, ok = msgMeta.OriginalRcpts[originalRcpt] { + oldestOriginalRcpt = originalRcpt + } + return oldestOriginalRcpt case "{account_name}": return accountName } diff --git a/internal/msgpipeline/msgpipeline.go b/internal/msgpipeline/msgpipeline.go index b6877b0..9c589ab 100644 --- a/internal/msgpipeline/msgpipeline.go +++ b/internal/msgpipeline/msgpipeline.go @@ -338,8 +338,9 @@ func (dd *msgpipelineDelivery) AddRcpt(ctx context.Context, to string) error { }) } - //Always setting so it can be retrieved by imap_filter - dd.msgMeta.OriginalRcpts[to] = originalTo + if originalTo != to { + dd.msgMeta.OriginalRcpts[to] = originalTo + } for _, tgt := range rcptBlock.targets { // Do not wrap errors coming from nested pipeline target delivery since From 7a06fa2012fa7668a3314454bae6227a2e368de4 Mon Sep 17 00:00:00 2001 From: angelnu Date: Sun, 6 Feb 2022 23:25:43 +0000 Subject: [PATCH 35/41] add subject --- docs/man/maddy-imap.5.scd | 4 ++-- internal/imap_filter/command/command.go | 6 ++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/man/maddy-imap.5.scd b/docs/man/maddy-imap.5.scd index 49dbf39..782257b 100644 --- a/docs/man/maddy-imap.5.scd +++ b/docs/man/maddy-imap.5.scd @@ -96,8 +96,8 @@ command executable_name args... { } Same as check.command, following placeholders are supported for command arguments: {source_ip}, {source_host}, {source_rdns}, {msg_id}, {auth_user}, -{sender}, {rcpt_to}, {original_rcpt_to}, {address}. Note: placeholders in command -name are not processed to avoid possible command injection attacks. +{sender}, {rcpt_to}, {original_rcpt_to}, {address}, {subject}. Note: placeholders +in command name are not processed to avoid possible command injection attacks. Additionally, for imap.filter.command, {account_name} placeholder is replaced with effective IMAP account name. diff --git a/internal/imap_filter/command/command.go b/internal/imap_filter/command/command.go index 51495a1..58146dc 100644 --- a/internal/imap_filter/command/command.go +++ b/internal/imap_filter/command/command.go @@ -49,7 +49,7 @@ type Check struct { } func (c *Check) IMAPFilter(accountName string, rcptTo string, msgMeta *module.MsgMetadata, hdr textproto.Header, body buffer.Buffer) (folder string, flags []string, err error) { - cmd, args := c.expandCommand(msgMeta, accountName, rcptTo) + cmd, args := c.expandCommand(msgMeta, accountName, rcptTo, hdr) var buf bytes.Buffer _ = textproto.WriteHeader(&buf, hdr) @@ -95,7 +95,7 @@ func (c *Check) Init(cfg *config.Map) error { return err } -func (c *Check) expandCommand(msgMeta *module.MsgMetadata, accountName string, rcptTo string) (string, []string) { +func (c *Check) expandCommand(msgMeta *module.MsgMetadata, accountName string, rcptTo string, hdr textproto.Header) (string, []string) { expArgs := make([]string, len(c.cmdArgs)) for i, arg := range c.cmdArgs { @@ -144,6 +144,8 @@ func (c *Check) expandCommand(msgMeta *module.MsgMetadata, accountName string, r oldestOriginalRcpt = originalRcpt } return oldestOriginalRcpt + case "{subject}": + return hdr.Get("Subject") case "{account_name}": return accountName } From a59ef41f14089c65b304e9ac9d344a7e68597dce Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Sun, 13 Feb 2022 19:32:17 +0300 Subject: [PATCH 36/41] Test out GitHub Actions --- .github/workflows/cicd.yml | 107 +++++++++++++++++++++++++++++++++++++ 1 file changed, 107 insertions(+) create mode 100644 .github/workflows/cicd.yml diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml new file mode 100644 index 0000000..27919a9 --- /dev/null +++ b/.github/workflows/cicd.yml @@ -0,0 +1,107 @@ +name: "Testing and release preparation" + +on: + push: + branches: [ master, dev ] + tags: [ "v*" ] + pull_request: + branches: [ master, dev ] + +jobs: + build-and-test: + name: "Build and test" + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2 + - uses: actions/cache@v2 + with: + path: | + ~/.cache/go-build + ~/go/pkg/mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: ${{ runner.os }}-go- + - uses: actions/setup-go@v2 + with: + go-version: 1.17.7 + - name: "Verify build.sh" + run: | + ./build.sh + ./build.sh --destdir destdir/ install + find destdir/ + - name: "Unit & module tests" + run: | + go test ./... -coverprofile=coverage.out -covermode=atomic + - name: "Integration tests" + run: | + cd tests/ + ./run.sh + - uses: codecov/codecov-action@v2 + with: + files: ./coverage.out + flags: unit + - uses: codecov/codecov-action@v2 + with: + files: ./tests/coverage.out + flags: integration + artifact-builder: + name: "Prepare release artifacts" + needs: build-and-test + if: github.ref_type == 'tag' + runs-on: ubuntu-latest + container: + image: alpine/edge + steps: + - uses: actions/checkout@v1 # v2 does not work with containers + - name: "Install build dependencies" + run: | + apk add --no-cache gcc go zstd + - name: "Create and package build tree" + run: | + ./build.sh --static build + ./build.sh --destdir ~/package-output/ install + mv ~/package-output/ ~/maddy-$(cat .version)-x86_64-linux-musl + tar c ~/maddy-$(cat .version)-x86_64-linux-musl | zstd > ~/maddy-$(cat .version)-x86_64-linux-musl.tar.zst + - name: "Save source tree" + run: | + rm -rf .git + cp -r . ~/maddy-$(cat .version)-src + tar c ~/maddy-$(cat .version)-src | zstd > ~/maddy-$(cat .version)-src.tar.zst + - name: "Upload source tree" + uses: actions/upload-artifact@v2 + with: + name: source + path: '~/maddy-*-src.tar.zst' + if-no-files-found: error + - name: "Upload binary tree" + uses: actions/upload-artifact@v2 + with: + name: binary + path: '~/maddy-*-x86_64-linux-musl.tar.zst' + if-no-files-found: error + docker-builder: + name: "Build Docker image" + needs: build-and-test + if: github.ref_type == 'tag' + runs-on: ubuntu-latest + steps: + - name: "Login to Docker Hub" + uses: docker/login-action@v1 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: "Login to GitHub Container Registry" + uses: docker/login-action@v1 + with: + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: "Build and push" + uses: docker/build-push-action@v2 + with: + context: . + push: true + tags: | + foxcpp/maddy:${{ github.ref_name }} + foxcpp/maddy:latest + ghcr.io/foxcpp/maddy:${{ github.ref_name }} + ghcr.io/foxcpp/maddy:latest + From 165c6578a41617cea080bf14cd5038d9e305468a Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Sun, 13 Feb 2022 19:40:33 +0300 Subject: [PATCH 37/41] Fix tests using imapsql --- internal/storage/blob/test_blob.go | 1 - internal/storage/imapsql/bench_test.go | 1 - 2 files changed, 2 deletions(-) diff --git a/internal/storage/blob/test_blob.go b/internal/storage/blob/test_blob.go index eead14d..9984c61 100644 --- a/internal/storage/blob/test_blob.go +++ b/internal/storage/blob/test_blob.go @@ -40,7 +40,6 @@ func TestStore(t *testing.T, newStore func() module.BlobStore, cleanStore func(m b, err := imapsql.New("sqlite3", ":memory:", imapsql2.ExtBlobStore{Base: store}, imapsql.Opts{ - LazyUpdatesInit: true, PRNG: prng, Log: testutils.Logger(t, "imapsql"), }, diff --git a/internal/storage/imapsql/bench_test.go b/internal/storage/imapsql/bench_test.go index f18e915..9b3763a 100644 --- a/internal/storage/imapsql/bench_test.go +++ b/internal/storage/imapsql/bench_test.go @@ -46,7 +46,6 @@ func createTestDB(tb testing.TB, compAlgo string) *Storage { } db, err := imapsql.New(testDB, testDSN, &imapsql.FSStore{Root: testFsstore}, imapsql.Opts{ - LazyUpdatesInit: true, CompressAlgo: compAlgo, }) if err != nil { From a20a48e764a6106d9ff9bc2173979bf45e25d810 Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Sun, 13 Feb 2022 19:47:01 +0300 Subject: [PATCH 38/41] Add libpam to GH action --- .github/workflows/cicd.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 27919a9..5576fe3 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -13,6 +13,8 @@ jobs: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v2 + - name: "Install libpam" + run: sudo apt-get install -y libpam-dev - uses: actions/cache@v2 with: path: | From 52d48b912013d32bb4d00db4df83101880e98a5a Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Sun, 13 Feb 2022 20:03:04 +0300 Subject: [PATCH 39/41] More fixes for GH actions --- .github/workflows/cicd.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 5576fe3..e9cf4e7 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -51,7 +51,7 @@ jobs: if: github.ref_type == 'tag' runs-on: ubuntu-latest container: - image: alpine/edge + image: "alpine:edge" steps: - uses: actions/checkout@v1 # v2 does not work with containers - name: "Install build dependencies" @@ -90,7 +90,7 @@ jobs: uses: docker/login-action@v1 with: username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: "Login to GitHub Container Registry" uses: docker/login-action@v1 with: From 0e80890860c9f72f53898a3ad01c4b939f4819d8 Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Sun, 13 Feb 2022 20:37:25 +0300 Subject: [PATCH 40/41] Even more fixes for GH actions --- .github/workflows/cicd.yml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index e9cf4e7..f10d48c 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -56,29 +56,33 @@ jobs: - uses: actions/checkout@v1 # v2 does not work with containers - name: "Install build dependencies" run: | - apk add --no-cache gcc go zstd + apk add --no-cache gcc go - name: "Create and package build tree" run: | ./build.sh --static build ./build.sh --destdir ~/package-output/ install mv ~/package-output/ ~/maddy-$(cat .version)-x86_64-linux-musl - tar c ~/maddy-$(cat .version)-x86_64-linux-musl | zstd > ~/maddy-$(cat .version)-x86_64-linux-musl.tar.zst + pushd ~ + tar c ./maddy-$(cat .version)-x86_64-linux-musl | zstd > ~/maddy-x86_64-linux-musl.tar.zst + popd - name: "Save source tree" run: | rm -rf .git cp -r . ~/maddy-$(cat .version)-src - tar c ~/maddy-$(cat .version)-src | zstd > ~/maddy-$(cat .version)-src.tar.zst + pushd ~ + tar c ./maddy-$(cat .version)-src | zstd > ~/maddy-src.tar.zst + popd - name: "Upload source tree" uses: actions/upload-artifact@v2 with: - name: source - path: '~/maddy-*-src.tar.zst' + name: maddy-src.tar.zst + path: '~/maddy-src.tar.zst' if-no-files-found: error - name: "Upload binary tree" uses: actions/upload-artifact@v2 with: - name: binary - path: '~/maddy-*-x86_64-linux-musl.tar.zst' + name: maddy-binary.tar.zst + path: '~/maddy-x86_64-linux-musl.tar.zst' if-no-files-found: error docker-builder: name: "Build Docker image" @@ -94,6 +98,7 @@ jobs: - name: "Login to GitHub Container Registry" uses: docker/login-action@v1 with: + registry: "ghcr.io" username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: "Build and push" @@ -103,7 +108,5 @@ jobs: push: true tags: | foxcpp/maddy:${{ github.ref_name }} - foxcpp/maddy:latest ghcr.io/foxcpp/maddy:${{ github.ref_name }} - ghcr.io/foxcpp/maddy:latest From 6adf1500a64480316abaabbfd209c25c12f60418 Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Sat, 19 Feb 2022 14:54:45 +0300 Subject: [PATCH 41/41] Remove .build.yml --- .build.yml | 36 ------------------------------------ 1 file changed, 36 deletions(-) delete mode 100644 .build.yml diff --git a/.build.yml b/.build.yml deleted file mode 100644 index 605b150..0000000 --- a/.build.yml +++ /dev/null @@ -1,36 +0,0 @@ -image: archlinux -packages: - - go - - pam - - scdoc - - curl -sources: - - https://github.com/foxcpp/maddy -tasks: - - build: | - cd maddy - go build ./... - - buildsh: | - cd maddy - ./build.sh - ./build.sh --destdir destdir/ install - find destdir/ - - test: | - cd maddy - go test ./... -coverprofile=coverage.out -covermode=atomic -race - - integration-test: | - cd maddy/tests - ./run.sh - - lint: | - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.33.0 - cd maddy/ - $(go env GOPATH)/bin/golangci-lint run || true - - build-man-pages: | - cd maddy/docs/man - for f in *.scd; do scdoc < $f > /dev/null; done - - upload-coverage: | - export CODECOV_TOKEN=a4598288-4c29-4da7-87cf-64a36e23d245 - cd maddy/ - bash <(curl https://codecov.io/bash) -f coverage.out -F unit - cd tests/ - bash <(curl https://codecov.io/bash) -f coverage.out -F integration