Merge pull request #568 from drdaeman/proxy-protocol

Proxy protocol support for SMTP and IMAP
2025-04-04 21:47:40 +03:00 · 2023-06-27 19:25:30 +03:00 · 2023-06-27 19:25:30 +03:00 · 4ad9cb5766
commit 4ad9cb5766
parent c102d6242b 3c4fe105cd
63 changed files with 1833 additions and 661 deletions
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@ -24,7 +24,7 @@ jobs:
        restore-keys: ${{ runner.os }}-go-
    - uses: actions/setup-go@v2
      with:
-        go-version: 1.17.11
+        go-version: 1.18.9
    - name: "Verify build.sh"
      run: |
        ./build.sh
--- a/.gitignore
+++ b/.gitignore
@ -22,10 +22,8 @@ _testmain.go
 # Compiled binaries
 cmd/maddy/maddy
 cmd/maddyctl/maddyctl
 cmd/maddy-*-helper/maddy-*-helper
 /maddy
 /maddyctl
 # Man pages
 docs/man/*.1
--- a/.mkdocs.yml
+++ b/.mkdocs.yml
@ -60,6 +60,7 @@ nav:
          - reference/table/sql_query.md
          - reference/table/chain.md
          - reference/table/email_localpart.md
          - reference/table/email_with_domains.md
          - reference/table/auth.md
      - Authentication providers:
          - reference/auth/pass_table.md
@ -69,6 +70,7 @@ nav:
          - reference/auth/ldap.md
          - reference/auth/dovecot_sasl.md
          - reference/auth/plain_separate.md
          - reference/auth/netauth.md
      - reference/config-syntax.md
  - Integration with software:
      - third-party/dovecot.md
--- a/.version
+++ b/.version
@ -1 +1 @@
-0.6.2
+0.7.0
--- a/6
+++ b/6
@ -1,4 +1,4 @@
-FROM golang:1.17-alpine AS build-env
+FROM golang:1.18-alpine AS build-env
 RUN set -ex && \
    apk upgrade --no-cache --available && \
@ -14,7 +14,7 @@ RUN mkdir -p /pkg/data && \
    cp maddy.conf.docker /pkg/data/maddy.conf && \
    ./build.sh --builddir /tmp --destdir /pkg/ --tags docker build install
-FROM alpine:3.16.0
+FROM alpine:3.17.0
 LABEL maintainer="fox.cpp@disroot.org"
 LABEL org.opencontainers.image.source=https://github.com/foxcpp/maddy
@ -22,7 +22,7 @@ RUN set -ex && \
    apk upgrade --no-cache --available && \
    apk --no-cache add ca-certificates
 COPY --from=build-env /pkg/data/maddy.conf /data/maddy.conf
-COPY --from=build-env /pkg/usr/local/bin/maddy /pkg/usr/local/bin/maddyctl /bin/
+COPY --from=build-env /pkg/usr/local/bin/maddy /bin/
 EXPOSE 25 143 993 587 465
 VOLUME ["/data"]
--- a/contrib/kubernetes/chart/files/maddy.conf
+++ b/contrib/kubernetes/chart/files/maddy.conf
@ -1,6 +1,6 @@
 ## maddy 0.3 - default configuration file (2020-05-31)
 # Suitable for small-scale deployments. Uses its own format for local users DB,
-# should be managed via maddyctl utility.
+# should be managed via maddy subcommands.
 #
 # See tutorials at https://foxcpp.dev/maddy for guidance on typical
 # configuration changes.
@ -28,7 +28,7 @@ tls file /etc/maddy/certs/fullchain.pem /etc/maddy/certs/privkey.pem
 # PAM, /etc/shadow file).
 #
 # If table module supports it (sql_table does) - credentials can be managed
-# using 'maddyctl creds' command.
+# using 'maddy creds' command.
 auth.pass_table local_authdb {
    table sql_table {
@ -43,7 +43,7 @@ auth.pass_table local_authdb {
 # also by SMTP & Submission endpoints for delivery of local messages.
 #
 # IMAP accounts, mailboxes and all message metadata can be inspected using
-# imap-* subcommands of maddyctl utility.
+# imap-* subcommands of maddy.
 storage.imapsql local_mailboxes {
    driver sqlite3
--- a/dist/apparmor/dev.foxcpp.maddyctl
+++ b/dist/apparmor/dev.foxcpp.maddyctl
@ -1,24 +0,0 @@
 # AppArmor profile for maddyctl management utility.
 # vim:syntax=apparmor:ts=2:sw=2:et
 #include <tunables/global>
 profile dev.foxcpp.maddyctl /usr{/local,}/bin/maddyctl {
  #include <abstractions/base>
  /etc/resolv.conf r,
  /proc/sys/net/core/somaxconn r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  deny ptrace,
  network unix,
  deny unix,
  /etc/maddy/** r,
  owner /run/maddy/ rw,
  owner /run/maddy/** rwkl,
  owner /var/lib/maddy/ rw,
  owner /var/lib/maddy/** rwk,
  owner /var/lib/maddy/**.db-{wal,shm} rmk,
  #include if exists <local/dev.foxcpp.maddyctl>
 }
--- a/docs/docker.md
+++ b/docs/docker.md
@ -5,7 +5,7 @@ Official Docker image is available from Docker Hub.
 It expects configuration file to be available at /data/maddy.conf.
 If /data is a Docker volume, then default configuration will be placed there
-automatically. If it is used, then MADDY_HOSTNAME, MADDY_DOMAIN environment 
+automatically. If it is used, then MADDY_HOSTNAME, MADDY_DOMAIN environment
 variables control the host name and primary domain for the server. TLS
 certificate should be placed in /data/tls/fullchain.pem, private key in
 /data/tls/privkey.pem
@ -15,8 +15,8 @@ DKIM keys are generated in /data/dkim_keys directory.
 ## Image tags
 - `latest` - A latest stable release. May contain breaking changes.
- `X.Y` - A specific feature branch, it is recommended to use these tags to 
+- `X.Y` - A specific feature branch, it is recommended to use these tags to
-  receive bugfixes without the risk of feature-related regressions or breaking 
+  receive bugfixes without the risk of feature-related regressions or breaking
  changes.
 - `X.Y.Z` - A specific stable release
@ -30,8 +30,8 @@ All standard ports, as described in maddy docs.
 ## Volumes
-`/data` - maddy state directory. Databases, queues, etc are stored here. You 
+`/data` - maddy state directory. Databases, queues, etc are stored here. You
-might want to mount a named volume there. The main configuration file is stored 
+might want to mount a named volume there. The main configuration file is stored
 here too (`/data/maddy.conf`).
 ## Management utility
@ -47,7 +47,7 @@ docker run --rm -it -v maddydata:/data foxcpp/maddy:0.6.0 imap-acct create foxcp
 Use the same image version as the running server. Things may break badly
 otherwise.
-Note that, if you modify messages using maddyctl while the server is running -
+Note that, if you modify messages using maddy subcommands while the server is running -
 you must ensure that  /tmp from the server is accessible for the management
 command. One way to it is to run it using `docker exec` instead of `docker run`:
 ```
@ -70,6 +70,6 @@ docker run \
  foxcpp/maddy:0.6
 ```
-It will fail on first startup. Copy TLS certificate to /data/tls/fullchain.pem 
+It will fail on first startup. Copy TLS certificate to /data/tls/fullchain.pem
-and key to /data/tls/privkey.pem. Run the server again. Finish DNS configuration 
+and key to /data/tls/privkey.pem. Run the server again. Finish DNS configuration
-(DKIM keys, etc) as described in [tutorials/setting-up/](tutorials/setting-up/).
+(DKIM keys, etc) as described in [tutorials/setting-up/](tutorials/setting-up/).
--- a/docs/faq.md
+++ b/docs/faq.md
@ -5,7 +5,7 @@
 Unfortunately, GMail policies are opaque so we cannot tell why this happens.
 Verify that you have a rDNS record set for the IP used
-by sender server. Also some IPs may just happen to 
+by sender server. Also some IPs may just happen to
 have bad reputation - check it with various DNSBLs. In this
 case you do not have much of a choice but to replace it.
@ -21,19 +21,19 @@ all outbound messages via a "smart-host".
 ## What is resource usage of maddy?
-For a small personal server, you do not need much more than a 
+For a small personal server, you do not need much more than a
 single 1 GiB of RAM and disk space.
 ## How to setup a catchall address?
 https://github.com/foxcpp/maddy/issues/243#issuecomment-655694512
-## maddyctl prints a "permission denied" error
+## maddy command prints a "permission denied" error
-Run maddyctl under the same user as maddy itself.
+Run maddy command under the same user as maddy itself.
 E.g.
-``` 
+```
-sudo -u maddy maddyctl creds ...
+sudo -u maddy maddy creds ...
 ```
 ## How maddy compares to MailCow or Mail-In-The-Box?
@ -116,4 +116,4 @@ of bugs in one component.
 Besides, you are not required to use a single process, it is easy to launch
 maddy with a non-default configuration path and connect multiple instances
-together using off-the-shelf protocols.
+together using off-the-shelf protocols.
--- a/docs/multiple-domains.md
+++ b/docs/multiple-domains.md
@ -1,69 +1,157 @@
 # Multiple domains configuration
-## Separate account namespaces
+By default, maddy uses email addresses as account identifiers for both
 authentication and storage purposes. Therefore, account named `user@example.org`
 is completely independent from `user@example.com`. They must be created
 separately, may have different credentials and have separate IMAP mailboxes.
-Given two domains, example.org and example.com. foo@example.org and
+This makes it extremely easy to setup maddy to manage multiple otherwise
-foo@example.com are different and completely independent accounts.
+independent domains.
-All changes needed to make it work is to make sure all domains are specified in
+Default configuration file contains two macros - `$(primary_domain)` and
-the `$(local_domains)` macro in the main configuration file. Note that you need
+`$(local_domains)`. They are used to used in several places thorough the
-to pick one domain as a "primary" for use in auto-generated messages.
+file to configure message routing, security checks, etc.
 In general, you should just add all domains you want maddy to manage to
 `$(local_domains)`, like this:
 ```
 $(primary_domain) = example.org
 $(local_domains) = $(primary_domain) example.com
 ```
 Note that you need to pick one domain as a "primary" for use in
 auto-generated messages.
-The base configuration is done. You can create accounts using
+With that done, you can create accounts using both domains in the name, send
-both domains in the name, send and receive messages and so on.  Do not forget
+and receive messages and so on.  Do not forget to configure corresponding SPF,
-to configure corresponding SPF, DMARC and MTA-STS records as was
+DMARC and MTA-STS records as was recommended in
-recommended in the [introduction tutorial](tutorials/setting-up.md).
+the [introduction tutorial](tutorials/setting-up.md).
-## Single account namespace
+Also note that you do not really need a separate TLS certificate for each
 managed domain. You can have one hostname e.g. mail.example.org set as an MX
 record for mulitple domains.
-You can configure maddy to only use local part of the email
+**If you want multiple domains to share username namespace**, you should change
-as an account identifier instead of the complete email.
+several more options.
-This needs two changes to default configuration:
+You can make "user@example.org" and "user@example.com" users share the same
 credentials of user "user" but have different IMAP mailboxes ("user@example.org"
 and "user@example.com" correspondingly). For that, it is enough to set `auth_map`
 globally to use `email_localpart` table:
 ```
-storage.imapsql local_mailboxes {
+auth_map email_localpart
-    ...
+```
-    delivery_map email_localpart
+This way, when user logs in as "user@example.org", "user" will be passed
-    auth_normalize precis_casefold
+to the authentication provider, but "user@example.org" will be passed to the
 storage backend. You should create accounts like this:
 ```
 maddy creds create user
 maddy imap-acct create user@example.org
 maddy imap-acct create user@example.com
 ```
 **If you want accounts to also share the same IMAP storage of account named
 "user"**, you can set `storage_map` in IMAP endpoint and `delivery_map` in
 storage backend to use `email_locapart`:
 ```
 straoge.imapsql local_mailboxes {
   ...
   delivery_map email_localpart # deliver "user@*" to "user"
 }
 imap tls://0.0.0.0:993 {
   ...
   storage &local_mailboxes
   ...
   storage_map email_localpart # "user@*" accesses "user" mailbox
 }
 ```
-This way, when authenticating as `foxcpp`, it will be mapped to
+You also might want to make it possible to log in without
-`foxcpp` storage account. E.g. you will need to run
+specifying a domain at all. In this case, use `email_localpart_optional` for
-`maddy imap-accts create foxcpp`, without the domain part.
+both `auth_map` and `storage_map`.
 If you have existing accounts, you will need to rename them.
 Change to `auth_normalize` is necessary so that normalization function
 will not attempt to parse authentication identity as a email.
 When a email is received, `delivery_map email_localpart` will strip
 the domain part before looking up the account. That is,
 `foxcpp@example.org` will be become just `foxcpp`.
 You also need to make `authorize_sender` check (used in `submission` endpoint)
 accept non-email usernames:
 ```
 authorize_sender {
  ...
-  auth_normalize precis_casefold
+  user_to_email chain {
-  user_to_email regexp "(.*)" "$1@$(primary_domain)"
+    step email_localpart_optional            # remove domain from username if present
    step email_with_domains $(local_domains) # expand username with all allowed domains
  }
 }
 ```
 Note that is would work only if clients use only one domain as sender (`$(primary_domain)`).
 If you want to allow sending from all domains, you need to remove `authorize_sender` check
 altogether since it is not currently supported.
-After that you can create accounts without specifying the domain part:
+## TL;DR
 ```
 maddyctl imap-acct create foxcpp
 maddyctl creds create foxcpp
 ```
 And authenticate using "foxcpp" in email clients.
-Messages for any foxcpp@* address with a domain in `$(local_domains)`
+Your options:
-will be delivered to that mailbox.
+
 **"user@example.org" and "user@example.com" have distinct credentials and
 distinct mailboxes.**
 ```
 $(primary_domain) = example.org
 $(local_domains) = example.org example.com
 ```
 Create accounts as:
 ```shell
 maddy creds create user@example.org
 maddy imap-acct create user@example.org
 maddy creds create user@example.com
 maddy imap-acct create user@example.com
 ```
 **"user@example.org" and "user@example.com" have same credentials but
 distinct mailboxes.**
 ```
 $(primary_domain) = example.org
 $(local_domains) = example.org example.com
 auth_map email_localpart
 ```
 Create accounts as:
 ```shell
 maddy creds create user
 maddy imap-acct create user@example.org
 maddy imap-acct create user@example.com
 ```
 **"user@example.org", "user@example.com", "user" have same credentials and same
 mailboxes.**
 ```
   $(primary_domain) = example.org
   $(local_domains) = example.org example.com
   auth_map email_localpart_optional # authenticating as "user@*" checks credentials for "user"
   storage.imapsql local_mailboxes {
      ...
      delivery_map email_localpart_optional # deliver "user@*" to "user" mailbox
   }
   imap tls://0.0.0.0:993 {
      ...
      storage_map email_localpart_optional # authenticating as "user@*" accesses "user" mailboxes
   }
   submission tls://0.0.0.0:465 {
      check {
        authorize_sender {
          ...
          user_to_email chain {
            step email_localpart_optional            # remove domain from username if present
            step email_with_domains $(local_domains) # expand username with all allowed domains
          }
        }
      }
      ...
   }
 ```
 Create accounts as:
 ```shell
 maddy creds create user
 maddy imap-acct create user
 ```
--- a/docs/reference/auth/netauth.md
+++ b/docs/reference/auth/netauth.md
@ -0,0 +1,47 @@
 # Native NetAuth
 maddy supports authentication via NetAuth using direct entity
 authentication checks.  Passwords are verified by the NetAuth server.
 maddy needs to know the Entity ID to use for authentication.  It must
 match the string the user provides for the Local Atom part of their
 mail address.
 Note that storage backends conventionally use email addresses.  Since
 NetAuth recommends *nix compatible usernames, you will need to map the
 email identifiers to NetAuth Entity IDs using auth\_map (see
 documentation page for used storage backend).
 auth.netauth also can be used as a table module.  This way you can
 check whether the account exists.
 Note that the configuration fragment provided below is very sparse.
 This is because NetAuth expects to read most of its common
 configuration values from the system NetAuth config file located at
 `/etc/netauth/config.toml`.
 ```
 auth.netauth {
  require_group "maddy-users"
  debug off
 }
 ```
 ```
 auth.netauth {}
 ```
 ## Configuration directives
 **Syntax:** require\_group _group_
 OPTIONAL.
 Group that entities must posess to be able to use maddy services.
 This can be used to provide email to just a subset of the entities
 present in NetAuth.
 **Syntax** debug off <br>
 debug on <br>
 debug off <br>
 **Default:** off
--- a/docs/reference/auth/pass_table.md
+++ b/docs/reference/auth/pass_table.md
@ -33,12 +33,12 @@ smtp tcp://0.0.0.0:587 {
 pass\_table expects the used table to contain certain structured values with
 hash algorithm name, salt and other necessary parameters.
-You should use 'maddyctl hash' command to generate suitable values.
+You should use 'maddy hash' command to generate suitable values.
-See 'maddyctl hash --help' for details.
+See 'maddy hash --help' for details.
-## maddyctl creds
+## maddy creds
 If the underlying table is a "mutable" table (see maddy-tables(5)) then
-the 'maddyctl creds' command can be used to modify the underlying tables
+the 'maddy creds' command can be used to modify the underlying tables
 via pass\_table module. It will act on a "local credentials store" and will write
 appropriate hash values to the table.
--- a/docs/reference/blob/s3.md
+++ b/docs/reference/blob/s3.md
@ -13,6 +13,7 @@ storage.blob.s3 {
    # optional
    region eu-central-1
    object_prefix maddy/
    creds access_key
 }
 ```
@ -26,6 +27,7 @@ storage.imapsql local_mailboxes {
        secret_key "..."
        bucket maddy-messages
        region us-west-2
        creds access_key
    }
 }
 ```
@ -69,3 +71,16 @@ in some manuals.
 String to add to all keys stored by maddy.
 Can be useful when S3 is used as a file system.
 **Syntax:** creds _string_ <br>
 **Default:** access_key
 Credentials to use for accessing the S3 Bucket.
 Credential Types:
 - access_key: use AWS access key and secret access key 
 - file_minio: use credentials for Minio present at ~/.mc/config.json
 - file_aws: use credentials for AWS S3 present at ~/.aws/credentials
 - iam: use AWS IAM instance profile for credentials.
 By default, access_key is used with the access key and secret access key present in the config.
--- a/docs/reference/checks/authorize_sender.md
+++ b/docs/reference/checks/authorize_sender.md
@ -16,8 +16,8 @@ check.authorize_sender {
    malformed_action reject
    err_action reject
-    auth_normalize precis_casefold_email
+    auth_normalize auto
-    from_normalize precis_casefold_email
+    from_normalize auto
 }
 ```
 ```
@ -31,10 +31,33 @@ check {
 **Syntax:** user\_to\_email _table_ <br>
 **Default:** identity
-Table to use for lookups. Result of the lookup should contain either the
+Table that maps authorization username to the list of sender emails
-domain name, the full email address or "*" string. If it is just domain - user
+the user is allowed to use.
-will be allowed to use any mailbox within a domain as a sender address.
+
-If result contains "*" - user will be allowed to use any address.
+In additional to email addresses, the table can contain domain names or
 special string "\*" as a value. If the value is a domain - user
 will be allowed to use any mailbox within it as a sender address.
 If it is "\*" - user will be allowed to use any address.
 By default, table.identity is used, meaning that username should
 be equal to the sender email.
 Before username is looked up via the table, normalization algorithm
 defined by auth_normalize is applied to it.
 **Syntax:** prepare\_email _table_ <br>
 **Default:** identity
 Table that is used to translate email addresses before they
 are matched against user_to_email values.
 Typically used to allow users to use their aliases as sender
 addresses - prepare_email in this case should translate
 aliases to "canonical" addresses. This is how it is
 done in default configuration.
 If table does not contain any mapping for the used sender
 address, it will be used as is.
 **Syntax:** check\_header _boolean_ <br>
 **Default:** yes
@ -65,21 +88,26 @@ What to do if From or Sender header fields contain malformed values.
 What to do if error happens during prepare\_email or user\_to\_email lookup.
 **Syntax:** auth\_normalize _action_ <br>
-**Default:** precis\_casefold\_email
+**Default:** auto
 Normalization function to apply to authorization username before
 further processing.
 Available options:
- precis\_casefold\_email   PRECIS UsernameCaseMapped profile + U-labels form for domain
+- `auto`                    `precis_casefold_email` for valid emails, `precise_casefold` otherwise.
- precis\_casefold         PRECIS UsernameCaseMapped profile for the entire string
+- `precis_casefold_email`   PRECIS UsernameCaseMapped profile + U-labels form for domain
- precis\_email            PRECIS UsernameCasePreserved profile + U-labels form for domain
+- `precis_casefold`         PRECIS UsernameCaseMapped profile for the entire string
- precis                  PRECIS UsernameCasePreserved profile for the entire string
+- `precis_email`            PRECIS UsernameCasePreserved profile + U-labels form for domain
- casefold                Convert to lower case
+- `precis`                  PRECIS UsernameCasePreserved profile for the entire string
- noop                    Nothing
+- `casefold`                Convert to lower case
 - `noop`                    Nothing
 PRECIS profiles are defined by RFC 8265. In short, they make sure
 that Unicode strings that look the same will be compared as if they were
 the same. CaseMapped profiles also convert strings to lower case.
 **Syntax:** from\_normalize _action_ <br>
-**Default:** precis\_casefold\_email
+**Default:** auto
 Normalization function to apply to email addresses before
 further processing.
--- a/docs/reference/endpoints/imap.md
+++ b/docs/reference/endpoints/imap.md
@ -20,6 +20,10 @@ imap tcp://0.0.0.0:143 tls://0.0.0.0:993 {
    insecure_auth no
    auth pam
    storage &local_mailboxes
    auth_map identity
    auth_map_normalize auto
    storage_map identity
    storage_map_normalize auto
 }
 ```
@ -36,6 +40,25 @@ tls cert.crt key.key {
 See [TLS configuration / Server](/reference/tls/#server-side) for details.
 **Syntax**: proxy_protocol _trusted ips..._ { ... } <br>
 **Default**: not enabled
 Enable use of HAProxy PROXY protocol. Supports both v1 and v2 protocols.
 If a list of trusted IP addresses or subnets is provided, only connections
 from those will be trusted.
 TLS for the channel between the proxies and maddy can be configured
 using a 'tls' directive:
 ```
 proxy_protocol {
    trust 127.0.0.1 ::1 192.168.0.1/24
    tls &proxy_tls
 }
 ```
 Note that the top-level 'tls' directive is not inherited here. If you
 need TLS on top of the PROXY protocol, securing the protocol header,
 you must declare TLS explicitly.
 **Syntax**: io\_debug _boolean_ <br>
 **Default**: no
@ -62,4 +85,46 @@ Use the specified module for authentication.
 **Syntax**: storage _module\_reference\_
 Use the specified module for message storage.
-**Required.**
+**Required.**
 **Syntax**: storage\_map _module\_reference_ <br>
 **Default**: identity
 Use the specified table to map SASL usernames to storage account names.
 Before username is looked up, it is normalized using function defined by
 `storage_map_normalize`.
 This directive is useful if you want users user@example.org and user@example.com
 to share the same storage account named "user". In this case, use
 ```
    storage_map email_localpart
 ```
 Note that `storage_map` does not affect the username passed to the
 authentication provider.
 It also does not affect how message delivery is handled, you should specify
 `delivery_map` in storage module to define how to map email addresses
 to storage accounts. E.g.
 ```
    storage.imapsql local_mailboxes {
        ...
        delivery_map email_localpart # deliver "user@*" to mailbox for "user"
    }
 ```
 **Syntax**: storage\_map_normalize _function_ <br>
 **Default**: auto
 Same as `auth_map_normalize` but for `storage_map`.
 **Syntax**: auth\_map_normalize _function_ <br>
 **Default**: auto
 Overrides global `auth_map_normalize` value for this endpoint.
 See [Global configuration](/reference/global-config) for details.
--- a/docs/reference/endpoints/smtp.md
+++ b/docs/reference/endpoints/smtp.md
@ -58,6 +58,21 @@ tls cert.crt key.key {
 See [TLS configuration / Server](/reference/tls/#server-side) for details.
 **Syntax**: proxy_protocol _trusted ips..._ { ... } <br>
 **Default**: not enabled
 Enable use of HAProxy PROXY protocol. Supports both v1 and v2 protocols.
 If a list of trusted IP addresses or subnets is provided, only connections
 from those will be trusted.
 TLS for the channel between the proxies and maddy can be configured
 using a 'tls' directive:
 ```
 proxy_protocol {
    trust 127.0.0.1 ::1 192.168.0.1/24
    tls &proxy_tls
 }
 ```
 **Syntax**: io\_debug _boolean_ <br>
 **Default**: no
--- a/docs/reference/global-config.md
+++ b/docs/reference/global-config.md
@ -1,6 +1,6 @@
 # Global configuration directives
-These directives can be specified outside of any 
+These directives can be specified outside of any
 configuration blocks and they are applied to all modules.
 Some directives can be overridden on per-module basis (e.g. hostname).
@ -23,6 +23,56 @@ objects. Should be writable.
 Internet hostname of this mail server. Typicall FQDN is used. It is recommended
 to make sure domain specified here resolved to the public IP of the server.
 **Syntax**: auth\_map _module\_reference_ <br>
 **Default**: identity
 Use the specified table to translate SASL usernames before passing it to the
 authentication provider.
 Before username is looked up, it is normalized using function defined by
 `auth_map_normalize`.
 Note that `auth_map` does not affect the storage account name used. You probably
 should also use `storage_map` in IMAP config block to handle this.
 This directive is useful if used authentication provider does not support
 using emails as usernames but you still want users to have separate mailboxes
 on separate domains. In this case, use it with `email_localpart` table:
 ```
    auth_map email_localpart
 ```
 With this configuration, `user@example.org` and `user@example.com` will use
 `user` credentials when authenticating, but will access `user@example.org` and
 `user@example.com` mailboxes correspondingly. If you want to also accept
 `user` as a username, use `auth_map email_localpart_optional`.
 If you want `user@example.org` and `user@example.com` to have the same mailbox,
 also set `storage_map` in IMAP config block to use `email_localpart`
 (or `email_localpart_optional` if you want to also accept just "user"):
 ```
    storage_map email_localpart
 ```
 In this case you will need to create storage accounts without domain part in
 the name:
 ```
 maddy imap-acct create user # instead of user@example.org
 ```
 **Syntax**: auth\_map_normalize _function_ <br>
 **Default**: auto
 Normalization function to apply to SASL usernames before mapping
 them to storage accounts.
 Available options:
 - `auto`                    `precis_casefold_email` for valid emails, `precise_casefold` otherwise.
 - `precis_casefold_email`   PRECIS UsernameCaseMapped profile + U-labels form for domain
 - `precis_casefold`         PRECIS UsernameCaseMapped profile for the entire string
 - `precis_email`            PRECIS UsernameCasePreserved profile + U-labels form for domain
 - `precis`                  PRECIS UsernameCasePreserved profile for the entire string
 - `casefold`                Convert to lower case
 - `noop`                    Nothing
 **Syntax**: autogenerated\_msg\_domain _domain_ <br>
 **Default**: not specified
--- a/docs/reference/storage/imapsql.md
+++ b/docs/reference/storage/imapsql.md
@ -156,6 +156,8 @@ See auth\_normalize.
 **Syntax**: auth\_map **table** <br>
 **Default**: identity
 **DEPRECATED:** Use `storage_map` in imap config instead.
 Use specified table module to map authentication
 usernames to mailbox names.
@ -165,6 +167,8 @@ auth\_map.
 **Syntax**: auth\_normalize _name_ <br>
 **Default**: precis\_casefold\_email
 **DEPRECATED:** Use `storage_map_normalize` in imap config instead.
 Normalization function to apply to authentication usernames before mapping
 them to mailboxes.
--- a/docs/reference/table/email_localpart.md
+++ b/docs/reference/table/email_localpart.md
@ -1,12 +1,19 @@
 # Email local part
-The module 'table.email\_localpart' extracts and unescaped local ("username") part
+The module 'table.email\_localpart' extracts and unescapes local ("username") part
 of the email address.
 E.g.
 test@example.org => test
 "test @ a"@example.org => test @ a
 Mappings for invalid emails are not defined (will be treated as non-existing
 values).
 ```
 table.email_localpart { }
 ```
 `table.email_localpart_optional` works the same, but returns non-email strings
 as is. This can be used if you want to accept both `user@example.org` and
 `user` somewhere and treat it the same.
--- a/docs/reference/table/email_with_domains.md
+++ b/docs/reference/table/email_with_domains.md
@ -0,0 +1,33 @@
 # Email with domain
 The table module 'table.email\_with\_domain' appends one or more
 domains (allowing 1:N expansion) to the specified value.
 ```
 table.email_with_domains DOMAIN DOMAIN... { }
 ```
 It can be used to implement domain-level expansion for aliases if used together
 with `table.chain`. Example:
 ```
 modify {
    replace_rcpt chain {
        step email_local_part
        step email_with_domains example.org example.com
    }
 }
 ```
 This configuration will alias `anything@anydomain` to `anything@example.org`
 and `anything@example.com`.
 It is also useful with `authorize_sender` to authorize sending using multiple
 addresses under different domains if non-email usernames are used for
 authentication:
 ```
 check.authorize_sender {
   ...
   user_to_email email_with_domain example.org example.com
 }
 ```
 This way, user authenticated as `user` will be allowed to use
 `user@example.org` or `user@example.com` as a sender address.
--- a/docs/tutorials/building-from-source.md
+++ b/docs/tutorials/building-from-source.md
@ -6,12 +6,12 @@ You need C toolchain, Go toolchain and Make:
 On Debian-based system this should work:
 ```
-apt-get install golang-1.17 gcc libc6-dev make
+apt-get install golang-1.18 gcc libc6-dev make
 ```
 Additionally, if you want manual pages, you should also have scdoc installed.
 Figuring out the appropriate way to get scdoc is left as an exercise for
-reader (for Ubuntu 19.10 it is in repositories).
+reader (for Ubuntu 22.04 LTS it is in repositories).
 ## Recent Go toolchain
@ -20,8 +20,8 @@ available in some distributions (*cough* Debian *cough*).
 It should not be hard to grab a recent built toolchain from golang.org:
 ```
-wget "https://dl.google.com/go/go1.17.11.linux-amd64.tar.gz"
+wget "https://dl.google.com/go/go1.18.9.linux-amd64.tar.gz"
-tar xf "go1.17.11.linux-amd64.tar.gz"
+tar xf "go1.18.19.linux-amd64.tar.gz"
 export GOROOT="$PWD/go"
 export PATH="$PWD/go/bin:$PATH"
 ```
--- a/docs/tutorials/pam.md
+++ b/docs/tutorials/pam.md
@ -65,42 +65,12 @@ auth.pam local_authdb {
 ## Account names
-Since PAM does not use emails for authentication you should also
+Since PAM does not use emails for authentication you should configure
-configure storage backend to use username only as an account identifier,
+maddy to either strip domain part when checking credentials or do not
-not full email addresses:
+use email when authenticating.
 ```
 storage.imapsql local_mailboxes {
    ...
    delivery_map email_localpart
    auth_normalize precis_casefold
 }
 ```
-This way, when authenticating as `foxcpp`, it will be mapped to
+See [Multiple domains configuration](/multiple-domains) for how to configure
-`foxcpp` storage account. E.g. you will need to run
+authentication.
 `maddy imap-accts create foxcpp`, without the domain part.
 If you have existing accounts, you will need to rename them.
 Change to `auth_normalize` is necessary so that normalization function
 will not attempt to parse authentication identity as a email.
 When a email is received, `delivery_map email_localpart` will strip
 the domain part before looking up the account. That is,
 `foxcpp@example.org` will be become just `foxcpp`.
 You also need to make `authorize_sender` check (used in `submission` endpoint)
 accept non-email usernames:
 ```
 authorize_sender {
  ...
  auth_normalize precis_casefold
  user_to_email regexp "(.*)" "$1@$(primary_domain)"
 }
 ```
 Note that is would work only if clients use only one domain as sender (`$(primary_domain)`).
 If you want to allow sending from all domains, you need to remove `authorize_sender` check
 altogether since it is not currently supported.
 ## PAM service
--- a/docs/tutorials/setting-up.md
+++ b/docs/tutorials/setting-up.md
@ -35,7 +35,7 @@ Your options are:
    Available on [GitHub](https://github.com/foxcpp/maddy/releases) or
    [maddy.email/builds](https://maddy.email/builds/).
-	The tarball includes maddy and maddyctl executables you can
+	The tarball includes maddy executable you can
 	copy into /usr/local/bin as well as systemd unit file you can
 	use on systemd-based distributions for automatic startup and service
 	supervision. You should also create "maddy" user and group.
@ -215,14 +215,14 @@ mx: mx2.example.org
 ```
 It is also recommended to set a TLSA (DANE) record.
-Use https://www.huque.com/bin/gen_tlsa to generate one. 
+Use https://www.huque.com/bin/gen_tlsa to generate one.
 Set port to 25, Transport Protocol to "tcp" and Domain Name to **the MX hostname**.
 Example of a valid record:
 ```
 _25._tcp.mx1.example.org. TLSA 3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96e3498238
 ```
-## User accounts and maddyctl
+## User accounts and maddy command
 A mail server is useless without mailboxes, right? Unlike software like postfix
 and dovecot, maddy uses "virtual users" by default, meaning it does not care or
@ -230,10 +230,10 @@ know about system users.
 IMAP mailboxes ("accounts") and authentication credentials are kept separate.
-To register user credentials, use `maddyctl creds create` command.
+To register user credentials, use `maddy creds create` command.
 Like that:
 ```
-$ maddyctl creds create postmaster@example.org
+$ maddy creds create postmaster@example.org
 ```
 Note the username is a e-mail address. This is required as username is used to
@ -243,14 +243,14 @@ described here).
 After registering the user credentials, you also need to create a local
 storage account:
 ```
-$ maddyctl imap-acct create postmaster@example.org
+$ maddy imap-acct create postmaster@example.org
 ```
 That is it. Now you have your first e-mail address. when authenticating using
 your e-mail client, do not forget the username is "postmaster@example.org", not
 just "postmaster".
-You may find running `maddyctl creds --help` and `maddyctl imap-acct --help`
+You may find running `maddy creds --help` and `maddy imap-acct --help`
 useful to learn about other commands. Note that IMAP accounts and credentials
 are managed separately yet usernames should match by default for things to
 work.
--- a/docs/upgrading.md
+++ b/docs/upgrading.md
@ -74,7 +74,7 @@ pass_table local_authdb {
 }
 ```
-6. Use `maddyctl creds create ACCOUNT_NAME` to add credentials to `pass_table`
+6. Use `maddy creds create ACCOUNT_NAME` to add credentials to `pass_table`
   store.
 7. Start the server back.
--- a/framework/address/split.go
+++ b/framework/address/split.go
@ -101,3 +101,32 @@ func UnquoteMbox(mbox string) (string, error) {
 	return mailboxB.String(), nil
 }
 // "specials" from RFC5322 grammar with dot removed (it is defined in grammar separately, for some reason)
 var mboxSpecial = map[rune]struct{}{
 	'(': {}, ')': {}, '<': {}, '>': {},
 	'[': {}, ']': {}, ':': {}, ';': {},
 	'@': {}, '\\': {}, ',': {},
 	'"': {}, ' ': {},
 }
 func QuoteMbox(mbox string) string {
 	var mailboxEsc strings.Builder
 	mailboxEsc.Grow(len(mbox))
 	quoted := false
 	for _, ch := range mbox {
 		if _, ok := mboxSpecial[ch]; ok {
 			if ch == '\\' || ch == '"' {
 				mailboxEsc.WriteRune('\\')
 			}
 			mailboxEsc.WriteRune(ch)
 			quoted = true
 		} else {
 			mailboxEsc.WriteRune(ch)
 		}
 	}
 	if quoted {
 		return `"` + mailboxEsc.String() + `"`
 	}
 	return mbox
 }
--- a/framework/address/split_test.go
+++ b/framework/address/split_test.go
@ -90,3 +90,21 @@ func TestUnquoteMbox(t *testing.T) {
 	test(`postmaster`, "postmaster", false)
 	test(`foo`, "foo", false)
 }
 func TestQuoteMbox(t *testing.T) {
 	test := func(inputMbox, expectedMbox string) {
 		t.Helper()
 		actualMbox := QuoteMbox(inputMbox)
 		if actualMbox != expectedMbox {
 			t.Errorf("wrong local part, want %s, got %s", actualMbox, actualMbox)
 		}
 	}
 	test(`no"no`, `"no\"no"`)
 	test(`no@no`, `"no@no"`)
 	test(`no no`, `"no no"`)
 	test(`no\no`, `"no\\no"`)
 	test("postmaster", `postmaster`)
 	test("foo", `foo`)
 }
--- a/framework/address/validation.go
+++ b/framework/address/validation.go
@ -20,6 +20,8 @@ package address
 import (
 	"strings"
 	"golang.org/x/net/idna"
 )
 /*
@ -109,17 +111,23 @@ func ValidMailboxName(mbox string) bool {
 // ValidDomain checks whether the specified string is a valid DNS domain.
 func ValidDomain(domain string) bool {
-	if len(domain) > 255 {
+	if len(domain) > 255 || len(domain) == 0 {
 		return false
 	}
-	if strings.HasPrefix(domain, ".") || strings.HasSuffix(domain, ".") {
+	if strings.HasPrefix(domain, ".") {
 		return false
 	}
 	if strings.Contains(domain, "..") {
 		return false
 	}
-	labels := strings.Split(domain, ".")
+	// Length checks are to be applied to A-labels form.
 	// maddy uses U-labels representation across the code (for lookups, etc).
 	domainASCII, err := idna.ToASCII(domain)
 	if err != nil {
 		return false
 	}
 	labels := strings.Split(domainASCII, ".")
 	for _, label := range labels {
 		if len(label) > 64 {
 			return false
--- a/framework/address/validation_test.go
+++ b/framework/address/validation_test.go
@ -1,6 +1,7 @@
 package address_test
 import (
 	"strings"
 	"testing"
 	"github.com/foxcpp/maddy/framework/address"
@ -11,3 +12,22 @@ func TestValidMailboxName(t *testing.T) {
 		t.Error("caddy.bug should be valid mailbox name")
 	}
 }
 func TestValidDomain(t *testing.T) {
 	for _, c := range []struct {
 		Domain string
 		Valid  bool
 	}{
 		{Domain: "maddy.email", Valid: true},
 		{Domain: "", Valid: false},
 		{Domain: "maddy.email.", Valid: true},
 		{Domain: "..", Valid: false},
 		{Domain: strings.Repeat("a", 256), Valid: false},
 		{Domain: "äõäoaõoäaõaäõaoäaoaäõoaäooaoaoiuaiauäõiuüõaõäiauõaaa.tld", Valid: true},            // https://github.com/foxcpp/maddy/issues/554
 		{Domain: "xn--oaoaaaoaoaoaooaoaoiuaiauiuaiauaaa-f1cadccdcmd01eddchqcbe07a.tld", Valid: true}, // https://github.com/foxcpp/maddy/issues/554
 	} {
 		if actual := address.ValidDomain(c.Domain); actual != c.Valid {
 			t.Errorf("expected domain %v to be valid=%v, but got %v", c.Domain, c.Valid, actual)
 		}
 	}
 }
--- a/framework/config/map.go
+++ b/framework/config/map.go
@ -134,6 +134,59 @@ func (m *Map) Enum(name string, inheritGlobal, required bool, allowed []string,
 	}, store)
 }
 // EnumMapped is similar to Map.Enum but maps a stirng to a custom type.
 func EnumMapped[V any](m *Map, name string, inheritGlobal, required bool, mapped map[string]V, defaultVal V, store *V) {
 	m.Custom(name, inheritGlobal, required, func() (interface{}, error) {
 		return defaultVal, nil
 	}, func(_ *Map, node Node) (interface{}, error) {
 		if len(node.Children) != 0 {
 			return nil, NodeErr(node, "can't declare a block here")
 		}
 		if len(node.Args) != 1 {
 			return nil, NodeErr(node, "expected exactly one argument")
 		}
 		val, ok := mapped[node.Args[0]]
 		if !ok {
 			validValues := make([]string, 0, len(mapped))
 			for k := range mapped {
 				validValues = append(validValues, k)
 			}
 			return nil, NodeErr(node, "invalid argument, valid values are: %v", validValues)
 		}
 		return val, nil
 	}, store)
 }
 // EnumListMapped is similar to Map.EnumList but maps a stirng to a custom type.
 func EnumListMapped[V any](m *Map, name string, inheritGlobal, required bool, mapped map[string]V, defaultVal []V, store *[]V) {
 	m.Custom(name, inheritGlobal, required, func() (interface{}, error) {
 		return defaultVal, nil
 	}, func(_ *Map, node Node) (interface{}, error) {
 		if len(node.Children) != 0 {
 			return nil, NodeErr(node, "can't declare a block here")
 		}
 		if len(node.Args) == 0 {
 			return nil, NodeErr(node, "expected at least one argument")
 		}
 		values := make([]V, 0, len(node.Args))
 		for _, arg := range node.Args {
 			val, ok := mapped[arg]
 			if !ok {
 				validValues := make([]string, 0, len(mapped))
 				for k := range mapped {
 					validValues = append(validValues, k)
 				}
 				return nil, NodeErr(node, "invalid argument, valid values are: %v", validValues)
 			}
 			values = append(values, val)
 		}
 		return values, nil
 	}, store)
 }
 // Duration maps configuration directive to a time.Duration variable.
 //
 // Directive must be in form 'name duration' where duration is any string accepted by
--- a/framework/config/module/interfaces.go
+++ b/framework/config/module/interfaces.go
@ -31,13 +31,14 @@ func MessageCheck(globals map[string]interface{}, args []string, block config.No
 	return check, nil
 }
-// deliveryDirective is a callback for use in config.Map.Custom.
+// DeliveryDirective is a callback for use in config.Map.Custom.
 //
 // It does all work necessary to create a module instance from the config
 // directive with the following structure:
-// directive_name mod_name [inst_name] [{
+//
-//   inline_mod_config
+//	directive_name mod_name [inst_name] [{
-// }]
+//	  inline_mod_config
 //	}]
 //
 // Note that if used configuration structure lacks directive_name before mod_name - this function
 // should not be used (call DeliveryTarget directly).
@ -77,6 +78,17 @@ func StorageDirective(m *config.Map, node config.Node) (interface{}, error) {
 	return backend, nil
 }
 // Table is a convenience wrapper for TableDirective.
 //
 //	cfg.Bool(...)
 //	modconfig.Table(cfg, "auth_map", false, false, nil, &mod.authMap)
 //	cfg.Process()
 func Table(cfg *config.Map, name string, inheritGlobal, required bool, defaultVal module.Table, store *module.Table) {
 	cfg.Custom(name, inheritGlobal, required, func() (interface{}, error) {
 		return defaultVal, nil
 	}, TableDirective, store)
 }
 func TableDirective(m *config.Map, node config.Node) (interface{}, error) {
 	var tbl module.Table
 	if err := ModuleFromNode("table", node.Args, node, m.Globals, &tbl); err != nil {
--- a/framework/module/auth.go
+++ b/framework/module/auth.go
@ -33,7 +33,7 @@ type PlainAuth interface {
 	AuthPlain(username, password string) error
 }
-// PlainUserDB is a local credentials store that can be managed using maddyctl
+// PlainUserDB is a local credentials store that can be managed using maddy command
 // utility.
 type PlainUserDB interface {
 	PlainAuth
--- a/framework/module/module_specific_data.go
+++ b/framework/module/module_specific_data.go
@ -49,6 +49,9 @@ func (msd *ModSpecificData) Set(m Module, perInstance bool, value interface{}) {
 	key := msd.modKey(m, perInstance)
 	msd.modDataLck.Lock()
 	defer msd.modDataLck.Unlock()
 	if msd.modData == nil {
 		msd.modData = make(map[string]interface{})
 	}
 	msd.modData[key] = value
 }
--- a/go.mod
+++ b/go.mod
@ -1,129 +1,147 @@
 module github.com/foxcpp/maddy
-go 1.17
+go 1.18
 require (
-	blitiri.com.ar/go/spf v1.4.0
+	blitiri.com.ar/go/spf v1.5.1
 	github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962
-	github.com/caddyserver/certmagic v0.16.1
+	github.com/caddyserver/certmagic v0.17.2
-	github.com/emersion/go-imap v1.2.1
+	github.com/emersion/go-imap v1.2.2-0.20220928192137-6fac715be9cf
 	github.com/emersion/go-imap-compress v0.0.0-20201103190257-14809af1d1b9
 	github.com/emersion/go-imap-sortthread v1.2.0
 	github.com/emersion/go-message v0.16.0
 	github.com/emersion/go-milter v0.3.3
 	github.com/emersion/go-msgauth v0.6.6
-	github.com/emersion/go-sasl v0.0.0-20211008083017-0b9dcfb154ac
+	github.com/emersion/go-sasl v0.0.0-20220912192320-0145f2c60ead
-	github.com/emersion/go-smtp v0.15.1-0.20220709111538-3b81564ed77e
+	github.com/emersion/go-smtp v0.16.0
 	github.com/foxcpp/go-dovecot-sasl v0.0.0-20200522223722-c4699d7a24bf
 	github.com/foxcpp/go-imap-backend-tests v0.0.0-20220105184719-e80aa29a5e16
 	github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005
-	github.com/foxcpp/go-imap-mess v0.0.0-20220625145025-3c40e241d099
+	github.com/foxcpp/go-imap-mess v0.0.0-20230108134257-b7ec3a649613
 	github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed
-	github.com/foxcpp/go-imap-sql v0.5.1-0.20220627220518-df3b66a5b04f
+	github.com/foxcpp/go-imap-sql v0.5.1-0.20230313080458-c0176dad679c
 	github.com/foxcpp/go-mockdns v1.0.0
 	github.com/foxcpp/go-mtasts v0.0.0-20191219193356-62bc3f1f74b8
-	github.com/go-ldap/ldap/v3 v3.4.3
+	github.com/go-ldap/ldap/v3 v3.4.4
-	github.com/go-sql-driver/mysql v1.6.0
+	github.com/go-sql-driver/mysql v1.7.0
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-hclog v1.4.0
 	github.com/johannesboyne/gofakes3 v0.0.0-20210704111953-6a9f95c2941c
 	github.com/lib/pq v1.10.6
-	github.com/libdns/alidns v1.0.2
+	github.com/libdns/alidns v1.0.3-0.20220501125541-4a895238a95d
-	github.com/libdns/cloudflare v0.1.0
+	github.com/libdns/cloudflare v0.1.1-0.20221006221909-9d3ab3c3cddd
 	github.com/libdns/digitalocean v0.0.0-20220518195853-a541bc8aa80f
-	github.com/libdns/gandi v1.0.2
+	github.com/libdns/gandi v1.0.3-0.20220921161957-dcd0274d2c79
-	github.com/libdns/googleclouddns v1.0.2
+	github.com/libdns/googleclouddns v1.1.0
 	github.com/libdns/hetzner v0.0.1
-	github.com/libdns/leaseweb v0.2.1
+	github.com/libdns/leaseweb v0.3.1
-	github.com/libdns/libdns v0.2.1
+	github.com/libdns/libdns v0.2.2-0.20221006221142-3ef90aee33fd
 	github.com/libdns/metaname v0.3.0
 	github.com/libdns/namecheap v0.0.0-20211109042440-fc7440785c8e
 	github.com/libdns/namedotcom v0.3.3
-	github.com/libdns/route53 v1.1.2
+	github.com/libdns/route53 v1.3.0
-	github.com/libdns/vultr v0.0.0-20211122184636-cd4cb5c12e51
+	github.com/libdns/vultr v0.0.0-20220906182619-5ea9da3d9625
 	github.com/mattn/go-sqlite3 v2.0.3+incompatible
 	github.com/miekg/dns v1.1.50
-	github.com/minio/minio-go/v7 v7.0.29
+	github.com/minio/minio-go/v7 v7.0.47
-	github.com/prometheus/client_golang v1.12.2
+	github.com/netauth/netauth v0.6.2-0.20220831214440-1df568cd25d6
-	github.com/urfave/cli/v2 v2.10.2
+	github.com/prometheus/client_golang v1.14.0
-	go.uber.org/zap v1.21.0
+	github.com/urfave/cli/v2 v2.24.3
-	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d
+	go.uber.org/zap v1.24.0
-	golang.org/x/net v0.0.0-20220622184535-263ec571b305
+	golang.org/x/crypto v0.5.0
-	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
+	golang.org/x/net v0.7.0
-	golang.org/x/text v0.3.7
+	golang.org/x/sync v0.1.0
 	golang.org/x/text v0.7.0
 )
 require (
-	cloud.google.com/go/compute v1.7.0 // indirect
+	cloud.google.com/go/compute v1.18.0 // indirect
-	github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/aws/aws-sdk-go v1.44.40 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.17.4 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.18.12 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.13.12 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.22 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.28 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.22 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.29 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.22 // indirect
 	github.com/aws/aws-sdk-go-v2/service/route53 v1.27.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.12.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.18.3 // indirect
 	github.com/aws/smithy-go v1.13.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/c0va23/go-proxyprotocol v0.9.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
-	github.com/digitalocean/godo v1.81.0 // indirect
+	github.com/digitalocean/godo v1.96.0 // indirect
-	github.com/dustin/go-humanize v1.0.0 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emersion/go-textwrapper v0.0.0-20200911093747-65d896831594 // indirect
-	github.com/fsnotify/fsnotify v1.4.9 // indirect
+	github.com/fatih/color v1.14.1 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/go-cmp v0.5.8 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.1 // indirect
-	github.com/googleapis/gax-go/v2 v2.4.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.7.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-hclog v0.9.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.15.6 // indirect
+	github.com/klauspost/compress v1.15.15 // indirect
-	github.com/klauspost/cpuid/v2 v2.0.14 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.3 // indirect
-	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mholt/acmez v1.0.2 // indirect
+	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mholt/acmez v1.0.4 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
 	github.com/minio/sha256-simd v1.0.0 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/mapstructure v1.4.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/netauth/netauth v0.6.2-0.20220831214440-1df568cd25d6 // indirect
 	github.com/netauth/protocol v0.0.0-20210918062754-7fee492ffcbd // indirect
-	github.com/pelletier/go-toml v1.9.3 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
 	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/common v0.35.0 // indirect
+	github.com/prometheus/common v0.39.0 // indirect
-	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/rs/xid v1.4.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/ryszard/goskiplist v0.0.0-20150312221310-2dfbae5fcf46 // indirect
 	github.com/shabbyrobe/gocovmerge v0.0.0-20180507124511-f6ea450bfb63 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
-	github.com/spf13/afero v1.6.0 // indirect
+	github.com/spf13/afero v1.9.3 // indirect
-	github.com/spf13/cast v1.3.1 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.8.1 // indirect
+	github.com/spf13/viper v1.15.0 // indirect
-	github.com/subosito/gotenv v1.2.0 // indirect
+	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/vultr/govultr/v2 v2.17.2 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
-	go.opencensus.io v0.23.0 // indirect
+	go.opencensus.io v0.24.0 // indirect
-	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/atomic v1.10.0 // indirect
-	go.uber.org/multierr v1.8.0 // indirect
+	go.uber.org/multierr v1.9.0 // indirect
-	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
+	golang.org/x/mod v0.7.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2 // indirect
+	golang.org/x/oauth2 v0.4.0 // indirect
-	golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664 // indirect
+	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/tools v0.1.11 // indirect
+	golang.org/x/time v0.3.0 // indirect
-	google.golang.org/api v0.85.0 // indirect
+	golang.org/x/tools v0.5.0 // indirect
 	google.golang.org/api v0.109.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220622171453-ea41d75dfa0f // indirect
+	google.golang.org/genproto v0.0.0-20230202175211-008b39050e57 // indirect
-	google.golang.org/grpc v1.47.0 // indirect
+	google.golang.org/grpc v1.52.3 // indirect
-	google.golang.org/protobuf v1.28.0 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
-	gopkg.in/ini.v1 v1.66.6 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools v2.2.0+incompatible // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/internal/auth/ldap/ldap.go
+++ b/internal/auth/ldap/ldap.go
@ -183,6 +183,7 @@ func (a *Auth) getConn() (*ldap.Conn, error) {
 	if a.conn == nil {
 		conn, err := a.newConn()
 		if err != nil {
 			a.connLock.Unlock()
 			return nil, err
 		}
 		a.conn = conn
@ -191,6 +192,7 @@ func (a *Auth) getConn() (*ldap.Conn, error) {
 		a.conn.Close()
 		conn, err := a.newConn()
 		if err != nil {
 			a.connLock.Unlock()
 			return nil, err
 		}
 		a.conn = conn
--- a/internal/auth/sasl.go
+++ b/internal/auth/sasl.go
@ -19,6 +19,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 package auth
 import (
 	"context"
 	"errors"
 	"fmt"
 	"net"
@ -28,6 +29,7 @@ import (
 	modconfig "github.com/foxcpp/maddy/framework/config/module"
 	"github.com/foxcpp/maddy/framework/log"
 	"github.com/foxcpp/maddy/framework/module"
 	"github.com/foxcpp/maddy/internal/authz"
 )
 var (
@ -38,12 +40,18 @@ var (
 // SASLAuth is a wrapper that initializes sasl.Server using authenticators that
 // call maddy module objects.
 //
 // It also handles username translation using auth_map and auth_map_normalize
 // (AuthMap and AuthMapNormalize should be set).
 //
 // It supports reporting of multiple authorization identities so multiple
 // accounts can be associated with a single set of credentials.
 type SASLAuth struct {
 	Log         log.Logger
 	OnlyFirstID bool
 	AuthMap       module.Table
 	AuthNormalize authz.NormalizeFunc
 	Plain []module.PlainAuth
 }
@ -57,6 +65,34 @@ func (s *SASLAuth) SASLMechanisms() []string {
 	return mechs
 }
 func (s *SASLAuth) usernameForAuth(ctx context.Context, saslUsername string) (string, error) {
 	if s.AuthNormalize != nil {
 		var err error
 		saslUsername, err = s.AuthNormalize(saslUsername)
 		if err != nil {
 			return "", err
 		}
 	}
 	if s.AuthMap == nil {
 		return saslUsername, nil
 	}
 	mapped, ok, err := s.AuthMap.Lookup(ctx, saslUsername)
 	if err != nil {
 		return "", err
 	}
 	if !ok {
 		return "", ErrInvalidAuthCred
 	}
 	if saslUsername != mapped {
 		s.Log.DebugMsg("using mapped username for authentication", "username", saslUsername, "mapped_username", mapped)
 	}
 	return mapped, nil
 }
 func (s *SASLAuth) AuthPlain(username, password string) error {
 	if len(s.Plain) == 0 {
 		return ErrUnsupportedMech
@ -64,6 +100,11 @@ func (s *SASLAuth) AuthPlain(username, password string) error {
 	var lastErr error
 	for _, p := range s.Plain {
 		username, err := s.usernameForAuth(context.TODO(), username)
 		if err != nil {
 			return err
 		}
 		lastErr = p.AuthPlain(username, password)
 		if lastErr == nil {
 			return nil
@ -81,6 +122,9 @@ func (s *SASLAuth) CreateSASL(mech string, remoteAddr net.Addr, successCb func(i
 			if identity == "" {
 				identity = username
 			}
 			if identity != username {
 				return ErrInvalidAuthCred
 			}
 			err := s.AuthPlain(username, password)
 			if err != nil {
--- a/internal/auth/sasl_test.go
+++ b/internal/auth/sasl_test.go
@ -75,13 +75,13 @@ func TestCreateSASL(t *testing.T) {
 	t.Run("PLAIN with authorization identity", func(t *testing.T) {
 		srv := a.CreateSASL("PLAIN", &net.TCPAddr{}, func(id string) error {
-			if id != "user1a" {
+			if id != "user1" {
 				t.Fatal("Wrong authorization identity passed:", id)
 			}
 			return nil
 		})
-		_, _, err := srv.Next([]byte("user1a\x00user1\x00aa"))
+		_, _, err := srv.Next([]byte("user1\x00user1\x00aa"))
 		if err != nil {
 			t.Error("Unexpected error:", err)
 		}
--- a/internal/authz/lookup.go
+++ b/internal/authz/lookup.go
@ -9,28 +9,30 @@ import (
 )
 func AuthorizeEmailUse(ctx context.Context, username string, addrs []string, mapping module.Table) (bool, error) {
 	var validEmails []string
 	if multi, ok := mapping.(module.MultiTable); ok {
 		var err error
 		validEmails, err = multi.LookupMulti(ctx, username)
 		if err != nil {
 			return false, fmt.Errorf("authz: %w", err)
 		}
 	} else {
 		validEmail, ok, err := mapping.Lookup(ctx, username)
 		if err != nil {
 			return false, fmt.Errorf("authz: %w", err)
 		}
 		if ok {
 			validEmails = []string{validEmail}
 		}
 	}
 	for _, addr := range addrs {
 		_, domain, err := address.Split(addr)
 		if err != nil {
 			return false, fmt.Errorf("authz: %w", err)
 		}
 		var validEmails []string
 		if multi, ok := mapping.(module.MultiTable); ok {
 			validEmails, err = multi.LookupMulti(ctx, username)
 			if err != nil {
 				return false, fmt.Errorf("authz: %w", err)
 			}
 		} else {
 			validEmail, ok, err := mapping.Lookup(ctx, username)
 			if err != nil {
 				return false, fmt.Errorf("authz: %w", err)
 			}
 			if ok {
 				validEmails = []string{validEmail}
 			}
 		}
 		for _, ent := range validEmails {
 			if ent == domain || ent == "*" || ent == addr {
 				return true, nil
--- a/internal/authz/normalization.go
+++ b/internal/authz/normalization.go
@ -7,9 +7,25 @@ import (
 	"golang.org/x/text/secure/precis"
 )
 type NormalizeFunc func(string) (string, error)
 func NormalizeNoop(s string) (string, error) {
 	return s, nil
 }
 // NormalizeAuto applies address.PRECISFold to valid emails and
 // plain UsernameCaseMapped profile to other strings.
 func NormalizeAuto(s string) (string, error) {
 	if address.Valid(s) {
 		return address.PRECISFold(s)
 	}
 	return precis.UsernameCaseMapped.CompareKey(s)
 }
 // NormalizeFuncs defines configurable normalization functions to be used
 // in authentication and authorization routines.
-var NormalizeFuncs = map[string]func(string) (string, error){
+var NormalizeFuncs = map[string]NormalizeFunc{
 	"auto":                  NormalizeAuto,
 	"precis_casefold_email": address.PRECISFold,
 	"precis_casefold":       precis.UsernameCaseMapped.CompareKey,
 	"precis_email":          address.PRECIS,
@ -17,7 +33,5 @@ var NormalizeFuncs = map[string]func(string) (string, error){
 	"casefold": func(s string) (string, error) {
 		return strings.ToLower(s), nil
 	},
-	"noop": func(s string) (string, error) {
+	"noop": NormalizeNoop,
 		return s, nil
 	},
 }
--- a/internal/check/authorize_sender/authorize_sender.go
+++ b/internal/check/authorize_sender/authorize_sender.go
@ -20,7 +20,6 @@ package authorize_sender
 import (
 	"context"
 	"fmt"
 	"net/mail"
 	"github.com/emersion/go-message/textproto"
@ -49,8 +48,8 @@ type Check struct {
 	noMatchAction modconfig.FailAction
 	errAction     modconfig.FailAction
-	fromNorm func(string) (string, error)
+	fromNorm authz.NormalizeFunc
-	authNorm func(string) (string, error)
+	authNorm authz.NormalizeFunc
 }
 func New(_, instName string, _, inlineArgs []string) (module.Module, error) {
@ -89,29 +88,15 @@ func (c *Check) Init(cfg *config.Map) error {
 		return modconfig.FailAction{Reject: true}, nil
 	}, modconfig.FailActionDirective, &c.errAction)
-	var (
+	config.EnumMapped(cfg, "auth_normalize", true, false, authz.NormalizeFuncs, authz.NormalizeAuto,
-		authNormalize string
+		&c.authNorm)
-		fromNormalize string
+	config.EnumMapped(cfg, "from_normalize", true, false, authz.NormalizeFuncs, authz.NormalizeAuto,
-		ok            bool
+		&c.fromNorm)
 	)
 	cfg.String("auth_normalize", false, false,
 		"precis_casefold_email", &authNormalize)
 	cfg.String("from_normalize", false, false,
 		"precis_casefold_email", &fromNormalize)
 	if _, err := cfg.Process(); err != nil {
 		return err
 	}
 	c.authNorm, ok = authz.NormalizeFuncs[authNormalize]
 	if !ok {
 		return fmt.Errorf("%v: unknown normalization function: %v", modName, authNormalize)
 	}
 	c.fromNorm, ok = authz.NormalizeFuncs[fromNormalize]
 	if !ok {
 		return fmt.Errorf("%v: unknown normalization function: %v", modName, fromNormalize)
 	}
 	return nil
 }
--- a/internal/cli/ctl/imapacct.go
+++ b/internal/cli/ctl/imapacct.go
@ -148,7 +148,7 @@ or other buffering takes effect.`,
 				{
 					Name:  "appendlimit",
 					Usage: "Query or set accounts's APPENDLIMIT value",
-					Description: `APPENDLIMIT value determines the size of a message that 
+					Description: `APPENDLIMIT value determines the size of a message that
 can be saved into a mailbox using IMAP APPEND command. This does not affect the size
 of messages that can be delivered to the mailbox from non-IMAP sources (e.g. SMTP).
@ -192,7 +192,7 @@ type SpecialUseUser interface {
 func imapAcctList(be module.Storage, ctx *cli.Context) error {
 	mbe, ok := be.(module.ManageableStorage)
 	if !ok {
-		return cli.Exit("Error: storage backend does not support accounts management using maddyctl", 2)
+		return cli.Exit("Error: storage backend does not support accounts management using maddy command", 2)
 	}
 	list, err := mbe.ListIMAPAccts()
@ -213,7 +213,7 @@ func imapAcctList(be module.Storage, ctx *cli.Context) error {
 func imapAcctCreate(be module.Storage, ctx *cli.Context) error {
 	mbe, ok := be.(module.ManageableStorage)
 	if !ok {
-		return cli.Exit("Error: storage backend does not support accounts management using maddyctl", 2)
+		return cli.Exit("Error: storage backend does not support accounts management using maddy command", 2)
 	}
 	username := ctx.Args().First()
@ -274,7 +274,7 @@ func imapAcctCreate(be module.Storage, ctx *cli.Context) error {
 func imapAcctRemove(be module.Storage, ctx *cli.Context) error {
 	mbe, ok := be.(module.ManageableStorage)
 	if !ok {
-		return cli.Exit("Error: storage backend does not support accounts management using maddyctl", 2)
+		return cli.Exit("Error: storage backend does not support accounts management using maddy command", 2)
 	}
 	username := ctx.Args().First()
--- a/internal/endpoint/dovecot_sasld/dovecot_sasl.go
+++ b/internal/endpoint/dovecot_sasld/dovecot_sasl.go
@ -28,9 +28,11 @@ import (
 	"github.com/emersion/go-sasl"
 	dovecotsasl "github.com/foxcpp/go-dovecot-sasl"
 	"github.com/foxcpp/maddy/framework/config"
 	modconfig "github.com/foxcpp/maddy/framework/config/module"
 	"github.com/foxcpp/maddy/framework/log"
 	"github.com/foxcpp/maddy/framework/module"
 	"github.com/foxcpp/maddy/internal/auth"
 	"github.com/foxcpp/maddy/internal/authz"
 )
 const modName = "dovecot_sasld"
@ -42,6 +44,9 @@ type Endpoint struct {
 	listenersWg sync.WaitGroup
 	authNormalize authz.NormalizeFunc
 	authMap       module.Table
 	srv *dovecotsasl.Server
 }
@ -67,6 +72,9 @@ func (endp *Endpoint) Init(cfg *config.Map) error {
 	cfg.Callback("auth", func(m *config.Map, node config.Node) error {
 		return endp.saslAuth.AddProvider(m, node)
 	})
 	config.EnumMapped(cfg, "auth_map_normalize", true, false, authz.NormalizeFuncs, authz.NormalizeAuto,
 		&endp.authNormalize)
 	modconfig.Table(cfg, "auth_map", true, false, nil, &endp.authMap)
 	if _, err := cfg.Process(); err != nil {
 		return err
 	}
@ -74,6 +82,8 @@ func (endp *Endpoint) Init(cfg *config.Map) error {
 	endp.srv = dovecotsasl.NewServer()
 	endp.srv.Log = stdlog.New(endp.log, "", 0)
 	endp.saslAuth.AuthMap = endp.authMap
 	endp.saslAuth.AuthNormalize = endp.authNormalize
 	for _, mech := range endp.saslAuth.SASLMechanisms() {
 		mech := mech
 		endp.srv.AddMechanism(mech, mechInfo[mech], func(req *dovecotsasl.AuthReq) sasl.Server {
--- a/internal/endpoint/imap/imap.go
+++ b/internal/endpoint/imap/imap.go
@ -19,6 +19,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 package imap
 import (
 	"context"
 	"crypto/tls"
 	"errors"
 	"fmt"
@ -42,20 +43,28 @@ import (
 	"github.com/foxcpp/maddy/framework/log"
 	"github.com/foxcpp/maddy/framework/module"
 	"github.com/foxcpp/maddy/internal/auth"
 	"github.com/foxcpp/maddy/internal/authz"
 	"github.com/foxcpp/maddy/internal/proxy_protocol"
 	"github.com/foxcpp/maddy/internal/updatepipe"
 )
 type Endpoint struct {
-	addrs     []string
+	addrs         []string
-	serv      *imapserver.Server
+	serv          *imapserver.Server
-	listeners []net.Listener
+	listeners     []net.Listener
-	Store     module.Storage
+	proxyProtocol *proxy_protocol.ProxyProtocol
 	Store         module.Storage
 	tlsConfig   *tls.Config
 	listenersWg sync.WaitGroup
 	saslAuth auth.SASLAuth
 	storageNormalize authz.NormalizeFunc
 	storageMap       module.Table
 	authNormalize    authz.NormalizeFunc
 	authMap          module.Table
 	Log log.Logger
 }
@ -83,10 +92,17 @@ func (endp *Endpoint) Init(cfg *config.Map) error {
 	})
 	cfg.Custom("storage", false, true, nil, modconfig.StorageDirective, &endp.Store)
 	cfg.Custom("tls", true, true, nil, tls2.TLSDirective, &endp.tlsConfig)
 	cfg.Custom("proxy_protocol", false, false, nil, proxy_protocol.ProxyProtocolDirective, &endp.proxyProtocol)
 	cfg.Bool("insecure_auth", false, false, &insecureAuth)
 	cfg.Bool("io_debug", false, false, &ioDebug)
 	cfg.Bool("io_errors", false, false, &ioErrors)
 	cfg.Bool("debug", true, false, &endp.Log.Debug)
 	config.EnumMapped(cfg, "storage_map_normalize", false, false, authz.NormalizeFuncs, authz.NormalizeAuto,
 		&endp.storageNormalize)
 	modconfig.Table(cfg, "storage_map", false, false, nil, &endp.storageMap)
 	config.EnumMapped(cfg, "auth_map_normalize", true, false, authz.NormalizeFuncs, authz.NormalizeAuto,
 		&endp.authNormalize)
 	modconfig.Table(cfg, "auth_map", true, false, nil, &endp.authMap)
 	if _, err := cfg.Process(); err != nil {
 		return err
 	}
@ -123,6 +139,8 @@ func (endp *Endpoint) Init(cfg *config.Map) error {
 		return err
 	}
 	endp.saslAuth.AuthNormalize = endp.authNormalize
 	endp.saslAuth.AuthMap = endp.authMap
 	for _, mech := range endp.saslAuth.SASLMechanisms() {
 		mech := mech
 		endp.serv.EnableAuth(mech, func(c imapserver.Conn) sasl.Server {
@ -152,6 +170,10 @@ func (endp *Endpoint) setupListeners(addresses []config.Endpoint) error {
 			l = tls.NewListener(l, endp.tlsConfig)
 		}
 		if endp.proxyProtocol != nil {
 			l = proxy_protocol.NewListener(l, endp.proxyProtocol, endp.Log)
 		}
 		endp.listeners = append(endp.listeners, l)
 		endp.listenersWg.Add(1)
@ -194,8 +216,63 @@ func (endp *Endpoint) Close() error {
 	return nil
 }
 func (endp *Endpoint) usernameForAuth(ctx context.Context, saslUsername string) (string, error) {
 	saslUsername, err := endp.authNormalize(saslUsername)
 	if err != nil {
 		return "", err
 	}
 	if endp.authMap == nil {
 		return saslUsername, nil
 	}
 	mapped, ok, err := endp.authMap.Lookup(ctx, saslUsername)
 	if err != nil {
 		return "", err
 	}
 	if !ok {
 		return "", imapbackend.ErrInvalidCredentials
 	}
 	return mapped, nil
 }
 func (endp *Endpoint) usernameForStorage(ctx context.Context, saslUsername string) (string, error) {
 	saslUsername, err := endp.storageNormalize(saslUsername)
 	if err != nil {
 		return "", err
 	}
 	if endp.storageMap == nil {
 		return saslUsername, nil
 	}
 	mapped, ok, err := endp.storageMap.Lookup(ctx, saslUsername)
 	if err != nil {
 		return "", err
 	}
 	if !ok {
 		return "", imapbackend.ErrInvalidCredentials
 	}
 	if saslUsername != mapped {
 		endp.Log.DebugMsg("using mapped username for storage", "username", saslUsername, "mapped_username", mapped)
 	}
 	return mapped, nil
 }
 func (endp *Endpoint) openAccount(c imapserver.Conn, identity string) error {
-	u, err := endp.Store.GetOrCreateIMAPAcct(identity)
+	username, err := endp.usernameForStorage(context.TODO(), identity)
 	if err != nil {
 		if errors.Is(err, imapbackend.ErrInvalidCredentials) {
 			return err
 		}
 		endp.Log.Error("failed to determine storage account name", err, "username", username)
 		return fmt.Errorf("internal server error")
 	}
 	u, err := endp.Store.GetOrCreateIMAPAcct(username)
 	if err != nil {
 		return err
 	}
@ -206,13 +283,23 @@ func (endp *Endpoint) openAccount(c imapserver.Conn, identity string) error {
 }
 func (endp *Endpoint) Login(connInfo *imap.ConnInfo, username, password string) (imapbackend.User, error) {
 	// saslAuth handles AuthMap calling.
 	err := endp.saslAuth.AuthPlain(username, password)
 	if err != nil {
 		endp.Log.Error("authentication failed", err, "username", username, "src_ip", connInfo.RemoteAddr)
 		return nil, imapbackend.ErrInvalidCredentials
 	}
-	return endp.Store.GetOrCreateIMAPAcct(username)
+	storageUsername, err := endp.usernameForStorage(context.TODO(), username)
 	if err != nil {
 		if errors.Is(err, imapbackend.ErrInvalidCredentials) {
 			return nil, err
 		}
 		endp.Log.Error("authentication failed due to an internal error", err, "username", username, "src_ip", connInfo.RemoteAddr)
 		return nil, fmt.Errorf("internal server error")
 	}
 	return endp.Store.GetOrCreateIMAPAcct(storageUsername)
 }
 func (endp *Endpoint) I18NLevel() int {
--- a/internal/endpoint/smtp/session.go
+++ b/internal/endpoint/smtp/session.go
@ -107,10 +107,15 @@ func (s *Session) Reset() {
 }
 func (s *Session) releaseLimits() {
-	_, domain, err := address.Split(s.mailFrom)
+	domain := ""
-	if err != nil {
+	if s.mailFrom != "" {
-		return
+		var err error
 		_, domain, err = address.Split(s.mailFrom)
 		if err != nil {
 			return
 		}
 	}
 	addr, ok := s.msgMeta.Conn.RemoteAddr.(*net.TCPAddr)
 	if !ok {
 		addr = &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1)}
@ -149,6 +154,7 @@ func (s *Session) AuthPlain(username, password string) error {
 		return s.endp.wrapErr("", true, "AUTH", err)
 	}
 	// saslAuth will handle AuthMap and AuthNormalize.
 	err := s.endp.saslAuth.AuthPlain(username, password)
 	if err != nil {
 		s.endp.Log.Error("authentication failed", err, "username", username, "src_ip", s.connState.RemoteAddr)
--- a/internal/endpoint/smtp/smtp.go
+++ b/internal/endpoint/smtp/smtp.go
@ -43,20 +43,23 @@ import (
 	"github.com/foxcpp/maddy/framework/log"
 	"github.com/foxcpp/maddy/framework/module"
 	"github.com/foxcpp/maddy/internal/auth"
 	"github.com/foxcpp/maddy/internal/authz"
 	"github.com/foxcpp/maddy/internal/limits"
 	"github.com/foxcpp/maddy/internal/msgpipeline"
 	"github.com/foxcpp/maddy/internal/proxy_protocol"
 	"golang.org/x/net/idna"
 )
 type Endpoint struct {
-	saslAuth  auth.SASLAuth
+	saslAuth      auth.SASLAuth
-	serv      *smtp.Server
+	serv          *smtp.Server
-	name      string
+	name          string
-	addrs     []string
+	addrs         []string
-	listeners []net.Listener
+	listeners     []net.Listener
-	pipeline  *msgpipeline.MsgPipeline
+	proxyProtocol *proxy_protocol.ProxyProtocol
-	resolver  dns.Resolver
+	pipeline      *msgpipeline.MsgPipeline
-	limits    *limits.Group
+	resolver      dns.Resolver
 	limits        *limits.Group
 	buffer func(r io.Reader) (buffer.Buffer, error)
@ -68,6 +71,9 @@ type Endpoint struct {
 	maxReceived         int
 	maxHeaderBytes      int
 	authNormalize authz.NormalizeFunc
 	authMap       module.Table
 	listenersWg sync.WaitGroup
 	Log log.Logger
@ -242,6 +248,9 @@ func (endp *Endpoint) setConfig(cfg *config.Map) error {
 		return endp.saslAuth.AddProvider(m, node)
 	})
 	cfg.String("hostname", true, true, "", &hostname)
 	config.EnumMapped(cfg, "auth_map_normalize", true, false, authz.NormalizeFuncs, authz.NormalizeAuto,
 		&endp.authNormalize)
 	modconfig.Table(cfg, "auth_map", true, false, nil, &endp.authMap)
 	cfg.Duration("write_timeout", false, false, 1*time.Minute, &endp.serv.WriteTimeout)
 	cfg.Duration("read_timeout", false, false, 10*time.Minute, &endp.serv.ReadTimeout)
 	cfg.DataSize("max_message_size", false, false, 32*1024*1024, &endp.serv.MaxMessageBytes)
@ -256,6 +265,7 @@ func (endp *Endpoint) setConfig(cfg *config.Map) error {
 		return autoBufferMode(1*1024*1024 /* 1 MiB */, path), nil
 	}, bufferModeDirective, &endp.buffer)
 	cfg.Custom("tls", true, endp.name != "lmtp", nil, tls2.TLSDirective, &endp.serv.TLSConfig)
 	cfg.Custom("proxy_protocol", false, false, nil, proxy_protocol.ProxyProtocolDirective, &endp.proxyProtocol)
 	cfg.Bool("insecure_auth", endp.name == "lmtp", false, &endp.serv.AllowInsecureAuth)
 	cfg.Int("smtp_max_line_length", false, false, 4000, &endp.serv.MaxLineLength)
 	cfg.Bool("io_debug", false, false, &ioDebug)
@ -299,6 +309,8 @@ func (endp *Endpoint) setConfig(cfg *config.Map) error {
 			return fmt.Errorf("%s: auth. provider must be set for submission endpoint", endp.name)
 		}
 	}
 	endp.saslAuth.AuthNormalize = endp.authNormalize
 	endp.saslAuth.AuthMap = endp.authMap
 	for _, mech := range endp.saslAuth.SASLMechanisms() {
 		// The code below lacks handling to set AuthPassword. Don't
 		// override sasl.Plain handler so Login() will be called as usual.
@ -341,6 +353,10 @@ func (endp *Endpoint) setupListeners(addresses []config.Endpoint) error {
 			l = tls.NewListener(l, endp.serv.TLSConfig)
 		}
 		if endp.proxyProtocol != nil {
 			l = proxy_protocol.NewListener(l, endp.proxyProtocol, endp.Log)
 		}
 		endp.listeners = append(endp.listeners, l)
 		endp.listenersWg.Add(1)
@ -356,6 +372,31 @@ func (endp *Endpoint) setupListeners(addresses []config.Endpoint) error {
 	return nil
 }
 func (endp *Endpoint) usernameForAuth(ctx context.Context, saslUsername string) (string, error) {
 	saslUsername, err := endp.authNormalize(saslUsername)
 	if err != nil {
 		return "", err
 	}
 	if endp.authMap == nil {
 		return saslUsername, nil
 	}
 	mapped, ok, err := endp.authMap.Lookup(ctx, saslUsername)
 	if err != nil {
 		return "", err
 	}
 	if !ok {
 		return "", &smtp.SMTPError{
 			Code:         535,
 			EnhancedCode: smtp.EnhancedCode{5, 7, 8},
 			Message:      "Invalid credentials",
 		}
 	}
 	return mapped, nil
 }
 func (endp *Endpoint) NewSession(conn *smtp.Conn) (smtp.Session, error) {
 	sess := endp.newSession(conn)
--- a/internal/proxy_protocol/proxy_protocol.go
+++ b/internal/proxy_protocol/proxy_protocol.go
@ -0,0 +1,86 @@
 package proxy_protocol
 import (
 	"crypto/tls"
 	"net"
 	"strings"
 	"github.com/c0va23/go-proxyprotocol"
 	"github.com/foxcpp/maddy/framework/config"
 	tls2 "github.com/foxcpp/maddy/framework/config/tls"
 	"github.com/foxcpp/maddy/framework/log"
 )
 type ProxyProtocol struct {
 	trust     []net.IPNet
 	tlsConfig *tls.Config
 }
 func ProxyProtocolDirective(_ *config.Map, node config.Node) (interface{}, error) {
 	p := ProxyProtocol{}
 	childM := config.NewMap(nil, node)
 	var trustList []string
 	childM.StringList("trust", false, false, nil, &trustList)
 	childM.Custom("tls", true, false, nil, tls2.TLSDirective, &p.tlsConfig)
 	if _, err := childM.Process(); err != nil {
 		return nil, err
 	}
 	if len(node.Args) > 0 {
 		if trustList == nil {
 			trustList = make([]string, 0)
 		}
 		trustList = append(trustList, node.Args...)
 	}
 	for _, trust := range trustList {
 		if !strings.Contains(trust, "/") {
 			trust += "/32"
 		}
 		_, ipNet, err := net.ParseCIDR(trust)
 		if err != nil {
 			return nil, err
 		}
 		p.trust = append(p.trust, *ipNet)
 	}
 	return &p, nil
 }
 func NewListener(inner net.Listener, p *ProxyProtocol, logger log.Logger) net.Listener {
 	var listener net.Listener
 	sourceChecker := func(upstream net.Addr) (bool, error) {
 		if tcpAddr, ok := upstream.(*net.TCPAddr); ok {
 			if len(p.trust) == 0 {
 				return true, nil
 			}
 			for _, trusted := range p.trust {
 				if trusted.Contains(tcpAddr.IP) {
 					return true, nil
 				}
 			}
 		} else if _, ok := upstream.(*net.UnixAddr); ok {
 			// UNIX local socket connection, always trusted
 			return true, nil
 		}
 		logger.Printf("proxy_protocol: connection from untrusted source %s", upstream)
 		return false, nil
 	}
 	listener = proxyprotocol.NewDefaultListener(inner).
 		WithLogger(proxyprotocol.LoggerFunc(func(format string, v ...interface{}) {
 			logger.Debugf("proxy_protocol: "+format, v...)
 		})).
 		WithSourceChecker(sourceChecker)
 	if p.tlsConfig != nil {
 		listener = tls.NewListener(listener, p.tlsConfig)
 	}
 	return listener
 }
--- a/internal/storage/blob/s3/s3.go
+++ b/internal/storage/blob/s3/s3.go
@ -15,6 +15,14 @@ import (
 const modName = "storage.blob.s3"
 const (
 	credsTypeFileMinio = "file_minio"
 	credsTypeFileAWS   = "file_aws"
 	credsTypeAccessKey = "access_key"
 	credsTypeIAM       = "iam"
 	credsTypeDefault   = credsTypeAccessKey
 )
 type Store struct {
 	instName string
 	log      log.Logger
@ -42,6 +50,7 @@ func (s *Store) Init(cfg *config.Map) error {
 		secure          bool
 		accessKeyID     string
 		secretAccessKey string
 		credsType       string
 		location        string
 	)
 	cfg.String("endpoint", false, true, "", &s.endpoint)
@ -51,6 +60,7 @@ func (s *Store) Init(cfg *config.Map) error {
 	cfg.String("bucket", false, true, "", &s.bucketName)
 	cfg.String("region", false, false, "", &location)
 	cfg.String("object_prefix", false, false, "", &s.objectPrefix)
 	cfg.String("creds", false, false, credsTypeDefault, &credsType)
 	if _, err := cfg.Process(); err != nil {
 		return err
@ -59,8 +69,23 @@ func (s *Store) Init(cfg *config.Map) error {
 		return fmt.Errorf("%s: endpoint not set", modName)
 	}
 	var creds *credentials.Credentials
 	switch credsType {
 	case credsTypeFileMinio:
 		creds = credentials.NewFileMinioClient("", "")
 	case credsTypeFileAWS:
 		creds = credentials.NewFileAWSCredentials("", "")
 	case credsTypeIAM:
 		creds = credentials.NewIAM("")
 	case credsTypeAccessKey:
 		creds = credentials.NewStaticV4(accessKeyID, secretAccessKey, "")
 	default:
 		creds = credentials.NewStaticV4(accessKeyID, secretAccessKey, "")
 	}
 	cl, err := minio.New(s.endpoint, &minio.Options{
-		Creds:  credentials.NewStaticV4(accessKeyID, secretAccessKey, ""),
+		Creds:  creds,
 		Secure: secure,
 		Region: location,
 	})
--- a/internal/storage/imapsql/imapsql.go
+++ b/internal/storage/imapsql/imapsql.go
@ -151,7 +151,7 @@ func (store *Storage) Init(cfg *config.Map) error {
 	cfg.Custom("auth_map", false, false, func() (interface{}, error) {
 		return nil, nil
 	}, modconfig.TableDirective, &store.authMap)
-	cfg.String("auth_normalize", false, false, "precis_casefold_email", &authNormalize)
+	cfg.String("auth_normalize", false, false, "auto", &authNormalize)
 	cfg.Custom("delivery_map", false, false, func() (interface{}, error) {
 		return nil, nil
 	}, modconfig.TableDirective, &store.deliveryMap)
@ -189,6 +189,9 @@ func (store *Storage) Init(cfg *config.Map) error {
 		}
 	}
 	if authNormalize != "auto" {
 		store.Log.Msg("auth_normalize in storage.imapsql is deprecated and will be removed in the next release, use storage_map in imap config instead")
 	}
 	authNormFunc, ok := authz.NormalizeFuncs[authNormalize]
 	if !ok {
 		return errors.New("imapsql: unknown normalization function: " + authNormalize)
@ -197,6 +200,7 @@ func (store *Storage) Init(cfg *config.Map) error {
 		return authNormFunc(s)
 	}
 	if store.authMap != nil {
 		store.Log.Msg("auth_map in storage.imapsql is deprecated and will be removed in the next release, use storage_map in imap config instead")
 		store.authNormalize = func(ctx context.Context, username string) (string, error) {
 			username, err := authNormFunc(username)
 			if err != nil {
@ -397,8 +401,8 @@ func (store *Storage) Close() error {
 	store.Back.Close()
 	// Wait for 'updates replicate' goroutine to actually stop so we will send
-	// all updates before shuting down (this is especially important for
+	// all updates before shutting down (this is especially important for
-	// maddyctl).
+	// maddy subcommands).
 	if store.updPipe != nil {
 		close(store.outboundUpds)
 		<-store.updPushStop
--- a/internal/table/email_localpart.go
+++ b/internal/table/email_localpart.go
@ -27,14 +27,16 @@ import (
 )
 type EmailLocalpart struct {
-	modName  string
+	modName       string
-	instName string
+	instName      string
 	allowNonEmail bool
 }
 func NewEmailLocalpart(modName, instName string, _, _ []string) (module.Module, error) {
 	return &EmailLocalpart{
-		modName:  modName,
+		modName:       modName,
-		instName: instName,
+		instName:      instName,
 		allowNonEmail: modName == "table.email_localpart_optional",
 	}, nil
 }
@ -53,6 +55,9 @@ func (s *EmailLocalpart) InstanceName() string {
 func (s *EmailLocalpart) Lookup(ctx context.Context, key string) (string, bool, error) {
 	mbox, _, err := address.Split(key)
 	if err != nil {
 		if s.allowNonEmail {
 			return key, true, nil
 		}
 		// Invalid email, no local part mapping.
 		return "", false, nil
 	}
@ -61,4 +66,5 @@ func (s *EmailLocalpart) Lookup(ctx context.Context, key string) (string, bool,
 func init() {
 	module.Register("table.email_localpart", NewEmailLocalpart)
 	module.Register("table.email_localpart_optional", NewEmailLocalpart)
 }
--- a/internal/table/email_with_domain.go
+++ b/internal/table/email_with_domain.go
@ -0,0 +1,89 @@
 /*
 Maddy Mail Server - Composable all-in-one email server.
 Copyright © 2019-2020 Max Mazurov <fox.cpp@disroot.org>, Maddy Mail Server contributors
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or
 (at your option) any later version.
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */
 package table
 import (
 	"context"
 	"fmt"
 	"github.com/foxcpp/maddy/framework/address"
 	"github.com/foxcpp/maddy/framework/config"
 	"github.com/foxcpp/maddy/framework/log"
 	"github.com/foxcpp/maddy/framework/module"
 )
 type EmailWithDomain struct {
 	modName  string
 	instName string
 	domains  []string
 	log      log.Logger
 }
 func NewEmailWithDomain(modName, instName string, _, inlineArgs []string) (module.Module, error) {
 	return &EmailWithDomain{
 		modName:  modName,
 		instName: instName,
 		domains:  inlineArgs,
 		log:      log.Logger{Name: modName},
 	}, nil
 }
 func (s *EmailWithDomain) Init(cfg *config.Map) error {
 	for _, d := range s.domains {
 		if !address.ValidDomain(d) {
 			return fmt.Errorf("%s: invalid domain: %s", s.modName, d)
 		}
 	}
 	if len(s.domains) == 0 {
 		return fmt.Errorf("%s: at least one domain is required", s.modName)
 	}
 	return nil
 }
 func (s *EmailWithDomain) Name() string {
 	return s.modName
 }
 func (s *EmailWithDomain) InstanceName() string {
 	return s.modName
 }
 func (s *EmailWithDomain) Lookup(ctx context.Context, key string) (string, bool, error) {
 	quotedMbox := address.QuoteMbox(key)
 	if len(s.domains) == 0 {
 		s.log.Msg("only first domain is used when expanding key", "key", key, "domain", s.domains[0])
 	}
 	return quotedMbox + "@" + s.domains[0], true, nil
 }
 func (s *EmailWithDomain) LookupMulti(ctx context.Context, key string) ([]string, error) {
 	quotedMbox := address.QuoteMbox(key)
 	emails := make([]string, len(s.domains))
 	for i, domain := range s.domains {
 		emails[i] = quotedMbox + "@" + domain
 	}
 	return emails, nil
 }
 func init() {
 	module.Register("table.email_with_domain", NewEmailWithDomain)
 }
--- a/internal/table/file.go
+++ b/internal/table/file.go
@ -124,44 +124,61 @@ func (f *File) reloader() {
 	for {
 		select {
 		case <-t.C:
-			info, err := os.Stat(f.file)
+			f.reload()
-			if err != nil {
+
 				if os.IsNotExist(err) {
 					f.mLck.Lock()
 					f.m = map[string][]string{}
 					f.mStamp = time.Now()
 					f.mLck.Unlock()
 					continue
 				}
 				f.log.Error("os stat", err)
 			}
 			if info.ModTime().Before(f.mStamp) {
 				continue // reload not necessary
 			}
 		case <-f.forceReload:
 			f.reload()
 		case <-f.stopReloader:
 			f.stopReloader <- struct{}{}
 			return
 		}
 	}
 }
-		f.log.Debugf("reloading")
+func (f *File) reload() {
 	info, err := os.Stat(f.file)
 	if err != nil {
 		if os.IsNotExist(err) {
 			f.mLck.Lock()
 			f.m = map[string][]string{}
 			f.mLck.Unlock()
 			return
 		}
 		f.log.Error("os stat", err)
 	}
 	if info.ModTime().Before(f.mStamp) || time.Since(info.ModTime()) < (reloadInterval/2) {
 		return // reload not necessary
 	}
-		newm := make(map[string][]string, len(f.m)+5)
+	f.log.Debugf("reloading")
 		if err := readFile(f.file, newm); err != nil {
 			if os.IsNotExist(err) {
 				f.log.Printf("ignoring non-existent file: %s", f.file)
 				continue
 			}
-			f.log.Println(err)
+	newm := make(map[string][]string, len(f.m)+5)
-			continue
+	if err := readFile(f.file, newm); err != nil {
 		if os.IsNotExist(err) {
 			f.log.Printf("ignoring non-existent file: %s", f.file)
 			return
 		}
-		f.mLck.Lock()
+		f.log.Println(err)
-		f.m = newm
+		return
 		f.mStamp = time.Now()
 		f.mLck.Unlock()
 	}
 	// after reading we need to check whether file has changed in between
 	info2, err := os.Stat(f.file)
 	if err != nil {
 		f.log.Println(err)
 		return
 	}
 	if !info2.ModTime().Equal(info.ModTime()) {
 		// file has changed in the meantime
 		return
 	}
 	f.mLck.Lock()
 	f.m = newm
 	f.mStamp = info.ModTime()
 	f.mLck.Unlock()
 }
 func (f *File) Close() error {
--- a/internal/table/file_test.go
+++ b/internal/table/file_test.go
@ -111,28 +111,27 @@ func TestFileReload(t *testing.T) {
 		t.Fatal(err)
 	}
-	// This delay is somehow important. Not sure why.
+	// ensure it is correctly loaded at first time.
-	time.Sleep(500 * time.Millisecond)
+	m.mLck.RLock()
-
+	if m.m["cat"] == nil {
-	if err := ioutil.WriteFile(f.Name(), []byte("dog: cat"), os.ModePerm); err != nil {
+		t.Fatalf("wrong content loaded, new m were not loaded, %v", m.m)
 		t.Fatal(err)
 	}
 	m.mLck.RUnlock()
-	for i := 0; i < 10; i++ {
+	for i := 0; i < 100; i++ {
-		time.Sleep(reloadInterval + 50*time.Millisecond)
+		// try to provoke race condition on file writing
 		if i%2 == 0 {
 			if err := os.WriteFile(f.Name(), []byte("dog: cat"), os.ModePerm); err != nil {
 				t.Fatal(err)
 			}
 		}
 		time.Sleep(reloadInterval + 5*time.Millisecond)
 		m.mLck.RLock()
-		if m.m["dog"] != nil {
+		if m.m["dog"] == nil {
-			m.mLck.RUnlock()
+			t.Fatalf("wrong content loaded, new m were not loaded, %v", m.m)
 			break
 		}
 		m.mLck.RUnlock()
 	}
 	m.mLck.RLock()
 	defer m.mLck.RUnlock()
 	if m.m["dog"] == nil {
 		t.Fatal("New m were not loaded")
 	}
 }
 func TestFileReload_Broken(t *testing.T) {
@ -208,9 +207,6 @@ func TestFileReload_Removed(t *testing.T) {
 		t.Fatal(err)
 	}
 	// This delay is somehow important. Not sure why.
 	time.Sleep(250 * time.Millisecond)
 	os.Remove(f.Name())
 	time.Sleep(3 * reloadInterval)
@ -223,5 +219,5 @@ func TestFileReload_Removed(t *testing.T) {
 }
 func init() {
-	reloadInterval = 250 * time.Millisecond
+	reloadInterval = 10 * time.Millisecond
 }
--- a/internal/target/remote/connect.go
+++ b/internal/target/remote/connect.go
@ -238,7 +238,7 @@ func (rd *remoteDelivery) connectionForDomain(ctx context.Context, domain string
 			return nil, &exterrors.SMTPError{
 				Code:         550,
 				EnhancedCode: exterrors.EnhancedCode{5, 7, 30},
-				Message:      "Failed to estabilish the MX record authenticity (REQUIRETLS)",
+				Message:      "Failed to establish the MX record authenticity (REQUIRETLS)",
 				Misc: map[string]interface{}{
 					"mx_level": conn.mxLevel,
 				},
--- a/internal/target/remote/remote_test.go
+++ b/internal/target/remote/remote_test.go
@ -982,7 +982,8 @@ func TestRemoteDelivery_TLS_FallbackNoVerify(t *testing.T) {
 	be.CheckMsg(t, 0, "test@example.com", []string{"test@example.invalid"})
 	// But it should still be delivered over TLS.
-	if !be.Messages[0].State.TLS.HandshakeComplete {
+	tlsState, ok := be.Messages[0].Conn.TLSConnectionState()
 	if !ok || !tlsState.HandshakeComplete {
 		t.Fatal("Message was not delivered over TLS")
 	}
 }
--- a/internal/target/remote/security.go
+++ b/internal/target/remote/security.go
@ -180,7 +180,7 @@ func (c *mtastsDelivery) CheckMX(ctx context.Context, mxLevel module.MXLevel, do
 			return module.MXNone, &exterrors.SMTPError{
 				Code:         550,
 				EnhancedCode: exterrors.EnhancedCode{5, 7, 0},
-				Message:      "Failed to estabilish the module.MX record authenticity (MTA-STS)",
+				Message:      "Failed to establish the module.MX record authenticity (MTA-STS)",
 			}
 		}
 		c.log.Msg("MX does not match published non-enforced MTA-STS policy", "mx", mx, "domain", c.domain)
@ -608,7 +608,7 @@ func (l localPolicy) CheckMX(ctx context.Context, mxLevel module.MXLevel, domain
 			// a temporary error (we can't know with the current design).
 			Code:         451,
 			EnhancedCode: exterrors.EnhancedCode{4, 7, 0},
-			Message:      "Failed to estabilish the module.MX record authenticity",
+			Message:      "Failed to establish the module.MX record authenticity",
 			Misc: map[string]interface{}{
 				"mx_level": mxLevel,
 			},
--- a/internal/target/smtp/smtp_downstream_test.go
+++ b/internal/target/smtp/smtp_downstream_test.go
@ -229,8 +229,10 @@ func TestDownstreamDelivery_AttemptTLS(t *testing.T) {
 	testutils.DoTestDelivery(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
 	be.CheckMsg(t, 0, "test@example.invalid", []string{"rcpt@example.invalid"})
-	if !be.Messages[0].State.TLS.HandshakeComplete {
+
-		t.Error("Expected TLS to be used, but it was not")
+	tlsState, ok := be.Messages[0].Conn.TLSConnectionState()
 	if !ok || !tlsState.HandshakeComplete {
 		t.Fatal("Message was not delivered over TLS")
 	}
 }
@ -278,8 +280,9 @@ func TestDownstreamDelivery_RequireTLS(t *testing.T) {
 	testutils.DoTestDelivery(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
 	be.CheckMsg(t, 0, "test@example.invalid", []string{"rcpt@example.invalid"})
-	if !be.Messages[0].State.TLS.HandshakeComplete {
+	tlsState, ok := be.Messages[0].Conn.TLSConnectionState()
-		t.Error("Expected TLS to be used, but it was not")
+	if !ok || !tlsState.HandshakeComplete {
 		t.Fatal("Message was not delivered over TLS")
 	}
 }
@ -305,8 +308,9 @@ func TestDownstreamDelivery_RequireTLS_Implicit(t *testing.T) {
 	testutils.DoTestDelivery(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
 	be.CheckMsg(t, 0, "test@example.invalid", []string{"rcpt@example.invalid"})
-	if !be.Messages[0].State.TLS.HandshakeComplete {
+	tlsState, ok := be.Messages[0].Conn.TLSConnectionState()
-		t.Error("Expected TLS to be used, but it was not")
+	if !ok || !tlsState.HandshakeComplete {
 		t.Fatal("Message was not delivered over TLS")
 	}
 }
--- a/internal/target/smtp/smtputf8_test.go
+++ b/internal/target/smtp/smtputf8_test.go
@ -51,7 +51,7 @@ func TestDownstreamDelivery_EHLO_ALabel(t *testing.T) {
 	testutils.DoTestDelivery(t, tgt, "test@example.com", []string{"test@example.invalid"})
 	be.CheckMsg(t, 0, "test@example.com", []string{"test@example.invalid"})
-	if be.Messages[0].State.Hostname != "xn--e1aybc.invalid" {
+	if be.Messages[0].Conn.Hostname() != "xn--e1aybc.invalid" {
 		t.Error("target/remote should use use Punycode in EHLO")
 	}
 }
--- a/internal/updatepipe/update_pipe.go
+++ b/internal/updatepipe/update_pipe.go
@ -19,10 +19,10 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 // Package updatepipe implements utilities for serialization and transport of
 // IMAP update objects between processes and machines.
 //
-// Its main goal is provide maddyctl with ability to properly notify the server
+// Its main goal is provide maddy command with ability to properly notify the
-// about changes without relying on it to coordinate access in the first place
+// server about changes without relying on it to coordinate access in the
-// (so maddyctl can work without a running server or with a broken server
+// first place (so maddy command can work without a running server or with a
-// instance).
+// broken server instance).
 //
 // Additionally, it can be used to transfer IMAP updates between replicated
 // nodes.
--- a/maddy.conf
+++ b/maddy.conf
@ -1,6 +1,6 @@
 ## Maddy Mail Server - default configuration file (2022-06-18)
 # Suitable for small-scale deployments. Uses its own format for local users DB,
-# should be managed via maddyctl utility.
+# should be managed via maddy subcommands.
 #
 # See tutorials at https://maddy.email for guidance on typical
 # configuration changes.
@ -25,7 +25,7 @@ tls file /etc/maddy/certs/$(hostname)/fullchain.pem /etc/maddy/certs/$(hostname)
 # PAM, /etc/shadow file).
 #
 # If table module supports it (sql_table does) - credentials can be managed
-# using 'maddyctl creds' command.
+# using 'maddy creds' command.
 auth.pass_table local_authdb {
    table sql_table {
@ -40,7 +40,7 @@ auth.pass_table local_authdb {
 # also by SMTP & Submission endpoints for delivery of local messages.
 #
 # IMAP accounts, mailboxes and all message metadata can be inspected using
-# imap-* subcommands of maddyctl utility.
+# imap-* subcommands of maddy.
 storage.imapsql local_mailboxes {
    driver sqlite3
--- a/maddy.conf.docker
+++ b/maddy.conf.docker
@ -1,7 +1,7 @@
 ## Maddy Mail Server - default configuration file (2022-06-18)
 ## This is the copy of maddy.conf with changes necessary to run it in Docker.
 # Suitable for small-scale deployments. Uses its own format for local users DB,
-# should be managed via maddyctl utility.
+# should be managed via maddy subcommands.
 #
 # See tutorials at https://maddy.email for guidance on typical
 # configuration changes.
@ -26,7 +26,7 @@ tls file /data/tls/fullchain.pem /data/tls/privkey.pem
 # PAM, /etc/shadow file).
 #
 # If table module supports it (sql_table does) - credentials can be managed
-# using 'maddyctl creds' command.
+# using 'maddy creds' command.
 auth.pass_table local_authdb {
    table sql_table {
@ -41,7 +41,7 @@ auth.pass_table local_authdb {
 # also by SMTP & Submission endpoints for delivery of local messages.
 #
 # IMAP accounts, mailboxes and all message metadata can be inspected using
-# imap-* subcommands of maddyctl utility.
+# imap-* subcommands of maddy.
 storage.imapsql local_mailboxes {
    driver sqlite3
--- a/maddy.go
+++ b/maddy.go
@ -31,10 +31,12 @@ import (
 	"github.com/caddyserver/certmagic"
 	parser "github.com/foxcpp/maddy/framework/cfgparser"
 	"github.com/foxcpp/maddy/framework/config"
 	modconfig "github.com/foxcpp/maddy/framework/config/module"
 	"github.com/foxcpp/maddy/framework/config/tls"
 	"github.com/foxcpp/maddy/framework/hooks"
 	"github.com/foxcpp/maddy/framework/log"
 	"github.com/foxcpp/maddy/framework/module"
 	"github.com/foxcpp/maddy/internal/authz"
 	maddycli "github.com/foxcpp/maddy/internal/cli"
 	"github.com/urfave/cli/v2"
@ -297,6 +299,8 @@ func ReadGlobals(cfg []config.Node) (map[string]interface{}, []config.Node, erro
 	globals.StringList("auth_domains", false, false, nil, nil)
 	globals.Custom("log", false, false, defaultLogOutput, logOutput, &log.DefaultLogger.Out)
 	globals.Bool("debug", false, log.DefaultLogger.Debug, &log.DefaultLogger.Debug)
 	config.EnumMapped(globals, "auth_map_normalize", true, false, authz.NormalizeFuncs, authz.NormalizeAuto, nil)
 	modconfig.Table(globals, "auth_map", true, false, nil, nil)
 	globals.AllowUnknown()
 	unknown, err := globals.Process()
 	return globals.Values, unknown, err
--- a/tests/imap_test.go
+++ b/tests/imap_test.go
@ -0,0 +1,96 @@
 //go:build integration && cgo && !nosqlite3
 // +build integration,cgo,!nosqlite3
 package tests_test
 import (
 	"testing"
 	"github.com/foxcpp/maddy/tests"
 )
 func TestIMAPEndpointAuthMap(tt *testing.T) {
 	tt.Parallel()
 	t := tests.NewT(tt)
 	t.DNS(nil)
 	t.Port("imap")
 	t.Config(`
 		storage.imapsql test_store {
 			driver sqlite3
 			dsn imapsql.db
 		}
 		imap tcp://127.0.0.1:{env:TEST_PORT_imap} {
 			tls off
 			auth_map email_localpart
 			auth pass_table static {
 				entry "user" "bcrypt:$2a$10$E.AuCH3oYbaRrETXfXwc0.4jRAQBbanpZiCfudsJz9bHzLr/qj6ti" # password: 123
 			}
 			storage &test_store
 		}
 	`)
 	t.Run(1)
 	defer t.Close()
 	imapConn := t.Conn("imap")
 	defer imapConn.Close()
 	imapConn.ExpectPattern(`\* OK *`)
 	imapConn.Writeln(". LOGIN user@example.org 123")
 	imapConn.ExpectPattern(". OK *")
 	imapConn.Writeln(". SELECT INBOX")
 	imapConn.ExpectPattern(`\* *`)
 	imapConn.ExpectPattern(`\* *`)
 	imapConn.ExpectPattern(`\* *`)
 	imapConn.ExpectPattern(`\* *`)
 	imapConn.ExpectPattern(`\* *`)
 	imapConn.ExpectPattern(`\* *`)
 	imapConn.ExpectPattern(`. OK *`)
 }
 func TestIMAPEndpointStorageMap(tt *testing.T) {
 	tt.Parallel()
 	t := tests.NewT(tt)
 	t.DNS(nil)
 	t.Port("imap")
 	t.Config(`
 		storage.imapsql test_store {
 			driver sqlite3
 			dsn imapsql.db
 		}
 		imap tcp://127.0.0.1:{env:TEST_PORT_imap} {
 			tls off
 			storage_map email_localpart
 			auth_map email_localpart
 			auth pass_table static {
 				entry "user" "bcrypt:$2a$10$z9SvUwUjkY8wKOWd9IbISeEmbJua2cXRPqw7s2BnLXJuc6pIMPncK" # password: 123
 			}
 			storage &test_store
 		}
 	`)
 	t.Run(1)
 	defer t.Close()
 	imapConn := t.Conn("imap")
 	defer imapConn.Close()
 	imapConn.ExpectPattern(`\* OK *`)
 	imapConn.Writeln(". LOGIN user@example.org 123")
 	imapConn.ExpectPattern(". OK *")
 	imapConn.Writeln(". CREATE testbox")
 	imapConn.ExpectPattern(". OK *")
 	imapConn2 := t.Conn("imap")
 	defer imapConn2.Close()
 	imapConn2.ExpectPattern(`\* OK *`)
 	imapConn2.Writeln(". LOGIN user@example.com 123")
 	imapConn2.ExpectPattern(". OK *")
 	imapConn2.Writeln(`. LIST "" "*"`)
 	imapConn2.Expect(`* LIST (\HasNoChildren) "." INBOX`)
 	imapConn2.Expect(`* LIST (\HasNoChildren) "." "testbox"`)
 	imapConn2.ExpectPattern(". OK *")
 }
--- a/tests/smtp_test.go
+++ b/tests/smtp_test.go
@ -23,6 +23,7 @@ package tests_test
 import (
 	"errors"
 	"fmt"
 	"io/ioutil"
 	"path/filepath"
 	"strings"
@ -68,6 +69,94 @@ func TestCheckRequireTLS(tt *testing.T) {
 	conn.ExpectPattern("221 *")
 }
 func TestProxyProtocolTrustedSource(tt *testing.T) {
 	tt.Parallel()
 	t := tests.NewT(tt)
 	t.DNS(map[string]mockdns.Zone{
 		"one.maddy.test.": {
 			TXT: []string{"v=spf1 ip4:127.0.0.17 -all"},
 		},
 	})
 	t.Port("smtp")
 	t.Config(`
 		smtp tcp://127.0.0.1:{env:TEST_PORT_smtp} {
 			hostname mx.maddy.test
 			tls off
 			proxy_protocol {
 				trust ` + tests.DefaultSourceIP.String() + ` ::1/128
 				tls off
 			}
 			defer_sender_reject no
 			check {
 				spf {
 					enforce_early yes
 					fail_action reject
 				}
 			}
 			deliver_to dummy
 		}
 	`)
 	t.Run(1)
 	defer t.Close()
 	conn := t.Conn("smtp")
 	defer conn.Close()
 	conn.Writeln(fmt.Sprintf("PROXY TCP4 127.0.0.17 %s 12345 %d", tests.DefaultSourceIP.String(), t.Port("smtp")))
 	conn.SMTPNegotation("localhost", nil, nil)
 	conn.Writeln("MAIL FROM:<testing@one.maddy.test>")
 	conn.ExpectPattern("250 *")
 	conn.Writeln("QUIT")
 	conn.ExpectPattern("221 *")
 }
 func TestProxyProtocolUntrustedSource(tt *testing.T) {
 	tt.Parallel()
 	t := tests.NewT(tt)
 	t.DNS(map[string]mockdns.Zone{
 		"one.maddy.test.": {
 			TXT: []string{"v=spf1 ip4:127.0.0.17 -all"},
 		},
 	})
 	t.Port("smtp")
 	t.Config(`
 		smtp tcp://127.0.0.1:{env:TEST_PORT_smtp} {
 			hostname mx.maddy.test
 			tls off
 			proxy_protocol {
 				trust fe80::bad/128
 				tls off
 			}
 			defer_sender_reject no
 			check {
 				spf {
 					enforce_early yes
 					fail_action reject
 				}
 			}
 			deliver_to dummy
 		}
 	`)
 	t.Run(1)
 	defer t.Close()
 	conn := t.Conn("smtp")
 	defer conn.Close()
 	conn.Writeln(fmt.Sprintf("PROXY TCP4 127.0.0.17 %s 12345 %d", tests.DefaultSourceIP.String(), t.Port("smtp")))
 	conn.SMTPNegotation("localhost", nil, nil)
 	conn.Writeln("MAIL FROM:<testing@one.maddy.test>")
 	conn.ExpectPattern("550 *")
 	conn.Writeln("QUIT")
 	conn.ExpectPattern("221 *")
 }
 func TestCheckSPF(tt *testing.T) {
 	tt.Parallel()
 	t := tests.NewT(tt)