mirrors/maddy
1
0
Fork 0
mirror of https://github.com/foxcpp/maddy.git synced 2025-04-04 21:47:40 +03:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #568 from drdaeman/proxy-protocol

Browse source 
Proxy protocol support for SMTP and IMAP
This commit is contained in:
Max Mazurov 2023-06-27 19:25:30 +03:00 committed by GitHub
commit 4ad9cb5766
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
63 changed files with 1833 additions and 661 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/cicd.yml vendored
View file

@ -24,7 +24,7 @@ jobs:
restore-keys: ${{ runner.os }}-go-
- uses: actions/setup-go@v2
with:
go-version: 1.17.11
go-version: 1.18.9
- name: "Verify build.sh"
run: |
./build.sh

2
.gitignore vendored
View file

@ -22,10 +22,8 @@ _testmain.go
# Compiled binaries
cmd/maddy/maddy
cmd/maddyctl/maddyctl
cmd/maddy-*-helper/maddy-*-helper
/maddy
/maddyctl
# Man pages
docs/man/*.1

2
.mkdocs.yml
View file

@ -60,6 +60,7 @@ nav:
- reference/table/sql_query.md
- reference/table/chain.md
- reference/table/email_localpart.md
- reference/table/email_with_domains.md
- reference/table/auth.md
- Authentication providers:
- reference/auth/pass_table.md
@ -69,6 +70,7 @@ nav:
- reference/auth/ldap.md
- reference/auth/dovecot_sasl.md
- reference/auth/plain_separate.md
- reference/auth/netauth.md
- reference/config-syntax.md
- Integration with software:
- third-party/dovecot.md

2
.version
View file

@ -1 +1 @@
0.6.2
0.7.0

6
Dockerfile
View file

@ -1,4 +1,4 @@
FROM golang:1.17-alpine AS build-env
FROM golang:1.18-alpine AS build-env
RUN set -ex && \
apk upgrade --no-cache --available && \
@ -14,7 +14,7 @@ RUN mkdir -p /pkg/data && \
cp maddy.conf.docker /pkg/data/maddy.conf && \
./build.sh --builddir /tmp --destdir /pkg/ --tags docker build install
FROM alpine:3.16.0
FROM alpine:3.17.0
LABEL maintainer="fox.cpp@disroot.org"
LABEL org.opencontainers.image.source=https://github.com/foxcpp/maddy
@ -22,7 +22,7 @@ RUN set -ex && \
apk upgrade --no-cache --available && \
apk --no-cache add ca-certificates
COPY --from=build-env /pkg/data/maddy.conf /data/maddy.conf
COPY --from=build-env /pkg/usr/local/bin/maddy /pkg/usr/local/bin/maddyctl /bin/
COPY --from=build-env /pkg/usr/local/bin/maddy /bin/
EXPOSE 25 143 993 587 465
VOLUME ["/data"]

6
contrib/kubernetes/chart/files/maddy.conf
View file

@ -1,6 +1,6 @@
## maddy 0.3 - default configuration file (2020-05-31)
# Suitable for small-scale deployments. Uses its own format for local users DB,
# should be managed via maddyctl utility.
# should be managed via maddy subcommands.
#
# See tutorials at https://foxcpp.dev/maddy for guidance on typical
# configuration changes.
@ -28,7 +28,7 @@ tls file /etc/maddy/certs/fullchain.pem /etc/maddy/certs/privkey.pem
# PAM, /etc/shadow file).
#
# If table module supports it (sql_table does) - credentials can be managed
# using 'maddyctl creds' command.
# using 'maddy creds' command.
auth.pass_table local_authdb {
table sql_table {
@ -43,7 +43,7 @@ auth.pass_table local_authdb {
# also by SMTP & Submission endpoints for delivery of local messages.
#
# IMAP accounts, mailboxes and all message metadata can be inspected using
# imap-* subcommands of maddyctl utility.
# imap-* subcommands of maddy.
storage.imapsql local_mailboxes {
driver sqlite3

24
dist/apparmor/dev.foxcpp.maddyctl vendored
View file

@ -1,24 +0,0 @@
# AppArmor profile for maddyctl management utility.
# vim:syntax=apparmor:ts=2:sw=2:et
#include <tunables/global>
profile dev.foxcpp.maddyctl /usr{/local,}/bin/maddyctl {
#include <abstractions/base>
/etc/resolv.conf r,
/proc/sys/net/core/somaxconn r,
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
deny ptrace,
network unix,
deny unix,
/etc/maddy/** r,
owner /run/maddy/ rw,
owner /run/maddy/** rwkl,
owner /var/lib/maddy/ rw,
owner /var/lib/maddy/** rwk,
owner /var/lib/maddy/**.db-{wal,shm} rmk,
#include if exists <local/dev.foxcpp.maddyctl>
}

2
docs/docker.md
View file

@ -47,7 +47,7 @@ docker run --rm -it -v maddydata:/data foxcpp/maddy:0.6.0 imap-acct create foxcp
Use the same image version as the running server. Things may break badly
otherwise.
Note that, if you modify messages using maddyctl while the server is running -
Note that, if you modify messages using maddy subcommands while the server is running -
you must ensure that /tmp from the server is accessible for the management
command. One way to it is to run it using `docker exec` instead of `docker run`:
```

6
docs/faq.md
View file

@ -28,12 +28,12 @@ single 1 GiB of RAM and disk space.
https://github.com/foxcpp/maddy/issues/243#issuecomment-655694512
## maddyctl prints a "permission denied" error
## maddy command prints a "permission denied" error
Run maddyctl under the same user as maddy itself.
Run maddy command under the same user as maddy itself.
E.g.
```
sudo -u maddy maddyctl creds ...
sudo -u maddy maddy creds ...
```
## How maddy compares to MailCow or Mail-In-The-Box?

172
docs/multiple-domains.md
View file

@ -1,69 +1,157 @@
# Multiple domains configuration
## Separate account namespaces
By default, maddy uses email addresses as account identifiers for both
authentication and storage purposes. Therefore, account named `user@example.org`
is completely independent from `user@example.com`. They must be created
separately, may have different credentials and have separate IMAP mailboxes.
Given two domains, example.org and example.com. foo@example.org and
foo@example.com are different and completely independent accounts.
This makes it extremely easy to setup maddy to manage multiple otherwise
independent domains.
All changes needed to make it work is to make sure all domains are specified in
the `$(local_domains)` macro in the main configuration file. Note that you need
to pick one domain as a "primary" for use in auto-generated messages.
Default configuration file contains two macros - `$(primary_domain)` and
`$(local_domains)`. They are used to used in several places thorough the
file to configure message routing, security checks, etc.
In general, you should just add all domains you want maddy to manage to
`$(local_domains)`, like this:
```
$(primary_domain) = example.org
$(local_domains) = $(primary_domain) example.com
```
Note that you need to pick one domain as a "primary" for use in
auto-generated messages.
The base configuration is done. You can create accounts using
both domains in the name, send and receive messages and so on. Do not forget
to configure corresponding SPF, DMARC and MTA-STS records as was
recommended in the [introduction tutorial](tutorials/setting-up.md).
With that done, you can create accounts using both domains in the name, send
and receive messages and so on. Do not forget to configure corresponding SPF,
DMARC and MTA-STS records as was recommended in
the [introduction tutorial](tutorials/setting-up.md).
## Single account namespace
Also note that you do not really need a separate TLS certificate for each
managed domain. You can have one hostname e.g. mail.example.org set as an MX
record for mulitple domains.
You can configure maddy to only use local part of the email
as an account identifier instead of the complete email.
**If you want multiple domains to share username namespace**, you should change
several more options.
This needs two changes to default configuration:
You can make "user@example.org" and "user@example.com" users share the same
credentials of user "user" but have different IMAP mailboxes ("user@example.org"
and "user@example.com" correspondingly). For that, it is enough to set `auth_map`
globally to use `email_localpart` table:
```
storage.imapsql local_mailboxes {
auth_map email_localpart
```
This way, when user logs in as "user@example.org", "user" will be passed
to the authentication provider, but "user@example.org" will be passed to the
storage backend. You should create accounts like this:
```
maddy creds create user
maddy imap-acct create user@example.org
maddy imap-acct create user@example.com
```
**If you want accounts to also share the same IMAP storage of account named
"user"**, you can set `storage_map` in IMAP endpoint and `delivery_map` in
storage backend to use `email_locapart`:
```
straoge.imapsql local_mailboxes {
...
delivery_map email_localpart
auth_normalize precis_casefold
delivery_map email_localpart # deliver "user@*" to "user"
}
imap tls://0.0.0.0:993 {
...
storage &local_mailboxes
...
storage_map email_localpart # "user@*" accesses "user" mailbox
}
```
This way, when authenticating as `foxcpp`, it will be mapped to
`foxcpp` storage account. E.g. you will need to run
`maddy imap-accts create foxcpp`, without the domain part.
If you have existing accounts, you will need to rename them.
Change to `auth_normalize` is necessary so that normalization function
will not attempt to parse authentication identity as a email.
When a email is received, `delivery_map email_localpart` will strip
the domain part before looking up the account. That is,
`foxcpp@example.org` will be become just `foxcpp`.
You also might want to make it possible to log in without
specifying a domain at all. In this case, use `email_localpart_optional` for
both `auth_map` and `storage_map`.
You also need to make `authorize_sender` check (used in `submission` endpoint)
accept non-email usernames:
```
authorize_sender {
...
auth_normalize precis_casefold
user_to_email regexp "(.*)" "$1@$(primary_domain)"
user_to_email chain {
step email_localpart_optional # remove domain from username if present
step email_with_domains $(local_domains) # expand username with all allowed domains
}
}
```
Note that is would work only if clients use only one domain as sender (`$(primary_domain)`).
If you want to allow sending from all domains, you need to remove `authorize_sender` check
altogether since it is not currently supported.
After that you can create accounts without specifying the domain part:
```
maddyctl imap-acct create foxcpp
maddyctl creds create foxcpp
```
And authenticate using "foxcpp" in email clients.
## TL;DR
Messages for any foxcpp@* address with a domain in `$(local_domains)`
will be delivered to that mailbox.
Your options:
**"user@example.org" and "user@example.com" have distinct credentials and
distinct mailboxes.**
```
$(primary_domain) = example.org
$(local_domains) = example.org example.com
```
Create accounts as:
```shell
maddy creds create user@example.org
maddy imap-acct create user@example.org
maddy creds create user@example.com
maddy imap-acct create user@example.com
```
**"user@example.org" and "user@example.com" have same credentials but
distinct mailboxes.**
```
$(primary_domain) = example.org
$(local_domains) = example.org example.com
auth_map email_localpart
```
Create accounts as:
```shell
maddy creds create user
maddy imap-acct create user@example.org
maddy imap-acct create user@example.com
```
**"user@example.org", "user@example.com", "user" have same credentials and same
mailboxes.**
```
$(primary_domain) = example.org
$(local_domains) = example.org example.com
auth_map email_localpart_optional # authenticating as "user@*" checks credentials for "user"
storage.imapsql local_mailboxes {
...
delivery_map email_localpart_optional # deliver "user@*" to "user" mailbox
}
imap tls://0.0.0.0:993 {
...
storage_map email_localpart_optional # authenticating as "user@*" accesses "user" mailboxes
}
submission tls://0.0.0.0:465 {
check {
authorize_sender {
...
user_to_email chain {
step email_localpart_optional # remove domain from username if present
step email_with_domains $(local_domains) # expand username with all allowed domains
}
}
}
...
}
```
Create accounts as:
```shell
maddy creds create user
maddy imap-acct create user
```

47
docs/reference/auth/netauth.md Normal file
View file

@ -0,0 +1,47 @@
# Native NetAuth
maddy supports authentication via NetAuth using direct entity
authentication checks. Passwords are verified by the NetAuth server.
maddy needs to know the Entity ID to use for authentication. It must
match the string the user provides for the Local Atom part of their
mail address.
Note that storage backends conventionally use email addresses. Since
NetAuth recommends *nix compatible usernames, you will need to map the
email identifiers to NetAuth Entity IDs using auth\_map (see
documentation page for used storage backend).
auth.netauth also can be used as a table module. This way you can
check whether the account exists.
Note that the configuration fragment provided below is very sparse.
This is because NetAuth expects to read most of its common
configuration values from the system NetAuth config file located at
`/etc/netauth/config.toml`.
```
auth.netauth {
require_group "maddy-users"
debug off
}
```
```
auth.netauth {}
```
## Configuration directives
**Syntax:** require\_group _group_
OPTIONAL.
Group that entities must posess to be able to use maddy services.
This can be used to provide email to just a subset of the entities
present in NetAuth.
**Syntax** debug off <br>
debug on <br>
debug off <br>
**Default:** off

8
docs/reference/auth/pass_table.md
View file

@ -33,12 +33,12 @@ smtp tcp://0.0.0.0:587 {
pass\_table expects the used table to contain certain structured values with
hash algorithm name, salt and other necessary parameters.
You should use 'maddyctl hash' command to generate suitable values.
See 'maddyctl hash --help' for details.
You should use 'maddy hash' command to generate suitable values.
See 'maddy hash --help' for details.
## maddyctl creds
## maddy creds
If the underlying table is a "mutable" table (see maddy-tables(5)) then
the 'maddyctl creds' command can be used to modify the underlying tables
the 'maddy creds' command can be used to modify the underlying tables
via pass\_table module. It will act on a "local credentials store" and will write
appropriate hash values to the table.

15
docs/reference/blob/s3.md
View file

@ -13,6 +13,7 @@ storage.blob.s3 {
# optional
region eu-central-1
object_prefix maddy/
creds access_key
}
```
@ -26,6 +27,7 @@ storage.imapsql local_mailboxes {
secret_key "..."
bucket maddy-messages
region us-west-2
creds access_key
}
}
```
@ -69,3 +71,16 @@ in some manuals.
String to add to all keys stored by maddy.
Can be useful when S3 is used as a file system.
**Syntax:** creds _string_ <br>
**Default:** access_key
Credentials to use for accessing the S3 Bucket.
Credential Types:
- access_key: use AWS access key and secret access key
- file_minio: use credentials for Minio present at ~/.mc/config.json
- file_aws: use credentials for AWS S3 present at ~/.aws/credentials
- iam: use AWS IAM instance profile for credentials.
By default, access_key is used with the access key and secret access key present in the config.

56
docs/reference/checks/authorize_sender.md
View file

@ -16,8 +16,8 @@ check.authorize_sender {
malformed_action reject
err_action reject
auth_normalize precis_casefold_email
from_normalize precis_casefold_email
auth_normalize auto
from_normalize auto
}
```
```
@ -31,10 +31,33 @@ check {
**Syntax:** user\_to\_email _table_ <br>
**Default:** identity
Table to use for lookups. Result of the lookup should contain either the
domain name, the full email address or "*" string. If it is just domain - user
will be allowed to use any mailbox within a domain as a sender address.
If result contains "*" - user will be allowed to use any address.
Table that maps authorization username to the list of sender emails
the user is allowed to use.
In additional to email addresses, the table can contain domain names or
special string "\*" as a value. If the value is a domain - user
will be allowed to use any mailbox within it as a sender address.
If it is "\*" - user will be allowed to use any address.
By default, table.identity is used, meaning that username should
be equal to the sender email.
Before username is looked up via the table, normalization algorithm
defined by auth_normalize is applied to it.
**Syntax:** prepare\_email _table_ <br>
**Default:** identity
Table that is used to translate email addresses before they
are matched against user_to_email values.
Typically used to allow users to use their aliases as sender
addresses - prepare_email in this case should translate
aliases to "canonical" addresses. This is how it is
done in default configuration.
If table does not contain any mapping for the used sender
address, it will be used as is.
**Syntax:** check\_header _boolean_ <br>
**Default:** yes
@ -65,21 +88,26 @@ What to do if From or Sender header fields contain malformed values.
What to do if error happens during prepare\_email or user\_to\_email lookup.
**Syntax:** auth\_normalize _action_ <br>
**Default:** precis\_casefold\_email
**Default:** auto
Normalization function to apply to authorization username before
further processing.
Available options:
- precis\_casefold\_email PRECIS UsernameCaseMapped profile + U-labels form for domain
- precis\_casefold PRECIS UsernameCaseMapped profile for the entire string
- precis\_email PRECIS UsernameCasePreserved profile + U-labels form for domain
- precis PRECIS UsernameCasePreserved profile for the entire string
- casefold Convert to lower case
- noop Nothing
- `auto` `precis_casefold_email` for valid emails, `precise_casefold` otherwise.
- `precis_casefold_email` PRECIS UsernameCaseMapped profile + U-labels form for domain
- `precis_casefold` PRECIS UsernameCaseMapped profile for the entire string
- `precis_email` PRECIS UsernameCasePreserved profile + U-labels form for domain
- `precis` PRECIS UsernameCasePreserved profile for the entire string
- `casefold` Convert to lower case
- `noop` Nothing
PRECIS profiles are defined by RFC 8265. In short, they make sure
that Unicode strings that look the same will be compared as if they were
the same. CaseMapped profiles also convert strings to lower case.
**Syntax:** from\_normalize _action_ <br>
**Default:** precis\_casefold\_email
**Default:** auto
Normalization function to apply to email addresses before
further processing.

65
docs/reference/endpoints/imap.md
View file

@ -20,6 +20,10 @@ imap tcp://0.0.0.0:143 tls://0.0.0.0:993 {
insecure_auth no
auth pam
storage &local_mailboxes
auth_map identity
auth_map_normalize auto
storage_map identity
storage_map_normalize auto
}
```
@ -36,6 +40,25 @@ tls cert.crt key.key {
See [TLS configuration / Server](/reference/tls/#server-side) for details.
**Syntax**: proxy_protocol _trusted ips..._ { ... } <br>
**Default**: not enabled
Enable use of HAProxy PROXY protocol. Supports both v1 and v2 protocols.
If a list of trusted IP addresses or subnets is provided, only connections
from those will be trusted.
TLS for the channel between the proxies and maddy can be configured
using a 'tls' directive:
```
proxy_protocol {
trust 127.0.0.1 ::1 192.168.0.1/24
tls &proxy_tls
}
```
Note that the top-level 'tls' directive is not inherited here. If you
need TLS on top of the PROXY protocol, securing the protocol header,
you must declare TLS explicitly.
**Syntax**: io\_debug _boolean_ <br>
**Default**: no
@ -63,3 +86,45 @@ Use the specified module for authentication.
Use the specified module for message storage.
**Required.**
**Syntax**: storage\_map _module\_reference_ <br>
**Default**: identity
Use the specified table to map SASL usernames to storage account names.
Before username is looked up, it is normalized using function defined by
`storage_map_normalize`.
This directive is useful if you want users user@example.org and user@example.com
to share the same storage account named "user". In this case, use
```
storage_map email_localpart
```
Note that `storage_map` does not affect the username passed to the
authentication provider.
It also does not affect how message delivery is handled, you should specify
`delivery_map` in storage module to define how to map email addresses
to storage accounts. E.g.
```
storage.imapsql local_mailboxes {
...
delivery_map email_localpart # deliver "user@*" to mailbox for "user"
}
```
**Syntax**: storage\_map_normalize _function_ <br>
**Default**: auto
Same as `auth_map_normalize` but for `storage_map`.
**Syntax**: auth\_map_normalize _function_ <br>
**Default**: auto
Overrides global `auth_map_normalize` value for this endpoint.
See [Global configuration](/reference/global-config) for details.

15
docs/reference/endpoints/smtp.md
View file

@ -58,6 +58,21 @@ tls cert.crt key.key {
See [TLS configuration / Server](/reference/tls/#server-side) for details.
**Syntax**: proxy_protocol _trusted ips..._ { ... } <br>
**Default**: not enabled
Enable use of HAProxy PROXY protocol. Supports both v1 and v2 protocols.
If a list of trusted IP addresses or subnets is provided, only connections
from those will be trusted.
TLS for the channel between the proxies and maddy can be configured
using a 'tls' directive:
```
proxy_protocol {
trust 127.0.0.1 ::1 192.168.0.1/24
tls &proxy_tls
}
```
**Syntax**: io\_debug _boolean_ <br>
**Default**: no

50
docs/reference/global-config.md
View file

@ -23,6 +23,56 @@ objects. Should be writable.
Internet hostname of this mail server. Typicall FQDN is used. It is recommended
to make sure domain specified here resolved to the public IP of the server.
**Syntax**: auth\_map _module\_reference_ <br>
**Default**: identity
Use the specified table to translate SASL usernames before passing it to the
authentication provider.
Before username is looked up, it is normalized using function defined by
`auth_map_normalize`.
Note that `auth_map` does not affect the storage account name used. You probably
should also use `storage_map` in IMAP config block to handle this.
This directive is useful if used authentication provider does not support
using emails as usernames but you still want users to have separate mailboxes
on separate domains. In this case, use it with `email_localpart` table:
```
auth_map email_localpart
```
With this configuration, `user@example.org` and `user@example.com` will use
`user` credentials when authenticating, but will access `user@example.org` and
`user@example.com` mailboxes correspondingly. If you want to also accept
`user` as a username, use `auth_map email_localpart_optional`.
If you want `user@example.org` and `user@example.com` to have the same mailbox,
also set `storage_map` in IMAP config block to use `email_localpart`
(or `email_localpart_optional` if you want to also accept just "user"):
```
storage_map email_localpart
```
In this case you will need to create storage accounts without domain part in
the name:
```
maddy imap-acct create user # instead of user@example.org
```
**Syntax**: auth\_map_normalize _function_ <br>
**Default**: auto
Normalization function to apply to SASL usernames before mapping
them to storage accounts.
Available options:
- `auto` `precis_casefold_email` for valid emails, `precise_casefold` otherwise.
- `precis_casefold_email` PRECIS UsernameCaseMapped profile + U-labels form for domain
- `precis_casefold` PRECIS UsernameCaseMapped profile for the entire string
- `precis_email` PRECIS UsernameCasePreserved profile + U-labels form for domain
- `precis` PRECIS UsernameCasePreserved profile for the entire string
- `casefold` Convert to lower case
- `noop` Nothing
**Syntax**: autogenerated\_msg\_domain _domain_ <br>
**Default**: not specified

4
docs/reference/storage/imapsql.md
View file

@ -156,6 +156,8 @@ See auth\_normalize.
**Syntax**: auth\_map **table** <br>
**Default**: identity
**DEPRECATED:** Use `storage_map` in imap config instead.
Use specified table module to map authentication
usernames to mailbox names.
@ -165,6 +167,8 @@ auth\_map.
**Syntax**: auth\_normalize _name_ <br>
**Default**: precis\_casefold\_email
**DEPRECATED:** Use `storage_map_normalize` in imap config instead.
Normalization function to apply to authentication usernames before mapping
them to mailboxes.

9
docs/reference/table/email_localpart.md
View file

@ -1,12 +1,19 @@
# Email local part
The module 'table.email\_localpart' extracts and unescaped local ("username") part
The module 'table.email\_localpart' extracts and unescapes local ("username") part
of the email address.
E.g.
test@example.org => test
"test @ a"@example.org => test @ a
Mappings for invalid emails are not defined (will be treated as non-existing
values).
```
table.email_localpart { }
```
`table.email_localpart_optional` works the same, but returns non-email strings
as is. This can be used if you want to accept both `user@example.org` and
`user` somewhere and treat it the same.

33
docs/reference/table/email_with_domains.md Normal file
View file

@ -0,0 +1,33 @@
# Email with domain
The table module 'table.email\_with\_domain' appends one or more
domains (allowing 1:N expansion) to the specified value.
```
table.email_with_domains DOMAIN DOMAIN... { }
```
It can be used to implement domain-level expansion for aliases if used together
with `table.chain`. Example:
```
modify {
replace_rcpt chain {
step email_local_part
step email_with_domains example.org example.com
}
}
```
This configuration will alias `anything@anydomain` to `anything@example.org`
and `anything@example.com`.
It is also useful with `authorize_sender` to authorize sending using multiple
addresses under different domains if non-email usernames are used for
authentication:
```
check.authorize_sender {
...
user_to_email email_with_domain example.org example.com
}
```
This way, user authenticated as `user` will be allowed to use
`user@example.org` or `user@example.com` as a sender address.

8
docs/tutorials/building-from-source.md
View file

@ -6,12 +6,12 @@ You need C toolchain, Go toolchain and Make:
On Debian-based system this should work:
```
apt-get install golang-1.17 gcc libc6-dev make
apt-get install golang-1.18 gcc libc6-dev make
```
Additionally, if you want manual pages, you should also have scdoc installed.
Figuring out the appropriate way to get scdoc is left as an exercise for
reader (for Ubuntu 19.10 it is in repositories).
reader (for Ubuntu 22.04 LTS it is in repositories).
## Recent Go toolchain
@ -20,8 +20,8 @@ available in some distributions (*cough* Debian *cough*).
It should not be hard to grab a recent built toolchain from golang.org:
```
wget "https://dl.google.com/go/go1.17.11.linux-amd64.tar.gz"
tar xf "go1.17.11.linux-amd64.tar.gz"
wget "https://dl.google.com/go/go1.18.9.linux-amd64.tar.gz"
tar xf "go1.18.19.linux-amd64.tar.gz"
export GOROOT="$PWD/go"
export PATH="$PWD/go/bin:$PATH"
```

40
docs/tutorials/pam.md
View file

@ -65,42 +65,12 @@ auth.pam local_authdb {
## Account names
Since PAM does not use emails for authentication you should also
configure storage backend to use username only as an account identifier,
not full email addresses:
```
storage.imapsql local_mailboxes {
...
delivery_map email_localpart
auth_normalize precis_casefold
}
```
Since PAM does not use emails for authentication you should configure
maddy to either strip domain part when checking credentials or do not
use email when authenticating.
This way, when authenticating as `foxcpp`, it will be mapped to
`foxcpp` storage account. E.g. you will need to run
`maddy imap-accts create foxcpp`, without the domain part.
If you have existing accounts, you will need to rename them.
Change to `auth_normalize` is necessary so that normalization function
will not attempt to parse authentication identity as a email.
When a email is received, `delivery_map email_localpart` will strip
the domain part before looking up the account. That is,
`foxcpp@example.org` will be become just `foxcpp`.
You also need to make `authorize_sender` check (used in `submission` endpoint)
accept non-email usernames:
```
authorize_sender {
...
auth_normalize precis_casefold
user_to_email regexp "(.*)" "$1@$(primary_domain)"
}
```
Note that is would work only if clients use only one domain as sender (`$(primary_domain)`).
If you want to allow sending from all domains, you need to remove `authorize_sender` check
altogether since it is not currently supported.
See [Multiple domains configuration](/multiple-domains) for how to configure
authentication.
## PAM service

12
docs/tutorials/setting-up.md
View file

@ -35,7 +35,7 @@ Your options are:
Available on [GitHub](https://github.com/foxcpp/maddy/releases) or
[maddy.email/builds](https://maddy.email/builds/).
The tarball includes maddy and maddyctl executables you can
The tarball includes maddy executable you can
copy into /usr/local/bin as well as systemd unit file you can
use on systemd-based distributions for automatic startup and service
supervision. You should also create "maddy" user and group.
@ -222,7 +222,7 @@ Example of a valid record:
_25._tcp.mx1.example.org. TLSA 3 1 1 7f59d873a70e224b184c95a4eb54caa9621e47d48b4a25d312d83d96e3498238
```
## User accounts and maddyctl
## User accounts and maddy command
A mail server is useless without mailboxes, right? Unlike software like postfix
and dovecot, maddy uses "virtual users" by default, meaning it does not care or
@ -230,10 +230,10 @@ know about system users.
IMAP mailboxes ("accounts") and authentication credentials are kept separate.
To register user credentials, use `maddyctl creds create` command.
To register user credentials, use `maddy creds create` command.
Like that:
```
$ maddyctl creds create postmaster@example.org
$ maddy creds create postmaster@example.org
```
Note the username is a e-mail address. This is required as username is used to
@ -243,14 +243,14 @@ described here).
After registering the user credentials, you also need to create a local
storage account:
```
$ maddyctl imap-acct create postmaster@example.org
$ maddy imap-acct create postmaster@example.org
```
That is it. Now you have your first e-mail address. when authenticating using
your e-mail client, do not forget the username is "postmaster@example.org", not
just "postmaster".
You may find running `maddyctl creds --help` and `maddyctl imap-acct --help`
You may find running `maddy creds --help` and `maddy imap-acct --help`
useful to learn about other commands. Note that IMAP accounts and credentials
are managed separately yet usernames should match by default for things to
work.

2
docs/upgrading.md
View file

@ -74,7 +74,7 @@ pass_table local_authdb {
}
```
6. Use `maddyctl creds create ACCOUNT_NAME` to add credentials to `pass_table`
6. Use `maddy creds create ACCOUNT_NAME` to add credentials to `pass_table`
store.
7. Start the server back.

29
framework/address/split.go
View file

@ -101,3 +101,32 @@ func UnquoteMbox(mbox string) (string, error) {
return mailboxB.String(), nil
}
// "specials" from RFC5322 grammar with dot removed (it is defined in grammar separately, for some reason)
var mboxSpecial = map[rune]struct{}{
'(': {}, ')': {}, '<': {}, '>': {},
'[': {}, ']': {}, ':': {}, ';': {},
'@': {}, '\\': {}, ',': {},
'"': {}, ' ': {},
}
func QuoteMbox(mbox string) string {
var mailboxEsc strings.Builder
mailboxEsc.Grow(len(mbox))
quoted := false
for _, ch := range mbox {
if _, ok := mboxSpecial[ch]; ok {
if ch == '\\' || ch == '"' {
mailboxEsc.WriteRune('\\')
}
mailboxEsc.WriteRune(ch)
quoted = true
} else {
mailboxEsc.WriteRune(ch)
}
}
if quoted {
return `"` + mailboxEsc.String() + `"`
}
return mbox
}

18
framework/address/split_test.go
View file

@ -90,3 +90,21 @@ func TestUnquoteMbox(t *testing.T) {
test(`postmaster`, "postmaster", false)
test(`foo`, "foo", false)
}
func TestQuoteMbox(t *testing.T) {
test := func(inputMbox, expectedMbox string) {
t.Helper()
actualMbox := QuoteMbox(inputMbox)
if actualMbox != expectedMbox {
t.Errorf("wrong local part, want %s, got %s", actualMbox, actualMbox)
}
}
test(`no"no`, `"no\"no"`)
test(`no@no`, `"no@no"`)
test(`no no`, `"no no"`)
test(`no\no`, `"no\\no"`)
test("postmaster", `postmaster`)
test("foo", `foo`)
}

14
framework/address/validation.go
View file

@ -20,6 +20,8 @@ package address
import (
"strings"
"golang.org/x/net/idna"
)
/*
@ -109,17 +111,23 @@ func ValidMailboxName(mbox string) bool {
// ValidDomain checks whether the specified string is a valid DNS domain.
func ValidDomain(domain string) bool {
if len(domain) > 255 {
if len(domain) > 255 || len(domain) == 0 {
return false
}
if strings.HasPrefix(domain, ".") || strings.HasSuffix(domain, ".") {
if strings.HasPrefix(domain, ".") {
return false
}
if strings.Contains(domain, "..") {
return false
}
labels := strings.Split(domain, ".")
// Length checks are to be applied to A-labels form.
// maddy uses U-labels representation across the code (for lookups, etc).
domainASCII, err := idna.ToASCII(domain)
if err != nil {
return false
}
labels := strings.Split(domainASCII, ".")
for _, label := range labels {
if len(label) > 64 {
return false

20
framework/address/validation_test.go
View file

@ -1,6 +1,7 @@
package address_test
import (
"strings"
"testing"
"github.com/foxcpp/maddy/framework/address"
@ -11,3 +12,22 @@ func TestValidMailboxName(t *testing.T) {
t.Error("caddy.bug should be valid mailbox name")
}
}
func TestValidDomain(t *testing.T) {
for _, c := range []struct {
Domain string
Valid bool
}{
{Domain: "maddy.email", Valid: true},
{Domain: "", Valid: false},
{Domain: "maddy.email.", Valid: true},
{Domain: "..", Valid: false},
{Domain: strings.Repeat("a", 256), Valid: false},
{Domain: "äõäoaõoäaõaäõaoäaoaäõoaäooaoaoiuaiauäõiuüõaõäiauõaaa.tld", Valid: true}, // https://github.com/foxcpp/maddy/issues/554
{Domain: "xn--oaoaaaoaoaoaooaoaoiuaiauiuaiauaaa-f1cadccdcmd01eddchqcbe07a.tld", Valid: true}, // https://github.com/foxcpp/maddy/issues/554
} {
if actual := address.ValidDomain(c.Domain); actual != c.Valid {
t.Errorf("expected domain %v to be valid=%v, but got %v", c.Domain, c.Valid, actual)
}
}
}

53
framework/config/map.go
View file

@ -134,6 +134,59 @@ func (m *Map) Enum(name string, inheritGlobal, required bool, allowed []string,
}, store)
}
// EnumMapped is similar to Map.Enum but maps a stirng to a custom type.
func EnumMapped[V any](m *Map, name string, inheritGlobal, required bool, mapped map[string]V, defaultVal V, store *V) {
m.Custom(name, inheritGlobal, required, func() (interface{}, error) {
return defaultVal, nil
}, func(_ *Map, node Node) (interface{}, error) {
if len(node.Children) != 0 {
return nil, NodeErr(node, "can't declare a block here")
}
if len(node.Args) != 1 {
return nil, NodeErr(node, "expected exactly one argument")
}
val, ok := mapped[node.Args[0]]
if !ok {
validValues := make([]string, 0, len(mapped))
for k := range mapped {
validValues = append(validValues, k)
}
return nil, NodeErr(node, "invalid argument, valid values are: %v", validValues)
}
return val, nil
}, store)
}
// EnumListMapped is similar to Map.EnumList but maps a stirng to a custom type.
func EnumListMapped[V any](m *Map, name string, inheritGlobal, required bool, mapped map[string]V, defaultVal []V, store *[]V) {
m.Custom(name, inheritGlobal, required, func() (interface{}, error) {
return defaultVal, nil
}, func(_ *Map, node Node) (interface{}, error) {
if len(node.Children) != 0 {
return nil, NodeErr(node, "can't declare a block here")
}
if len(node.Args) == 0 {
return nil, NodeErr(node, "expected at least one argument")
}
values := make([]V, 0, len(node.Args))
for _, arg := range node.Args {
val, ok := mapped[arg]
if !ok {
validValues := make([]string, 0, len(mapped))
for k := range mapped {
validValues = append(validValues, k)
}
return nil, NodeErr(node, "invalid argument, valid values are: %v", validValues)
}
values = append(values, val)
}
return values, nil
}, store)
}
// Duration maps configuration directive to a time.Duration variable.
//
// Directive must be in form 'name duration' where duration is any string accepted by

14
framework/config/module/interfaces.go
View file

@ -31,10 +31,11 @@ func MessageCheck(globals map[string]interface{}, args []string, block config.No
return check, nil
}
// deliveryDirective is a callback for use in config.Map.Custom.
// DeliveryDirective is a callback for use in config.Map.Custom.
//
// It does all work necessary to create a module instance from the config
// directive with the following structure:
//
// directive_name mod_name [inst_name] [{
// inline_mod_config
// }]
@ -77,6 +78,17 @@ func StorageDirective(m *config.Map, node config.Node) (interface{}, error) {
return backend, nil
}
// Table is a convenience wrapper for TableDirective.
//
// cfg.Bool(...)
// modconfig.Table(cfg, "auth_map", false, false, nil, &mod.authMap)
// cfg.Process()
func Table(cfg *config.Map, name string, inheritGlobal, required bool, defaultVal module.Table, store *module.Table) {
cfg.Custom(name, inheritGlobal, required, func() (interface{}, error) {
return defaultVal, nil
}, TableDirective, store)
}
func TableDirective(m *config.Map, node config.Node) (interface{}, error) {
var tbl module.Table
if err := ModuleFromNode("table", node.Args, node, m.Globals, &tbl); err != nil {

2
framework/module/auth.go
View file

@ -33,7 +33,7 @@ type PlainAuth interface {
AuthPlain(username, password string) error
}
// PlainUserDB is a local credentials store that can be managed using maddyctl
// PlainUserDB is a local credentials store that can be managed using maddy command
// utility.
type PlainUserDB interface {
PlainAuth

3
framework/module/module_specific_data.go
View file

@ -49,6 +49,9 @@ func (msd *ModSpecificData) Set(m Module, perInstance bool, value interface{}) {
key := msd.modKey(m, perInstance)
msd.modDataLck.Lock()
defer msd.modDataLck.Unlock()
if msd.modData == nil {
msd.modData = make(map[string]interface{})
}
msd.modData[key] = value
}

152
go.mod
View file

@ -1,129 +1,147 @@
module github.com/foxcpp/maddy
go 1.17
go 1.18
require (
blitiri.com.ar/go/spf v1.4.0
blitiri.com.ar/go/spf v1.5.1
github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962
github.com/caddyserver/certmagic v0.16.1
github.com/emersion/go-imap v1.2.1
github.com/caddyserver/certmagic v0.17.2
github.com/emersion/go-imap v1.2.2-0.20220928192137-6fac715be9cf
github.com/emersion/go-imap-compress v0.0.0-20201103190257-14809af1d1b9
github.com/emersion/go-imap-sortthread v1.2.0
github.com/emersion/go-message v0.16.0
github.com/emersion/go-milter v0.3.3
github.com/emersion/go-msgauth v0.6.6
github.com/emersion/go-sasl v0.0.0-20211008083017-0b9dcfb154ac
github.com/emersion/go-smtp v0.15.1-0.20220709111538-3b81564ed77e
github.com/emersion/go-sasl v0.0.0-20220912192320-0145f2c60ead
github.com/emersion/go-smtp v0.16.0
github.com/foxcpp/go-dovecot-sasl v0.0.0-20200522223722-c4699d7a24bf
github.com/foxcpp/go-imap-backend-tests v0.0.0-20220105184719-e80aa29a5e16
github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005
github.com/foxcpp/go-imap-mess v0.0.0-20220625145025-3c40e241d099
github.com/foxcpp/go-imap-mess v0.0.0-20230108134257-b7ec3a649613
github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed
github.com/foxcpp/go-imap-sql v0.5.1-0.20220627220518-df3b66a5b04f
github.com/foxcpp/go-imap-sql v0.5.1-0.20230313080458-c0176dad679c
github.com/foxcpp/go-mockdns v1.0.0
github.com/foxcpp/go-mtasts v0.0.0-20191219193356-62bc3f1f74b8
github.com/go-ldap/ldap/v3 v3.4.3
github.com/go-sql-driver/mysql v1.6.0
github.com/go-ldap/ldap/v3 v3.4.4
github.com/go-sql-driver/mysql v1.7.0
github.com/google/uuid v1.3.0
github.com/hashicorp/go-hclog v1.4.0
github.com/johannesboyne/gofakes3 v0.0.0-20210704111953-6a9f95c2941c
github.com/lib/pq v1.10.6
github.com/libdns/alidns v1.0.2
github.com/libdns/cloudflare v0.1.0
github.com/libdns/alidns v1.0.3-0.20220501125541-4a895238a95d
github.com/libdns/cloudflare v0.1.1-0.20221006221909-9d3ab3c3cddd
github.com/libdns/digitalocean v0.0.0-20220518195853-a541bc8aa80f
github.com/libdns/gandi v1.0.2
github.com/libdns/googleclouddns v1.0.2
github.com/libdns/gandi v1.0.3-0.20220921161957-dcd0274d2c79
github.com/libdns/googleclouddns v1.1.0
github.com/libdns/hetzner v0.0.1
github.com/libdns/leaseweb v0.2.1
github.com/libdns/libdns v0.2.1
github.com/libdns/leaseweb v0.3.1
github.com/libdns/libdns v0.2.2-0.20221006221142-3ef90aee33fd
github.com/libdns/metaname v0.3.0
github.com/libdns/namecheap v0.0.0-20211109042440-fc7440785c8e
github.com/libdns/namedotcom v0.3.3
github.com/libdns/route53 v1.1.2
github.com/libdns/vultr v0.0.0-20211122184636-cd4cb5c12e51
github.com/libdns/route53 v1.3.0
github.com/libdns/vultr v0.0.0-20220906182619-5ea9da3d9625
github.com/mattn/go-sqlite3 v2.0.3+incompatible
github.com/miekg/dns v1.1.50
github.com/minio/minio-go/v7 v7.0.29
github.com/prometheus/client_golang v1.12.2
github.com/urfave/cli/v2 v2.10.2
go.uber.org/zap v1.21.0
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d
golang.org/x/net v0.0.0-20220622184535-263ec571b305
golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
golang.org/x/text v0.3.7
github.com/minio/minio-go/v7 v7.0.47
github.com/netauth/netauth v0.6.2-0.20220831214440-1df568cd25d6
github.com/prometheus/client_golang v1.14.0
github.com/urfave/cli/v2 v2.24.3
go.uber.org/zap v1.24.0
golang.org/x/crypto v0.5.0
golang.org/x/net v0.7.0
golang.org/x/sync v0.1.0
golang.org/x/text v0.7.0
)
require (
cloud.google.com/go/compute v1.7.0 // indirect
github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e // indirect
cloud.google.com/go/compute v1.18.0 // indirect
cloud.google.com/go/compute/metadata v0.2.3 // indirect
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
github.com/aws/aws-sdk-go v1.44.40 // indirect
github.com/aws/aws-sdk-go-v2 v1.17.4 // indirect
github.com/aws/aws-sdk-go-v2/config v1.18.12 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.13.12 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.22 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.28 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.22 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.29 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.22 // indirect
github.com/aws/aws-sdk-go-v2/service/route53 v1.27.1 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.12.1 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.1 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.18.3 // indirect
github.com/aws/smithy-go v1.13.5 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/c0va23/go-proxyprotocol v0.9.1 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
github.com/digitalocean/godo v1.81.0 // indirect
github.com/dustin/go-humanize v1.0.0 // indirect
github.com/digitalocean/godo v1.96.0 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/emersion/go-textwrapper v0.0.0-20200911093747-65d896831594 // indirect
github.com/fsnotify/fsnotify v1.4.9 // indirect
github.com/fatih/color v1.14.1 // indirect
github.com/fsnotify/fsnotify v1.6.0 // indirect
github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.2 // indirect
github.com/google/go-cmp v0.5.8 // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
github.com/googleapis/gax-go/v2 v2.4.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.2.1 // indirect
github.com/googleapis/gax-go/v2 v2.7.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-hclog v0.9.2 // indirect
github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
github.com/hashicorp/go-retryablehttp v0.7.2 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/klauspost/compress v1.15.6 // indirect
github.com/klauspost/cpuid/v2 v2.0.14 // indirect
github.com/magiconair/properties v1.8.5 // indirect
github.com/klauspost/compress v1.15.15 // indirect
github.com/klauspost/cpuid/v2 v2.2.3 // indirect
github.com/magiconair/properties v1.8.7 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
github.com/mholt/acmez v1.0.2 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.17 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
github.com/mholt/acmez v1.0.4 // indirect
github.com/minio/md5-simd v1.1.2 // indirect
github.com/minio/sha256-simd v1.0.0 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/mapstructure v1.4.1 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/netauth/netauth v0.6.2-0.20220831214440-1df568cd25d6 // indirect
github.com/netauth/protocol v0.0.0-20210918062754-7fee492ffcbd // indirect
github.com/pelletier/go-toml v1.9.3 // indirect
github.com/pelletier/go-toml/v2 v2.0.6 // indirect
github.com/pierrec/lz4 v2.6.1+incompatible // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/prometheus/client_model v0.2.0 // indirect
github.com/prometheus/common v0.35.0 // indirect
github.com/prometheus/procfs v0.7.3 // indirect
github.com/prometheus/client_model v0.3.0 // indirect
github.com/prometheus/common v0.39.0 // indirect
github.com/prometheus/procfs v0.9.0 // indirect
github.com/rs/xid v1.4.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/ryszard/goskiplist v0.0.0-20150312221310-2dfbae5fcf46 // indirect
github.com/shabbyrobe/gocovmerge v0.0.0-20180507124511-f6ea450bfb63 // indirect
github.com/sirupsen/logrus v1.8.1 // indirect
github.com/spf13/afero v1.6.0 // indirect
github.com/spf13/cast v1.3.1 // indirect
github.com/sirupsen/logrus v1.9.0 // indirect
github.com/spf13/afero v1.9.3 // indirect
github.com/spf13/cast v1.5.0 // indirect
github.com/spf13/jwalterweatherman v1.1.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/spf13/viper v1.8.1 // indirect
github.com/subosito/gotenv v1.2.0 // indirect
github.com/spf13/viper v1.15.0 // indirect
github.com/subosito/gotenv v1.4.2 // indirect
github.com/vultr/govultr/v2 v2.17.2 // indirect
github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
go.opencensus.io v0.23.0 // indirect
go.uber.org/atomic v1.9.0 // indirect
go.uber.org/multierr v1.8.0 // indirect
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2 // indirect
golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664 // indirect
golang.org/x/tools v0.1.11 // indirect
google.golang.org/api v0.85.0 // indirect
go.opencensus.io v0.24.0 // indirect
go.uber.org/atomic v1.10.0 // indirect
go.uber.org/multierr v1.9.0 // indirect
golang.org/x/mod v0.7.0 // indirect
golang.org/x/oauth2 v0.4.0 // indirect
golang.org/x/sys v0.5.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.5.0 // indirect
google.golang.org/api v0.109.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220622171453-ea41d75dfa0f // indirect
google.golang.org/grpc v1.47.0 // indirect
google.golang.org/protobuf v1.28.0 // indirect
gopkg.in/ini.v1 v1.66.6 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
google.golang.org/genproto v0.0.0-20230202175211-008b39050e57 // indirect
google.golang.org/grpc v1.52.3 // indirect
google.golang.org/protobuf v1.28.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
gotest.tools v2.2.0+incompatible // indirect
)

675
go.sum
View file

File diff suppressed because it is too large Load diff

2
internal/auth/ldap/ldap.go
View file

@ -183,6 +183,7 @@ func (a *Auth) getConn() (*ldap.Conn, error) {
if a.conn == nil {
conn, err := a.newConn()
if err != nil {
a.connLock.Unlock()
return nil, err
}
a.conn = conn
@ -191,6 +192,7 @@ func (a *Auth) getConn() (*ldap.Conn, error) {
a.conn.Close()
conn, err := a.newConn()
if err != nil {
a.connLock.Unlock()
return nil, err
}
a.conn = conn

44
internal/auth/sasl.go
View file

@ -19,6 +19,7 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.
package auth
import (
"context"
"errors"
"fmt"
"net"
@ -28,6 +29,7 @@ import (
modconfig "github.com/foxcpp/maddy/framework/config/module"
"github.com/foxcpp/maddy/framework/log"
"github.com/foxcpp/maddy/framework/module"
"github.com/foxcpp/maddy/internal/authz"
)
var (
@ -38,12 +40,18 @@ var (
// SASLAuth is a wrapper that initializes sasl.Server using authenticators that
// call maddy module objects.
//
// It also handles username translation using auth_map and auth_map_normalize
// (AuthMap and AuthMapNormalize should be set).
//
// It supports reporting of multiple authorization identities so multiple
// accounts can be associated with a single set of credentials.
type SASLAuth struct {
Log log.Logger
OnlyFirstID bool
AuthMap module.Table
AuthNormalize authz.NormalizeFunc
Plain []module.PlainAuth
}
@ -57,6 +65,34 @@ func (s *SASLAuth) SASLMechanisms() []string {
return mechs
}
func (s *SASLAuth) usernameForAuth(ctx context.Context, saslUsername string) (string, error) {
if s.AuthNormalize != nil {
var err error
saslUsername, err = s.AuthNormalize(saslUsername)
if err != nil {
return "", err
}
}
if s.AuthMap == nil {
return saslUsername, nil
}
mapped, ok, err := s.AuthMap.Lookup(ctx, saslUsername)
if err != nil {
return "", err
}
if !ok {
return "", ErrInvalidAuthCred
}
if saslUsername != mapped {
s.Log.DebugMsg("using mapped username for authentication", "username", saslUsername, "mapped_username", mapped)
}
return mapped, nil
}
func (s *SASLAuth) AuthPlain(username, password string) error {
if len(s.Plain) == 0 {
return ErrUnsupportedMech
@ -64,6 +100,11 @@ func (s *SASLAuth) AuthPlain(username, password string) error {
var lastErr error
for _, p := range s.Plain {
username, err := s.usernameForAuth(context.TODO(), username)
if err != nil {
return err
}
lastErr = p.AuthPlain(username, password)
if lastErr == nil {
return nil
@ -81,6 +122,9 @@ func (s *SASLAuth) CreateSASL(mech string, remoteAddr net.Addr, successCb func(i
if identity == "" {
identity = username
}
if identity != username {
return ErrInvalidAuthCred
}
err := s.AuthPlain(username, password)
if err != nil {

4
internal/auth/sasl_test.go
View file

@ -75,13 +75,13 @@ func TestCreateSASL(t *testing.T) {
t.Run("PLAIN with authorization identity", func(t *testing.T) {
srv := a.CreateSASL("PLAIN", &net.TCPAddr{}, func(id string) error {
if id != "user1a" {
if id != "user1" {
t.Fatal("Wrong authorization identity passed:", id)
}
return nil
})
_, _, err := srv.Next([]byte("user1a\x00user1\x00aa"))
_, _, err := srv.Next([]byte("user1\x00user1\x00aa"))
if err != nil {
t.Error("Unexpected error:", err)
}

14
internal/authz/lookup.go
View file

@ -9,14 +9,10 @@ import (
)
func AuthorizeEmailUse(ctx context.Context, username string, addrs []string, mapping module.Table) (bool, error) {
for _, addr := range addrs {
_, domain, err := address.Split(addr)
if err != nil {
return false, fmt.Errorf("authz: %w", err)
}
var validEmails []string
if multi, ok := mapping.(module.MultiTable); ok {
var err error
validEmails, err = multi.LookupMulti(ctx, username)
if err != nil {
return false, fmt.Errorf("authz: %w", err)
@ -31,6 +27,12 @@ func AuthorizeEmailUse(ctx context.Context, username string, addrs []string, map
}
}
for _, addr := range addrs {
_, domain, err := address.Split(addr)
if err != nil {
return false, fmt.Errorf("authz: %w", err)
}
for _, ent := range validEmails {
if ent == domain || ent == "*" || ent == addr {
return true, nil

22
internal/authz/normalization.go
View file

@ -7,9 +7,25 @@ import (
"golang.org/x/text/secure/precis"
)
type NormalizeFunc func(string) (string, error)
func NormalizeNoop(s string) (string, error) {
return s, nil
}
// NormalizeAuto applies address.PRECISFold to valid emails and
// plain UsernameCaseMapped profile to other strings.
func NormalizeAuto(s string) (string, error) {
if address.Valid(s) {
return address.PRECISFold(s)
}
return precis.UsernameCaseMapped.CompareKey(s)
}
// NormalizeFuncs defines configurable normalization functions to be used
// in authentication and authorization routines.
var NormalizeFuncs = map[string]func(string) (string, error){
var NormalizeFuncs = map[string]NormalizeFunc{
"auto": NormalizeAuto,
"precis_casefold_email": address.PRECISFold,
"precis_casefold": precis.UsernameCaseMapped.CompareKey,
"precis_email": address.PRECIS,
@ -17,7 +33,5 @@ var NormalizeFuncs = map[string]func(string) (string, error){
"casefold": func(s string) (string, error) {
return strings.ToLower(s), nil
},
"noop": func(s string) (string, error) {
return s, nil
},
"noop": NormalizeNoop,
}

27
internal/check/authorize_sender/authorize_sender.go
View file

@ -20,7 +20,6 @@ package authorize_sender
import (
"context"
"fmt"
"net/mail"
"github.com/emersion/go-message/textproto"
@ -49,8 +48,8 @@ type Check struct {
noMatchAction modconfig.FailAction
errAction modconfig.FailAction
fromNorm func(string) (string, error)
authNorm func(string) (string, error)
fromNorm authz.NormalizeFunc
authNorm authz.NormalizeFunc
}
func New(_, instName string, _, inlineArgs []string) (module.Module, error) {
@ -89,29 +88,15 @@ func (c *Check) Init(cfg *config.Map) error {
return modconfig.FailAction{Reject: true}, nil
}, modconfig.FailActionDirective, &c.errAction)
var (
authNormalize string
fromNormalize string
ok bool
)
cfg.String("auth_normalize", false, false,
"precis_casefold_email", &authNormalize)
cfg.String("from_normalize", false, false,
"precis_casefold_email", &fromNormalize)
config.EnumMapped(cfg, "auth_normalize", true, false, authz.NormalizeFuncs, authz.NormalizeAuto,
&c.authNorm)
config.EnumMapped(cfg, "from_normalize", true, false, authz.NormalizeFuncs, authz.NormalizeAuto,
&c.fromNorm)
if _, err := cfg.Process(); err != nil {
return err
}
c.authNorm, ok = authz.NormalizeFuncs[authNormalize]
if !ok {
return fmt.Errorf("%v: unknown normalization function: %v", modName, authNormalize)
}
c.fromNorm, ok = authz.NormalizeFuncs[fromNormalize]
if !ok {
return fmt.Errorf("%v: unknown normalization function: %v", modName, fromNormalize)
}
return nil
}

6
internal/cli/ctl/imapacct.go
View file

@ -192,7 +192,7 @@ type SpecialUseUser interface {
func imapAcctList(be module.Storage, ctx *cli.Context) error {
mbe, ok := be.(module.ManageableStorage)
if !ok {
return cli.Exit("Error: storage backend does not support accounts management using maddyctl", 2)
return cli.Exit("Error: storage backend does not support accounts management using maddy command", 2)
}
list, err := mbe.ListIMAPAccts()
@ -213,7 +213,7 @@ func imapAcctList(be module.Storage, ctx *cli.Context) error {
func imapAcctCreate(be module.Storage, ctx *cli.Context) error {
mbe, ok := be.(module.ManageableStorage)
if !ok {
return cli.Exit("Error: storage backend does not support accounts management using maddyctl", 2)
return cli.Exit("Error: storage backend does not support accounts management using maddy command", 2)
}
username := ctx.Args().First()
@ -274,7 +274,7 @@ func imapAcctCreate(be module.Storage, ctx *cli.Context) error {
func imapAcctRemove(be module.Storage, ctx *cli.Context) error {
mbe, ok := be.(module.ManageableStorage)
if !ok {
return cli.Exit("Error: storage backend does not support accounts management using maddyctl", 2)
return cli.Exit("Error: storage backend does not support accounts management using maddy command", 2)
}
username := ctx.Args().First()

10
internal/endpoint/dovecot_sasld/dovecot_sasl.go
View file

@ -28,9 +28,11 @@ import (
"github.com/emersion/go-sasl"
dovecotsasl "github.com/foxcpp/go-dovecot-sasl"
"github.com/foxcpp/maddy/framework/config"
modconfig "github.com/foxcpp/maddy/framework/config/module"
"github.com/foxcpp/maddy/framework/log"
"github.com/foxcpp/maddy/framework/module"
"github.com/foxcpp/maddy/internal/auth"
"github.com/foxcpp/maddy/internal/authz"
)
const modName = "dovecot_sasld"
@ -42,6 +44,9 @@ type Endpoint struct {
listenersWg sync.WaitGroup
authNormalize authz.NormalizeFunc
authMap module.Table
srv *dovecotsasl.Server
}
@ -67,6 +72,9 @@ func (endp *Endpoint) Init(cfg *config.Map) error {
cfg.Callback("auth", func(m *config.Map, node config.Node) error {
return endp.saslAuth.AddProvider(m, node)
})
config.EnumMapped(cfg, "auth_map_normalize", true, false, authz.NormalizeFuncs, authz.NormalizeAuto,
&endp.authNormalize)
modconfig.Table(cfg, "auth_map", true, false, nil, &endp.authMap)
if _, err := cfg.Process(); err != nil {
return err
}
@ -74,6 +82,8 @@ func (endp *Endpoint) Init(cfg *config.Map) error {
endp.srv = dovecotsasl.NewServer()
endp.srv.Log = stdlog.New(endp.log, "", 0)
endp.saslAuth.AuthMap = endp.authMap
endp.saslAuth.AuthNormalize = endp.authNormalize
for _, mech := range endp.saslAuth.SASLMechanisms() {
mech := mech
endp.srv.AddMechanism(mech, mechInfo[mech], func(req *dovecotsasl.AuthReq) sasl.Server {

91
internal/endpoint/imap/imap.go
View file

@ -19,6 +19,7 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.
package imap
import (
"context"
"crypto/tls"
"errors"
"fmt"
@ -42,6 +43,8 @@ import (
"github.com/foxcpp/maddy/framework/log"
"github.com/foxcpp/maddy/framework/module"
"github.com/foxcpp/maddy/internal/auth"
"github.com/foxcpp/maddy/internal/authz"
"github.com/foxcpp/maddy/internal/proxy_protocol"
"github.com/foxcpp/maddy/internal/updatepipe"
)
@ -49,6 +52,7 @@ type Endpoint struct {
addrs []string
serv *imapserver.Server
listeners []net.Listener
proxyProtocol *proxy_protocol.ProxyProtocol
Store module.Storage
tlsConfig *tls.Config
@ -56,6 +60,11 @@ type Endpoint struct {
saslAuth auth.SASLAuth
storageNormalize authz.NormalizeFunc
storageMap module.Table
authNormalize authz.NormalizeFunc
authMap module.Table
Log log.Logger
}
@ -83,10 +92,17 @@ func (endp *Endpoint) Init(cfg *config.Map) error {
})
cfg.Custom("storage", false, true, nil, modconfig.StorageDirective, &endp.Store)
cfg.Custom("tls", true, true, nil, tls2.TLSDirective, &endp.tlsConfig)
cfg.Custom("proxy_protocol", false, false, nil, proxy_protocol.ProxyProtocolDirective, &endp.proxyProtocol)
cfg.Bool("insecure_auth", false, false, &insecureAuth)
cfg.Bool("io_debug", false, false, &ioDebug)
cfg.Bool("io_errors", false, false, &ioErrors)
cfg.Bool("debug", true, false, &endp.Log.Debug)
config.EnumMapped(cfg, "storage_map_normalize", false, false, authz.NormalizeFuncs, authz.NormalizeAuto,
&endp.storageNormalize)
modconfig.Table(cfg, "storage_map", false, false, nil, &endp.storageMap)
config.EnumMapped(cfg, "auth_map_normalize", true, false, authz.NormalizeFuncs, authz.NormalizeAuto,
&endp.authNormalize)
modconfig.Table(cfg, "auth_map", true, false, nil, &endp.authMap)
if _, err := cfg.Process(); err != nil {
return err
}
@ -123,6 +139,8 @@ func (endp *Endpoint) Init(cfg *config.Map) error {
return err
}
endp.saslAuth.AuthNormalize = endp.authNormalize
endp.saslAuth.AuthMap = endp.authMap
for _, mech := range endp.saslAuth.SASLMechanisms() {
mech := mech
endp.serv.EnableAuth(mech, func(c imapserver.Conn) sasl.Server {
@ -152,6 +170,10 @@ func (endp *Endpoint) setupListeners(addresses []config.Endpoint) error {
l = tls.NewListener(l, endp.tlsConfig)
}
if endp.proxyProtocol != nil {
l = proxy_protocol.NewListener(l, endp.proxyProtocol, endp.Log)
}
endp.listeners = append(endp.listeners, l)
endp.listenersWg.Add(1)
@ -194,8 +216,63 @@ func (endp *Endpoint) Close() error {
return nil
}
func (endp *Endpoint) usernameForAuth(ctx context.Context, saslUsername string) (string, error) {
saslUsername, err := endp.authNormalize(saslUsername)
if err != nil {
return "", err
}
if endp.authMap == nil {
return saslUsername, nil
}
mapped, ok, err := endp.authMap.Lookup(ctx, saslUsername)
if err != nil {
return "", err
}
if !ok {
return "", imapbackend.ErrInvalidCredentials
}
return mapped, nil
}
func (endp *Endpoint) usernameForStorage(ctx context.Context, saslUsername string) (string, error) {
saslUsername, err := endp.storageNormalize(saslUsername)
if err != nil {
return "", err
}
if endp.storageMap == nil {
return saslUsername, nil
}
mapped, ok, err := endp.storageMap.Lookup(ctx, saslUsername)
if err != nil {
return "", err
}
if !ok {
return "", imapbackend.ErrInvalidCredentials
}
if saslUsername != mapped {
endp.Log.DebugMsg("using mapped username for storage", "username", saslUsername, "mapped_username", mapped)
}
return mapped, nil
}
func (endp *Endpoint) openAccount(c imapserver.Conn, identity string) error {
u, err := endp.Store.GetOrCreateIMAPAcct(identity)
username, err := endp.usernameForStorage(context.TODO(), identity)
if err != nil {
if errors.Is(err, imapbackend.ErrInvalidCredentials) {
return err
}
endp.Log.Error("failed to determine storage account name", err, "username", username)
return fmt.Errorf("internal server error")
}
u, err := endp.Store.GetOrCreateIMAPAcct(username)
if err != nil {
return err
}
@ -206,13 +283,23 @@ func (endp *Endpoint) openAccount(c imapserver.Conn, identity string) error {
}
func (endp *Endpoint) Login(connInfo *imap.ConnInfo, username, password string) (imapbackend.User, error) {
// saslAuth handles AuthMap calling.
err := endp.saslAuth.AuthPlain(username, password)
if err != nil {
endp.Log.Error("authentication failed", err, "username", username, "src_ip", connInfo.RemoteAddr)
return nil, imapbackend.ErrInvalidCredentials
}
return endp.Store.GetOrCreateIMAPAcct(username)
storageUsername, err := endp.usernameForStorage(context.TODO(), username)
if err != nil {
if errors.Is(err, imapbackend.ErrInvalidCredentials) {
return nil, err
}
endp.Log.Error("authentication failed due to an internal error", err, "username", username, "src_ip", connInfo.RemoteAddr)
return nil, fmt.Errorf("internal server error")
}
return endp.Store.GetOrCreateIMAPAcct(storageUsername)
}
func (endp *Endpoint) I18NLevel() int {

8
internal/endpoint/smtp/session.go
View file

@ -107,10 +107,15 @@ func (s *Session) Reset() {
}
func (s *Session) releaseLimits() {
_, domain, err := address.Split(s.mailFrom)
domain := ""
if s.mailFrom != "" {
var err error
_, domain, err = address.Split(s.mailFrom)
if err != nil {
return
}
}
addr, ok := s.msgMeta.Conn.RemoteAddr.(*net.TCPAddr)
if !ok {
addr = &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1)}
@ -149,6 +154,7 @@ func (s *Session) AuthPlain(username, password string) error {
return s.endp.wrapErr("", true, "AUTH", err)
}
// saslAuth will handle AuthMap and AuthNormalize.
err := s.endp.saslAuth.AuthPlain(username, password)
if err != nil {
s.endp.Log.Error("authentication failed", err, "username", username, "src_ip", s.connState.RemoteAddr)

41
internal/endpoint/smtp/smtp.go
View file

@ -43,8 +43,10 @@ import (
"github.com/foxcpp/maddy/framework/log"
"github.com/foxcpp/maddy/framework/module"
"github.com/foxcpp/maddy/internal/auth"
"github.com/foxcpp/maddy/internal/authz"
"github.com/foxcpp/maddy/internal/limits"
"github.com/foxcpp/maddy/internal/msgpipeline"
"github.com/foxcpp/maddy/internal/proxy_protocol"
"golang.org/x/net/idna"
)
@ -54,6 +56,7 @@ type Endpoint struct {
name string
addrs []string
listeners []net.Listener
proxyProtocol *proxy_protocol.ProxyProtocol
pipeline *msgpipeline.MsgPipeline
resolver dns.Resolver
limits *limits.Group
@ -68,6 +71,9 @@ type Endpoint struct {
maxReceived int
maxHeaderBytes int
authNormalize authz.NormalizeFunc
authMap module.Table
listenersWg sync.WaitGroup
Log log.Logger
@ -242,6 +248,9 @@ func (endp *Endpoint) setConfig(cfg *config.Map) error {
return endp.saslAuth.AddProvider(m, node)
})
cfg.String("hostname", true, true, "", &hostname)
config.EnumMapped(cfg, "auth_map_normalize", true, false, authz.NormalizeFuncs, authz.NormalizeAuto,
&endp.authNormalize)
modconfig.Table(cfg, "auth_map", true, false, nil, &endp.authMap)
cfg.Duration("write_timeout", false, false, 1*time.Minute, &endp.serv.WriteTimeout)
cfg.Duration("read_timeout", false, false, 10*time.Minute, &endp.serv.ReadTimeout)
cfg.DataSize("max_message_size", false, false, 32*1024*1024, &endp.serv.MaxMessageBytes)
@ -256,6 +265,7 @@ func (endp *Endpoint) setConfig(cfg *config.Map) error {
return autoBufferMode(1*1024*1024 /* 1 MiB */, path), nil
}, bufferModeDirective, &endp.buffer)
cfg.Custom("tls", true, endp.name != "lmtp", nil, tls2.TLSDirective, &endp.serv.TLSConfig)
cfg.Custom("proxy_protocol", false, false, nil, proxy_protocol.ProxyProtocolDirective, &endp.proxyProtocol)
cfg.Bool("insecure_auth", endp.name == "lmtp", false, &endp.serv.AllowInsecureAuth)
cfg.Int("smtp_max_line_length", false, false, 4000, &endp.serv.MaxLineLength)
cfg.Bool("io_debug", false, false, &ioDebug)
@ -299,6 +309,8 @@ func (endp *Endpoint) setConfig(cfg *config.Map) error {
return fmt.Errorf("%s: auth. provider must be set for submission endpoint", endp.name)
}
}
endp.saslAuth.AuthNormalize = endp.authNormalize
endp.saslAuth.AuthMap = endp.authMap
for _, mech := range endp.saslAuth.SASLMechanisms() {
// The code below lacks handling to set AuthPassword. Don't
// override sasl.Plain handler so Login() will be called as usual.
@ -341,6 +353,10 @@ func (endp *Endpoint) setupListeners(addresses []config.Endpoint) error {
l = tls.NewListener(l, endp.serv.TLSConfig)
}
if endp.proxyProtocol != nil {
l = proxy_protocol.NewListener(l, endp.proxyProtocol, endp.Log)
}
endp.listeners = append(endp.listeners, l)
endp.listenersWg.Add(1)
@ -356,6 +372,31 @@ func (endp *Endpoint) setupListeners(addresses []config.Endpoint) error {
return nil
}
func (endp *Endpoint) usernameForAuth(ctx context.Context, saslUsername string) (string, error) {
saslUsername, err := endp.authNormalize(saslUsername)
if err != nil {
return "", err
}
if endp.authMap == nil {
return saslUsername, nil
}
mapped, ok, err := endp.authMap.Lookup(ctx, saslUsername)
if err != nil {
return "", err
}
if !ok {
return "", &smtp.SMTPError{
Code: 535,
EnhancedCode: smtp.EnhancedCode{5, 7, 8},
Message: "Invalid credentials",
}
}
return mapped, nil
}
func (endp *Endpoint) NewSession(conn *smtp.Conn) (smtp.Session, error) {
sess := endp.newSession(conn)

86
internal/proxy_protocol/proxy_protocol.go Normal file
View file

@ -0,0 +1,86 @@
package proxy_protocol
import (
"crypto/tls"
"net"
"strings"
"github.com/c0va23/go-proxyprotocol"
"github.com/foxcpp/maddy/framework/config"
tls2 "github.com/foxcpp/maddy/framework/config/tls"
"github.com/foxcpp/maddy/framework/log"
)
type ProxyProtocol struct {
trust []net.IPNet
tlsConfig *tls.Config
}
func ProxyProtocolDirective(_ *config.Map, node config.Node) (interface{}, error) {
p := ProxyProtocol{}
childM := config.NewMap(nil, node)
var trustList []string
childM.StringList("trust", false, false, nil, &trustList)
childM.Custom("tls", true, false, nil, tls2.TLSDirective, &p.tlsConfig)
if _, err := childM.Process(); err != nil {
return nil, err
}
if len(node.Args) > 0 {
if trustList == nil {
trustList = make([]string, 0)
}
trustList = append(trustList, node.Args...)
}
for _, trust := range trustList {
if !strings.Contains(trust, "/") {
trust += "/32"
}
_, ipNet, err := net.ParseCIDR(trust)
if err != nil {
return nil, err
}
p.trust = append(p.trust, *ipNet)
}
return &p, nil
}
func NewListener(inner net.Listener, p *ProxyProtocol, logger log.Logger) net.Listener {
var listener net.Listener
sourceChecker := func(upstream net.Addr) (bool, error) {
if tcpAddr, ok := upstream.(*net.TCPAddr); ok {
if len(p.trust) == 0 {
return true, nil
}
for _, trusted := range p.trust {
if trusted.Contains(tcpAddr.IP) {
return true, nil
}
}
} else if _, ok := upstream.(*net.UnixAddr); ok {
// UNIX local socket connection, always trusted
return true, nil
}
logger.Printf("proxy_protocol: connection from untrusted source %s", upstream)
return false, nil
}
listener = proxyprotocol.NewDefaultListener(inner).
WithLogger(proxyprotocol.LoggerFunc(func(format string, v ...interface{}) {
logger.Debugf("proxy_protocol: "+format, v...)
})).
WithSourceChecker(sourceChecker)
if p.tlsConfig != nil {
listener = tls.NewListener(listener, p.tlsConfig)
}
return listener
}

27
internal/storage/blob/s3/s3.go
View file

@ -15,6 +15,14 @@ import (
const modName = "storage.blob.s3"
const (
credsTypeFileMinio = "file_minio"
credsTypeFileAWS = "file_aws"
credsTypeAccessKey = "access_key"
credsTypeIAM = "iam"
credsTypeDefault = credsTypeAccessKey
)
type Store struct {
instName string
log log.Logger
@ -42,6 +50,7 @@ func (s *Store) Init(cfg *config.Map) error {
secure bool
accessKeyID string
secretAccessKey string
credsType string
location string
)
cfg.String("endpoint", false, true, "", &s.endpoint)
@ -51,6 +60,7 @@ func (s *Store) Init(cfg *config.Map) error {
cfg.String("bucket", false, true, "", &s.bucketName)
cfg.String("region", false, false, "", &location)
cfg.String("object_prefix", false, false, "", &s.objectPrefix)
cfg.String("creds", false, false, credsTypeDefault, &credsType)
if _, err := cfg.Process(); err != nil {
return err
@ -59,8 +69,23 @@ func (s *Store) Init(cfg *config.Map) error {
return fmt.Errorf("%s: endpoint not set", modName)
}
var creds *credentials.Credentials
switch credsType {
case credsTypeFileMinio:
creds = credentials.NewFileMinioClient("", "")
case credsTypeFileAWS:
creds = credentials.NewFileAWSCredentials("", "")
case credsTypeIAM:
creds = credentials.NewIAM("")
case credsTypeAccessKey:
creds = credentials.NewStaticV4(accessKeyID, secretAccessKey, "")
default:
creds = credentials.NewStaticV4(accessKeyID, secretAccessKey, "")
}
cl, err := minio.New(s.endpoint, &minio.Options{
Creds: credentials.NewStaticV4(accessKeyID, secretAccessKey, ""),
Creds: creds,
Secure: secure,
Region: location,
})

10
internal/storage/imapsql/imapsql.go
View file

@ -151,7 +151,7 @@ func (store *Storage) Init(cfg *config.Map) error {
cfg.Custom("auth_map", false, false, func() (interface{}, error) {
return nil, nil
}, modconfig.TableDirective, &store.authMap)
cfg.String("auth_normalize", false, false, "precis_casefold_email", &authNormalize)
cfg.String("auth_normalize", false, false, "auto", &authNormalize)
cfg.Custom("delivery_map", false, false, func() (interface{}, error) {
return nil, nil
}, modconfig.TableDirective, &store.deliveryMap)
@ -189,6 +189,9 @@ func (store *Storage) Init(cfg *config.Map) error {
}
}
if authNormalize != "auto" {
store.Log.Msg("auth_normalize in storage.imapsql is deprecated and will be removed in the next release, use storage_map in imap config instead")
}
authNormFunc, ok := authz.NormalizeFuncs[authNormalize]
if !ok {
return errors.New("imapsql: unknown normalization function: " + authNormalize)
@ -197,6 +200,7 @@ func (store *Storage) Init(cfg *config.Map) error {
return authNormFunc(s)
}
if store.authMap != nil {
store.Log.Msg("auth_map in storage.imapsql is deprecated and will be removed in the next release, use storage_map in imap config instead")
store.authNormalize = func(ctx context.Context, username string) (string, error) {
username, err := authNormFunc(username)
if err != nil {
@ -397,8 +401,8 @@ func (store *Storage) Close() error {
store.Back.Close()
// Wait for 'updates replicate' goroutine to actually stop so we will send
// all updates before shuting down (this is especially important for
// maddyctl).
// all updates before shutting down (this is especially important for
// maddy subcommands).
if store.updPipe != nil {
close(store.outboundUpds)
<-store.updPushStop

6
internal/table/email_localpart.go
View file

@ -29,12 +29,14 @@ import (
type EmailLocalpart struct {
modName string
instName string
allowNonEmail bool
}
func NewEmailLocalpart(modName, instName string, _, _ []string) (module.Module, error) {
return &EmailLocalpart{
modName: modName,
instName: instName,
allowNonEmail: modName == "table.email_localpart_optional",
}, nil
}
@ -53,6 +55,9 @@ func (s *EmailLocalpart) InstanceName() string {
func (s *EmailLocalpart) Lookup(ctx context.Context, key string) (string, bool, error) {
mbox, _, err := address.Split(key)
if err != nil {
if s.allowNonEmail {
return key, true, nil
}
// Invalid email, no local part mapping.
return "", false, nil
}
@ -61,4 +66,5 @@ func (s *EmailLocalpart) Lookup(ctx context.Context, key string) (string, bool,
func init() {
module.Register("table.email_localpart", NewEmailLocalpart)
module.Register("table.email_localpart_optional", NewEmailLocalpart)
}

89
internal/table/email_with_domain.go Normal file
View file

@ -0,0 +1,89 @@
/*
Maddy Mail Server - Composable all-in-one email server.
Copyright © 2019-2020 Max Mazurov <fox.cpp@disroot.org>, Maddy Mail Server contributors
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
package table
import (
"context"
"fmt"
"github.com/foxcpp/maddy/framework/address"
"github.com/foxcpp/maddy/framework/config"
"github.com/foxcpp/maddy/framework/log"
"github.com/foxcpp/maddy/framework/module"
)
type EmailWithDomain struct {
modName string
instName string
domains []string
log log.Logger
}
func NewEmailWithDomain(modName, instName string, _, inlineArgs []string) (module.Module, error) {
return &EmailWithDomain{
modName: modName,
instName: instName,
domains: inlineArgs,
log: log.Logger{Name: modName},
}, nil
}
func (s *EmailWithDomain) Init(cfg *config.Map) error {
for _, d := range s.domains {
if !address.ValidDomain(d) {
return fmt.Errorf("%s: invalid domain: %s", s.modName, d)
}
}
if len(s.domains) == 0 {
return fmt.Errorf("%s: at least one domain is required", s.modName)
}
return nil
}
func (s *EmailWithDomain) Name() string {
return s.modName
}
func (s *EmailWithDomain) InstanceName() string {
return s.modName
}
func (s *EmailWithDomain) Lookup(ctx context.Context, key string) (string, bool, error) {
quotedMbox := address.QuoteMbox(key)
if len(s.domains) == 0 {
s.log.Msg("only first domain is used when expanding key", "key", key, "domain", s.domains[0])
}
return quotedMbox + "@" + s.domains[0], true, nil
}
func (s *EmailWithDomain) LookupMulti(ctx context.Context, key string) ([]string, error) {
quotedMbox := address.QuoteMbox(key)
emails := make([]string, len(s.domains))
for i, domain := range s.domains {
emails[i] = quotedMbox + "@" + domain
}
return emails, nil
}
func init() {
module.Register("table.email_with_domain", NewEmailWithDomain)
}

43
internal/table/file.go
View file

@ -124,24 +124,31 @@ func (f *File) reloader() {
for {
select {
case <-t.C:
f.reload()
case <-f.forceReload:
f.reload()
case <-f.stopReloader:
f.stopReloader <- struct{}{}
return
}
}
}
func (f *File) reload() {
info, err := os.Stat(f.file)
if err != nil {
if os.IsNotExist(err) {
f.mLck.Lock()
f.m = map[string][]string{}
f.mStamp = time.Now()
f.mLck.Unlock()
continue
return
}
f.log.Error("os stat", err)
}
if info.ModTime().Before(f.mStamp) {
continue // reload not necessary
}
case <-f.forceReload:
case <-f.stopReloader:
f.stopReloader <- struct{}{}
return
if info.ModTime().Before(f.mStamp) || time.Since(info.ModTime()) < (reloadInterval/2) {
return // reload not necessary
}
f.log.Debugf("reloading")
@ -150,18 +157,28 @@ func (f *File) reloader() {
if err := readFile(f.file, newm); err != nil {
if os.IsNotExist(err) {
f.log.Printf("ignoring non-existent file: %s", f.file)
continue
return
}
f.log.Println(err)
continue
return
}
// after reading we need to check whether file has changed in between
info2, err := os.Stat(f.file)
if err != nil {
f.log.Println(err)
return
}
if !info2.ModTime().Equal(info.ModTime()) {
// file has changed in the meantime
return
}
f.mLck.Lock()
f.m = newm
f.mStamp = time.Now()
f.mStamp = info.ModTime()
f.mLck.Unlock()
}
}
func (f *File) Close() error {

34
internal/table/file_test.go
View file

@ -111,27 +111,26 @@ func TestFileReload(t *testing.T) {
t.Fatal(err)
}
// This delay is somehow important. Not sure why.
time.Sleep(500 * time.Millisecond)
// ensure it is correctly loaded at first time.
m.mLck.RLock()
if m.m["cat"] == nil {
t.Fatalf("wrong content loaded, new m were not loaded, %v", m.m)
}
m.mLck.RUnlock()
if err := ioutil.WriteFile(f.Name(), []byte("dog: cat"), os.ModePerm); err != nil {
for i := 0; i < 100; i++ {
// try to provoke race condition on file writing
if i%2 == 0 {
if err := os.WriteFile(f.Name(), []byte("dog: cat"), os.ModePerm); err != nil {
t.Fatal(err)
}
for i := 0; i < 10; i++ {
time.Sleep(reloadInterval + 50*time.Millisecond)
m.mLck.RLock()
if m.m["dog"] != nil {
m.mLck.RUnlock()
break
}
m.mLck.RUnlock()
}
time.Sleep(reloadInterval + 5*time.Millisecond)
m.mLck.RLock()
defer m.mLck.RUnlock()
if m.m["dog"] == nil {
t.Fatal("New m were not loaded")
t.Fatalf("wrong content loaded, new m were not loaded, %v", m.m)
}
m.mLck.RUnlock()
}
}
@ -208,9 +207,6 @@ func TestFileReload_Removed(t *testing.T) {
t.Fatal(err)
}
// This delay is somehow important. Not sure why.
time.Sleep(250 * time.Millisecond)
os.Remove(f.Name())
time.Sleep(3 * reloadInterval)
@ -223,5 +219,5 @@ func TestFileReload_Removed(t *testing.T) {
}
func init() {
reloadInterval = 250 * time.Millisecond
reloadInterval = 10 * time.Millisecond
}

2
internal/target/remote/connect.go
View file

@ -238,7 +238,7 @@ func (rd *remoteDelivery) connectionForDomain(ctx context.Context, domain string
return nil, &exterrors.SMTPError{
Code: 550,
EnhancedCode: exterrors.EnhancedCode{5, 7, 30},
Message: "Failed to estabilish the MX record authenticity (REQUIRETLS)",
Message: "Failed to establish the MX record authenticity (REQUIRETLS)",
Misc: map[string]interface{}{
"mx_level": conn.mxLevel,
},

3
internal/target/remote/remote_test.go
View file

@ -982,7 +982,8 @@ func TestRemoteDelivery_TLS_FallbackNoVerify(t *testing.T) {
be.CheckMsg(t, 0, "test@example.com", []string{"test@example.invalid"})
// But it should still be delivered over TLS.
if !be.Messages[0].State.TLS.HandshakeComplete {
tlsState, ok := be.Messages[0].Conn.TLSConnectionState()
if !ok || !tlsState.HandshakeComplete {
t.Fatal("Message was not delivered over TLS")
}
}

4
internal/target/remote/security.go
View file

@ -180,7 +180,7 @@ func (c *mtastsDelivery) CheckMX(ctx context.Context, mxLevel module.MXLevel, do
return module.MXNone, &exterrors.SMTPError{
Code: 550,
EnhancedCode: exterrors.EnhancedCode{5, 7, 0},
Message: "Failed to estabilish the module.MX record authenticity (MTA-STS)",
Message: "Failed to establish the module.MX record authenticity (MTA-STS)",
}
}
c.log.Msg("MX does not match published non-enforced MTA-STS policy", "mx", mx, "domain", c.domain)
@ -608,7 +608,7 @@ func (l localPolicy) CheckMX(ctx context.Context, mxLevel module.MXLevel, domain
// a temporary error (we can't know with the current design).
Code: 451,
EnhancedCode: exterrors.EnhancedCode{4, 7, 0},
Message: "Failed to estabilish the module.MX record authenticity",
Message: "Failed to establish the module.MX record authenticity",
Misc: map[string]interface{}{
"mx_level": mxLevel,
},

16
internal/target/smtp/smtp_downstream_test.go
View file

@ -229,8 +229,10 @@ func TestDownstreamDelivery_AttemptTLS(t *testing.T) {
testutils.DoTestDelivery(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
be.CheckMsg(t, 0, "test@example.invalid", []string{"rcpt@example.invalid"})
if !be.Messages[0].State.TLS.HandshakeComplete {
t.Error("Expected TLS to be used, but it was not")
tlsState, ok := be.Messages[0].Conn.TLSConnectionState()
if !ok || !tlsState.HandshakeComplete {
t.Fatal("Message was not delivered over TLS")
}
}
@ -278,8 +280,9 @@ func TestDownstreamDelivery_RequireTLS(t *testing.T) {
testutils.DoTestDelivery(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
be.CheckMsg(t, 0, "test@example.invalid", []string{"rcpt@example.invalid"})
if !be.Messages[0].State.TLS.HandshakeComplete {
t.Error("Expected TLS to be used, but it was not")
tlsState, ok := be.Messages[0].Conn.TLSConnectionState()
if !ok || !tlsState.HandshakeComplete {
t.Fatal("Message was not delivered over TLS")
}
}
@ -305,8 +308,9 @@ func TestDownstreamDelivery_RequireTLS_Implicit(t *testing.T) {
testutils.DoTestDelivery(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
be.CheckMsg(t, 0, "test@example.invalid", []string{"rcpt@example.invalid"})
if !be.Messages[0].State.TLS.HandshakeComplete {
t.Error("Expected TLS to be used, but it was not")
tlsState, ok := be.Messages[0].Conn.TLSConnectionState()
if !ok || !tlsState.HandshakeComplete {
t.Fatal("Message was not delivered over TLS")
}
}

2
internal/target/smtp/smtputf8_test.go
View file

@ -51,7 +51,7 @@ func TestDownstreamDelivery_EHLO_ALabel(t *testing.T) {
testutils.DoTestDelivery(t, tgt, "test@example.com", []string{"test@example.invalid"})
be.CheckMsg(t, 0, "test@example.com", []string{"test@example.invalid"})
if be.Messages[0].State.Hostname != "xn--e1aybc.invalid" {
if be.Messages[0].Conn.Hostname() != "xn--e1aybc.invalid" {
t.Error("target/remote should use use Punycode in EHLO")
}
}

8
internal/updatepipe/update_pipe.go
View file

@ -19,10 +19,10 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.
// Package updatepipe implements utilities for serialization and transport of
// IMAP update objects between processes and machines.
//
// Its main goal is provide maddyctl with ability to properly notify the server
// about changes without relying on it to coordinate access in the first place
// (so maddyctl can work without a running server or with a broken server
// instance).
// Its main goal is provide maddy command with ability to properly notify the
// server about changes without relying on it to coordinate access in the
// first place (so maddy command can work without a running server or with a
// broken server instance).
//
// Additionally, it can be used to transfer IMAP updates between replicated
// nodes.

6
maddy.conf
View file

@ -1,6 +1,6 @@
## Maddy Mail Server - default configuration file (2022-06-18)
# Suitable for small-scale deployments. Uses its own format for local users DB,
# should be managed via maddyctl utility.
# should be managed via maddy subcommands.
#
# See tutorials at https://maddy.email for guidance on typical
# configuration changes.
@ -25,7 +25,7 @@ tls file /etc/maddy/certs/$(hostname)/fullchain.pem /etc/maddy/certs/$(hostname)
# PAM, /etc/shadow file).
#
# If table module supports it (sql_table does) - credentials can be managed
# using 'maddyctl creds' command.
# using 'maddy creds' command.
auth.pass_table local_authdb {
table sql_table {
@ -40,7 +40,7 @@ auth.pass_table local_authdb {
# also by SMTP & Submission endpoints for delivery of local messages.
#
# IMAP accounts, mailboxes and all message metadata can be inspected using
# imap-* subcommands of maddyctl utility.
# imap-* subcommands of maddy.
storage.imapsql local_mailboxes {
driver sqlite3

6
maddy.conf.docker
View file

@ -1,7 +1,7 @@
## Maddy Mail Server - default configuration file (2022-06-18)
## This is the copy of maddy.conf with changes necessary to run it in Docker.
# Suitable for small-scale deployments. Uses its own format for local users DB,
# should be managed via maddyctl utility.
# should be managed via maddy subcommands.
#
# See tutorials at https://maddy.email for guidance on typical
# configuration changes.
@ -26,7 +26,7 @@ tls file /data/tls/fullchain.pem /data/tls/privkey.pem
# PAM, /etc/shadow file).
#
# If table module supports it (sql_table does) - credentials can be managed
# using 'maddyctl creds' command.
# using 'maddy creds' command.
auth.pass_table local_authdb {
table sql_table {
@ -41,7 +41,7 @@ auth.pass_table local_authdb {
# also by SMTP & Submission endpoints for delivery of local messages.
#
# IMAP accounts, mailboxes and all message metadata can be inspected using
# imap-* subcommands of maddyctl utility.
# imap-* subcommands of maddy.
storage.imapsql local_mailboxes {
driver sqlite3

4
maddy.go
View file

@ -31,10 +31,12 @@ import (
"github.com/caddyserver/certmagic"
parser "github.com/foxcpp/maddy/framework/cfgparser"
"github.com/foxcpp/maddy/framework/config"
modconfig "github.com/foxcpp/maddy/framework/config/module"
"github.com/foxcpp/maddy/framework/config/tls"
"github.com/foxcpp/maddy/framework/hooks"
"github.com/foxcpp/maddy/framework/log"
"github.com/foxcpp/maddy/framework/module"
"github.com/foxcpp/maddy/internal/authz"
maddycli "github.com/foxcpp/maddy/internal/cli"
"github.com/urfave/cli/v2"
@ -297,6 +299,8 @@ func ReadGlobals(cfg []config.Node) (map[string]interface{}, []config.Node, erro
globals.StringList("auth_domains", false, false, nil, nil)
globals.Custom("log", false, false, defaultLogOutput, logOutput, &log.DefaultLogger.Out)
globals.Bool("debug", false, log.DefaultLogger.Debug, &log.DefaultLogger.Debug)
config.EnumMapped(globals, "auth_map_normalize", true, false, authz.NormalizeFuncs, authz.NormalizeAuto, nil)
modconfig.Table(globals, "auth_map", true, false, nil, nil)
globals.AllowUnknown()
unknown, err := globals.Process()
return globals.Values, unknown, err

96
tests/imap_test.go Normal file
View file

@ -0,0 +1,96 @@
//go:build integration && cgo && !nosqlite3
// +build integration,cgo,!nosqlite3
package tests_test
import (
"testing"
"github.com/foxcpp/maddy/tests"
)
func TestIMAPEndpointAuthMap(tt *testing.T) {
tt.Parallel()
t := tests.NewT(tt)
t.DNS(nil)
t.Port("imap")
t.Config(`
storage.imapsql test_store {
driver sqlite3
dsn imapsql.db
}
imap tcp://127.0.0.1:{env:TEST_PORT_imap} {
tls off
auth_map email_localpart
auth pass_table static {
entry "user" "bcrypt:$2a$10$E.AuCH3oYbaRrETXfXwc0.4jRAQBbanpZiCfudsJz9bHzLr/qj6ti" # password: 123
}
storage &test_store
}
`)
t.Run(1)
defer t.Close()
imapConn := t.Conn("imap")
defer imapConn.Close()
imapConn.ExpectPattern(`\* OK *`)
imapConn.Writeln(". LOGIN user@example.org 123")
imapConn.ExpectPattern(". OK *")
imapConn.Writeln(". SELECT INBOX")
imapConn.ExpectPattern(`\* *`)
imapConn.ExpectPattern(`\* *`)
imapConn.ExpectPattern(`\* *`)
imapConn.ExpectPattern(`\* *`)
imapConn.ExpectPattern(`\* *`)
imapConn.ExpectPattern(`\* *`)
imapConn.ExpectPattern(`. OK *`)
}
func TestIMAPEndpointStorageMap(tt *testing.T) {
tt.Parallel()
t := tests.NewT(tt)
t.DNS(nil)
t.Port("imap")
t.Config(`
storage.imapsql test_store {
driver sqlite3
dsn imapsql.db
}
imap tcp://127.0.0.1:{env:TEST_PORT_imap} {
tls off
storage_map email_localpart
auth_map email_localpart
auth pass_table static {
entry "user" "bcrypt:$2a$10$z9SvUwUjkY8wKOWd9IbISeEmbJua2cXRPqw7s2BnLXJuc6pIMPncK" # password: 123
}
storage &test_store
}
`)
t.Run(1)
defer t.Close()
imapConn := t.Conn("imap")
defer imapConn.Close()
imapConn.ExpectPattern(`\* OK *`)
imapConn.Writeln(". LOGIN user@example.org 123")
imapConn.ExpectPattern(". OK *")
imapConn.Writeln(". CREATE testbox")
imapConn.ExpectPattern(". OK *")
imapConn2 := t.Conn("imap")
defer imapConn2.Close()
imapConn2.ExpectPattern(`\* OK *`)
imapConn2.Writeln(". LOGIN user@example.com 123")
imapConn2.ExpectPattern(". OK *")
imapConn2.Writeln(`. LIST "" "*"`)
imapConn2.Expect(`* LIST (\HasNoChildren) "." INBOX`)
imapConn2.Expect(`* LIST (\HasNoChildren) "." "testbox"`)
imapConn2.ExpectPattern(". OK *")
}

89
tests/smtp_test.go
View file

@ -23,6 +23,7 @@ package tests_test
import (
"errors"
"fmt"
"io/ioutil"
"path/filepath"
"strings"
@ -68,6 +69,94 @@ func TestCheckRequireTLS(tt *testing.T) {
conn.ExpectPattern("221 *")
}
func TestProxyProtocolTrustedSource(tt *testing.T) {
tt.Parallel()
t := tests.NewT(tt)
t.DNS(map[string]mockdns.Zone{
"one.maddy.test.": {
TXT: []string{"v=spf1 ip4:127.0.0.17 -all"},
},
})
t.Port("smtp")
t.Config(`
smtp tcp://127.0.0.1:{env:TEST_PORT_smtp} {
hostname mx.maddy.test
tls off
proxy_protocol {
trust ` + tests.DefaultSourceIP.String() + ` ::1/128
tls off
}
defer_sender_reject no
check {
spf {
enforce_early yes
fail_action reject
}
}
deliver_to dummy
}
`)
t.Run(1)
defer t.Close()
conn := t.Conn("smtp")
defer conn.Close()
conn.Writeln(fmt.Sprintf("PROXY TCP4 127.0.0.17 %s 12345 %d", tests.DefaultSourceIP.String(), t.Port("smtp")))
conn.SMTPNegotation("localhost", nil, nil)
conn.Writeln("MAIL FROM:<testing@one.maddy.test>")
conn.ExpectPattern("250 *")
conn.Writeln("QUIT")
conn.ExpectPattern("221 *")
}
func TestProxyProtocolUntrustedSource(tt *testing.T) {
tt.Parallel()
t := tests.NewT(tt)
t.DNS(map[string]mockdns.Zone{
"one.maddy.test.": {
TXT: []string{"v=spf1 ip4:127.0.0.17 -all"},
},
})
t.Port("smtp")
t.Config(`
smtp tcp://127.0.0.1:{env:TEST_PORT_smtp} {
hostname mx.maddy.test
tls off
proxy_protocol {
trust fe80::bad/128
tls off
}
defer_sender_reject no
check {
spf {
enforce_early yes
fail_action reject
}
}
deliver_to dummy
}
`)
t.Run(1)
defer t.Close()
conn := t.Conn("smtp")
defer conn.Close()
conn.Writeln(fmt.Sprintf("PROXY TCP4 127.0.0.17 %s 12345 %d", tests.DefaultSourceIP.String(), t.Port("smtp")))
conn.SMTPNegotation("localhost", nil, nil)
conn.Writeln("MAIL FROM:<testing@one.maddy.test>")
conn.ExpectPattern("550 *")
conn.Writeln("QUIT")
conn.ExpectPattern("221 *")
}
func TestCheckSPF(tt *testing.T) {
tt.Parallel()
t := tests.NewT(tt)