mirrors/maddy
1
0
Fork 0
mirror of https://github.com/foxcpp/maddy.git synced 2025-04-04 05:37:34 +03:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'master' into dev

Browse source
This commit is contained in:
fox.cpp 2022-09-13 12:42:47 +03:00
commit ab4aefa955
No known key found for this signature in database
GPG key ID: 5B991F6215D2FCC0
6 changed files with 68 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

19
docs/multiple-domains.md
View file

@ -13,7 +13,7 @@ $(primary_domain) = example.org
$(local_domains) = $(primary_domain) example.com
```
The base configuration is done. You can create accounts using maddyctl using
The base configuration is done. You can create accounts using
both domains in the name, send and receive messages and so on. Do not forget
to configure corresponding SPF, DMARC and MTA-STS records as was
recommended in the [introduction tutorial](tutorials/setting-up.md).
@ -24,7 +24,7 @@ You can configure maddy to only use local part of the email
as an account identifier instead of the complete email.
This needs two changes to default configuration:
```
```
storage.imapsql local_mailboxes {
...
delivery_map email_localpart
@ -32,6 +32,19 @@ storage.imapsql local_mailboxes {
}
```
This way, when authenticating as `foxcpp`, it will be mapped to
`foxcpp` storage account. E.g. you will need to run
`maddy imap-accts create foxcpp`, without the domain part.
If you have existing accounts, you will need to rename them.
Change to `auth_normalize` is necessary so that normalization function
will not attempt to parse authentication identity as a email.
When a email is received, `delivery_map email_localpart` will strip
the domain part before looking up the account. That is,
`foxcpp@example.org` will be become just `foxcpp`.
You also need to make `authorize_sender` check (used in `submission` endpoint)
accept non-email usernames:
```
@ -46,7 +59,7 @@ If you want to allow sending from all domains, you need to remove `authorize_sen
altogether since it is not currently supported.
After that you can create accounts without specifying the domain part:
```
```
maddyctl imap-acct create foxcpp
maddyctl creds create foxcpp
```

2
docs/reference/modifiers/dkim.md
View file

@ -160,6 +160,8 @@ sha256 is the only supported algorithm now.
Algorithm to use when generating a new key.
Currently ed25519 is NOT supported by most platforms.
**Syntax**: require\_sender\_match _ids..._ <br>
**Default**: envelope auth

10
docs/reference/tls.md
View file

@ -10,7 +10,7 @@ below.
```
tls file cert.pem key.pem {
protocols tls1.2 tls1.3
curve X25519
curves X25519
ciphers ...
}
@ -19,7 +19,7 @@ tls {
# Options for loader go here.
}
protocols tls1.2 tls1.3
curve X25519
curves X25519
ciphers ...
}
```
@ -88,7 +88,7 @@ Valid values:
- ECDHE-RSA-WITH-CHACHA20-POLY1305
- ECDHE-ECDSA-WITH-CHACHA20-POLY1305
**Syntax**: curve _curves..._ <br>
**Syntax**: curves _curves..._ <br>
**Default**: defined by Go version
The elliptic curves that will be used in an ECDHE handshake, in preference
@ -106,7 +106,7 @@ enabling TLS client authentication.
tls_client {
protocols tls1.2 tls1.3
ciphers ...
curve X25519
curves X25519
root_ca /etc/ssl/cert.pem
cert /etc/ssl/private/maddy-client.pem
@ -132,7 +132,7 @@ List of supported cipher suites, in preference order. Not used with TLS 1.3.
See TLS server configuration for list of supported values.
**Syntax**: curve _curves..._ <br>
**Syntax**: curves _curves..._ <br>
**Default**: defined by Go version
The elliptic curves that will be used in an ECDHE handshake, in preference

44
docs/tutorials/pam.md
View file

@ -4,7 +4,7 @@ maddy supports user authentication using PAM infrastructure via `auth.pam`
module.
In order to use it, however, either maddy itself should be compiled
with libpam support or a helper executable should be built and
with libpam support or a helper executable should be built and
installed into an appropriate directory.
It is recommended to use builtin libpam support if you are using
@ -13,7 +13,7 @@ supported by maddy.
If PAM authentication requires privileged access on the host system
(e.g. pam_unix.so aka /etc/shadow) then it is recommended to use
a privileged helper executable since maddy process itself won't
a privileged helper executable since maddy process itself won't
have access to it.
## Built-in PAM support
@ -23,7 +23,7 @@ libpam support. You should build maddy from source.
See [here](../building-from-source) for detailed instructions.
You should have libpam development files installed (`libpam-dev`
You should have libpam development files installed (`libpam-dev`
package on Ubuntu/Debian).
Then add `--tags 'libpam'` to the build command:
@ -48,9 +48,9 @@ cd maddy/cmd/maddy-pam-helper
gcc pam.c main.c -lpam -o maddy-pam-helper
```
Copy the resulting executable into /usr/lib/maddy/ and make
Copy the resulting executable into /usr/lib/maddy/ and make
it setuid-root so it can read /etc/shadow (if that's necessary):
```
```
chown root:maddy /usr/lib/maddy/maddy-pam-helper
chmod u+xs,g+x,o-x /usr/lib/maddy/maddy-pam-helper
```
@ -66,7 +66,8 @@ auth.pam local_authdb {
## Account names
Since PAM does not use emails for authentication you should also
switch storage backend to using usernames for authentication:
configure storage backend to use username only as an account identifier,
not full email addresses:
```
storage.imapsql local_mailboxes {
...
@ -74,14 +75,39 @@ storage.imapsql local_mailboxes {
auth_normalize precis_casefold
}
```
(See [Multiple domains](../../multiple-domains) for details)
This way, when authenticating as `foxcpp`, it will be mapped to
`foxcpp` storage account. E.g. you will need to run
`maddy imap-accts create foxcpp`, without the domain part.
If you have existing accounts, you will need to rename them.
Change to `auth_normalize` is necessary so that normalization function
will not attempt to parse authentication identity as a email.
When a email is received, `delivery_map email_localpart` will strip
the domain part before looking up the account. That is,
`foxcpp@example.org` will be become just `foxcpp`.
You also need to make `authorize_sender` check (used in `submission` endpoint)
accept non-email usernames:
```
authorize_sender {
...
auth_normalize precis_casefold
user_to_email regexp "(.*)" "$1@$(primary_domain)"
}
```
Note that is would work only if clients use only one domain as sender (`$(primary_domain)`).
If you want to allow sending from all domains, you need to remove `authorize_sender` check
altogether since it is not currently supported.
## PAM service
You should create a PAM configuration file for maddy to use.
Place it into /etc/pam.d/maddy.
Here is the minimal example using pam_unix (shadow database).
```
```
#%PAM-1.0
auth required pam_unix.so
account required pam_unix.so
@ -89,7 +115,7 @@ account required pam_unix.so
Here is the configuration example you could use on Ubuntu
to use the authentication config system itself uses:
```
```
#%PAM-1.0
@include common-auth

11
internal/auth/ldap/ldap.go
View file

@ -107,7 +107,14 @@ func readBindDirective(c *config.Map, n config.Node) (interface{}, error) {
case "off":
return func(*ldap.Conn) error { return nil }, nil
case "unauth":
return (*ldap.Conn).UnauthenticatedBind, nil
if len(n.Args) == 2 {
return func(c *ldap.Conn) error {
return c.UnauthenticatedBind(n.Args[1])
}, nil
}
return func(c *ldap.Conn) error {
return c.UnauthenticatedBind("")
}, nil
case "plain":
if len(n.Args) != 3 {
return nil, fmt.Errorf("auth.ldap: username and password expected for plaintext bind")
@ -145,7 +152,7 @@ func (a *Auth) newConn() (*ldap.Conn, error) {
conn, err = ldap.DialURL(u, ldap.DialWithDialer(a.dialer), ldap.DialWithTLSConfig(tlsCfg))
if err != nil {
a.log.Msg("cannot contact directory server", err, "url", u)
a.log.Error("cannot contact directory server", err, "url", u)
continue
}
break

1
internal/endpoint/openmetrics/om.go
View file

@ -80,6 +80,7 @@ func (e *Endpoint) Init(cfg *config.Map) error {
if err != nil && !errors.Is(err, http.ErrServerClosed) {
e.logger.Error("serve failed", err, "endpoint", a)
}
e.listenersWg.Done()
}()
}