Merge branch 'master' into dev

docs/multiple-domains.md

@@ -13,7 +13,7 @@ $(primary_domain) = example.org
 $(local_domains) = $(primary_domain) example.com
 ```
 
-The base configuration is done. You can create accounts using maddyctl using
+The base configuration is done. You can create accounts using
 both domains in the name, send and receive messages and so on.  Do not forget
 to configure corresponding SPF, DMARC and MTA-STS records as was
 recommended in the [introduction tutorial](tutorials/setting-up.md).
@@ -24,7 +24,7 @@ You can configure maddy to only use local part of the email
 as an account identifier instead of the complete email.
 
 This needs two changes to default configuration:
-``` 
+```
 storage.imapsql local_mailboxes {
     ...
     delivery_map email_localpart
@@ -32,6 +32,19 @@ storage.imapsql local_mailboxes {
 }
 ```
 
+This way, when authenticating as `foxcpp`, it will be mapped to
+`foxcpp` storage account. E.g. you will need to run
+`maddy imap-accts create foxcpp`, without the domain part.
+
+If you have existing accounts, you will need to rename them.
+
+Change to `auth_normalize` is necessary so that normalization function
+will not attempt to parse authentication identity as a email.
+
+When a email is received, `delivery_map email_localpart` will strip
+the domain part before looking up the account. That is,
+`foxcpp@example.org` will be become just `foxcpp`.
+
 You also need to make `authorize_sender` check (used in `submission` endpoint)
 accept non-email usernames:
 ```
@@ -46,7 +59,7 @@ If you want to allow sending from all domains, you need to remove `authorize_sen
 altogether since it is not currently supported.
 
 After that you can create accounts without specifying the domain part:
-``` 
+```
 maddyctl imap-acct create foxcpp
 maddyctl creds create foxcpp
 ```

docs/reference/modifiers/dkim.md

@@ -160,6 +160,8 @@ sha256 is the only supported algorithm now.
 
 Algorithm to use when generating a new key.
 
+Currently ed25519 is NOT supported by most platforms.
+
 **Syntax**: require\_sender\_match _ids..._ <br>
 **Default**: envelope auth
 

docs/reference/tls.md

@@ -10,7 +10,7 @@ below.
 ```
 tls file cert.pem key.pem {
 	protocols tls1.2 tls1.3
-	curve X25519
+	curves X25519
 	ciphers ...
 }
 
@@ -19,7 +19,7 @@ tls {
 		# Options for loader go here.
 	}
 	protocols tls1.2 tls1.3
-	curve X25519
+	curves X25519
 	ciphers ...
 }
 ```
@@ -88,7 +88,7 @@ Valid values:
 - ECDHE-RSA-WITH-CHACHA20-POLY1305
 - ECDHE-ECDSA-WITH-CHACHA20-POLY1305
 
-**Syntax**: curve _curves..._ <br>
+**Syntax**: curves _curves..._ <br>
 **Default**: defined by Go version
 
 The elliptic curves that will be used in an ECDHE handshake, in preference
@@ -106,7 +106,7 @@ enabling TLS client authentication.
 tls_client {
     protocols tls1.2 tls1.3
     ciphers ...
-    curve X25519
+    curves X25519
     root_ca /etc/ssl/cert.pem
 
     cert /etc/ssl/private/maddy-client.pem
@@ -132,7 +132,7 @@ List of supported cipher suites, in preference order. Not used with TLS 1.3.
 
 See TLS server configuration for list of supported values.
 
-**Syntax**: curve _curves..._ <br>
+**Syntax**: curves _curves..._ <br>
 **Default**: defined by Go version
 
 The elliptic curves that will be used in an ECDHE handshake, in preference

docs/tutorials/pam.md

@@ -4,7 +4,7 @@ maddy supports user authentication using PAM infrastructure via `auth.pam`
 module.
 
 In order to use it, however, either maddy itself should be compiled
-with libpam support or a helper executable should be built and 
+with libpam support or a helper executable should be built and
 installed into an appropriate directory.
 
 It is recommended to use builtin libpam support if you are using
@@ -13,7 +13,7 @@ supported by maddy.
 
 If PAM authentication requires privileged access on the host system
 (e.g. pam_unix.so aka /etc/shadow) then it is recommended to use
-a privileged helper executable since maddy process itself won't 
+a privileged helper executable since maddy process itself won't
 have access to it.
 
 ## Built-in PAM support
@@ -23,7 +23,7 @@ libpam support. You should build maddy from source.
 
 See [here](../building-from-source) for detailed instructions.
 
-You should have libpam development files installed (`libpam-dev` 
+You should have libpam development files installed (`libpam-dev`
 package on Ubuntu/Debian).
 
 Then add `--tags 'libpam'` to the build command:
@@ -48,9 +48,9 @@ cd maddy/cmd/maddy-pam-helper
 gcc pam.c main.c -lpam -o maddy-pam-helper
 ```
 
-Copy the resulting executable into /usr/lib/maddy/ and make 
+Copy the resulting executable into /usr/lib/maddy/ and make
 it setuid-root so it can read /etc/shadow (if that's necessary):
-``` 
+```
 chown root:maddy /usr/lib/maddy/maddy-pam-helper
 chmod u+xs,g+x,o-x /usr/lib/maddy/maddy-pam-helper
 ```
@@ -66,7 +66,8 @@ auth.pam local_authdb {
 ## Account names
 
 Since PAM does not use emails for authentication you should also
-switch storage backend to using usernames for authentication:
+configure storage backend to use username only as an account identifier,
+not full email addresses:
 ```
 storage.imapsql local_mailboxes {
     ...
@@ -74,14 +75,39 @@ storage.imapsql local_mailboxes {
     auth_normalize precis_casefold
 }
 ```
-(See [Multiple domains](../../multiple-domains) for details)
+
+This way, when authenticating as `foxcpp`, it will be mapped to
+`foxcpp` storage account. E.g. you will need to run
+`maddy imap-accts create foxcpp`, without the domain part.
+
+If you have existing accounts, you will need to rename them.
+
+Change to `auth_normalize` is necessary so that normalization function
+will not attempt to parse authentication identity as a email.
+
+When a email is received, `delivery_map email_localpart` will strip
+the domain part before looking up the account. That is,
+`foxcpp@example.org` will be become just `foxcpp`.
+
+You also need to make `authorize_sender` check (used in `submission` endpoint)
+accept non-email usernames:
+```
+authorize_sender {
+  ...
+  auth_normalize precis_casefold
+  user_to_email regexp "(.*)" "$1@$(primary_domain)"
+}
+```
+Note that is would work only if clients use only one domain as sender (`$(primary_domain)`).
+If you want to allow sending from all domains, you need to remove `authorize_sender` check
+altogether since it is not currently supported.
 
 ## PAM service
 
 You should create a PAM configuration file for maddy to use.
 Place it into /etc/pam.d/maddy.
 Here is the minimal example using pam_unix (shadow database).
-``` 
+```
 #%PAM-1.0
 auth	required	pam_unix.so
 account	required	pam_unix.so
@@ -89,7 +115,7 @@ account	required	pam_unix.so
 
 Here is the configuration example you could use on Ubuntu
 to use the authentication config system itself uses:
-``` 
+```
 #%PAM-1.0
 
 @include common-auth

internal/auth/ldap/ldap.go

@@ -107,7 +107,14 @@ func readBindDirective(c *config.Map, n config.Node) (interface{}, error) {
 	case "off":
 		return func(*ldap.Conn) error { return nil }, nil
 	case "unauth":
-		return (*ldap.Conn).UnauthenticatedBind, nil
+		if len(n.Args) == 2 {
+			return func(c *ldap.Conn) error {
+				return c.UnauthenticatedBind(n.Args[1])
+			}, nil
+		}
+		return func(c *ldap.Conn) error {
+			return c.UnauthenticatedBind("")
+		}, nil
 	case "plain":
 		if len(n.Args) != 3 {
 			return nil, fmt.Errorf("auth.ldap: username and password expected for plaintext bind")
@@ -145,7 +152,7 @@ func (a *Auth) newConn() (*ldap.Conn, error) {
 
 		conn, err = ldap.DialURL(u, ldap.DialWithDialer(a.dialer), ldap.DialWithTLSConfig(tlsCfg))
 		if err != nil {
-			a.log.Msg("cannot contact directory server", err, "url", u)
+			a.log.Error("cannot contact directory server", err, "url", u)
 			continue
 		}
 		break

internal/endpoint/openmetrics/om.go

@@ -80,6 +80,7 @@ func (e *Endpoint) Init(cfg *config.Map) error {
 			if err != nil && !errors.Is(err, http.ErrServerClosed) {
 				e.logger.Error("serve failed", err, "endpoint", a)
 			}
+			e.listenersWg.Done()
 		}()
 	}