Merge branch 'master' into dev

2025-04-04 21:47:40 +03:00 · 2022-09-13 12:42:47 +03:00 · 2022-09-13 12:42:47 +03:00 · ab4aefa955
commit ab4aefa955
parent 1d0d9915a0 f7107d4a92
6 changed files with 68 additions and 19 deletions
--- a/docs/multiple-domains.md
+++ b/docs/multiple-domains.md
@ -13,7 +13,7 @@ $(primary_domain) = example.org
 $(local_domains) = $(primary_domain) example.com
 ```

-The base configuration is done. You can create accounts using maddyctl using
+The base configuration is done. You can create accounts using
 both domains in the name, send and receive messages and so on.  Do not forget
 to configure corresponding SPF, DMARC and MTA-STS records as was
 recommended in the [introduction tutorial](tutorials/setting-up.md).
@ -32,6 +32,19 @@ storage.imapsql local_mailboxes {
 }
 ```

+This way, when authenticating as `foxcpp`, it will be mapped to
+`foxcpp` storage account. E.g. you will need to run
+`maddy imap-accts create foxcpp`, without the domain part.
+
+If you have existing accounts, you will need to rename them.
+
+Change to `auth_normalize` is necessary so that normalization function
+will not attempt to parse authentication identity as a email.
+
+When a email is received, `delivery_map email_localpart` will strip
+the domain part before looking up the account. That is,
+`foxcpp@example.org` will be become just `foxcpp`.
+
 You also need to make `authorize_sender` check (used in `submission` endpoint)
 accept non-email usernames:
 ```
--- a/docs/reference/modifiers/dkim.md
+++ b/docs/reference/modifiers/dkim.md
@ -160,6 +160,8 @@ sha256 is the only supported algorithm now.

 Algorithm to use when generating a new key.

+Currently ed25519 is NOT supported by most platforms.
+
 **Syntax**: require\_sender\_match _ids..._ <br>
 **Default**: envelope auth

--- a/docs/reference/tls.md
+++ b/docs/reference/tls.md
@ -10,7 +10,7 @@ below.
 ```
 tls file cert.pem key.pem {
 	protocols tls1.2 tls1.3
-	curve X25519
+	curves X25519
 	ciphers ...
 }

@ -19,7 +19,7 @@ tls {
 		# Options for loader go here.
 	}
 	protocols tls1.2 tls1.3
-	curve X25519
+	curves X25519
 	ciphers ...
 }
 ```
@ -88,7 +88,7 @@ Valid values:
 - ECDHE-RSA-WITH-CHACHA20-POLY1305
 - ECDHE-ECDSA-WITH-CHACHA20-POLY1305

-**Syntax**: curve _curves..._ <br>
+**Syntax**: curves _curves..._ <br>
 **Default**: defined by Go version

 The elliptic curves that will be used in an ECDHE handshake, in preference
@ -106,7 +106,7 @@ enabling TLS client authentication.
 tls_client {
    protocols tls1.2 tls1.3
    ciphers ...
-    curve X25519
+    curves X25519
    root_ca /etc/ssl/cert.pem

    cert /etc/ssl/private/maddy-client.pem
@ -132,7 +132,7 @@ List of supported cipher suites, in preference order. Not used with TLS 1.3.

 See TLS server configuration for list of supported values.

-**Syntax**: curve _curves..._ <br>
+**Syntax**: curves _curves..._ <br>
 **Default**: defined by Go version

 The elliptic curves that will be used in an ECDHE handshake, in preference
--- a/docs/tutorials/pam.md
+++ b/docs/tutorials/pam.md
@ -66,7 +66,8 @@ auth.pam local_authdb {
 ## Account names

 Since PAM does not use emails for authentication you should also
-switch storage backend to using usernames for authentication:
+configure storage backend to use username only as an account identifier,
+not full email addresses:
 ```
 storage.imapsql local_mailboxes {
    ...
@ -74,7 +75,32 @@ storage.imapsql local_mailboxes {
    auth_normalize precis_casefold
 }
 ```
-(See [Multiple domains](../../multiple-domains) for details)
+
+This way, when authenticating as `foxcpp`, it will be mapped to
+`foxcpp` storage account. E.g. you will need to run
+`maddy imap-accts create foxcpp`, without the domain part.
+
+If you have existing accounts, you will need to rename them.
+
+Change to `auth_normalize` is necessary so that normalization function
+will not attempt to parse authentication identity as a email.
+
+When a email is received, `delivery_map email_localpart` will strip
+the domain part before looking up the account. That is,
+`foxcpp@example.org` will be become just `foxcpp`.
+
+You also need to make `authorize_sender` check (used in `submission` endpoint)
+accept non-email usernames:
+```
+authorize_sender {
+  ...
+  auth_normalize precis_casefold
+  user_to_email regexp "(.*)" "$1@$(primary_domain)"
+}
+```
+Note that is would work only if clients use only one domain as sender (`$(primary_domain)`).
+If you want to allow sending from all domains, you need to remove `authorize_sender` check
+altogether since it is not currently supported.

 ## PAM service

--- a/internal/auth/ldap/ldap.go
+++ b/internal/auth/ldap/ldap.go
@ -107,7 +107,14 @@ func readBindDirective(c *config.Map, n config.Node) (interface{}, error) {
 	case "off":
 		return func(*ldap.Conn) error { return nil }, nil
 	case "unauth":
-		return (*ldap.Conn).UnauthenticatedBind, nil
+		if len(n.Args) == 2 {
+			return func(c *ldap.Conn) error {
+				return c.UnauthenticatedBind(n.Args[1])
+			}, nil
+		}
+		return func(c *ldap.Conn) error {
+			return c.UnauthenticatedBind("")
+		}, nil
 	case "plain":
 		if len(n.Args) != 3 {
 			return nil, fmt.Errorf("auth.ldap: username and password expected for plaintext bind")
@ -145,7 +152,7 @@ func (a *Auth) newConn() (*ldap.Conn, error) {

 		conn, err = ldap.DialURL(u, ldap.DialWithDialer(a.dialer), ldap.DialWithTLSConfig(tlsCfg))
 		if err != nil {
-			a.log.Msg("cannot contact directory server", err, "url", u)
+			a.log.Error("cannot contact directory server", err, "url", u)
 			continue
 		}
 		break
--- a/internal/endpoint/openmetrics/om.go
+++ b/internal/endpoint/openmetrics/om.go
@ -80,6 +80,7 @@ func (e *Endpoint) Init(cfg *config.Map) error {
 			if err != nil && !errors.Is(err, http.ErrServerClosed) {
 				e.logger.Error("serve failed", err, "endpoint", a)
 			}
+			e.listenersWg.Done()
 		}()
 	}