Merge remote-tracking branch 'origin/dev'

Dockerfile

@@ -1,5 +1,7 @@
 FROM golang:1.19-alpine AS build-env
 
+ARG ADDITIONAL_BUILD_TAGS=""
+
 RUN set -ex && \
     apk upgrade --no-cache --available && \
     apk add --no-cache build-base
@@ -12,7 +14,7 @@ RUN go mod download
 COPY . ./
 RUN mkdir -p /pkg/data && \
     cp maddy.conf.docker /pkg/data/maddy.conf && \
-    ./build.sh --builddir /tmp --destdir /pkg/ --tags docker build install
+    ./build.sh --builddir /tmp --destdir /pkg/ --tags "docker ${ADDITIONAL_BUILD_TAGS}" build install
 
 FROM alpine:3.18.4
 LABEL maintainer="fox.cpp@disroot.org"

build.sh

@@ -3,6 +3,7 @@
 destdir=/
 builddir="$PWD/build"
 prefix=/usr/local
+configdir="${destdir}etc/maddy"
 version=
 static=0
 if [ "${GOFLAGS}" = "" ]; then
@@ -139,9 +140,18 @@ install() {
 
 	command install -m 0755 -d "${destdir}/${prefix}/bin/"
 	command install -m 0755 "${builddir}/maddy" "${destdir}/${prefix}/bin/"
-	command ln -s maddy "${destdir}/${prefix}/bin/maddyctl"
+	command ln -sf maddy "${destdir}/${prefix}/bin/maddyctl"
-	command install -m 0755 -d "${destdir}/etc/maddy/"
+	command install -m 0755 -d "${configdir}"
-	command install -m 0644 ./maddy.conf "${destdir}/etc/maddy/maddy.conf"
+
+
+	# We do not want to overwrite existing configuration.
+	# If the file exists, then save it with .default suffix and warn user.
+	if [ ! -e "${configdir}/maddy.conf" ]; then
+		command install -m 0644 ./maddy.conf "${configdir}/maddy.conf"
+	else
+		echo "-- [!] Configuration file ${configdir}/maddy.conf exists, saving to ${configdir}/maddy.conf.default" >&2
+		command install -m 0644 ./maddy.conf "${configdir}/maddy.conf.default"
+	fi
 
 	# Attempt to install systemd units only for Linux.
 	# Check is done using GOOS instead of uname -s to account for possible
@@ -150,19 +160,19 @@ install() {
 	# with sudo and go installation is user-specific, so fallback
 	# to using uname -s in the end.
 	set +e
-  if command -v go >/dev/null 2>/dev/null; then
+	if command -v go >/dev/null 2>/dev/null; then
-    set -e
+		set -e
-    if [ "$(go env GOOS)" = "linux" ]; then
+		if [ "$(go env GOOS)" = "linux" ]; then
-    		command install -m 0755 -d "${destdir}/${prefix}/lib/systemd/system/"
+			command install -C -m 0755 -d "${destdir}/${prefix}/lib/systemd/system/"
-    		command install -m 0644 "${builddir}"/systemd/*.service "${destdir}/${prefix}/lib/systemd/system/"
+			command install -C -m 0644 "${builddir}"/systemd/*.service "${destdir}/${prefix}/lib/systemd/system/"
-    fi
+		fi
-  else
+	else
-    set -e
+		set -e
-    if [ "$(uname -s)" = "Linux" ]; then
+		if [ "$(uname -s)" = "Linux" ]; then
-        		command install -m 0755 -d "${destdir}/${prefix}/lib/systemd/system/"
+			command install -C -m 0755 -d "${destdir}/${prefix}/lib/systemd/system/"
-        		command install -m 0644 "${builddir}"/systemd/*.service "${destdir}/${prefix}/lib/systemd/system/"
+			command install -C -m 0644 "${builddir}"/systemd/*.service "${destdir}/${prefix}/lib/systemd/system/"
-        fi
+		fi
-  fi
+	fi
 
 	if [ -e "${builddir}"/man ]; then
 		command install -m 0755 -d "${destdir}/${prefix}/share/man/man1/"

dist/fail2ban/jail.d/maddy-dictonary-attack.conf

@@ -2,6 +2,6 @@
 port     = 993,465,25
 filter   = maddy-dictonary-attack
 bantime  = 72h
-maxtries = 3
+maxretry = 3
 findtime = 6h
 backend  = systemd

docs/docker.md

@@ -54,6 +54,11 @@ command. One way to it is to run it using `docker exec` instead of `docker run`:
 docker exec -it container_name_here maddy creds create foxcpp@maddy.test
 ```
 
+## Build Tags
+
+Some Maddy features (such as automatic certificate management via ACME with [a non-default libdns provider](../reference/tls-acme/#dns-providers)) require build tags to be passed to Maddy's `build.sh`, as this is run in the Dockerfile you must compile your own Docker image. Build tags can be set via the docker build argument `ADDITIONAL_BUILD_TAGS` e.g. `docker build --build-arg ADDITIONAL_BUILD_TAGS="libdns_acmedns libdns_route53" -t yourorgname/maddy:yourtagname .`.
+
+
 ## TL;DR
 
 ```

docs/reference/endpoints/imap.md

@@ -43,6 +43,27 @@ See [TLS configuration / Server](/reference/tls/#server-side) for details.
 
 ---
 
+### proxy_protocol _trusted ips..._ { ... }
+Default: not enabled
+
+Enable use of HAProxy PROXY protocol. Supports both v1 and v2 protocols.
+If a list of trusted IP addresses or subnets is provided, only connections
+from those will be trusted.
+
+TLS for the channel between the proxies and maddy can be configured
+using a 'tls' directive:
+```
+proxy_protocol {
+    trust 127.0.0.1 ::1 192.168.0.1/24
+    tls &proxy_tls
+}
+```
+Note that the top-level 'tls' directive is not inherited here. If you
+need TLS on top of the PROXY protocol, securing the protocol header,
+you must declare TLS explicitly.
+
+---
+
 ### io_debug _boolean_
 Default: `no`
 

docs/reference/endpoints/smtp.md

@@ -63,6 +63,24 @@ See [TLS configuration / Server](/reference/tls/#server-side) for details.
 
 ---
 
+### proxy_protocol _trusted ips..._ { ... } <br>
+Default: not enabled
+
+Enable use of HAProxy PROXY protocol. Supports both v1 and v2 protocols.
+If a list of trusted IP addresses or subnets is provided, only connections
+from those will be trusted.
+
+TLS for the channel between the proxies and maddy can be configured
+using a 'tls' directive:
+```
+proxy_protocol {
+    trust 127.0.0.1 ::1 192.168.0.1/24
+    tls &proxy_tls
+}
+```
+
+---
+
 ### io_debug _boolean_
 Default: `no`
 

docs/reference/tls-acme.md

@@ -149,7 +149,7 @@ To be able to use these, you need to compile maddy
 with "libdns_PROVIDER" build tag.
 E.g.
 ```
-./build.sh -tags 'libdns_googleclouddns'
+./build.sh --tags 'libdns_googleclouddns'
 ```
 
 - gandi
@@ -263,3 +263,28 @@ dns namedotcom {
 }
 ```
 
+- rfc2136 (non-default)
+
+```
+dns rfc2136 {
+    key_name "..."
+    # Secret
+    key "..."
+    # HMAC algorithm used to generate the key, lowercase, e.g. hmac-sha512
+    key_alg "..."
+    # server to which the dynamic update will be sent, e.g. 127.0.0.1
+    # you can also specify the port: 127.0.0.1:53
+    server "..."
+}
+```
+
+- acmedns (non-default)
+
+```
+dns acmedns {
+    username "..."
+    password "..."
+    subdomain "..."
+    server_url "..."
+}
+```

docs/third-party/rspamd.md

@@ -7,7 +7,7 @@ If rspamd is running locally, it is enough to just add `rspamd` check
 with default configuration into appropriate check block (probably in
 local_routing):
 ```
-checks {
+check {
     ...
     rspamd
 }

go.mod

@@ -5,6 +5,7 @@ go 1.19
 require (
 	blitiri.com.ar/go/spf v1.5.1
 	github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5
+	github.com/c0va23/go-proxyprotocol v0.9.1
 	github.com/caddyserver/certmagic v0.20.0
 	github.com/emersion/go-imap v1.2.2-0.20220928192137-6fac715be9cf
 	github.com/emersion/go-imap-compress v0.0.0-20201103190257-14809af1d1b9
@@ -39,6 +40,7 @@ require (
 	github.com/libdns/metaname v0.3.0
 	github.com/libdns/namecheap v0.0.0-20211109042440-fc7440785c8e
 	github.com/libdns/namedotcom v0.3.3
+	github.com/libdns/rfc2136 v0.1.0
 	github.com/libdns/route53 v1.3.3
 	github.com/libdns/vultr v1.0.0
 	github.com/mattn/go-sqlite3 v1.14.19
@@ -102,6 +104,7 @@ require (
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/klauspost/compress v1.17.4 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.6 // indirect
+	github.com/libdns/acmedns v0.2.0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect

go.sum

@@ -238,6 +238,10 @@ github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/c0va23/go-proxyprotocol v0.9.1 h1:5BCkp0fDJOhzzH1lhjUgHhmZz9VvRMMif1U2D31hb34=
+github.com/c0va23/go-proxyprotocol v0.9.1/go.mod h1:TNjUV+llvk8TvWJxlPYAeAYZgSzT/iicNr3nWBWX320=
+github.com/caddyserver/certmagic v0.17.2 h1:o30seC1T/dBqBCNNGNHWwj2i5/I/FMjBbTAhjADP3nE=
+github.com/caddyserver/certmagic v0.17.2/go.mod h1:ouWUuC490GOLJzkyN35eXfV8bSbwMwSf4bdhkIxtdQE=
 github.com/caddyserver/certmagic v0.20.0 h1:bTw7LcEZAh9ucYCRXyCpIrSAGplplI0vGYJ4BpCQ/Fc=
 github.com/caddyserver/certmagic v0.20.0/go.mod h1:N4sXgpICQUskEWpj7zVzvWD41p3NYacrNoZYiRM2jTg=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -504,6 +508,8 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/libdns/acmedns v0.2.0 h1:zTXdHZwe3r2issdVRyqt5/4X2yHpiBVmFnTrwBA29ik=
+github.com/libdns/acmedns v0.2.0/go.mod h1:XlKHilQQK/IGHYY//vCb903PdG4Wc/XnDQzcMp2hV3g=
 github.com/libdns/alidns v1.0.3-0.20230628155627-8d5d630d5516 h1:tPVSANkA4lo+K65YjsQcaQ1uh6sb0zRBQDz78l1Fo4Y=
 github.com/libdns/alidns v1.0.3-0.20230628155627-8d5d630d5516/go.mod h1:e18uAG6GanfRhcJj6/tps2rCMzQJaYVcGKT+ELjdjGE=
 github.com/libdns/cloudflare v0.1.1-0.20221006221909-9d3ab3c3cddd h1:c5hc0b5/pFqFeyQaOTVmYJbyr+QwZZFcMnjgtZGIk6k=
@@ -527,6 +533,8 @@ github.com/libdns/namecheap v0.0.0-20211109042440-fc7440785c8e h1:WCcKyxiiK/sJnS
 github.com/libdns/namecheap v0.0.0-20211109042440-fc7440785c8e/go.mod h1:dED6sMLZxIcilF1GjrcpwgVoCglXGMn86irqQzRhqRY=
 github.com/libdns/namedotcom v0.3.3 h1:R10C7+IqQGVeC4opHHMiFNBxdNBg1bi65ZwqLESl+jE=
 github.com/libdns/namedotcom v0.3.3/go.mod h1:GbYzsAF2yRUpI0WgIK5fs5UX+kDVUPaYCFLpTnKQm0s=
+github.com/libdns/rfc2136 v0.1.0 h1:BlGOPfx/R3xqKrgHT9TlreA8Ulw8ti8+VtJj8E0H9hE=
+github.com/libdns/rfc2136 v0.1.0/go.mod h1:tgXWavE+5OiAfdKxBnuG8OBEwQFAu7uuiS3+laspAGs=
 github.com/libdns/route53 v1.3.3 h1:16sTxbbRGm0zODz0p0aVHHIyTqtHzEn3j0s4dGzQvNI=
 github.com/libdns/route53 v1.3.3/go.mod h1:n1Xy55lpfdxMIx4CVWAM16GQac+/OZcnm1xBjMyhZAo=
 github.com/libdns/vultr v1.0.0 h1:W8B4+k2bm9ro3bZLSZV9hMOQI+uO6Svu+GmD+Olz7ZI=
@@ -581,7 +589,6 @@ github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
 github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -595,7 +602,6 @@ github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
 github.com/rs/xid v1.5.0 h1:mKX4bl4iPYJtEIxp6CYiUuLQ/8DYMoz0PUdtGgMFRVc=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
@@ -606,7 +612,6 @@ github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6ke
 github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4=
 github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
 github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
-github.com/shabbyrobe/gocovmerge v0.0.0-20180507124511-f6ea450bfb63 h1:J6qvD6rbmOil46orKqJaRPG+zTpoGlBTUdyv8ki63L0=
 github.com/shabbyrobe/gocovmerge v0.0.0-20180507124511-f6ea450bfb63/go.mod h1:n+VKSARF5y/tS9XFSP7vWDfS+GUC5vs/YT7M5XDTUEM=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
@@ -637,7 +642,6 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
@@ -654,11 +658,9 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
 github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/blake3 v0.2.3 h1:TFoLXsjeXqRNFxSbk35Dk4YtszE/MQQGK10BH4ptoTg=
 github.com/zeebo/blake3 v0.2.3/go.mod h1:mjJjZpnsyIVtVgTOSpJ9vmRE4wgDeyt2HU3qXvvKCaQ=
-github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
@@ -679,7 +681,6 @@ go.opentelemetry.io/otel/metric v1.22.0/go.mod h1:evJGjVpZv0mQ5QBRJoBF64yMuOf4xC
 go.opentelemetry.io/otel/trace v1.22.0 h1:Hg6pPujv0XG9QaVbGOBVHunyuLcCC3jN7WEhPx83XD0=
 go.opentelemetry.io/otel/trace v1.22.0/go.mod h1:RbbHXVqKES9QhzZq/fE5UnOSILqRt40a21sPw2He1xo=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
-go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
@@ -1162,8 +1163,6 @@ google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqw
 google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
 google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
 google.golang.org/genproto v0.0.0-20221018160656-63c7b68cfc55/go.mod h1:45EK0dUbEZ2NHjCeAd2LXmyjAgGUGrpGROgjhC3ADck=
-google.golang.org/genproto v0.0.0-20240102182953-50ed04b92917 h1:nz5NESFLZbJGPFxDT/HCn+V1mZ8JGNoY4nUpmW/Y2eg=
-google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 h1:rcS6EyEaoCO52hQDupoSfrxI3R6C2Tq741is7X8OvnM=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac h1:nUQEQmH/csSvFECKYRv6HWEyypysidKl2I6Qpsglq/0=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac/go.mod h1:daQN87bsDqDoe316QbbvX60nMoJQa4r6Ds0ZuoAe5yA=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -1223,7 +1222,6 @@ google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7
 google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
@@ -1231,7 +1229,6 @@ gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce/go.mod h1:yeKp02qBN3iKW1OzL3M
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
@@ -1251,8 +1248,6 @@ modernc.org/cc/v3 v3.41.0 h1:QoR1Sn3YWlmA1T4vLaKZfawdVtSiGx8H+cEojbC7v1Q=
 modernc.org/cc/v3 v3.41.0/go.mod h1:Ni4zjJYJ04CDOhG7dn640WGfwBzfE0ecX8TyMB0Fv0Y=
 modernc.org/ccgo/v3 v3.16.15 h1:KbDR3ZAVU+wiLyMESPtbtE/Add4elztFyfsWoNTgxS0=
 modernc.org/ccgo/v3 v3.16.15/go.mod h1:yT7B+/E2m43tmMOT51GMoM98/MtHIcQQSleGnddkUNI=
-modernc.org/ccorpus v1.11.6 h1:J16RXiiqiCgua6+ZvQot4yUuUy8zxgqbqEEUuGPlISk=
-modernc.org/httpfs v1.0.6 h1:AAgIpFZRXuYnkjftxTAZwMIiwEqAfk8aVB2/oA6nAeM=
 modernc.org/libc v1.40.6 h1:141JHq3SjhOOCjECBgD4K8VgTFOy19CnHwroC08DAig=
 modernc.org/libc v1.40.6/go.mod h1:YAXkAZ8ktnkCKaN9sw/UDeUVkGYJ/YquGO4FTi5nmHE=
 modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
@@ -1265,10 +1260,8 @@ modernc.org/sqlite v1.28.0 h1:Zx+LyDDmXczNnEQdvPuEfcFVA2ZPyaD7UCZDjef3BHQ=
 modernc.org/sqlite v1.28.0/go.mod h1:Qxpazz0zH8Z1xCFyi5GSL3FzbtZ3fvbjmywNogldEW0=
 modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA=
 modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0=
-modernc.org/tcl v1.15.2 h1:C4ybAYCGJw968e+Me18oW55kD/FexcHbqH2xak1ROSY=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
 modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
-modernc.org/z v1.7.3 h1:zDJf6iHjrnB+WRD88stbXokugjyc0/pB91ri1gO6LZY=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

internal/check/milter/milter.go

@@ -90,9 +90,6 @@ func (c *Check) Init(cfg *config.Map) error {
 	default:
 		return fmt.Errorf("%s: scheme unsupported: %v", modName, endp.Scheme)
 	}
-	if endp.Path != "" {
-		return fmt.Errorf("%s: stray path in endpoint: %v", modName, endp)
-	}
 
 	c.cl = milter.NewClientWithOptions(endp.Network(), endp.Address(), milter.ClientOptions{
 		Dialer: &net.Dialer{

internal/check/milter/milter_test.go

@@ -0,0 +1,61 @@
+/*
+Maddy Mail Server - Composable all-in-one email server.
+Copyright © 2019-2020 Max Mazurov <fox.cpp@disroot.org>, Maddy Mail Server contributors
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+
+package milter
+
+import (
+	"testing"
+
+	"github.com/foxcpp/maddy/framework/config"
+)
+
+func TestAcceptValidEndpoints(t *testing.T) {
+	for _, endpoint := range []string{
+		"tcp://0.0.0.0:10025",
+		"tcp://[::]:10025",
+		"tcp:127.0.0.1:10025",
+		"unix://path",
+		"unix:path",
+		"unix:/path",
+		"unix:///path",
+		"unix://also/path",
+		"unix:///also/path",
+	} {
+		c := &Check{milterUrl: endpoint}
+
+		err := c.Init(&config.Map{})
+		if err != nil {
+			t.Errorf("Unexpected failure for %s: %v", endpoint, err)
+			return
+		}
+	}
+}
+
+func TestRejectInvalidEndpoints(t *testing.T) {
+	for _, endpoint := range []string{
+		"tls://0.0.0.0:10025",
+		"tls:0.0.0.0:10025",
+	} {
+		c := &Check{milterUrl: endpoint}
+		err := c.Init(&config.Map{})
+		if err == nil {
+			t.Errorf("Accepted invalid endpoint: %s", endpoint)
+			return
+		}
+	}
+}

internal/endpoint/imap/imap.go

@@ -44,14 +44,16 @@ import (
 	"github.com/foxcpp/maddy/framework/module"
 	"github.com/foxcpp/maddy/internal/auth"
 	"github.com/foxcpp/maddy/internal/authz"
+	"github.com/foxcpp/maddy/internal/proxy_protocol"
 	"github.com/foxcpp/maddy/internal/updatepipe"
 )
 
 type Endpoint struct {
-	addrs     []string
+	addrs         []string
-	serv      *imapserver.Server
+	serv          *imapserver.Server
-	listeners []net.Listener
+	listeners     []net.Listener
-	Store     module.Storage
+	proxyProtocol *proxy_protocol.ProxyProtocol
+	Store         module.Storage
 
 	tlsConfig   *tls.Config
 	listenersWg sync.WaitGroup
@@ -90,6 +92,7 @@ func (endp *Endpoint) Init(cfg *config.Map) error {
 	})
 	cfg.Custom("storage", false, true, nil, modconfig.StorageDirective, &endp.Store)
 	cfg.Custom("tls", true, true, nil, tls2.TLSDirective, &endp.tlsConfig)
+	cfg.Custom("proxy_protocol", false, false, nil, proxy_protocol.ProxyProtocolDirective, &endp.proxyProtocol)
 	cfg.Bool("insecure_auth", false, false, &insecureAuth)
 	cfg.Bool("io_debug", false, false, &ioDebug)
 	cfg.Bool("io_errors", false, false, &ioErrors)
@@ -167,6 +170,10 @@ func (endp *Endpoint) setupListeners(addresses []config.Endpoint) error {
 			l = tls.NewListener(l, endp.tlsConfig)
 		}
 
+		if endp.proxyProtocol != nil {
+			l = proxy_protocol.NewListener(l, endp.proxyProtocol, endp.Log)
+		}
+
 		endp.listeners = append(endp.listeners, l)
 
 		endp.listenersWg.Add(1)

internal/endpoint/smtp/smtp.go

@@ -47,18 +47,20 @@ import (
 	"github.com/foxcpp/maddy/internal/authz"
 	"github.com/foxcpp/maddy/internal/limits"
 	"github.com/foxcpp/maddy/internal/msgpipeline"
+	"github.com/foxcpp/maddy/internal/proxy_protocol"
 	"golang.org/x/net/idna"
 )
 
 type Endpoint struct {
-	saslAuth  auth.SASLAuth
+	saslAuth      auth.SASLAuth
-	serv      *smtp.Server
+	serv          *smtp.Server
-	name      string
+	name          string
-	addrs     []string
+	addrs         []string
-	listeners []net.Listener
+	listeners     []net.Listener
-	pipeline  *msgpipeline.MsgPipeline
+	proxyProtocol *proxy_protocol.ProxyProtocol
-	resolver  dns.Resolver
+	pipeline      *msgpipeline.MsgPipeline
-	limits    *limits.Group
+	resolver      dns.Resolver
+	limits        *limits.Group
 
 	buffer func(r io.Reader) (buffer.Buffer, error)
 
@@ -266,6 +268,7 @@ func (endp *Endpoint) setConfig(cfg *config.Map) error {
 		return autoBufferMode(1*1024*1024 /* 1 MiB */, path), nil
 	}, bufferModeDirective, &endp.buffer)
 	cfg.Custom("tls", true, endp.name != "lmtp", nil, tls2.TLSDirective, &endp.serv.TLSConfig)
+	cfg.Custom("proxy_protocol", false, false, nil, proxy_protocol.ProxyProtocolDirective, &endp.proxyProtocol)
 	cfg.Bool("insecure_auth", endp.name == "lmtp", false, &endp.serv.AllowInsecureAuth)
 	cfg.Int("smtp_max_line_length", false, false, 4000, &endp.serv.MaxLineLength)
 	cfg.Bool("io_debug", false, false, &ioDebug)
@@ -353,6 +356,10 @@ func (endp *Endpoint) setupListeners(addresses []config.Endpoint) error {
 			l = tls.NewListener(l, endp.serv.TLSConfig)
 		}
 
+		if endp.proxyProtocol != nil {
+			l = proxy_protocol.NewListener(l, endp.proxyProtocol, endp.Log)
+		}
+
 		endp.listeners = append(endp.listeners, l)
 
 		endp.listenersWg.Add(1)

internal/libdns/acmedns.go

@@ -0,0 +1,28 @@
+//go:build libdns_acmedns || libdns_all
+// +build libdns_acmedns libdns_all
+
+package libdns
+
+import (
+	"github.com/foxcpp/maddy/framework/config"
+	"github.com/foxcpp/maddy/framework/module"
+	"github.com/libdns/acmedns"
+)
+
+func init() {
+	module.Register("libdns.acmedns", func(modName, instName string, _, _ []string) (module.Module, error) {
+		p := acmedns.Provider{}
+		return &ProviderModule{
+			RecordDeleter:  &p,
+			RecordAppender: &p,
+			setConfig: func(c *config.Map) {
+				c.String("username", false, true, "", &p.Username)
+				c.String("password", false, true, "", &p.Password)
+				c.String("subdomain", false, true, "", &p.Subdomain)
+				c.String("server_url", false, true, "", &p.ServerURL)
+			},
+			instName: instName,
+			modName:  modName,
+		}, nil
+	})
+}

internal/libdns/rfc2136.go

@@ -0,0 +1,28 @@
+//go:build libdns_rfc2136 || libdns_all
+// +build libdns_rfc2136 libdns_all
+
+package libdns
+
+import (
+	"github.com/foxcpp/maddy/framework/config"
+	"github.com/foxcpp/maddy/framework/module"
+	"github.com/libdns/rfc2136"
+)
+
+func init() {
+	module.Register("libdns.rfc2136", func(modName, instName string, _, _ []string) (module.Module, error) {
+		p := rfc2136.Provider{}
+		return &ProviderModule{
+			RecordDeleter:  &p,
+			RecordAppender: &p,
+			setConfig: func(c *config.Map) {
+				c.String("key_name", false, true, "", &p.KeyName)
+				c.String("key", false, true, "", &p.Key)
+				c.String("key_alg", false, true, "", &p.KeyAlg)
+				c.String("server", false, true, "", &p.Server)
+			},
+			instName: instName,
+			modName:  modName,
+		}, nil
+	})
+}

internal/proxy_protocol/proxy_protocol.go

@@ -0,0 +1,86 @@
+package proxy_protocol
+
+import (
+	"crypto/tls"
+	"net"
+	"strings"
+
+	"github.com/c0va23/go-proxyprotocol"
+	"github.com/foxcpp/maddy/framework/config"
+	tls2 "github.com/foxcpp/maddy/framework/config/tls"
+	"github.com/foxcpp/maddy/framework/log"
+)
+
+type ProxyProtocol struct {
+	trust     []net.IPNet
+	tlsConfig *tls.Config
+}
+
+func ProxyProtocolDirective(_ *config.Map, node config.Node) (interface{}, error) {
+	p := ProxyProtocol{}
+
+	childM := config.NewMap(nil, node)
+	var trustList []string
+
+	childM.StringList("trust", false, false, nil, &trustList)
+	childM.Custom("tls", true, false, nil, tls2.TLSDirective, &p.tlsConfig)
+
+	if _, err := childM.Process(); err != nil {
+		return nil, err
+	}
+
+	if len(node.Args) > 0 {
+		if trustList == nil {
+			trustList = make([]string, 0)
+		}
+		trustList = append(trustList, node.Args...)
+	}
+
+	for _, trust := range trustList {
+		if !strings.Contains(trust, "/") {
+			trust += "/32"
+		}
+		_, ipNet, err := net.ParseCIDR(trust)
+		if err != nil {
+			return nil, err
+		}
+		p.trust = append(p.trust, *ipNet)
+	}
+
+	return &p, nil
+}
+
+func NewListener(inner net.Listener, p *ProxyProtocol, logger log.Logger) net.Listener {
+	var listener net.Listener
+
+	sourceChecker := func(upstream net.Addr) (bool, error) {
+		if tcpAddr, ok := upstream.(*net.TCPAddr); ok {
+			if len(p.trust) == 0 {
+				return true, nil
+			}
+			for _, trusted := range p.trust {
+				if trusted.Contains(tcpAddr.IP) {
+					return true, nil
+				}
+			}
+		} else if _, ok := upstream.(*net.UnixAddr); ok {
+			// UNIX local socket connection, always trusted
+			return true, nil
+		}
+
+		logger.Printf("proxy_protocol: connection from untrusted source %s", upstream)
+		return false, nil
+	}
+
+	listener = proxyprotocol.NewDefaultListener(inner).
+		WithLogger(proxyprotocol.LoggerFunc(func(format string, v ...interface{}) {
+			logger.Debugf("proxy_protocol: "+format, v...)
+		})).
+		WithSourceChecker(sourceChecker)
+
+	if p.tlsConfig != nil {
+		listener = tls.NewListener(listener, p.tlsConfig)
+	}
+
+	return listener
+}

tests/smtp_test.go

@@ -23,6 +23,7 @@ package tests_test
 
 import (
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"path/filepath"
 	"strings"
@@ -68,6 +69,94 @@ func TestCheckRequireTLS(tt *testing.T) {
 	conn.ExpectPattern("221 *")
 }
 
+func TestProxyProtocolTrustedSource(tt *testing.T) {
+	tt.Parallel()
+	t := tests.NewT(tt)
+	t.DNS(map[string]mockdns.Zone{
+		"one.maddy.test.": {
+			TXT: []string{"v=spf1 ip4:127.0.0.17 -all"},
+		},
+	})
+	t.Port("smtp")
+	t.Config(`
+		smtp tcp://127.0.0.1:{env:TEST_PORT_smtp} {
+			hostname mx.maddy.test
+			tls off
+
+			proxy_protocol {
+				trust ` + tests.DefaultSourceIP.String() + ` ::1/128
+				tls off
+			}
+
+			defer_sender_reject no
+
+			check {
+				spf {
+					enforce_early yes
+					fail_action reject
+				}
+			}
+
+			deliver_to dummy
+		}
+	`)
+	t.Run(1)
+	defer t.Close()
+
+	conn := t.Conn("smtp")
+	defer conn.Close()
+	conn.Writeln(fmt.Sprintf("PROXY TCP4 127.0.0.17 %s 12345 %d", tests.DefaultSourceIP.String(), t.Port("smtp")))
+	conn.SMTPNegotation("localhost", nil, nil)
+	conn.Writeln("MAIL FROM:<testing@one.maddy.test>")
+	conn.ExpectPattern("250 *")
+	conn.Writeln("QUIT")
+	conn.ExpectPattern("221 *")
+}
+
+func TestProxyProtocolUntrustedSource(tt *testing.T) {
+	tt.Parallel()
+	t := tests.NewT(tt)
+	t.DNS(map[string]mockdns.Zone{
+		"one.maddy.test.": {
+			TXT: []string{"v=spf1 ip4:127.0.0.17 -all"},
+		},
+	})
+	t.Port("smtp")
+	t.Config(`
+		smtp tcp://127.0.0.1:{env:TEST_PORT_smtp} {
+			hostname mx.maddy.test
+			tls off
+
+			proxy_protocol {
+				trust fe80::bad/128
+				tls off
+			}
+
+			defer_sender_reject no
+
+			check {
+				spf {
+					enforce_early yes
+					fail_action reject
+				}
+			}
+
+			deliver_to dummy
+		}
+	`)
+	t.Run(1)
+	defer t.Close()
+
+	conn := t.Conn("smtp")
+	defer conn.Close()
+	conn.Writeln(fmt.Sprintf("PROXY TCP4 127.0.0.17 %s 12345 %d", tests.DefaultSourceIP.String(), t.Port("smtp")))
+	conn.SMTPNegotation("localhost", nil, nil)
+	conn.Writeln("MAIL FROM:<testing@one.maddy.test>")
+	conn.ExpectPattern("550 *")
+	conn.Writeln("QUIT")
+	conn.ExpectPattern("221 *")
+}
+
 func TestCheckSPF(tt *testing.T) {
 	tt.Parallel()
 	t := tests.NewT(tt)