Skip to content

Minor cleanup and fixes #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Feb 16, 2021
Merged

Minor cleanup and fixes #11

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
b202a22
Refactor out getTLSConfig()
JonathonReinhart Feb 15, 2021
fd3f513
Don't run ListenAndServe in a goroutine
JonathonReinhart Feb 15, 2021
4fd6bb1
Refactor common code in listener setup
JonathonReinhart Feb 15, 2021
ecf8308
Add helpful log messages for various error cases
JonathonReinhart Feb 15, 2021
7fa0eeb
Simplify range code for setting up listeners
JonathonReinhart Feb 15, 2021
70dfe6b
Only call AuthLoadFile() once at startup
JonathonReinhart Feb 15, 2021
009ae8f
hasher: Check number of arguments
JonathonReinhart Feb 15, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion cmd/hasher.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,15 @@ import (
)

func main() {
if len(os.Args) != 2 {
fmt.Fprintln(os.Stderr, "Usage: hasher PASSWORD")
os.Exit(1)
}
password := os.Args[1]

hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
if err != nil {
fmt.Println("Error generating hash: %s", err)
fmt.Fprintln(os.Stderr, "Error generating hash: %s", err)
}
fmt.Println(string(hash))
}
124 changes: 60 additions & 64 deletions main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ func connectionChecker(peer smtpd.Peer) error {
}
}

log.Printf("Connection from peer=[%s] denied: Not in allowed_nets\n", peerIP)
return smtpd.Error{Code: 421, Message: "Denied"}
}

Expand Down Expand Up @@ -84,10 +85,13 @@ func senderChecker(peer smtpd.Peer, addr string) error {
if *allowedUsers != "" && peer.Username != "" {
user, err := AuthFetch(peer.Username)
if err != nil {
// Shouldn't happen: authChecker already validated username+password
return smtpd.Error{Code: 451, Message: "Bad sender address"}
}

if !addrAllowed(addr, user.allowedAddresses) {
log.Printf("Mail from=<%s> not allowed for authenticated user %s (%v)\n",
addr, peer.Username, peer.Addr)
return smtpd.Error{Code: 451, Message: "Bad sender address"}
}
}
Expand All @@ -106,6 +110,8 @@ func senderChecker(peer smtpd.Peer, addr string) error {
return nil
}

log.Printf("Mail from=<%s> not allowed by allowed_sender pattern for peer %v\n",
addr, peer.Addr)
return smtpd.Error{Code: 451, Message: "Bad sender address"}
}

Expand All @@ -124,13 +130,15 @@ func recipientChecker(peer smtpd.Peer, addr string) error {
return nil
}

log.Printf("Mail to=<%s> not allowed by allowed_recipients pattern for peer %v\n",
addr, peer.Addr)
return smtpd.Error{Code: 451, Message: "Bad recipient address"}
}

func authChecker(peer smtpd.Peer, username string, password string) error {
err := AuthCheckPassword(username, password)
if err != nil {
log.Printf("Auth error: %v\n", err)
log.Printf("Auth error for peer %v: %v\n", peer.Addr, err)
return smtpd.Error{Code: 535, Message: "Authentication credentials invalid"}
}
return nil
Expand Down Expand Up @@ -188,7 +196,7 @@ func mailHandler(peer smtpd.Peer, env smtpd.Envelope) error {
return nil
}

func main() {
func getTLSConfig() *tls.Config {
// Ciphersuites as defined in stock Go but without 3DES and RC4
// https://golang.org/src/crypto/tls/cipher_suites.go
var tlsCipherSuites = []uint16{
Expand All @@ -214,6 +222,24 @@ func main() {
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
}

if *localCert == "" || *localKey == "" {
log.Fatal("TLS certificate/key not defined in config")
}

cert, err := tls.LoadX509KeyPair(*localCert, *localKey)
if err != nil {
log.Fatal(err)
}

return &tls.Config{
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS11,
CipherSuites: tlsCipherSuites,
Certificates: []tls.Certificate{cert},
}
}

func main() {
ConfigLoad()

if *versionInfo {
Expand All @@ -231,11 +257,16 @@ func main() {
log.SetOutput(io.MultiWriter(os.Stdout, f))
}

listeners := strings.Split(*listen, " ")

for i := range listeners {
listener := listeners[i]
// Load allowed users file
if *allowedUsers != "" {
err := AuthLoadFile(*allowedUsers)
if err != nil {
log.Fatalf("Authentication file: %s\n", err)
}
}

// Create a server for each desired listen address
for _, listenAddr := range strings.Split(*listen, " ") {
server := &smtpd.Server{
Hostname: *hostName,
WelcomeMessage: *welcomeMsg,
Expand All @@ -246,76 +277,41 @@ func main() {
}

if *allowedUsers != "" {
err := AuthLoadFile(*allowedUsers)
if err != nil {
log.Fatalf("Authentication file: %s\n", err)
}

server.Authenticator = authChecker
}

if strings.Index(listeners[i], "://") == -1 {
log.Printf("Listen on %s ...\n", listener)
go server.ListenAndServe(listener)
} else if strings.HasPrefix(listeners[i], "starttls://") {
listener = strings.TrimPrefix(listener, "starttls://")
var lsnr net.Listener
var err error

if *localCert == "" || *localKey == "" {
log.Fatal("TLS certificate/key not defined in config")
}
if strings.Index(listenAddr, "://") == -1 {
log.Printf("Listen on %s ...\n", listenAddr)

cert, err := tls.LoadX509KeyPair(*localCert, *localKey)
if err != nil {
log.Fatal(err)
}
lsnr, err = net.Listen("tcp", listenAddr)
} else if strings.HasPrefix(listenAddr, "starttls://") {
listenAddr = strings.TrimPrefix(listenAddr, "starttls://")

server.TLSConfig = &tls.Config{
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS11,
CipherSuites: tlsCipherSuites,
Certificates: []tls.Certificate{cert},
}
server.TLSConfig = getTLSConfig()
server.ForceTLS = *localForceTLS

log.Printf("Listen on %s (STARTSSL) ...\n", listener)
lsnr, err := net.Listen("tcp", listener)
if err != nil {
log.Fatal(err)
}
defer lsnr.Close()

go server.Serve(lsnr)
} else if strings.HasPrefix(listeners[i], "tls://") {

listener = strings.TrimPrefix(listener, "tls://")

if *localCert == "" || *localKey == "" {
log.Fatal("TLS certificate/key not defined in config")
}

cert, err := tls.LoadX509KeyPair(*localCert, *localKey)
if err != nil {
log.Fatal(err)
}

server.TLSConfig = &tls.Config{
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS11,
CipherSuites: tlsCipherSuites,
Certificates: []tls.Certificate{cert},
}
log.Printf("Listen on %s (STARTTLS) ...\n", listenAddr)
lsnr, err = net.Listen("tcp", listenAddr)
} else if strings.HasPrefix(listenAddr, "tls://") {
listenAddr = strings.TrimPrefix(listenAddr, "tls://")

log.Printf("Listen on %s (TLS) ...\n", listener)
lsnr, err := tls.Listen("tcp", listener, server.TLSConfig)
if err != nil {
log.Fatal(err)
}
defer lsnr.Close()
server.TLSConfig = getTLSConfig()

go server.Serve(lsnr)
log.Printf("Listen on %s (TLS) ...\n", listenAddr)
lsnr, err = tls.Listen("tcp", listenAddr, server.TLSConfig)
} else {
log.Fatal("Unknown protocol in listener ", listener)
log.Fatal("Unknown protocol in listen address ", listenAddr)
}

if err != nil {
log.Fatal(err)
}
defer lsnr.Close()

go server.Serve(lsnr)
}

for true {
Expand Down