d-b.ca/smtprelay
2
0
Fork 0
forked from drew/smtprelay
Code Pull Requests Activity

Merge pull request #11 from JonathonReinhart/minor-cleanup-fixes

Browse Source 
Minor cleanup and fixes
This commit is contained in:
Bernhard Fröhlich
2021-02-16 15:36:52 +01:00
committed by GitHub
parent 0e8986ca79 009ae8f73a
commit c781938999
2 changed files with 65 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
cmd/hasher.go
View File

@@ -8,11 +8,15 @@ import (
) )
func main() { func main() {
if len(os.Args) != 2 {
fmt.Fprintln(os.Stderr, "Usage: hasher PASSWORD")
os.Exit(1)
}
password := os.Args[1] password := os.Args[1]
hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
if err != nil { if err != nil {
fmt.Println("Error generating hash: %s", err) fmt.Fprintln(os.Stderr, "Error generating hash: %s", err)
} }
fmt.Println(string(hash)) fmt.Println(string(hash))
} }

124
main.go
View File

@@ -33,6 +33,7 @@ func connectionChecker(peer smtpd.Peer) error {
} }
} }
log.Printf("Connection from peer=[%s] denied: Not in allowed_nets\n", peerIP)
return smtpd.Error{Code: 421, Message: "Denied"} return smtpd.Error{Code: 421, Message: "Denied"}
} }
@@ -84,10 +85,13 @@ func senderChecker(peer smtpd.Peer, addr string) error {
if *allowedUsers != "" && peer.Username != "" { if *allowedUsers != "" && peer.Username != "" {
user, err := AuthFetch(peer.Username) user, err := AuthFetch(peer.Username)
if err != nil { if err != nil {
// Shouldn't happen: authChecker already validated username+password
return smtpd.Error{Code: 451, Message: "Bad sender address"} return smtpd.Error{Code: 451, Message: "Bad sender address"}
} }
if !addrAllowed(addr, user.allowedAddresses) { if !addrAllowed(addr, user.allowedAddresses) {
log.Printf("Mail from=<%s> not allowed for authenticated user %s (%v)\n",
addr, peer.Username, peer.Addr)
return smtpd.Error{Code: 451, Message: "Bad sender address"} return smtpd.Error{Code: 451, Message: "Bad sender address"}
} }
} }
@@ -106,6 +110,8 @@ func senderChecker(peer smtpd.Peer, addr string) error {
return nil return nil
} }
log.Printf("Mail from=<%s> not allowed by allowed_sender pattern for peer %v\n",
addr, peer.Addr)
return smtpd.Error{Code: 451, Message: "Bad sender address"} return smtpd.Error{Code: 451, Message: "Bad sender address"}
} }
@@ -124,13 +130,15 @@ func recipientChecker(peer smtpd.Peer, addr string) error {
return nil return nil
} }
log.Printf("Mail to=<%s> not allowed by allowed_recipients pattern for peer %v\n",
addr, peer.Addr)
return smtpd.Error{Code: 451, Message: "Bad recipient address"} return smtpd.Error{Code: 451, Message: "Bad recipient address"}
} }
func authChecker(peer smtpd.Peer, username string, password string) error { func authChecker(peer smtpd.Peer, username string, password string) error {
err := AuthCheckPassword(username, password) err := AuthCheckPassword(username, password)
if err != nil { if err != nil {
log.Printf("Auth error: %v\n", err) log.Printf("Auth error for peer %v: %v\n", peer.Addr, err)
return smtpd.Error{Code: 535, Message: "Authentication credentials invalid"} return smtpd.Error{Code: 535, Message: "Authentication credentials invalid"}
} }
return nil return nil
@@ -188,7 +196,7 @@ func mailHandler(peer smtpd.Peer, env smtpd.Envelope) error {
return nil return nil
} }
func main() { func getTLSConfig() *tls.Config {
// Ciphersuites as defined in stock Go but without 3DES and RC4 // Ciphersuites as defined in stock Go but without 3DES and RC4
// https://golang.org/src/crypto/tls/cipher_suites.go // https://golang.org/src/crypto/tls/cipher_suites.go
var tlsCipherSuites = []uint16{ var tlsCipherSuites = []uint16{
@@ -214,6 +222,24 @@ func main() {
tls.TLS_RSA_WITH_AES_256_CBC_SHA, tls.TLS_RSA_WITH_AES_256_CBC_SHA,
} }
if *localCert == "" || *localKey == "" {
log.Fatal("TLS certificate/key not defined in config")
}
cert, err := tls.LoadX509KeyPair(*localCert, *localKey)
if err != nil {
log.Fatal(err)
}
return &tls.Config{
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS11,
CipherSuites: tlsCipherSuites,
Certificates: []tls.Certificate{cert},
}
}
func main() {
ConfigLoad() ConfigLoad()
if *versionInfo { if *versionInfo {
@@ -231,11 +257,16 @@ func main() {
log.SetOutput(io.MultiWriter(os.Stdout, f)) log.SetOutput(io.MultiWriter(os.Stdout, f))
} }
listeners := strings.Split(*listen, " ") // Load allowed users file
if *allowedUsers != "" {
for i := range listeners { err := AuthLoadFile(*allowedUsers)
listener := listeners[i] if err != nil {
log.Fatalf("Authentication file: %s\n", err)
}
}
// Create a server for each desired listen address
for _, listenAddr := range strings.Split(*listen, " ") {
server := &smtpd.Server{ server := &smtpd.Server{
Hostname: *hostName, Hostname: *hostName,
WelcomeMessage: *welcomeMsg, WelcomeMessage: *welcomeMsg,
@@ -246,76 +277,41 @@ func main() {
} }
if *allowedUsers != "" { if *allowedUsers != "" {
err := AuthLoadFile(*allowedUsers)
if err != nil {
log.Fatalf("Authentication file: %s\n", err)
}
server.Authenticator = authChecker server.Authenticator = authChecker
} }
if strings.Index(listeners[i], "://") == -1 { var lsnr net.Listener
log.Printf("Listen on %s ...\n", listener) var err error
go server.ListenAndServe(listener)
} else if strings.HasPrefix(listeners[i], "starttls://") {
listener = strings.TrimPrefix(listener, "starttls://")
if *localCert == "" || *localKey == "" { if strings.Index(listenAddr, "://") == -1 {
log.Fatal("TLS certificate/key not defined in config") log.Printf("Listen on %s ...\n", listenAddr)
}
cert, err := tls.LoadX509KeyPair(*localCert, *localKey) lsnr, err = net.Listen("tcp", listenAddr)
if err != nil { } else if strings.HasPrefix(listenAddr, "starttls://") {
log.Fatal(err) listenAddr = strings.TrimPrefix(listenAddr, "starttls://")
}
server.TLSConfig = &tls.Config{ server.TLSConfig = getTLSConfig()
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS11,
CipherSuites: tlsCipherSuites,
Certificates: []tls.Certificate{cert},
}
server.ForceTLS = *localForceTLS server.ForceTLS = *localForceTLS
log.Printf("Listen on %s (STARTSSL) ...\n", listener) log.Printf("Listen on %s (STARTTLS) ...\n", listenAddr)
lsnr, err := net.Listen("tcp", listener) lsnr, err = net.Listen("tcp", listenAddr)
if err != nil { } else if strings.HasPrefix(listenAddr, "tls://") {
log.Fatal(err) listenAddr = strings.TrimPrefix(listenAddr, "tls://")
}
defer lsnr.Close()
go server.Serve(lsnr) server.TLSConfig = getTLSConfig()
} else if strings.HasPrefix(listeners[i], "tls://") {
listener = strings.TrimPrefix(listener, "tls://") log.Printf("Listen on %s (TLS) ...\n", listenAddr)
lsnr, err = tls.Listen("tcp", listenAddr, server.TLSConfig)
if *localCert == "" || *localKey == "" {
log.Fatal("TLS certificate/key not defined in config")
}
cert, err := tls.LoadX509KeyPair(*localCert, *localKey)
if err != nil {
log.Fatal(err)
}
server.TLSConfig = &tls.Config{
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS11,
CipherSuites: tlsCipherSuites,
Certificates: []tls.Certificate{cert},
}
log.Printf("Listen on %s (TLS) ...\n", listener)
lsnr, err := tls.Listen("tcp", listener, server.TLSConfig)
if err != nil {
log.Fatal(err)
}
defer lsnr.Close()
go server.Serve(lsnr)
} else { } else {
log.Fatal("Unknown protocol in listener ", listener) log.Fatal("Unknown protocol in listen address ", listenAddr)
} }
if err != nil {
log.Fatal(err)
}
defer lsnr.Close()
go server.Serve(lsnr)
} }
for true { for true {