Add new Release Workflow using Github Actions and wangyoucao577/go-release-action

Minor cleanup and fixes

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,66 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+  schedule:
+    - cron: '0 15 * * 5'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Override automatic language detection by changing the below list
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['go']
+        # Learn more...
+        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+
+    # If this run was triggered by a pull request event, then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file. 
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.github/workflows/release.yaml

@@ -0,0 +1,30 @@
+name: Release Go Binaries
+
+on: 
+  release:
+    types: [created]
+
+jobs:
+  releases-matrix:
+    name: Release Go Binary
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        goos: [freebsd, linux, windows]
+        goarch: ["386", amd64]
+    steps:
+    - uses: actions/checkout@v2
+    
+    - name: Set APP_VERSION env
+      run: echo APP_VERSION=$(echo ${GITHUB_REF} | rev | cut -d'/' -f 1 | rev ) >> ${GITHUB_ENV}
+    - name: Set BUILD_TIME env
+      run: echo BUILD_TIME=$(date) >> ${GITHUB_ENV}
+      
+    - uses: wangyoucao577/go-release-action@v1.14
+      with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        goos: ${{ matrix.goos }}
+        goarch: ${{ matrix.goarch }}
+        goversion: "https://golang.org/dl/go1.15.8.linux-amd64.tar.gz"
+        extra_files: LICENSE README.md smtprelay.ini
+        ldflags: -s -w -X "main.appVersion=${{ env.APP_VERSION }}" -X "main.buildTime=${{ env.BUILD_TIME }}"

auth.go

@@ -13,6 +13,12 @@ var (
 	filename string
 )
 
+type AuthUser struct {
+	username         string
+	passwordHash     string
+	allowedAddresses []string
+}
+
 func AuthLoadFile(file string) error {
 	f, err := os.Open(file)
 	if err != nil {
@@ -28,39 +34,66 @@ func AuthReady() bool {
 	return (filename != "")
 }
 
-func AuthFetch(username string) (string, string, error) {
+// Split a string and ignore empty results
+// https://stackoverflow.com/a/46798310/119527
+func splitstr(s string, sep rune) []string {
+	return strings.FieldsFunc(s, func(c rune) bool { return c == sep })
+}
+
+func parseLine(line string) *AuthUser {
+	parts := strings.Fields(line)
+
+	if len(parts) < 2 || len(parts) > 3 {
+		return nil
+	}
+
+	user := AuthUser{
+		username:         parts[0],
+		passwordHash:     parts[1],
+		allowedAddresses: nil,
+	}
+
+	if len(parts) >= 3 {
+		user.allowedAddresses = splitstr(parts[2], ',')
+	}
+
+	return &user
+}
+
+func AuthFetch(username string) (*AuthUser, error) {
 	if !AuthReady() {
-		return "", "", errors.New("Authentication file not specified. Call LoadFile() first")
+		return nil, errors.New("Authentication file not specified. Call LoadFile() first")
 	}
 
 	file, err := os.Open(filename)
 	if err != nil {
-		return "", "", err
+		return nil, err
 	}
 	defer file.Close()
 
 	scanner := bufio.NewScanner(file)
 	for scanner.Scan() {
-		parts := strings.Fields(scanner.Text())
+		user := parseLine(scanner.Text())
-
+		if user == nil {
-		if len(parts) != 3 {
 			continue
 		}
 
-		if strings.ToLower(username) == strings.ToLower(parts[0]) {
+		if strings.ToLower(username) != strings.ToLower(user.username) {
-			return parts[1], parts[2], nil
+			continue
-		}
 		}
 
-	return "", "", errors.New("User not found")
+		return user, nil
+	}
+
+	return nil, errors.New("User not found")
 }
 
 func AuthCheckPassword(username string, secret string) error {
-	hash, _, err := AuthFetch(username)
+	user, err := AuthFetch(username)
 	if err != nil {
 		return err
 	}
-	if bcrypt.CompareHashAndPassword([]byte(hash), []byte(secret)) == nil {
+	if bcrypt.CompareHashAndPassword([]byte(user.passwordHash), []byte(secret)) == nil {
 		return nil
 	}
 	return errors.New("Password invalid")

auth_test.go

@@ -0,0 +1,89 @@
+package main
+
+import (
+	"testing"
+)
+
+func stringsEqual(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := range a {
+		if a[i] != b[i] {
+			return false
+		}
+	}
+	return true
+}
+
+func TestParseLine(t *testing.T) {
+	var tests = []struct {
+		name       string
+		expectFail bool
+		line       string
+		username   string
+		addrs      []string
+	}{
+		{
+			name:       "Empty line",
+			expectFail: true,
+			line:       "",
+		},
+		{
+			name:       "Too few fields",
+			expectFail: true,
+			line:       "joe",
+		},
+		{
+			name:       "Too many fields",
+			expectFail: true,
+			line:       "joe xxx joe@example.com whatsthis",
+		},
+		{
+			name:     "Normal case",
+			line:     "joe xxx joe@example.com",
+			username: "joe",
+			addrs:    []string{"joe@example.com"},
+		},
+		{
+			name:     "No allowed addrs given",
+			line:     "joe xxx",
+			username: "joe",
+			addrs:    []string{},
+		},
+		{
+			name:     "Trailing comma",
+			line:     "joe xxx joe@example.com,",
+			username: "joe",
+			addrs:    []string{"joe@example.com"},
+		},
+		{
+			name:     "Multiple allowed addrs",
+			line:     "joe xxx joe@example.com,@foo.example.com",
+			username: "joe",
+			addrs:    []string{"joe@example.com", "@foo.example.com"},
+		},
+	}
+
+	for i, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			user := parseLine(test.line)
+			if user == nil {
+				if !test.expectFail {
+					t.Errorf("parseLine() returned nil unexpectedly")
+				}
+				return
+			}
+
+			if user.username != test.username {
+				t.Errorf("Testcase %d: Incorrect username: expected %v, got %v",
+					i, test.username, user.username)
+			}
+
+			if !stringsEqual(user.allowedAddresses, test.addrs) {
+				t.Errorf("Testcase %d: Incorrect addresses: expected %v, got %v",
+					i, test.addrs, user.allowedAddresses)
+			}
+		})
+	}
+}

cmd/hasher.go

@@ -8,11 +8,15 @@ import (
 )
 
 func main() {
+	if len(os.Args) != 2 {
+		fmt.Fprintln(os.Stderr, "Usage: hasher PASSWORD")
+		os.Exit(1)
+	}
 	password := os.Args[1]
 
 	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
 	if err != nil {
-		fmt.Println("Error generating hash: %s", err)
+		fmt.Fprintln(os.Stderr, "Error generating hash: %s", err)
 	}
 	fmt.Println(string(hash))
 }

config.go

@@ -6,8 +6,9 @@ import (
 	"github.com/vharitonsky/iniflags"
 )
 
-const (
+var (
-	VERSION = "1.3.0"
+	appVersion = "unknown"
+	buildTime  = "unknown"
 )
 
 var (
@@ -19,8 +20,8 @@ var (
 	localKey          = flag.String("local_key", "", "SSL private key for STARTTLS/TLS")
 	localForceTLS     = flag.Bool("local_forcetls", false, "Force STARTTLS (needs local_cert and local_key)")
 	allowedNets       = flag.String("allowed_nets", "127.0.0.1/8 ::1/128", "Networks allowed to send mails")
-	allowedSender     = flag.String("allowed_sender", "", "Regular expression for valid FROM EMail adresses")
+	allowedSender     = flag.String("allowed_sender", "", "Regular expression for valid FROM EMail addresses")
-	allowedRecipients = flag.String("allowed_recipients", "", "Regular expression for valid TO EMail adresses")
+	allowedRecipients = flag.String("allowed_recipients", "", "Regular expression for valid TO EMail addresses")
 	allowedUsers      = flag.String("allowed_users", "", "Path to file with valid users/passwords")
 	remoteHost        = flag.String("remote_host", "smtp.gmail.com:587", "Outgoing SMTP server")
 	remoteUser        = flag.String("remote_user", "", "Username for authentication on outgoing SMTP server")

go.mod

@@ -3,7 +3,7 @@ module github.com/decke/smtprelay
 require (
 	github.com/chrj/smtpd v0.2.0
 	github.com/vharitonsky/iniflags v0.0.0-20180513140207-a33cd0b5f3de
-	golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9
+	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
 )
 
 go 1.13

go.sum

@@ -4,9 +4,10 @@ github.com/eaigner/dkim v0.0.0-20150301120808-6fe4a7ee9cfb/go.mod h1:FSCIHbrqk7D
 github.com/vharitonsky/iniflags v0.0.0-20180513140207-a33cd0b5f3de h1:fkw+7JkxF3U1GzQoX9h69Wvtvxajo5Rbzy6+YMMzPIg=
 github.com/vharitonsky/iniflags v0.0.0-20180513140207-a33cd0b5f3de/go.mod h1:irMhzlTz8+fVFj6CH2AN2i+WI5S6wWFtK3MBCIxIpyI=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9 h1:vEg9joUBmeBcK9iSJftGNf3coIG4HqZElCPehJsfAYM=
+golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad h1:DN0cp81fZ3njFcrLCytUHRSUkqBjfTo4Tx9RJTWs0EY=
-golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

main.go

@@ -33,18 +33,65 @@ func connectionChecker(peer smtpd.Peer) error {
 		}
 	}
 
+	log.Printf("Connection from peer=[%s] denied: Not in allowed_nets\n", peerIP)
 	return smtpd.Error{Code: 421, Message: "Denied"}
 }
 
+func addrAllowed(addr string, allowedAddrs []string) bool {
+	if allowedAddrs == nil {
+		// If absent, all addresses are allowed
+		return true
+	}
+
+	addr = strings.ToLower(addr)
+
+	// Extract optional domain part
+	domain := ""
+	if idx := strings.LastIndex(addr, "@"); idx != -1 {
+		domain = strings.ToLower(addr[idx+1:])
+	}
+
+	// Test each address from allowedUsers file
+	for _, allowedAddr := range allowedAddrs {
+		allowedAddr = strings.ToLower(allowedAddr)
+
+		// Three cases for allowedAddr format:
+		if idx := strings.Index(allowedAddr, "@"); idx == -1 {
+			// 1. local address (no @) -- must match exactly
+			if allowedAddr == addr {
+				return true
+			}
+		} else {
+			if idx != 0 {
+				// 2. email address (user@domain.com) -- must match exactly
+				if allowedAddr == addr {
+					return true
+				}
+			} else {
+				// 3. domain (@domain.com) -- must match addr domain
+				allowedDomain := allowedAddr[idx+1:]
+				if allowedDomain == domain {
+					return true
+				}
+			}
+		}
+	}
+
+	return false
+}
+
 func senderChecker(peer smtpd.Peer, addr string) error {
 	// check sender address from auth file if user is authenticated
 	if *allowedUsers != "" && peer.Username != "" {
-		_, email, err := AuthFetch(peer.Username)
+		user, err := AuthFetch(peer.Username)
 		if err != nil {
+			// Shouldn't happen: authChecker already validated username+password
 			return smtpd.Error{Code: 451, Message: "Bad sender address"}
 		}
 
-		if strings.ToLower(addr) != strings.ToLower(email) {
+		if !addrAllowed(addr, user.allowedAddresses) {
+			log.Printf("Mail from=<%s> not allowed for authenticated user %s (%v)\n",
+				addr, peer.Username, peer.Addr)
 			return smtpd.Error{Code: 451, Message: "Bad sender address"}
 		}
 	}
@@ -63,6 +110,8 @@ func senderChecker(peer smtpd.Peer, addr string) error {
 		return nil
 	}
 
+	log.Printf("Mail from=<%s> not allowed by allowed_sender pattern for peer %v\n",
+		addr, peer.Addr)
 	return smtpd.Error{Code: 451, Message: "Bad sender address"}
 }
 
@@ -81,13 +130,15 @@ func recipientChecker(peer smtpd.Peer, addr string) error {
 		return nil
 	}
 
+	log.Printf("Mail to=<%s> not allowed by allowed_recipients pattern for peer %v\n",
+		addr, peer.Addr)
 	return smtpd.Error{Code: 451, Message: "Bad recipient address"}
 }
 
 func authChecker(peer smtpd.Peer, username string, password string) error {
 	err := AuthCheckPassword(username, password)
 	if err != nil {
-		log.Printf("Auth error: %v\n", err)
+		log.Printf("Auth error for peer %v: %v\n", peer.Addr, err)
 		return smtpd.Error{Code: 535, Message: "Authentication credentials invalid"}
 	}
 	return nil
@@ -145,7 +196,7 @@ func mailHandler(peer smtpd.Peer, env smtpd.Envelope) error {
 	return nil
 }
 
-func main() {
+func getTLSConfig() *tls.Config {
 	// Ciphersuites as defined in stock Go but without 3DES and RC4
 	// https://golang.org/src/crypto/tls/cipher_suites.go
 	var tlsCipherSuites = []uint16{
@@ -158,23 +209,32 @@ func main() {
 		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 		tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // does not provide PFS
 		tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // does not provide PFS
-		tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
-		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
 	}
 
+	if *localCert == "" || *localKey == "" {
+		log.Fatal("TLS certificate/key not defined in config")
+	}
+
+	cert, err := tls.LoadX509KeyPair(*localCert, *localKey)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	return &tls.Config{
+		PreferServerCipherSuites: true,
+		MinVersion:               tls.VersionTLS12,
+		CipherSuites:             tlsCipherSuites,
+		Certificates:             []tls.Certificate{cert},
+	}
+}
+
+func main() {
 	ConfigLoad()
 
 	if *versionInfo {
-		fmt.Printf("smtprelay/%s\n", VERSION)
+		fmt.Printf("smtprelay/%s (%s)\n", appVersion, buildTime)
 		os.Exit(0)
 	}
 
@@ -188,11 +248,16 @@ func main() {
 		log.SetOutput(io.MultiWriter(os.Stdout, f))
 	}
 
-	listeners := strings.Split(*listen, " ")
+	// Load allowed users file
-
+	if *allowedUsers != "" {
-	for i := range listeners {
+		err := AuthLoadFile(*allowedUsers)
-		listener := listeners[i]
+		if err != nil {
+			log.Fatalf("Authentication file: %s\n", err)
+		}
+	}
 
+	// Create a server for each desired listen address
+	for _, listenAddr := range strings.Split(*listen, " ") {
 		server := &smtpd.Server{
 			Hostname:          *hostName,
 			WelcomeMessage:    *welcomeMsg,
@@ -203,76 +268,41 @@ func main() {
 		}
 
 		if *allowedUsers != "" {
-			err := AuthLoadFile(*allowedUsers)
-			if err != nil {
-				log.Fatalf("Authentication file: %s\n", err)
-			}
-
 			server.Authenticator = authChecker
 		}
 
-		if strings.Index(listeners[i], "://") == -1 {
+		var lsnr net.Listener
-			log.Printf("Listen on %s ...\n", listener)
+		var err error
-			go server.ListenAndServe(listener)
-		} else if strings.HasPrefix(listeners[i], "starttls://") {
-			listener = strings.TrimPrefix(listener, "starttls://")
 
-			if *localCert == "" || *localKey == "" {
+		if strings.Index(listenAddr, "://") == -1 {
-				log.Fatal("TLS certificate/key not defined in config")
+			log.Printf("Listen on %s ...\n", listenAddr)
-			}
 
-			cert, err := tls.LoadX509KeyPair(*localCert, *localKey)
+			lsnr, err = net.Listen("tcp", listenAddr)
-			if err != nil {
+		} else if strings.HasPrefix(listenAddr, "starttls://") {
-				log.Fatal(err)
+			listenAddr = strings.TrimPrefix(listenAddr, "starttls://")
-			}
 
-			server.TLSConfig = &tls.Config{
+			server.TLSConfig = getTLSConfig()
-				PreferServerCipherSuites: true,
-				MinVersion:               tls.VersionTLS11,
-				CipherSuites:             tlsCipherSuites,
-				Certificates:             []tls.Certificate{cert},
-			}
 			server.ForceTLS = *localForceTLS
 
-			log.Printf("Listen on %s (STARTSSL) ...\n", listener)
+			log.Printf("Listen on %s (STARTTLS) ...\n", listenAddr)
-			lsnr, err := net.Listen("tcp", listener)
+			lsnr, err = net.Listen("tcp", listenAddr)
-			if err != nil {
+		} else if strings.HasPrefix(listenAddr, "tls://") {
-				log.Fatal(err)
+			listenAddr = strings.TrimPrefix(listenAddr, "tls://")
-			}
-			defer lsnr.Close()
 
-			go server.Serve(lsnr)
+			server.TLSConfig = getTLSConfig()
-		} else if strings.HasPrefix(listeners[i], "tls://") {
 
-			listener = strings.TrimPrefix(listener, "tls://")
+			log.Printf("Listen on %s (TLS) ...\n", listenAddr)
-
+			lsnr, err = tls.Listen("tcp", listenAddr, server.TLSConfig)
-			if *localCert == "" || *localKey == "" {
-				log.Fatal("TLS certificate/key not defined in config")
-			}
-
-			cert, err := tls.LoadX509KeyPair(*localCert, *localKey)
-			if err != nil {
-				log.Fatal(err)
-			}
-
-			server.TLSConfig = &tls.Config{
-				PreferServerCipherSuites: true,
-				MinVersion:               tls.VersionTLS11,
-				CipherSuites:             tlsCipherSuites,
-				Certificates:             []tls.Certificate{cert},
-			}
-
-			log.Printf("Listen on %s (TLS) ...\n", listener)
-			lsnr, err := tls.Listen("tcp", listener, server.TLSConfig)
-			if err != nil {
-				log.Fatal(err)
-			}
-			defer lsnr.Close()
-
-			go server.Serve(lsnr)
 		} else {
-			log.Fatal("Unknown protocol in listener ", listener)
+			log.Fatal("Unknown protocol in listen address ", listenAddr)
 		}
+
+		if err != nil {
+			log.Fatal(err)
+		}
+		defer lsnr.Close()
+
+		go server.Serve(lsnr)
 	}
 
 	for true {

main_test.go

@@ -0,0 +1,94 @@
+package main
+
+import (
+	"testing"
+)
+
+func TestAddrAllowedNoDomain(t *testing.T) {
+	allowedAddrs := []string{"joe@abc.com"}
+	if addrAllowed("bob.com", allowedAddrs) {
+		t.FailNow()
+	}
+}
+
+func TestAddrAllowedSingle(t *testing.T) {
+	allowedAddrs := []string{"joe@abc.com"}
+
+	if !addrAllowed("joe@abc.com", allowedAddrs) {
+		t.FailNow()
+	}
+	if addrAllowed("bob@abc.com", allowedAddrs) {
+		t.FailNow()
+	}
+}
+
+func TestAddrAllowedDifferentCase(t *testing.T) {
+	allowedAddrs := []string{"joe@abc.com"}
+	testAddrs := []string{
+		"joe@ABC.com",
+		"Joe@abc.com",
+		"JOE@abc.com",
+		"JOE@ABC.COM",
+	}
+	for _, addr := range testAddrs {
+		if !addrAllowed(addr, allowedAddrs) {
+			t.Errorf("Address %v not allowed, but should be", addr)
+		}
+	}
+}
+
+func TestAddrAllowedLocal(t *testing.T) {
+	allowedAddrs := []string{"joe"}
+
+	if !addrAllowed("joe", allowedAddrs) {
+		t.FailNow()
+	}
+	if addrAllowed("bob", allowedAddrs) {
+		t.FailNow()
+	}
+}
+
+func TestAddrAllowedMulti(t *testing.T) {
+	allowedAddrs := []string{"joe@abc.com", "bob@def.com"}
+	if !addrAllowed("joe@abc.com", allowedAddrs) {
+		t.FailNow()
+	}
+	if !addrAllowed("bob@def.com", allowedAddrs) {
+		t.FailNow()
+	}
+	if addrAllowed("bob@abc.com", allowedAddrs) {
+		t.FailNow()
+	}
+}
+
+func TestAddrAllowedSingleDomain(t *testing.T) {
+	allowedAddrs := []string{"@abc.com"}
+	if !addrAllowed("joe@abc.com", allowedAddrs) {
+		t.FailNow()
+	}
+	if addrAllowed("joe@def.com", allowedAddrs) {
+		t.FailNow()
+	}
+}
+
+func TestAddrAllowedMixed(t *testing.T) {
+	allowedAddrs := []string{"app", "app@example.com", "@appsrv.example.com"}
+	if !addrAllowed("app", allowedAddrs) {
+		t.FailNow()
+	}
+	if !addrAllowed("app@example.com", allowedAddrs) {
+		t.FailNow()
+	}
+	if addrAllowed("ceo@example.com", allowedAddrs) {
+		t.FailNow()
+	}
+	if !addrAllowed("root@appsrv.example.com", allowedAddrs) {
+		t.FailNow()
+	}
+	if !addrAllowed("dev@appsrv.example.com", allowedAddrs) {
+		t.FailNow()
+	}
+	if addrAllowed("appsrv@example.com", allowedAddrs) {
+		t.FailNow()
+	}
+}

scripts/release.sh

@@ -1,34 +0,0 @@
-#!/bin/sh
-
-PROJECT=smtprelay
-VERSION=1.3.0
-
-for goos in freebsd linux windows
-do
-   for goarch in 386 amd64
-   do
-      export GOOS=${goos}
-      export GOARCH=${goarch}
-
-      RELDIR=${PROJECT}-${VERSION}-${GOOS}-${GOARCH}
-
-      rm -rf ${RELDIR}
-      mkdir ${RELDIR} || exit 1
-      cp -p README.md LICENSE ${PROJECT}.ini ${RELDIR}/ || exit 1
-
-      if [ ${GOOS} = "windows" ]; then
-        BINARY=${PROJECT}.exe
-        sed -I '' -e 's/;logfile =.*/logfile =/g' ${RELDIR}/${PROJECT}.ini
-        sed -I '' -e 's/$/^M/' ${RELDIR}/${PROJECT}.ini
-      else
-        BINARY=${PROJECT}
-      fi
-
-      go build -ldflags="-s -w" -o ${RELDIR}/${BINARY} || exit 1
-
-      chown -R root:wheel ${RELDIR} || exit 1
-      tar cvfJ ${RELDIR}.tar.xz ${RELDIR} || exit 1
-      rm -rf ${RELDIR}
-   done
-done
-

smtprelay.ini

@@ -27,17 +27,24 @@
 ; Networks that are allowed to send mails to us
 ;allowed_nets = 127.0.0.1/8 ::1/128
 
-; Regular expression for valid FROM EMail adresses
+; Regular expression for valid FROM EMail addresses
 ; Example: ^(.*)@localhost.localdomain$
 ;allowed_sender =
 
-; Regular expression for valid TO EMail adresses
+; Regular expression for valid TO EMail addresses
 ; Example: ^(.*)@localhost.localdomain$
 ;allowed_recipients =
 
 ; File which contains username and password used for
 ; authentication before they can send mail.
-; File format: username bcrypt-hash email
+; File format: username bcrypt-hash [email[,email[,...]]]
+;   username: The SMTP auth username
+;   bcrypt-hash: The bcrypt hash of the pasword (generate with "./hasher password")
+;   email: Comma-separated list of allowed "from" addresses:
+;          - If omitted, user can send from any address
+;          - If @domain.com is given, user can send from any address @domain.com
+;          - Otherwise, email address must match exactly (case-insensitive)
+;          E.g. "app@example.com,@appsrv.example.com"
 ;allowed_users =
 
 ; Relay all mails to this SMTP server