Bump Go version for CI builds to 1.16

Don't allow configuration requiring authentication with non-TLS listener

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/go.yml

@@ -7,10 +7,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - name: Set up Go 1.14
+    - name: Set up Go 1.16
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v2.1.3
       with:
-        go-version: 1.14
+        go-version: 1.16
       id: go
 
     - name: Check out code into the Go module directory

.github/workflows/release.yaml

@@ -20,11 +20,11 @@ jobs:
     - name: Set BUILD_TIME env
       run: echo BUILD_TIME=$(date) >> ${GITHUB_ENV}
       
-    - uses: wangyoucao577/go-release-action@v1.14
+    - uses: wangyoucao577/go-release-action@v1.16
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         goos: ${{ matrix.goos }}
         goarch: ${{ matrix.goarch }}
-        goversion: "https://golang.org/dl/go1.15.8.linux-amd64.tar.gz"
+        goversion: "https://golang.org/dl/go1.16.3.linux-amd64.tar.gz"
         extra_files: LICENSE README.md smtprelay.ini
         ldflags: -s -w -X "main.appVersion=${{ env.APP_VERSION }}" -X "main.buildTime=${{ env.BUILD_TIME }}"

config.go

@@ -2,8 +2,13 @@ package main
 
 import (
 	"flag"
+	"net"
+	"net/smtp"
+	"regexp"
+	"strings"
 
 	"github.com/vharitonsky/iniflags"
+	"github.com/sirupsen/logrus"
 )
 
 var (
@@ -12,25 +17,170 @@ var (
 )
 
 var (
-	logFile           = flag.String("logfile", "/var/log/smtprelay.log", "Path to logfile")
+	logFile           = flag.String("logfile", "", "Path to logfile")
+	logFormat         = flag.String("log_format", "default", "Log output format")
+	logLevel          = flag.String("log_level", "info", "Minimum log level to output")
 	hostName          = flag.String("hostname", "localhost.localdomain", "Server hostname")
 	welcomeMsg        = flag.String("welcome_msg", "", "Welcome message for SMTP session")
-	listen            = flag.String("listen", "127.0.0.1:25 [::1]:25", "Address and port to listen for incoming SMTP")
+	listenStr         = flag.String("listen", "127.0.0.1:25 [::1]:25", "Address and port to listen for incoming SMTP")
+	listenAddrs       = []protoAddr{}
 	localCert         = flag.String("local_cert", "", "SSL certificate for STARTTLS/TLS")
 	localKey          = flag.String("local_key", "", "SSL private key for STARTTLS/TLS")
 	localForceTLS     = flag.Bool("local_forcetls", false, "Force STARTTLS (needs local_cert and local_key)")
-	allowedNets       = flag.String("allowed_nets", "127.0.0.1/8 ::1/128", "Networks allowed to send mails")
+	allowedNetsStr    = flag.String("allowed_nets", "127.0.0.0/8 ::1/128", "Networks allowed to send mails")
-	allowedSender     = flag.String("allowed_sender", "", "Regular expression for valid FROM EMail addresses")
+	allowedNets       = []*net.IPNet{}
-	allowedRecipients = flag.String("allowed_recipients", "", "Regular expression for valid TO EMail addresses")
+	allowedSenderStr  = flag.String("allowed_sender", "", "Regular expression for valid FROM EMail addresses")
+	allowedSender     *regexp.Regexp
+	allowedRecipStr   = flag.String("allowed_recipients", "", "Regular expression for valid TO EMail addresses")
+	allowedRecipients *regexp.Regexp
 	allowedUsers      = flag.String("allowed_users", "", "Path to file with valid users/passwords")
-	remoteHost        = flag.String("remote_host", "smtp.gmail.com:587", "Outgoing SMTP server")
+	remoteHost        = flag.String("remote_host", "", "Outgoing SMTP server")
 	remoteUser        = flag.String("remote_user", "", "Username for authentication on outgoing SMTP server")
 	remotePass        = flag.String("remote_pass", "", "Password for authentication on outgoing SMTP server")
-	remoteAuth        = flag.String("remote_auth", "plain", "Auth method on outgoing SMTP server (plain, login)")
+	remoteAuthStr     = flag.String("remote_auth", "none", "Auth method on outgoing SMTP server (none, plain, login)")
+	remoteAuth        smtp.Auth
 	remoteSender      = flag.String("remote_sender", "", "Sender e-mail address on outgoing SMTP server")
 	versionInfo       = flag.Bool("version", false, "Show version information")
 )
 
+func localAuthRequired() bool {
+	return *allowedUsers != ""
+}
+
+
+func setupAllowedNetworks() {
+	for _, netstr := range splitstr(*allowedNetsStr, ' ') {
+		baseIP, allowedNet, err := net.ParseCIDR(netstr)
+		if err != nil {
+			log.WithField("netstr", netstr).
+				WithError(err).
+				Fatal("Invalid CIDR notation in allowed_nets")
+		}
+
+		// Reject any network specification where any host bits are set,
+		// meaning the address refers to a host and not a network.
+		if !allowedNet.IP.Equal(baseIP) {
+			log.WithFields(logrus.Fields{
+				"given_net": netstr,
+				"proper_net": allowedNet,
+			}).Fatal("Invalid network in allowed_nets (host bits set)")
+		}
+
+		allowedNets = append(allowedNets, allowedNet)
+	}
+}
+
+func setupAllowedPatterns() {
+	var err error
+
+	if (*allowedSenderStr != "") {
+		allowedSender, err = regexp.Compile(*allowedSenderStr)
+		if err != nil {
+			log.WithField("allowed_sender", *allowedSenderStr).
+				WithError(err).
+				Fatal("allowed_sender pattern invalid")
+		}
+	}
+
+	if (*allowedRecipStr != "") {
+		allowedRecipients, err = regexp.Compile(*allowedRecipStr)
+		if err != nil {
+			log.WithField("allowed_recipients", *allowedRecipStr).
+				WithError(err).
+				Fatal("allowed_recipients pattern invalid")
+		}
+	}
+}
+
+
+func setupRemoteAuth() {
+	logger := log.WithField("remote_auth", *remoteAuthStr)
+
+	// Remote auth disabled?
+	if *remoteAuthStr == "" || *remoteAuthStr == "none" {
+		if *remoteUser != "" {
+			logger.Fatal("remote_user given but not used")
+		}
+		if *remotePass != "" {
+			logger.Fatal("remote_pass given but not used")
+		}
+
+		// No auth; use empty default
+		return
+	}
+
+	// We need a username, password, and remote host
+	if *remoteUser == "" {
+		logger.Fatal("remote_user required but empty")
+	}
+	if *remotePass == "" {
+		logger.Fatal("remote_pass required but empty")
+	}
+	if *remoteHost == "" {
+		logger.Fatal("remote_auth without remote_host is pointless")
+	}
+
+	host, _, err := net.SplitHostPort(*remoteHost)
+	if err != nil {
+		logger.WithField("remote_host", *remoteHost).
+			   Fatal("Invalid remote_host")
+	}
+
+	switch *remoteAuthStr {
+	case "plain":
+		remoteAuth = smtp.PlainAuth("", *remoteUser, *remotePass, host)
+	case "login":
+		remoteAuth = LoginAuth(*remoteUser, *remotePass)
+	default:
+		logger.Fatal("Invalid remote_auth type")
+	}
+}
+
+type protoAddr struct {
+	protocol string
+	address  string
+}
+
+func splitProto(s string) protoAddr {
+	idx := strings.Index(s, "://")
+	if idx == -1 {
+		return protoAddr {
+			address:  s,
+		}
+	}
+	return protoAddr {
+		protocol: s[0 : idx],
+		address:  s[idx+3 : len(s)],
+	}
+}
+
+func setupListeners() {
+	for _, listenAddr := range strings.Split(*listenStr, " ") {
+		pa := splitProto(listenAddr)
+
+		if localAuthRequired() && pa.protocol == "" {
+			log.WithField("address", pa.address).
+				Fatal("Local authentication (via allowed_users file) " +
+				      "not allowed with non-TLS listener")
+		}
+
+
+		listenAddrs = append(listenAddrs, pa)
+	}
+}
+
 func ConfigLoad() {
 	iniflags.Parse()
+
+	// Set up logging as soon as possible
+	setupLogger()
+
+	if (*remoteHost == "") {
+		log.Warn("remote_host not set; mail will not be forwarded!")
+	}
+
+	setupAllowedNetworks()
+	setupAllowedPatterns()
+	setupRemoteAuth()
+	setupListeners()
 }

config_test.go

@@ -0,0 +1,44 @@
+package main
+
+import (
+	"testing"
+)
+
+func TestSplitProto(t *testing.T) {
+	var tests = []struct {
+		input      string
+		proto      string
+		addr       string
+	}{
+		{
+			input:      "localhost",
+			proto:      "",
+			addr:       "localhost",
+		},
+		{
+			input:      "tls://my.local.domain",
+			proto:      "tls",
+			addr:       "my.local.domain",
+		},
+		{
+			input:      "starttls://my.local.domain",
+			proto:      "starttls",
+			addr:       "my.local.domain",
+		},
+	}
+
+	for i, test := range tests {
+		testName := test.input
+		t.Run(testName, func(t *testing.T) {
+			pa := splitProto(test.input)
+			if pa.protocol != test.proto {
+				t.Errorf("Testcase %d: Incorrect proto: expected %v, got %v",
+					i, test.proto, pa.protocol)
+			}
+			if pa.address != test.addr {
+				t.Errorf("Testcase %d: Incorrect addr: expected %v, got %v",
+					i, test.addr, pa.address)
+			}
+		})
+	}
+}

go.mod

@@ -1,7 +1,9 @@
 module github.com/decke/smtprelay
 
 require (
-	github.com/chrj/smtpd v0.2.0
+	github.com/chrj/smtpd v0.3.0
+	github.com/google/uuid v1.2.0
+	github.com/sirupsen/logrus v1.8.1
 	github.com/vharitonsky/iniflags v0.0.0-20180513140207-a33cd0b5f3de
 	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
 )

go.sum

@@ -1,6 +1,16 @@
-github.com/chrj/smtpd v0.2.0 h1:QGbE4UQz7sKjvXpRgNLuiBOjcWTzBKu/dj0hyDLpD14=
+github.com/chrj/smtpd v0.3.0 h1:cw1LSHDOz7N3XbkcZSF/bue9dh7ATKk5ZksfBztV6b0=
-github.com/chrj/smtpd v0.2.0/go.mod h1:1hmG9KbrE10JG1SmvG79Krh4F6713oUrw2+gRp1oSYk=
+github.com/chrj/smtpd v0.3.0/go.mod h1:1hmG9KbrE10JG1SmvG79Krh4F6713oUrw2+gRp1oSYk=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/eaigner/dkim v0.0.0-20150301120808-6fe4a7ee9cfb/go.mod h1:FSCIHbrqk7D01Mj8y/jW+NS1uoCerr+ad+IckTHTFf4=
+github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=
+github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
+github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/vharitonsky/iniflags v0.0.0-20180513140207-a33cd0b5f3de h1:fkw+7JkxF3U1GzQoX9h69Wvtvxajo5Rbzy6+YMMzPIg=
 github.com/vharitonsky/iniflags v0.0.0-20180513140207-a33cd0b5f3de/go.mod h1:irMhzlTz8+fVFj6CH2AN2i+WI5S6wWFtK3MBCIxIpyI=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -8,6 +18,7 @@ golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad h1:DN0cp81fZ3njFcrLCytUHR
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 h1:YyJpGZS1sBuBCzLAR1VEpK193GlqGZbnPFnPV/5Rsb4=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

logger.go

@@ -0,0 +1,60 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	log *logrus.Logger
+)
+
+func setupLogger() {
+	log = logrus.New()
+
+	// Handle logfile
+	if (*logFile == "") {
+		log.SetOutput(os.Stderr)
+	} else {
+		writer, err := os.OpenFile(*logFile, os.O_CREATE|os.O_RDWR|os.O_APPEND, 0600)
+		if err != nil {
+			fmt.Printf("cannot open log file: %s\n", err)
+			os.Exit(1)
+		}
+
+		log.SetOutput(writer)
+	}
+
+	// Handle log_format
+	switch *logFormat {
+	case "json":
+		log.SetFormatter(&logrus.JSONFormatter{
+			TimestampFormat:   time.RFC3339Nano,
+			DisableHTMLEscape: true,
+		})
+	case "plain":
+		log.SetFormatter(&logrus.TextFormatter{
+			DisableTimestamp: true,
+		})
+	case "", "default":
+		log.SetFormatter(&logrus.TextFormatter{
+			FullTimestamp: true,
+		})
+	default:
+		fmt.Fprintf(os.Stderr, "Invalid log_format: %s\n", *logFormat)
+		os.Exit(1)
+	}
+
+	// Handle log_level
+	level, err := logrus.ParseLevel(*logLevel)
+	if err != nil {
+		level = logrus.InfoLevel
+
+		log.WithField("given_level", *logLevel).
+			Warn("could not parse log level, defaulting to 'info'")
+	}
+	log.SetLevel(level)
+}

main.go

@@ -3,37 +3,36 @@ package main
 import (
 	"crypto/tls"
 	"fmt"
-	"io"
-	"log"
 	"net"
-	"net/smtp"
+	"net/textproto"
 	"os"
-	"regexp"
+	"os/signal"
 	"strings"
-	"time"
+	"syscall"
 
 	"github.com/chrj/smtpd"
+	"github.com/google/uuid"
+	"github.com/sirupsen/logrus"
 )
 
 func connectionChecker(peer smtpd.Peer) error {
-	var peerIP net.IP
+	// This can't panic because we only have TCP listeners
-	if addr, ok := peer.Addr.(*net.TCPAddr); ok {
+	peerIP := peer.Addr.(*net.TCPAddr).IP
-		peerIP = net.ParseIP(addr.IP.String())
+
-	} else {
+	if len(allowedNets) == 0 {
-		return smtpd.Error{Code: 421, Message: "Denied"}
+		// Special case: empty string means allow everything
+		return nil
 	}
 
-	nets := strings.Split(*allowedNets, " ")
+	for _, allowedNet := range allowedNets {
-
-	for i := range nets {
-		_, allowedNet, _ := net.ParseCIDR(nets[i])
-
 		if allowedNet.Contains(peerIP) {
 			return nil
 		}
 	}
 
-	log.Printf("Connection from peer=[%s] denied: Not in allowed_nets\n", peerIP)
+	log.WithFields(logrus.Fields{
+		"ip": peerIP,
+	}).Warn("Connection refused from address outside of allowed_nets")
 	return smtpd.Error{Code: 421, Message: "Denied"}
 }
 
@@ -82,63 +81,69 @@ func addrAllowed(addr string, allowedAddrs []string) bool {
 
 func senderChecker(peer smtpd.Peer, addr string) error {
 	// check sender address from auth file if user is authenticated
-	if *allowedUsers != "" && peer.Username != "" {
+	if localAuthRequired() && peer.Username != "" {
 		user, err := AuthFetch(peer.Username)
 		if err != nil {
 			// Shouldn't happen: authChecker already validated username+password
+			log.WithFields(logrus.Fields{
+				"peer": peer.Addr,
+				"username": peer.Username,
+			}).WithError(err).Warn("could not fetch auth user")
 			return smtpd.Error{Code: 451, Message: "Bad sender address"}
 		}
 
 		if !addrAllowed(addr, user.allowedAddresses) {
-			log.Printf("Mail from=<%s> not allowed for authenticated user %s (%v)\n",
+			log.WithFields(logrus.Fields{
-				addr, peer.Username, peer.Addr)
+				"peer": peer.Addr,
+				"username": peer.Username,
+				"sender_address": addr,
+			}).Warn("sender address not allowed for authenticated user")
 			return smtpd.Error{Code: 451, Message: "Bad sender address"}
 		}
 	}
 
-	if *allowedSender == "" {
+	if allowedSender == nil {
+		// Any sender is permitted
 		return nil
 	}
 
-	re, err := regexp.Compile(*allowedSender)
+	if allowedSender.MatchString(addr) {
-	if err != nil {
+		// Permitted by regex
-		log.Printf("allowed_sender invalid: %v\n", err)
-		return smtpd.Error{Code: 451, Message: "Bad sender address"}
-	}
-
-	if re.MatchString(addr) {
 		return nil
 	}
 
-	log.Printf("Mail from=<%s> not allowed by allowed_sender pattern for peer %v\n",
+	log.WithFields(logrus.Fields{
-		addr, peer.Addr)
+		"sender_address": addr,
+		"peer": peer.Addr,
+	}).Warn("sender address not allowed by allowed_sender pattern")
 	return smtpd.Error{Code: 451, Message: "Bad sender address"}
 }
 
 func recipientChecker(peer smtpd.Peer, addr string) error {
-	if *allowedRecipients == "" {
+	if allowedRecipients == nil {
+		// Any recipient is permitted
 		return nil
 	}
 
-	re, err := regexp.Compile(*allowedRecipients)
+	if allowedRecipients.MatchString(addr) {
-	if err != nil {
+		// Permitted by regex
-		log.Printf("allowed_recipients invalid: %v\n", err)
-		return smtpd.Error{Code: 451, Message: "Bad recipient address"}
-	}
-
-	if re.MatchString(addr) {
 		return nil
 	}
 
-	log.Printf("Mail to=<%s> not allowed by allowed_recipients pattern for peer %v\n",
+	log.WithFields(logrus.Fields{
-		addr, peer.Addr)
+		"peer": peer.Addr,
+		"recipient_address": addr,
+	}).Warn("recipient address not allowed by allowed_recipients pattern")
 	return smtpd.Error{Code: 451, Message: "Bad recipient address"}
 }
 
 func authChecker(peer smtpd.Peer, username string, password string) error {
 	err := AuthCheckPassword(username, password)
 	if err != nil {
-		log.Printf("Auth error for peer %v: %v\n", peer.Addr, err)
+		log.WithFields(logrus.Fields{
+			"peer": peer.Addr,
+			"username": username,
+		}).WithError(err).Warn("auth error")
 		return smtpd.Error{Code: 535, Message: "Authentication credentials invalid"}
 	}
 	return nil
@@ -150,27 +155,23 @@ func mailHandler(peer smtpd.Peer, env smtpd.Envelope) error {
 		peerIP = addr.IP.String()
 	}
 
-	log.Printf("new mail from=<%s> to=%s peer=[%s]\n", env.Sender,
+	logger := log.WithFields(logrus.Fields{
-		env.Recipients, peerIP)
+		"from": env.Sender,
+		"to": env.Recipients,
+		"peer": peerIP,
+		"host": *remoteHost,
+		"uuid": generateUUID(),
+	})
 
-	var auth smtp.Auth
+	if (*remoteHost == "") {
-	host, _, _ := net.SplitHostPort(*remoteHost)
+		logger.Warning("remote_host not set; discarding mail")
+		return nil
+	}
 
-	if *remoteUser != "" && *remotePass != "" {
+	logger.Info("delivering mail from peer using smarthost")
-		switch *remoteAuth {
-		case "plain":
-			auth = smtp.PlainAuth("", *remoteUser, *remotePass, host)
-		case "login":
-			auth = LoginAuth(*remoteUser, *remotePass)
-		default:
-			return smtpd.Error{Code: 530, Message: "Authentication method not supported"}
-		}
-	}
 
 	env.AddReceivedLine(peer)
 
-	log.Printf("delivering using smarthost %s\n", *remoteHost)
-
 	var sender string
 
 	if *remoteSender == "" {
@@ -181,21 +182,50 @@ func mailHandler(peer smtpd.Peer, env smtpd.Envelope) error {
 
 	err := SendMail(
 		*remoteHost,
-		auth,
+		remoteAuth,
 		sender,
 		env.Recipients,
 		env.Data,
 	)
 	if err != nil {
-		log.Printf("delivery failed: %v\n", err)
+		var smtpError smtpd.Error
-		return smtpd.Error{Code: 554, Message: "Forwarding failed"}
+
+		switch err.(type) {
+		case *textproto.Error:
+			err := err.(*textproto.Error)
+			smtpError = smtpd.Error{Code: err.Code, Message: err.Msg}
+
+			logger.WithFields(logrus.Fields{
+				"err_code": err.Code,
+				"err_msg": err.Msg,
+			}).Error("delivery failed")
+		default:
+			smtpError = smtpd.Error{Code: 554, Message: "Forwarding failed"}
+
+			logger.WithError(err).
+				Error("delivery failed")
 		}
 
-	log.Printf("%s delivery successful\n", env.Recipients)
+		return smtpError
+	}
 
+	logger.Debug("delivery successful")
 	return nil
 }
 
+func generateUUID() string {
+	uniqueID, err := uuid.NewRandom()
+
+	if err != nil {
+		log.WithError(err).
+			Error("could not generate UUIDv4")
+
+		return ""
+	}
+
+	return uniqueID.String()
+}
+
 func getTLSConfig() *tls.Config {
 	// Ciphersuites as defined in stock Go but without 3DES and RC4
 	// https://golang.org/src/crypto/tls/cipher_suites.go
@@ -214,12 +244,16 @@ func getTLSConfig() *tls.Config {
 	}
 
 	if *localCert == "" || *localKey == "" {
-		log.Fatal("TLS certificate/key not defined in config")
+		log.WithFields(logrus.Fields{
+			"cert_file": *localCert,
+			"key_file": *localKey,
+		}).Fatal("TLS certificate/key file not defined in config")
 	}
 
 	cert, err := tls.LoadX509KeyPair(*localCert, *localKey)
 	if err != nil {
-		log.Fatal(err)
+		log.WithField("error", err).
+			Fatal("cannot load X509 keypair")
 	}
 
 	return &tls.Config{
@@ -238,26 +272,25 @@ func main() {
 		os.Exit(0)
 	}
 
-	if *logFile != "" {
+	log.WithField("version", appVersion).
-		f, err := os.OpenFile(*logFile, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0600)
+		Debug("starting smtprelay")
-		if err != nil {
-			log.Fatalf("Error opening logfile: %v", err)
-		}
-		defer f.Close()
-
-		log.SetOutput(io.MultiWriter(os.Stdout, f))
-	}
 
 	// Load allowed users file
-	if *allowedUsers != "" {
+	if localAuthRequired() {
 		err := AuthLoadFile(*allowedUsers)
 		if err != nil {
-			log.Fatalf("Authentication file: %s\n", err)
+			log.WithField("file", *allowedUsers).
+				WithError(err).
+				Fatal("cannot load allowed users file")
 		}
 	}
 
+	var servers []*smtpd.Server
+
 	// Create a server for each desired listen address
-	for _, listenAddr := range strings.Split(*listen, " ") {
+	for _, listen := range listenAddrs {
+		logger := log.WithField("address", listen.address)
+
 		server := &smtpd.Server{
 			Hostname:          *hostName,
 			WelcomeMessage:    *welcomeMsg,
@@ -267,45 +300,79 @@ func main() {
 			Handler:           mailHandler,
 		}
 
-		if *allowedUsers != "" {
+		if localAuthRequired() {
 			server.Authenticator = authChecker
 		}
 
 		var lsnr net.Listener
 		var err error
 
-		if strings.Index(listenAddr, "://") == -1 {
+		switch listen.protocol {
-			log.Printf("Listen on %s ...\n", listenAddr)
+		case "":
-
+			logger.Info("listening on address")
-			lsnr, err = net.Listen("tcp", listenAddr)
+			lsnr, err = net.Listen("tcp", listen.address)
-		} else if strings.HasPrefix(listenAddr, "starttls://") {
-			listenAddr = strings.TrimPrefix(listenAddr, "starttls://")
 
+		case "starttls":
 			server.TLSConfig = getTLSConfig()
 			server.ForceTLS = *localForceTLS
 
-			log.Printf("Listen on %s (STARTTLS) ...\n", listenAddr)
+			logger.Info("listening on address (STARTTLS)")
-			lsnr, err = net.Listen("tcp", listenAddr)
+			lsnr, err = net.Listen("tcp", listen.address)
-		} else if strings.HasPrefix(listenAddr, "tls://") {
-			listenAddr = strings.TrimPrefix(listenAddr, "tls://")
 
+		case "tls":
 			server.TLSConfig = getTLSConfig()
 
-			log.Printf("Listen on %s (TLS) ...\n", listenAddr)
+			logger.Info("listening on address (TLS)")
-			lsnr, err = tls.Listen("tcp", listenAddr, server.TLSConfig)
+			lsnr, err = tls.Listen("tcp", listen.address, server.TLSConfig)
-		} else {
+
-			log.Fatal("Unknown protocol in listen address ", listenAddr)
+		default:
+			logger.WithField("protocol", listen.protocol).
+				Fatal("unknown protocol in listen address")
 		}
 
 		if err != nil {
-			log.Fatal(err)
+			logger.WithError(err).Fatal("error starting listener")
 		}
-		defer lsnr.Close()
+		servers = append(servers, server)
 
-		go server.Serve(lsnr)
+		go func() {
+			server.Serve(lsnr)
+		}()
 	}
 
-	for true {
+	handleSignals()
-		time.Sleep(time.Minute)
+
+	// First close the listeners
+	for _, server := range servers {
+		logger := log.WithField("address", server.Address())
+		logger.Debug("Shutting down server")
+		err := server.Shutdown(false)
+		if err != nil {
+			logger.WithError(err).
+				Warning("Shutdown failed")
 		}
 	}
+
+	// Then wait for the clients to exit
+	for _, server := range servers {
+		logger := log.WithField("address", server.Address())
+		logger.Debug("Waiting for server")
+		err := server.Wait()
+		if err != nil {
+			logger.WithError(err).
+				Warning("Wait failed")
+		}
+	}
+
+	log.Debug("done")
+}
+
+func handleSignals() {
+	// Wait for SIGINT, SIGQUIT, or SIGTERM
+	sigs := make(chan os.Signal, 1)
+	signal.Notify(sigs, syscall.SIGINT, syscall.SIGQUIT, syscall.SIGTERM)
+	sig := <-sigs
+
+	log.WithField("signal", sig).
+		Info("shutting down in response to received signal")
+}

smtp.go

@@ -242,7 +242,8 @@ func (c *Client) Auth(a smtp.Auth) error {
 
 // Mail issues a MAIL command to the server using the provided email address.
 // If the server supports the 8BITMIME extension, Mail adds the BODY=8BITMIME
-// parameter.
+// parameter. If the server supports the SMTPUTF8 extension, Mail adds the
+// SMTPUTF8 parameter.
 // This initiates a mail transaction and is followed by one or more Rcpt calls.
 func (c *Client) Mail(from string) error {
 	if err := validateLine(from); err != nil {
@@ -256,6 +257,9 @@ func (c *Client) Mail(from string) error {
 		if _, ok := c.ext["8BITMIME"]; ok {
 			cmdStr += " BODY=8BITMIME"
 		}
+		if _, ok := c.ext["SMTPUTF8"]; ok {
+			cmdStr += " SMTPUTF8"
+		}
 	}
 	_, _, err := c.cmd(250, cmdStr, from)
 	return err

smtprelay.ini

@@ -1,7 +1,13 @@
 ; smtprelay configuration
 
-; Logfile
+; Logfile (blank/default is stderr)
-;logfile = /var/log/smtprelay.log
+;logfile = 
+
+; Log format: default, plain (no timestamp), json
+;log_format = "default"
+
+; Log level: panic, fatal, error, warn, info, debug, trace
+;log_level = "info"
 
 ; Hostname for this SMTP server
 ;hostname = "localhost.localdomain"
@@ -25,13 +31,16 @@
 ;local_forcetls = false
 
 ; Networks that are allowed to send mails to us
-;allowed_nets = 127.0.0.1/8 ::1/128
+; Defaults to localhost. If set to "", then any address is allowed.
+;allowed_nets = 127.0.0.0/8 ::1/128
 
 ; Regular expression for valid FROM EMail addresses
+; If set to "", then any sender is permitted.
 ; Example: ^(.*)@localhost.localdomain$
 ;allowed_sender =
 
 ; Regular expression for valid TO EMail addresses
+; If set to "", then any recipient is permitted.
 ; Example: ^(.*)@localhost.localdomain$
 ;allowed_recipients =
 
@@ -47,7 +56,8 @@
 ;          E.g. "app@example.com,@appsrv.example.com"
 ;allowed_users =
 
-; Relay all mails to this SMTP server
+; Relay all mails to this SMTP server.
+; If not set, mails are discarded.
 
 ; GMail
 ;remote_host = smtp.gmail.com:587
@@ -63,8 +73,8 @@
 ;remote_pass =
 
 ; Authentication method on outgoing SMTP server
-; (plain, login)
+; (none, plain, login)
-;remote_auth = plain
+;remote_auth = none
 
 ; Sender e-mail address on outgoing SMTP server
 ;remote_sender =