build(deps): Bump golang.org/x/crypto from 0.52.0 to 0.53.0

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.52.0 to 0.53.0.
- [Commits](https://github.com/golang/crypto/compare/v0.52.0...v0.53.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/codeql-analysis.yml

@@ -1,55 +1,64 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
 name: "CodeQL"
 
 on:
   push:
-    branches: [master]
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [master]
   schedule:
     - cron: '0 15 * * 5'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
 
     strategy:
       fail-fast: false
       matrix:
-        # Override automatic language detection by changing the below list
-        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
-        language: ['go']
-        # Learn more...
-        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+        language: [ 'go' ]
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
+    - name: Harden Runner
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
       with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
+        egress-policy: audit
 
-    # If this run was triggered by a pull request event, then checkout
-    # the head of the pull request instead of the merge commit.
-    - run: git checkout HEAD^2
-      if: ${{ github.event_name == 'pull_request' }}
+    - name: Checkout repository
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file. 
+        # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -63,4 +72,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0

.github/workflows/go.yml

@@ -1,24 +1,26 @@
 name: Go
 on: [push, pull_request]
+permissions:
+  contents: read
+
 jobs:
 
   build:
     name: Build
     runs-on: ubuntu-latest
     steps:
-
-    - name: Set up Go 1.18
-      uses: actions/setup-go@v3
+    - name: Harden Runner
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
       with:
-        go-version: 1.18
-      id: go
+        egress-policy: audit
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Get dependencies
-      run: |
-        go get -v -t -d ./...
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      with:
+        go-version: 'stable'
 
     - name: Build
       run: go build -v .
+
+    - name: Test
+      run: go test -v .

.github/workflows/release.yaml

@@ -1,8 +1,17 @@
 name: Release Go Binaries
 
-on: 
+on:
   release:
     types: [created]
+  workflow_dispatch:
+    inputs:
+      release_tag:
+        description: 'Tag name to build (v1.3.1)'
+        required: false
+        default: ''
+
+# Declare default permissions as read only.
+permissions: read-all
 
 jobs:
   releases-matrix:
@@ -12,19 +21,43 @@ jobs:
       matrix:
         goos: [freebsd, linux, windows]
         goarch: [amd64, arm64]
+    permissions:
+        contents: write
+        packages: write
+
     steps:
-    - uses: actions/checkout@v3
-    
+    - name: Harden Runner
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+      with:
+        egress-policy: audit
+
+    - name: Determine ref to checkout
+      run: |
+        # If manually invoked with a release_tag input, use refs/tags/<release_tag>.
+        if [ "${{ github.event_name }}" = "workflow_dispatch" ] && [ -n "${{ github.event.inputs.release_tag }}" ]; then
+          echo "REF=refs/tags/${{ github.event.inputs.release_tag }}" >> $GITHUB_ENV
+        else
+          # For release events GITHUB_REF is already refs/tags/<tag>; otherwise fall back to the incoming ref.
+          echo "REF=${GITHUB_REF}" >> $GITHUB_ENV
+        fi
+
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      with:
+        ref: ${{ env.REF }}
+
     - name: Set APP_VERSION env
-      run: echo APP_VERSION=$(echo ${GITHUB_REF} | rev | cut -d'/' -f 1 | rev ) >> ${GITHUB_ENV}
+      run: |
+        # basename strips refs/... and yields the tag or branch name
+        echo "APP_VERSION=$(basename ${REF})" >> $GITHUB_ENV
+
     - name: Set BUILD_TIME env
       run: echo BUILD_TIME=$(date) >> ${GITHUB_ENV}
       
-    - uses: wangyoucao577/go-release-action@v1.28
+    - uses: wangyoucao577/go-release-action@279495102627de7960cbc33434ab01a12bae144b # v1.55
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         goos: ${{ matrix.goos }}
         goarch: ${{ matrix.goarch }}
-        goversion: 1.18
         extra_files: LICENSE README.md smtprelay.ini
         ldflags: -s -w -X "main.appVersion=${{ env.APP_VERSION }}" -X "main.buildTime=${{ env.BUILD_TIME }}"
+        release_tag: ${{ env.APP_VERSION }}

.github/workflows/scorecards.yml

@@ -0,0 +1,81 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '20 7 * * 2'
+  push:
+    branches: ["master"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      contents: read
+      actions: read
+      # To allow GraphQL ListCommits to work
+      issues: read
+      pull-requests: read
+      # To detect SAST tools
+      checks: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
+      - name: "Checkout code"
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+        with:
+          sarif_file: results.sarif

README.md

@@ -1,6 +1,7 @@
 # smtprelay
 
 [![Go Report Card](https://goreportcard.com/badge/github.com/decke/smtprelay)](https://goreportcard.com/report/github.com/decke/smtprelay)
+[![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/decke/smtprelay?label=openssf%20scorecard&style=flat)](https://scorecard.dev/viewer/?uri=github.com/decke/smtprelay)
 
 Simple Golang based SMTP relay/proxy server that accepts mail via SMTP
 and forwards it directly to another SMTP server.
@@ -22,6 +23,7 @@ device which produces mail.
 
 ## Main features
 
+* Simple configuration with ini file .env file or environment variables
 * Supports SMTPS/TLS (465), STARTTLS (587) and unencrypted SMTP (25)
 * Checks for sender, receiver, client IP
 * Authentication support with file (LOGIN, PLAIN)
@@ -29,3 +31,4 @@ device which produces mail.
 * Forwards all mail to a smarthost (any SMTP server)
 * Small codebase
 * IPv6 support
+* Aliases support (dynamic reload when alias file changes)

SECURITY.md

@@ -0,0 +1,51 @@
+# smtprelay Security Policy
+
+This document outlines security procedures and general policies for the
+smtprelay project.
+
+## Supported Versions
+
+The latest release is the only supported release.
+
+
+## Disclosing a security issue
+
+The smtprelay maintainers take all security issues in the project seriously.
+Thank you for improving the security of the project! We appreciate your
+dedication to responsible disclosure and will make every effort to acknowledge
+your contributions.
+
+smtprelay leverages GitHub's private vulnerability reporting.
+
+To learn more about this feature and how to submit a vulnerability report,
+review [GitHub's documentation on private reporting](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability).
+
+Here are some helpful details to include in your report:
+
+- a detailed description of the issue
+- the steps required to reproduce the issue
+- versions of the project that may be affected by the issue
+- if known, any mitigations for the issue
+
+A maintainer will acknowledge the report within three (3) business days, and
+will send a more detailed response within an additional three (3) business days
+indicating the next steps in handling your report.
+
+After the initial reply to your report, the maintainers will endeavor to keep
+you informed of the progress towards a fix and full announcement, and may ask
+for additional information or guidance.
+
+## Vulnerability management
+
+When the maintainers receive a disclosure report, they will coordinate the
+fix and release process, which involves the following steps:
+
+- confirming the issue
+- determining affected versions of the project
+- auditing code to find any potential similar problems
+- preparing fixes for all releases under maintenance
+
+## Suggesting changes
+
+If you have suggestions on how this process could be improved please submit an
+issue or pull request.

aliases.go

@@ -0,0 +1,72 @@
+package main
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"strings"
+	"sync"
+)
+
+type AliasMap map[string]string
+
+var (
+	aliasesMutex sync.RWMutex
+)
+
+func AliasLoadFile(file string) (AliasMap, error) {
+	aliasMap := make(AliasMap)
+	count := 0
+	log.Info().
+		Str("file", file).
+		Msg("Loading aliases file")
+
+	f, err := os.Open(file)
+	if err != nil {
+		log.Fatal().
+			Str("file", file).
+			Err(err).
+			Msg("cannot load aliases file")
+	}
+	defer f.Close()
+
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+		if line == "" {
+			continue
+		}
+
+		parts := strings.Fields(line)
+		if len(parts) >= 2 {
+			aliasMap[parts[0]] = parts[1]
+			count++
+		}
+	}
+	log.Info().
+		Str("file", file).
+		Msg(fmt.Sprintf("Loaded %d aliases from file", count))
+
+	if err := scanner.Err(); err != nil {
+		log.Fatal().
+			Str("file", file).
+			Err(err).
+			Msg("cannot load aliases file")
+	}
+	return aliasMap, nil
+}
+
+func LoadAliases(filename string) error {
+	newAliases, err := AliasLoadFile(filename)
+	if err != nil {
+		return err
+	}
+
+	aliasesMutex.Lock()
+	defer aliasesMutex.Unlock()
+
+	// Update the aliases map
+	aliasesList = newAliases
+
+	return nil
+}

aliases_test.go

@@ -0,0 +1,315 @@
+package main
+
+import (
+	"io"
+	"os"
+	"testing"
+
+	"github.com/rs/zerolog"
+)
+
+func init() {
+	// Initialize logger for tests to prevent nil pointer dereference
+	logger := zerolog.New(io.Discard).With().Timestamp().Logger()
+	log = &logger
+}
+func TestAliasLoadFile(t *testing.T) {
+	tests := []struct {
+		name        string
+		content     string
+		expected    AliasMap
+		expectError bool
+	}{
+		{
+			name:    "valid aliases",
+			content: "user1 alias1\nuser2 alias2\nuser3 alias3",
+			expected: AliasMap{
+				"user1": "alias1",
+				"user2": "alias2",
+				"user3": "alias3",
+			},
+			expectError: false,
+		},
+		{
+			name:        "empty file",
+			content:     "",
+			expected:    AliasMap{},
+			expectError: false,
+		},
+		{
+			name:    "file with empty lines",
+			content: "user1 alias1\n\nuser2 alias2\n\n",
+			expected: AliasMap{
+				"user1": "alias1",
+				"user2": "alias2",
+			},
+			expectError: false,
+		},
+		{
+			name:    "file with whitespace",
+			content: "  user1   alias1  \n\t user2\talias2\t",
+			expected: AliasMap{
+				"user1": "alias1",
+				"user2": "alias2",
+			},
+			expectError: false,
+		},
+		{
+			name:    "extra fields ignored",
+			content: "user1 alias1 extra field\nuser2 alias2",
+			expected: AliasMap{
+				"user1": "alias1",
+				"user2": "alias2",
+			},
+			expectError: false,
+		},
+		{
+			name:        "single field line ignored",
+			content:     "user1\nuser2 alias2",
+			expected:    AliasMap{"user2": "alias2"},
+			expectError: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tmpFile, err := os.CreateTemp("", "aliases-*.txt")
+			if err != nil {
+				t.Fatalf("failed to create temp file: %v", err)
+			}
+			defer os.Remove(tmpFile.Name())
+
+			if _, err := tmpFile.WriteString(tt.content); err != nil {
+				t.Fatalf("failed to write to temp file: %v", err)
+			}
+			tmpFile.Close()
+
+			result, err := AliasLoadFile(tmpFile.Name())
+
+			if tt.expectError && err == nil {
+				t.Error("expected error but got none")
+			}
+			if !tt.expectError && err != nil {
+				t.Errorf("unexpected error: %v", err)
+			}
+
+			if len(result) != len(tt.expected) {
+				t.Errorf("expected %d aliases, got %d", len(tt.expected), len(result))
+			}
+
+			for key, expectedValue := range tt.expected {
+				if actualValue, exists := result[key]; !exists {
+					t.Errorf("expected key %q not found", key)
+				} else if actualValue != expectedValue {
+					t.Errorf("for key %q: expected %q, got %q", key, expectedValue, actualValue)
+				}
+			}
+		})
+	}
+}
+
+func TestLoadAliases(t *testing.T) {
+	tmpFile, err := os.CreateTemp("", "aliases-*.txt")
+	if err != nil {
+		t.Fatalf("failed to create temp file: %v", err)
+	}
+	defer os.Remove(tmpFile.Name())
+
+	content := "user1 alias1\nuser2 alias2"
+	if _, err := tmpFile.WriteString(content); err != nil {
+		t.Fatalf("failed to write to temp file: %v", err)
+	}
+	tmpFile.Close()
+
+	err = LoadAliases(tmpFile.Name())
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	aliasesMutex.RLock()
+	defer aliasesMutex.RUnlock()
+
+	if len(aliasesList) != 2 {
+		t.Errorf("expected 2 aliases, got %d", len(aliasesList))
+	}
+
+	if aliasesList["user1"] != "alias1" {
+		t.Errorf("expected user1 -> alias1, got %q", aliasesList["user1"])
+	}
+	if aliasesList["user2"] != "alias2" {
+		t.Errorf("expected user2 -> alias2, got %q", aliasesList["user2"])
+	}
+}
+
+func TestLoadAliases_EmptyFile(t *testing.T) {
+	tmpFile, err := os.CreateTemp("", "aliases-*.txt")
+	if err != nil {
+		t.Fatalf("failed to create temp file: %v", err)
+	}
+	defer os.Remove(tmpFile.Name())
+	tmpFile.Close()
+
+	err = LoadAliases(tmpFile.Name())
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	aliasesMutex.RLock()
+	defer aliasesMutex.RUnlock()
+
+	if len(aliasesList) != 0 {
+		t.Errorf("expected 0 aliases, got %d", len(aliasesList))
+	}
+}
+
+func TestLoadAliases_UpdatesExistingAliases(t *testing.T) {
+	// First load
+	tmpFile1, err := os.CreateTemp("", "aliases-*.txt")
+	if err != nil {
+		t.Fatalf("failed to create temp file: %v", err)
+	}
+	defer os.Remove(tmpFile1.Name())
+
+	content1 := "user1 alias1\nuser2 alias2"
+	if _, err := tmpFile1.WriteString(content1); err != nil {
+		t.Fatalf("failed to write to temp file: %v", err)
+	}
+	tmpFile1.Close()
+
+	err = LoadAliases(tmpFile1.Name())
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	// Second load with different content
+	tmpFile2, err := os.CreateTemp("", "aliases-*.txt")
+	if err != nil {
+		t.Fatalf("failed to create temp file: %v", err)
+	}
+	defer os.Remove(tmpFile2.Name())
+
+	content2 := "user3 alias3"
+	if _, err := tmpFile2.WriteString(content2); err != nil {
+		t.Fatalf("failed to write to temp file: %v", err)
+	}
+	tmpFile2.Close()
+
+	err = LoadAliases(tmpFile2.Name())
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	aliasesMutex.RLock()
+	defer aliasesMutex.RUnlock()
+
+	if len(aliasesList) != 1 {
+		t.Errorf("expected 1 alias after reload, got %d", len(aliasesList))
+	}
+
+	if aliasesList["user3"] != "alias3" {
+		t.Errorf("expected user3 -> alias3, got %q", aliasesList["user3"])
+	}
+
+	if _, exists := aliasesList["user1"]; exists {
+		t.Error("expected user1 to be removed after reload")
+	}
+}
+
+func TestAliasLoadFile_MultipleSpaces(t *testing.T) {
+	tmpFile, err := os.CreateTemp("", "aliases-*.txt")
+	if err != nil {
+		t.Fatalf("failed to create temp file: %v", err)
+	}
+	defer os.Remove(tmpFile.Name())
+
+	content := "user1     alias1\nuser2          alias2"
+	if _, err := tmpFile.WriteString(content); err != nil {
+		t.Fatalf("failed to write to temp file: %v", err)
+	}
+	tmpFile.Close()
+
+	result, err := AliasLoadFile(tmpFile.Name())
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	if result["user1"] != "alias1" {
+		t.Errorf("expected user1 -> alias1, got %q", result["user1"])
+	}
+	if result["user2"] != "alias2" {
+		t.Errorf("expected user2 -> alias2, got %q", result["user2"])
+	}
+}
+
+func TestAliasLoadFile_TabSeparated(t *testing.T) {
+	tmpFile, err := os.CreateTemp("", "aliases-*.txt")
+	if err != nil {
+		t.Fatalf("failed to create temp file: %v", err)
+	}
+	defer os.Remove(tmpFile.Name())
+
+	content := "user1\talias1\nuser2\t\talias2"
+	if _, err := tmpFile.WriteString(content); err != nil {
+		t.Fatalf("failed to write to temp file: %v", err)
+	}
+	tmpFile.Close()
+
+	result, err := AliasLoadFile(tmpFile.Name())
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	if len(result) != 2 {
+		t.Errorf("expected 2 aliases, got %d", len(result))
+	}
+}
+
+func TestAliasLoadFile_DuplicateKeys(t *testing.T) {
+	tmpFile, err := os.CreateTemp("", "aliases-*.txt")
+	if err != nil {
+		t.Fatalf("failed to create temp file: %v", err)
+	}
+	defer os.Remove(tmpFile.Name())
+
+	content := "user1 alias1\nuser1 alias2\nuser1 alias3"
+	if _, err := tmpFile.WriteString(content); err != nil {
+		t.Fatalf("failed to write to temp file: %v", err)
+	}
+	tmpFile.Close()
+
+	result, err := AliasLoadFile(tmpFile.Name())
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	if len(result) != 1 {
+		t.Errorf("expected 1 alias (last one wins), got %d", len(result))
+	}
+
+	if result["user1"] != "alias3" {
+		t.Errorf("expected user1 -> alias3 (last one), got %q", result["user1"])
+	}
+}
+
+func TestAliasLoadFile_OnlyWhitespace(t *testing.T) {
+	tmpFile, err := os.CreateTemp("", "aliases-*.txt")
+	if err != nil {
+		t.Fatalf("failed to create temp file: %v", err)
+	}
+	defer os.Remove(tmpFile.Name())
+
+	content := "   \n\t\t\n  \t  \n"
+	if _, err := tmpFile.WriteString(content); err != nil {
+		t.Fatalf("failed to write to temp file: %v", err)
+	}
+	tmpFile.Close()
+
+	result, err := AliasLoadFile(tmpFile.Name())
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	if len(result) != 0 {
+		t.Errorf("expected 0 aliases, got %d", len(result))
+	}
+}

cmd/README.md

@@ -1,6 +0,0 @@
-
-To run the hasher, do like this
-
-```bash
-$ go run hasher.go hunter2
-```

cmd/hasher.go

@@ -1,22 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"os"
-
-	"golang.org/x/crypto/bcrypt"
-)
-
-func main() {
-	if len(os.Args) != 2 {
-		fmt.Fprintln(os.Stderr, "Usage: hasher PASSWORD")
-		os.Exit(1)
-	}
-	password := os.Args[1]
-
-	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
-	if err != nil {
-		fmt.Fprintln(os.Stderr, "Error generating hash: %s", err)
-	}
-	fmt.Println(string(hash))
-}

config.go

@@ -1,15 +1,17 @@
 package main
 
 import (
+	"bufio"
 	"flag"
 	"fmt"
+	"io"
 	"net"
+	"os"
 	"regexp"
 	"strings"
 	"time"
 
-	"github.com/sirupsen/logrus"
-	"github.com/vharitonsky/iniflags"
+	"github.com/peterbourgon/ff/v3"
 )
 
 var (
@@ -18,58 +20,116 @@ var (
 )
 
 var (
-	logFile           = flag.String("logfile", "", "Path to logfile")
-	logFormat         = flag.String("log_format", "default", "Log output format")
-	logLevel          = flag.String("log_level", "info", "Minimum log level to output")
-	hostName          = flag.String("hostname", "localhost.localdomain", "Server hostname")
-	welcomeMsg        = flag.String("welcome_msg", "", "Welcome message for SMTP session")
-	listenStr         = flag.String("listen", "127.0.0.1:25 [::1]:25", "Address and port to listen for incoming SMTP")
+	flagset = flag.NewFlagSet("smtprelay", flag.ContinueOnError)
+
+	// config flags
+	logFile          = flagset.String("logfile", "", "Path to logfile")
+	logFormat        = flagset.String("log_format", "default", "Log output format")
+	logLevel         = flagset.String("log_level", "info", "Minimum log level to output")
+	hostName         = flagset.String("hostname", "localhost.localdomain", "Server hostname")
+	welcomeMsg       = flagset.String("welcome_msg", "", "Welcome message for SMTP session")
+	listenStr        = flagset.String("listen", "127.0.0.1:25 [::1]:25", "Address and port to listen for incoming SMTP")
+	localCert        = flagset.String("local_cert", "", "SSL certificate for STARTTLS/TLS")
+	localKey         = flagset.String("local_key", "", "SSL private key for STARTTLS/TLS")
+	tlsProfile       = flagset.String("tls_profile", "default", "TLS profile: modern | intermediate | default | legacy")
+	localForceTLS    = flagset.Bool("local_forcetls", false, "Force STARTTLS (needs local_cert and local_key)")
+	readTimeoutStr   = flagset.String("read_timeout", "60s", "Socket timeout for read operations")
+	writeTimeoutStr  = flagset.String("write_timeout", "60s", "Socket timeout for write operations")
+	dataTimeoutStr   = flagset.String("data_timeout", "5m", "Socket timeout for DATA command")
+	maxConnections   = flagset.Int("max_connections", 100, "Max concurrent connections, use -1 to disable")
+	maxMessageSize   = flagset.Int("max_message_size", 10240000, "Max message size in bytes")
+	maxRecipients    = flagset.Int("max_recipients", 100, "Max RCPT TO calls for each envelope")
+	allowedNetsStr   = flagset.String("allowed_nets", "127.0.0.0/8 ::1/128", "Networks allowed to send mails")
+	allowedSenderStr = flagset.String("allowed_sender", "", "Regular expression for valid FROM EMail addresses")
+	allowedRecipStr  = flagset.String("allowed_recipients", "", "Regular expression for valid TO EMail addresses")
+	allowedUsers     = flagset.String("allowed_users", "", "Path to file with valid users/passwords")
+	aliasFile        = flagset.String("aliases_file", "", "Path to aliases file")
+	command          = flagset.String("command", "", "Path to pipe command")
+	remotesStr       = flagset.String("remotes", "", "Outgoing SMTP servers")
+	strictSender     = flagset.Bool("strict_sender", false, "Use only SMTP servers with Sender matches to From")
+	remoteCert       = flagset.String("remote_certificate", "", "Client SSL certificate for remote STARTTLS/TLS")
+	remoteKey        = flagset.String("remote_key", "", "Client SSL private key for remote STARTTLS/TLS")
+
+	// additional flags
+	_           = flagset.String("config", "", "Path to config file (ini format)")
+	versionInfo = flagset.Bool("version", false, "Show version information")
+
+	// internal
 	listenAddrs       = []protoAddr{}
-	localCert         = flag.String("local_cert", "", "SSL certificate for STARTTLS/TLS")
-	localKey          = flag.String("local_key", "", "SSL private key for STARTTLS/TLS")
-	localForceTLS     = flag.Bool("local_forcetls", false, "Force STARTTLS (needs local_cert and local_key)")
-	readTimeoutStr    = flag.String("read_timeout", "60s", "Socket timeout for read operations")
 	readTimeout       time.Duration
-	writeTimeoutStr   = flag.String("write_timeout", "60s", "Socket timeout for write operations")
 	writeTimeout      time.Duration
-	dataTimeoutStr    = flag.String("data_timeout", "5m", "Socket timeout for DATA command")
 	dataTimeout       time.Duration
-	maxConnections    = flag.Int("max_connections", 100, "Max concurrent connections, use -1 to disable")
-	maxMessageSize    = flag.Int("max_message_size", 10240000, "Max message size in bytes")
-	maxRecipients     = flag.Int("max_recipients", 100, "Max RCPT TO calls for each envelope")
-	allowedNetsStr    = flag.String("allowed_nets", "127.0.0.0/8 ::1/128", "Networks allowed to send mails")
 	allowedNets       = []*net.IPNet{}
-	allowedSenderStr  = flag.String("allowed_sender", "", "Regular expression for valid FROM EMail addresses")
 	allowedSender     *regexp.Regexp
-	allowedRecipStr   = flag.String("allowed_recipients", "", "Regular expression for valid TO EMail addresses")
 	allowedRecipients *regexp.Regexp
-	allowedUsers      = flag.String("allowed_users", "", "Path to file with valid users/passwords")
-	command           = flag.String("command", "", "Path to pipe command")
-	remotesStr        = flag.String("remotes", "", "Outgoing SMTP servers")
 	remotes           = []*Remote{}
-	versionInfo       = flag.Bool("version", false, "Show version information")
+	aliasesList       = AliasMap{}
 )
 
 func localAuthRequired() bool {
 	return *allowedUsers != ""
 }
 
+func remoteCertAndKeyReadable() bool {
+	certSet := *remoteCert != ""
+	keySet := *remoteKey != ""
+	
+	// Both must be set or both must be unset
+	if certSet != keySet {
+		return false
+	}
+	
+	// If both are set, verify files exist and are accessible
+	if certSet && keySet {
+		if _, err := os.Stat(*remoteCert); err != nil {
+			log.Error().
+				Str("cert", *remoteCert).
+				Err(err).
+				Msg("cannot access remote client certificate file")
+			return false
+		}
+		if _, err := os.Stat(*remoteKey); err != nil {
+			log.Error().
+				Str("key", *remoteKey).
+				Err(err).
+				Msg("cannot access remote client key file")
+			return false
+		}
+	}
+	
+	return true
+}
+
+func setupAliases() {
+	if *aliasFile != "" {
+		aliases, err := AliasLoadFile(*aliasFile)
+		if err != nil {
+			log.Fatal().
+				Str("file", *aliasFile).
+				Err(err).
+				Msg("cannot load aliases file")
+		}
+		aliasesList = aliases
+	}
+}
+
 func setupAllowedNetworks() {
 	for _, netstr := range splitstr(*allowedNetsStr, ' ') {
 		baseIP, allowedNet, err := net.ParseCIDR(netstr)
 		if err != nil {
-			log.WithField("netstr", netstr).
-				WithError(err).
-				Fatal("Invalid CIDR notation in allowed_nets")
+			log.Fatal().
+				Str("netstr", netstr).
+				Err(err).
+				Msg("Invalid CIDR notation in allowed_nets")
 		}
 
 		// Reject any network specification where any host bits are set,
 		// meaning the address refers to a host and not a network.
 		if !allowedNet.IP.Equal(baseIP) {
-			log.WithFields(logrus.Fields{
-				"given_net":  netstr,
-				"proper_net": allowedNet,
-			}).Fatal("Invalid network in allowed_nets (host bits set)")
+			log.Fatal().
+				Str("given_net", netstr).
+				Str("proper_net", allowedNet.String()).
+				Msg("Invalid network in allowed_nets (host bits set)")
 		}
 
 		allowedNets = append(allowedNets, allowedNet)
@@ -82,30 +142,37 @@ func setupAllowedPatterns() {
 	if *allowedSenderStr != "" {
 		allowedSender, err = regexp.Compile(*allowedSenderStr)
 		if err != nil {
-			log.WithField("allowed_sender", *allowedSenderStr).
-				WithError(err).
-				Fatal("allowed_sender pattern invalid")
+			log.Fatal().
+				Str("allowed_sender", *allowedSenderStr).
+				Err(err).
+				Msg("allowed_sender pattern invalid")
 		}
 	}
 
 	if *allowedRecipStr != "" {
 		allowedRecipients, err = regexp.Compile(*allowedRecipStr)
 		if err != nil {
-			log.WithField("allowed_recipients", *allowedRecipStr).
-				WithError(err).
-				Fatal("allowed_recipients pattern invalid")
+			log.Fatal().
+				Str("allowed_recipients", *allowedRecipStr).
+				Err(err).
+				Msg("allowed_recipients pattern invalid")
 		}
 	}
 }
 
 func setupRemotes() {
-	logger := log.WithField("remotes", *remotesStr)
+	logger := log.With().Str("remotes", *remotesStr).Logger()
 
 	if *remotesStr != "" {
 		for _, remoteURL := range strings.Split(*remotesStr, " ") {
 			r, err := ParseRemote(remoteURL)
 			if err != nil {
-				logger.Fatal(fmt.Sprintf("error parsing url: '%s': %v", remoteURL, err))
+				logger.Fatal().Msg(fmt.Sprintf("error parsing url: '%s': %v", remoteURL, err))
+			}
+
+			if *remoteCert != "" && *remoteKey != "" && (r.Scheme == "smtps" || r.Scheme == "starttls") {
+				r.ClientCertPath = *remoteCert
+				r.ClientKeyPath = *remoteKey
 			}
 
 			remotes = append(remotes, r)
@@ -136,8 +203,9 @@ func setupListeners() {
 		pa := splitProto(listenAddr)
 
 		if localAuthRequired() && pa.protocol == "" {
-			log.WithField("address", pa.address).
-				Fatal("Local authentication (via allowed_users file) " +
+			log.Fatal().
+				Str("address", pa.address).
+				Msg("Local authentication (via allowed_users file) " +
 					"not allowed with non-TLS listener")
 		}
 
@@ -150,51 +218,129 @@ func setupTimeouts() {
 
 	readTimeout, err = time.ParseDuration(*readTimeoutStr)
 	if err != nil {
-		log.WithField("read_timeout", *readTimeoutStr).
-			WithError(err).
-			Fatal("read_timeout duration string invalid")
+		log.Fatal().
+			Str("read_timeout", *readTimeoutStr).
+			Err(err).
+			Msg("read_timeout duration string invalid")
 	}
 	if readTimeout.Seconds() < 1 {
-		log.WithField("read_timeout", *readTimeoutStr).
-			Fatal("read_timeout less than one second")
+		log.Fatal().
+			Str("read_timeout", *readTimeoutStr).
+			Msg("read_timeout less than one second")
 	}
 
 	writeTimeout, err = time.ParseDuration(*writeTimeoutStr)
 	if err != nil {
-		log.WithField("write_timeout", *writeTimeoutStr).
-			WithError(err).
-			Fatal("write_timeout duration string invalid")
+		log.Fatal().
+			Str("write_timeout", *writeTimeoutStr).
+			Err(err).
+			Msg("write_timeout duration string invalid")
 	}
 	if writeTimeout.Seconds() < 1 {
-		log.WithField("write_timeout", *writeTimeoutStr).
-			Fatal("write_timeout less than one second")
+		log.Fatal().
+			Str("write_timeout", *writeTimeoutStr).
+			Msg("write_timeout less than one second")
 	}
 
 	dataTimeout, err = time.ParseDuration(*dataTimeoutStr)
 	if err != nil {
-		log.WithField("data_timeout", *dataTimeoutStr).
-			WithError(err).
-			Fatal("data_timeout duration string invalid")
+		log.Fatal().
+			Str("data_timeout", *dataTimeoutStr).
+			Err(err).
+			Msg("data_timeout duration string invalid")
 	}
 	if dataTimeout.Seconds() < 1 {
-		log.WithField("data_timeout", *dataTimeoutStr).
-			Fatal("data_timeout less than one second")
+		log.Fatal().
+			Str("data_timeout", *dataTimeoutStr).
+			Msg("data_timeout less than one second")
 	}
 }
 
 func ConfigLoad() {
-	iniflags.Parse()
+	// use .env file if it exists
+	if _, err := os.Stat(".env"); err == nil {
+		if err := ff.Parse(flagset, os.Args[1:],
+			ff.WithEnvVarPrefix("smtprelay"),
+			ff.WithConfigFile(".env"),
+			ff.WithConfigFileParser(ff.EnvParser),
+		); err != nil {
+			fmt.Fprintf(os.Stderr, "error: %v\n", err)
+			os.Exit(1)
+		}
+	} else {
+		// use env variables and smtprelay.ini file
+		if err := ff.Parse(flagset, os.Args[1:],
+			ff.WithEnvVarPrefix("smtprelay"),
+			ff.WithConfigFileFlag("config"),
+			ff.WithConfigFileParser(IniParser),
+		); err != nil {
+			fmt.Fprintf(os.Stderr, "error: %v\n", err)
+			os.Exit(1)
+		}
+	}
 
 	// Set up logging as soon as possible
 	setupLogger()
 
+	if *versionInfo {
+		fmt.Printf("smtprelay/%s (%s)\n", appVersion, buildTime)
+		os.Exit(0)
+	}
+
 	if *remotesStr == "" && *command == "" {
-		log.Warn("no remotes or command set; mail will not be forwarded!")
+		log.Warn().Msg("no remotes or command set; mail will not be forwarded!")
+	}
+
+	if !remoteCertAndKeyReadable() {
+		log.Fatal().
+			Str("remote_certificate", *remoteCert).
+			Str("remote_key", *remoteKey).
+			Msg("remote_certificate and remote_key must both be set or both be empty")
 	}
 
 	setupAllowedNetworks()
 	setupAllowedPatterns()
+	setupAliases()
 	setupRemotes()
 	setupListeners()
 	setupTimeouts()
 }
+
+// IniParser is a parser for config files in classic key/value style format. Each
+// line is tokenized as a single key/value pair. The first "=" delimited
+// token in the line is interpreted as the flag name, and all remaining tokens
+// are interpreted as the value. Any leading hyphens on the flag name are
+// ignored.
+func IniParser(r io.Reader, set func(name, value string) error) error {
+	s := bufio.NewScanner(r)
+	for s.Scan() {
+		line := strings.TrimSpace(s.Text())
+		if line == "" {
+			continue // skip empties
+		}
+
+		if line[0] == '#' || line[0] == ';' {
+			continue // skip comments
+		}
+
+		var (
+			name  string
+			value string
+			index = strings.IndexRune(line, '=')
+		)
+		if index < 0 {
+			name, value = line, "true" // boolean option
+		} else {
+			name, value = strings.TrimSpace(line[:index]), strings.Trim(strings.TrimSpace(line[index+1:]), "\"")
+		}
+
+		if i := strings.Index(value, " #"); i >= 0 {
+			value = strings.TrimSpace(value[:i])
+		}
+
+		if err := set(name, value); err != nil {
+			return err
+		}
+	}
+	return nil
+}

go.mod

@@ -1,19 +1,24 @@
 module github.com/decke/smtprelay
 
 require (
-	github.com/chrj/smtpd v0.3.1
-	github.com/google/uuid v1.3.0
-	github.com/sirupsen/logrus v1.8.1
-	github.com/stretchr/testify v1.7.1
-	github.com/vharitonsky/iniflags v0.0.0-20180513140207-a33cd0b5f3de
-	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4
+	github.com/DeRuina/timberjack v1.4.5
+	github.com/chrj/smtpd v1.0.0
+	github.com/fsnotify/fsnotify v1.10.1
+	github.com/google/uuid v1.6.0
+	github.com/peterbourgon/ff/v3 v3.4.0
+	github.com/rs/zerolog v1.35.1
+	github.com/stretchr/testify v1.11.1
+	golang.org/x/crypto v0.53.0
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/klauspost/compress v1.18.4 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/sys v0.0.0-20220422013727-9388b58f7150 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
+	golang.org/x/sys v0.46.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
-go 1.18
+go 1.25.0

go.sum

@@ -1,26 +1,35 @@
-github.com/chrj/smtpd v0.3.1 h1:kogHFkbFdKaoH3bgZkqNC9uVtKYOFfM3uV3rroBdooE=
-github.com/chrj/smtpd v0.3.1/go.mod h1:JtABvV/LzvLmEIzy0NyDnrfMGOMd8wy5frAokwf6J9Q=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/DeRuina/timberjack v1.4.5 h1:F/kms5MPNAXUeWdOILt5ALC6iDHWNRPevaeIVH7tqYU=
+github.com/DeRuina/timberjack v1.4.5/go.mod h1:RLoeQrwrCGIEF8gO5nV5b/gMD0QIy7bzQhBUgpp1EqE=
+github.com/chrj/smtpd v1.0.0 h1:jChSfLzAhrSxTky0EZ6oW+UKiqdnepdknWYRkPeA+ZE=
+github.com/chrj/smtpd v1.0.0/go.mod h1:zEP61gNDlWp/jdUqBcq/ykIbgOERyRvwfMsRLl3h9gM=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
+github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
+github.com/fsnotify/fsnotify v1.10.1 h1:b0/UzAf9yR5rhf3RPm9gf3ehBPpf0oZKIjtpKrx59Ho=
+github.com/fsnotify/fsnotify v1.10.1/go.mod h1:TLheqan6HD6GBK6PrDWyDPBaEV8LspOxvPSjC+bVfgo=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=
+github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/peterbourgon/ff/v3 v3.4.0 h1:QBvM/rizZM1cB0p0lGMdmR7HxZeI/ZrBWB4DqLkMUBc=
+github.com/peterbourgon/ff/v3 v3.4.0/go.mod h1:zjJVUhx+twciwfDl0zBcFzl4dW8axCRyXE/eKY9RztQ=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
-github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/vharitonsky/iniflags v0.0.0-20180513140207-a33cd0b5f3de h1:fkw+7JkxF3U1GzQoX9h69Wvtvxajo5Rbzy6+YMMzPIg=
-github.com/vharitonsky/iniflags v0.0.0-20180513140207-a33cd0b5f3de/go.mod h1:irMhzlTz8+fVFj6CH2AN2i+WI5S6wWFtK3MBCIxIpyI=
-golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 h1:kUhD7nTDoI3fVd9G4ORWrbV5NY0liEs/Jg2pv5f+bBA=
-golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20220422013727-9388b58f7150 h1:xHms4gcpe1YE7A3yIllJXP16CMAGuqwO2lX1mTyyRRc=
-golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+github.com/rs/zerolog v1.35.1 h1:m7xQeoiLIiV0BCEY4Hs+j2NG4Gp2o2KPKmhnnLiazKI=
+github.com/rs/zerolog v1.35.1/go.mod h1:EjML9kdfa/RMA7h/6z6pYmq1ykOuA8/mjWaEvGI+jcw=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+golang.org/x/crypto v0.53.0 h1:QZ4Muo8THX6CizN2vPPd5fBGHyogrdK9fG4wLPFUsto=
+golang.org/x/crypto v0.53.0/go.mod h1:DNLU434OwVakk9PzuwV8w62mAJpRJL3vsgcfp4Qnsio=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
+golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

logger.go

@@ -2,59 +2,84 @@ package main
 
 import (
 	"fmt"
+	"io"
 	"os"
+	"strings"
 	"time"
 
-	"github.com/sirupsen/logrus"
+	"github.com/DeRuina/timberjack"
+	"github.com/rs/zerolog"
 )
 
 var (
-	log *logrus.Logger
+	rotator *timberjack.Logger
+	log     *zerolog.Logger
 )
 
 func setupLogger() {
-	log = logrus.New()
+	zerolog.TimeFieldFormat = time.RFC3339
 
 	// Handle logfile
+	var writer io.Writer
 	if *logFile == "" {
-		log.SetOutput(os.Stderr)
+		writer = os.Stderr
 	} else {
-		writer, err := os.OpenFile(*logFile, os.O_CREATE|os.O_RDWR|os.O_APPEND, 0600)
-		if err != nil {
-			fmt.Printf("cannot open log file: %s\n", err)
-			os.Exit(1)
+		rotator = &timberjack.Logger{
+			Filename:         *logFile,
+			MaxSize:          10, // megabytes before rotation
+			MaxBackups:       3,
+			MaxAge:           30, // days
+			Compress:         true,
+			BackupTimeFormat: "20060102150405",
 		}
-
-		log.SetOutput(writer)
+		writer = rotator
 	}
 
 	// Handle log_format
 	switch *logFormat {
 	case "json":
-		log.SetFormatter(&logrus.JSONFormatter{
-			TimestampFormat:   time.RFC3339Nano,
-			DisableHTMLEscape: true,
-		})
+		// zerolog default is JSON
 	case "plain":
-		log.SetFormatter(&logrus.TextFormatter{
-			DisableTimestamp: true,
-		})
+		writer = zerolog.ConsoleWriter{
+			Out:        writer,
+			NoColor:    true,
+			TimeFormat: "",
+			FormatTimestamp: func(i interface{}) string {
+				return "" // avoid default time
+			},
+		}
 	case "", "default":
-		log.SetFormatter(&logrus.TextFormatter{
-			FullTimestamp: true,
-		})
+		writer = zerolog.ConsoleWriter{
+			Out:        writer,
+			NoColor:    true,
+			TimeFormat: time.RFC3339,
+		}
+	case "pretty":
+		writer = zerolog.ConsoleWriter{
+			Out:        writer,
+			TimeFormat: time.RFC3339Nano,
+		}
 	default:
 		fmt.Fprintf(os.Stderr, "Invalid log_format: %s\n", *logFormat)
 		os.Exit(1)
 	}
 
-	// Handle log_level
-	level, err := logrus.ParseLevel(*logLevel)
-	if err != nil {
-		level = logrus.InfoLevel
+	l := zerolog.New(writer).With().Timestamp().Logger()
+	log = &l
 
-		log.WithField("given_level", *logLevel).
-			Warn("could not parse log level, defaulting to 'info'")
+	// Handle log_level
+	level, err := zerolog.ParseLevel(strings.ToLower(*logLevel))
+	if err != nil {
+		level = zerolog.InfoLevel
+		log.Warn().Str("given_level", *logLevel).
+			Msg("could not parse log level, defaulting to 'info'")
+	}
+	zerolog.SetGlobalLevel(level)
+}
+
+// Call this on shutdown if you want to close the rotator and stop timers cleanly
+func closeLogger() {
+	if rotator != nil {
+		rotator.Close()
 	}
-	log.SetLevel(level)
 }

main.go

@@ -13,8 +13,8 @@ import (
 	"syscall"
 
 	"github.com/chrj/smtpd"
+	"github.com/fsnotify/fsnotify"
 	"github.com/google/uuid"
-	"github.com/sirupsen/logrus"
 )
 
 func connectionChecker(peer smtpd.Peer) error {
@@ -32,9 +32,9 @@ func connectionChecker(peer smtpd.Peer) error {
 		}
 	}
 
-	log.WithFields(logrus.Fields{
-		"ip": peerIP,
-	}).Warn("Connection refused from address outside of allowed_nets")
+	log.Warn().
+		Str("ip", peerIP.String()).
+		Msg("Connection refused from address outside of allowed_nets")
 	return smtpd.Error{Code: 421, Message: "Denied"}
 }
 
@@ -87,19 +87,21 @@ func senderChecker(peer smtpd.Peer, addr string) error {
 		user, err := AuthFetch(peer.Username)
 		if err != nil {
 			// Shouldn't happen: authChecker already validated username+password
-			log.WithFields(logrus.Fields{
-				"peer":     peer.Addr,
-				"username": peer.Username,
-			}).WithError(err).Warn("could not fetch auth user")
+			log.Warn().
+				Str("peer", peer.Addr.String()).
+				Str("username", peer.Username).
+				Err(err).
+				Msg("could not fetch auth user")
 			return smtpd.Error{Code: 451, Message: "Bad sender address"}
 		}
 
 		if !addrAllowed(addr, user.allowedAddresses) {
-			log.WithFields(logrus.Fields{
-				"peer":           peer.Addr,
-				"username":       peer.Username,
-				"sender_address": addr,
-			}).Warn("sender address not allowed for authenticated user")
+			log.Warn().
+				Str("peer", peer.Addr.String()).
+				Str("username", peer.Username).
+				Str("sender_address", addr).
+				Err(err).
+				Msg("sender address not allowed for authenticated user")
 			return smtpd.Error{Code: 451, Message: "Bad sender address"}
 		}
 	}
@@ -114,10 +116,10 @@ func senderChecker(peer smtpd.Peer, addr string) error {
 		return nil
 	}
 
-	log.WithFields(logrus.Fields{
-		"sender_address": addr,
-		"peer":           peer.Addr,
-	}).Warn("sender address not allowed by allowed_sender pattern")
+	log.Warn().
+		Str("sender_address", addr).
+		Str("peer", peer.Addr.String()).
+		Msg("sender address not allowed by allowed_sender pattern")
 	return smtpd.Error{Code: 451, Message: "Bad sender address"}
 }
 
@@ -132,20 +134,21 @@ func recipientChecker(peer smtpd.Peer, addr string) error {
 		return nil
 	}
 
-	log.WithFields(logrus.Fields{
-		"peer":              peer.Addr,
-		"recipient_address": addr,
-	}).Warn("recipient address not allowed by allowed_recipients pattern")
+	log.Warn().
+		Str("peer", peer.Addr.String()).
+		Str("recipient_address", addr).
+		Msg("recipient address not allowed by allowed_recipients pattern")
 	return smtpd.Error{Code: 451, Message: "Bad recipient address"}
 }
 
 func authChecker(peer smtpd.Peer, username string, password string) error {
 	err := AuthCheckPassword(username, password)
 	if err != nil {
-		log.WithFields(logrus.Fields{
-			"peer":     peer.Addr,
-			"username": username,
-		}).WithError(err).Warn("auth error")
+		log.Warn().
+			Str("peer", peer.Addr.String()).
+			Str("username", username).
+			Err(err).
+			Msg("auth error")
 		return smtpd.Error{Code: 535, Message: "Authentication credentials invalid"}
 	}
 	return nil
@@ -157,43 +160,77 @@ func mailHandler(peer smtpd.Peer, env smtpd.Envelope) error {
 		peerIP = addr.IP.String()
 	}
 
-	logger := log.WithFields(logrus.Fields{
-		"from": env.Sender,
-		"to":   env.Recipients,
-		"peer": peerIP,
-		"uuid": generateUUID(),
-	})
+	// Check for aliases
+	aliasesMutex.RLock()
+	for i, recipient := range env.Recipients {
+		if alias, exists := aliasesList[recipient]; exists {
+			env.Recipients[i] = alias
+			log.Info().
+				Str("original_recipient", recipient).
+				Str("aliased_recipient", alias).
+				Msg("Recipient address aliased")
+		}
+	}
+	aliasesMutex.RUnlock()
 
-	if *remotesStr == "" && *command == "" {
-		logger.Warning("no remote_host or command set; discarding mail")
-		return nil
+	logger := log.With().
+		Str("from", env.Sender).
+		Strs("to", env.Recipients).
+		Str("peer", peerIP).
+		Str("uuid", generateUUID()).
+		Logger()
+
+	var envRemotes []*Remote
+
+	if *strictSender {
+		for _, remote := range remotes {
+			if remote.Sender == env.Sender {
+				envRemotes = append(envRemotes, remote)
+			}
+		}
+	} else {
+		envRemotes = remotes
+	}
+
+	if len(envRemotes) == 0 && *command == "" {
+		logger.Warn().Msg("no remote_host or command set; discarding mail")
+		return smtpd.Error{Code: 554, Message: "There are no appropriate remote_host or command"}
 	}
 
 	env.AddReceivedLine(peer)
 
 	if *command != "" {
-		cmdLogger := logger.WithField("command", *command)
+		cmdLogger := logger.With().Str("command", *command).Logger()
 
 		var stdout bytes.Buffer
 		var stderr bytes.Buffer
 
-		cmd := exec.Command(*command)
+		environ := os.Environ()
+		environ = append(environ, fmt.Sprintf("%s=%s", "SMTPRELAY_FROM", env.Sender))
+		environ = append(environ, fmt.Sprintf("%s=%s", "SMTPRELAY_TO", env.Recipients))
+		environ = append(environ, fmt.Sprintf("%s=%s", "SMTPRELAY_PEER", peerIP))
+
+		cmd := exec.Cmd{
+			Env:  environ,
+			Path: *command,
+		}
+
 		cmd.Stdin = bytes.NewReader(env.Data)
 		cmd.Stdout = &stdout
 		cmd.Stderr = &stderr
 
 		err := cmd.Run()
 		if err != nil {
-			cmdLogger.WithError(err).Error(stderr.String())
+			cmdLogger.Error().Err(err).Msg(stderr.String())
 			return smtpd.Error{Code: 554, Message: "External command failed"}
 		}
 
-		cmdLogger.Info("pipe command successful: " + stdout.String())
+		cmdLogger.Info().Msg("pipe command successful: " + stdout.String())
 	}
 
-	for _, remote := range remotes {
-		logger = logger.WithField("host", remote.Addr)
-		logger.Info("delivering mail from peer using smarthost")
+	for _, remote := range envRemotes {
+		logger = logger.With().Str("host", remote.Addr).Logger()
+		logger.Info().Msg("delivering mail from peer using smarthost")
 
 		err := SendMail(
 			remote,
@@ -208,21 +245,22 @@ func mailHandler(peer smtpd.Peer, env smtpd.Envelope) error {
 			case *textproto.Error:
 				smtpError = smtpd.Error{Code: err.Code, Message: err.Msg}
 
-				logger.WithFields(logrus.Fields{
-					"err_code": err.Code,
-					"err_msg":  err.Msg,
-				}).Error("delivery failed")
+				logger.Error().
+					Int("err_code", err.Code).
+					Str("err_msg", err.Msg).
+					Msg("delivery failed")
 			default:
-				smtpError = smtpd.Error{Code: 554, Message: "Forwarding failed"}
+				smtpError = smtpd.Error{Code: 421, Message: "Forwarding failed"}
 
-				logger.WithError(err).
-					Error("delivery failed")
+				logger.Error().
+					Err(err).
+					Msg("delivery failed")
 			}
 
 			return smtpError
 		}
 
-		logger.Debug("delivery successful")
+		logger.Debug().Msg("delivery successful")
 	}
 
 	return nil
@@ -232,8 +270,9 @@ func generateUUID() string {
 	uniqueID, err := uuid.NewRandom()
 
 	if err != nil {
-		log.WithError(err).
-			Error("could not generate UUIDv4")
+		log.Error().
+			Err(err).
+			Msg("could not generate UUIDv4")
 
 		return ""
 	}
@@ -242,69 +281,168 @@ func generateUUID() string {
 }
 
 func getTLSConfig() *tls.Config {
-	// Ciphersuites as defined in stock Go but without 3DES and RC4
-	// https://golang.org/src/crypto/tls/cipher_suites.go
-	var tlsCipherSuites = []uint16{
-		tls.TLS_AES_128_GCM_SHA256,
-		tls.TLS_AES_256_GCM_SHA384,
-		tls.TLS_CHACHA20_POLY1305_SHA256,
-		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // does not provide PFS
-		tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // does not provide PFS
-	}
-
+	// Certificate loading / validation
 	if *localCert == "" || *localKey == "" {
-		log.WithFields(logrus.Fields{
-			"cert_file": *localCert,
-			"key_file":  *localKey,
-		}).Fatal("TLS certificate/key file not defined in config")
+		log.Fatal().
+			Str("cert_file", *localCert).
+			Str("key_file", *localKey).
+			Msg("TLS certificate/key file not defined in config")
 	}
 
 	cert, err := tls.LoadX509KeyPair(*localCert, *localKey)
 	if err != nil {
-		log.WithField("error", err).
-			Fatal("cannot load X509 keypair")
+		log.Fatal().
+			Err(err).
+			Msg("cannot load X509 keypair")
 	}
 
-	return &tls.Config{
-		PreferServerCipherSuites: true,
-		MinVersion:               tls.VersionTLS12,
-		CipherSuites:             tlsCipherSuites,
-		Certificates:             []tls.Certificate{cert},
+	// TLS profile configuration
+	// tls.Config.CipherSuites only affects TLS 1.0–1.2.
+
+	// Base config: Go defaults unless overridden.
+	conf := &tls.Config{
+		Certificates: []tls.Certificate{cert},
+	}
+
+	profile := strings.ToLower(strings.TrimSpace(*tlsProfile))
+	if profile == "" {
+		profile = "default"
+	}
+
+	switch profile {
+	case "default":
+		// Go defaults (leave MinVersion/MaxVersion/CipherSuites unset).
+
+	case "modern":
+		// TLS 1.3+.
+		conf.MinVersion = tls.VersionTLS13
+
+	case "intermediate":
+		// TLS 1.2+ with AEAD + ECDHE cipher suites only.
+		// Mozilla "intermediate" — AEAD + ECDHE only.
+		conf.MinVersion = tls.VersionTLS12
+		conf.CipherSuites = []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+		}
+
+	case "legacy":
+		// Last resort: TLS 1.0+ and everything Go exposes for TLS 1.0–1.2.
+		conf.MinVersion = tls.VersionTLS10
+
+		allSuites := []uint16{}
+		for _, cs := range tls.CipherSuites() {
+			allSuites = append(allSuites, cs.ID)
+		}
+		for _, cs := range tls.InsecureCipherSuites() {
+			allSuites = append(allSuites, cs.ID)
+		}
+		conf.CipherSuites = allSuites
+
+	default:
+		log.Warn().
+			Str("tls_profile", profile).
+			Msg("unknown tls_profile; using default")
+	}
+
+	return conf
+}
+
+func watchAliasFile() {
+	if *aliasFile == "" {
+		return
+	}
+
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		log.Error().
+			Err(err).
+			Msg("failed to create file watcher for alias file")
+		return
+	}
+
+	go func() {
+		defer watcher.Close()
+
+		for {
+			select {
+			case event, ok := <-watcher.Events:
+				if !ok {
+					return
+				}
+
+				if event.Has(fsnotify.Write) || event.Has(fsnotify.Create) {
+					log.Info().
+						Str("file", event.Name).
+						Msg("alias file changed, reloading")
+
+					err := LoadAliases(*aliasFile)
+					if err != nil {
+						log.Error().
+							Str("file", *aliasFile).
+							Err(err).
+							Msg("failed to reload alias file")
+					} else {
+						log.Info().
+							Int("count", len(aliasesList)).
+							Msg("alias file reloaded successfully")
+					}
+				}
+
+			case err, ok := <-watcher.Errors:
+				if !ok {
+					return
+				}
+				log.Error().
+					Err(err).
+					Msg("file watcher error")
+			}
+		}
+	}()
+
+	err = watcher.Add(*aliasFile)
+	if err != nil {
+		log.Error().
+			Str("file", *aliasFile).
+			Err(err).
+			Msg("failed to watch alias file")
+	} else {
+		log.Info().
+			Str("file", *aliasFile).
+			Msg("watching alias file for changes")
 	}
 }
 
 func main() {
 	ConfigLoad()
 
-	if *versionInfo {
-		fmt.Printf("smtprelay/%s (%s)\n", appVersion, buildTime)
-		os.Exit(0)
-	}
-
-	log.WithField("version", appVersion).
-		Debug("starting smtprelay")
+	log.Debug().
+		Str("version", appVersion).
+		Msg("starting smtprelay")
 
 	// Load allowed users file
 	if localAuthRequired() {
 		err := AuthLoadFile(*allowedUsers)
 		if err != nil {
-			log.WithField("file", *allowedUsers).
-				WithError(err).
-				Fatal("cannot load allowed users file")
+			log.Fatal().
+				Str("file", *allowedUsers).
+				Err(err).
+				Msg("cannot load allowed users file")
 		}
 	}
 
+	// Start watching alias file for changes
+	watchAliasFile()
+
 	var servers []*smtpd.Server
 
 	// Create a server for each desired listen address
 	for _, listen := range listenAddrs {
-		logger := log.WithField("address", listen.address)
+		logger := log.With().Str("address", listen.address).Logger()
 
 		server := &smtpd.Server{
 			Hostname:          *hostName,
@@ -330,29 +468,32 @@ func main() {
 
 		switch listen.protocol {
 		case "":
-			logger.Info("listening on address")
+			logger.Info().Msg("listening on address")
 			lsnr, err = net.Listen("tcp", listen.address)
 
 		case "starttls":
 			server.TLSConfig = getTLSConfig()
 			server.ForceTLS = *localForceTLS
 
-			logger.Info("listening on address (STARTTLS)")
+			logger.Info().Msg("listening on address (STARTTLS)")
 			lsnr, err = net.Listen("tcp", listen.address)
 
 		case "tls":
 			server.TLSConfig = getTLSConfig()
 
-			logger.Info("listening on address (TLS)")
+			logger.Info().Msg("listening on address (TLS)")
 			lsnr, err = tls.Listen("tcp", listen.address, server.TLSConfig)
 
 		default:
-			logger.WithField("protocol", listen.protocol).
-				Fatal("unknown protocol in listen address")
+			logger.Fatal().
+				Str("protocol", listen.protocol).
+				Msg("unknown protocol in listen address")
 		}
 
 		if err != nil {
-			logger.WithError(err).Fatal("error starting listener")
+			logger.Fatal().
+				Err(err).
+				Msg("error starting listener")
 		}
 		servers = append(servers, server)
 
@@ -365,27 +506,31 @@ func main() {
 
 	// First close the listeners
 	for _, server := range servers {
-		logger := log.WithField("address", server.Address())
-		logger.Debug("Shutting down server")
+		logger := log.With().Str("address", server.Address().String()).Logger()
+		logger.Debug().Msg("Shutting down server")
 		err := server.Shutdown(false)
 		if err != nil {
-			logger.WithError(err).
-				Warning("Shutdown failed")
+			logger.Warn().
+				Err(err).
+				Msg("Shutdown failed")
 		}
 	}
 
 	// Then wait for the clients to exit
 	for _, server := range servers {
-		logger := log.WithField("address", server.Address())
-		logger.Debug("Waiting for server")
+		logger := log.With().Str("address", server.Address().String()).Logger()
+		logger.Debug().Msg("Waiting for server")
 		err := server.Wait()
 		if err != nil {
-			logger.WithError(err).
-				Warning("Wait failed")
+			logger.Warn().
+				Err(err).
+				Msg("Wait failed")
 		}
 	}
 
-	log.Debug("done")
+	log.Debug().Msg("done")
+
+	closeLogger()
 }
 
 func handleSignals() {
@@ -394,6 +539,7 @@ func handleSignals() {
 	signal.Notify(sigs, syscall.SIGINT, syscall.SIGQUIT, syscall.SIGTERM)
 	sig := <-sigs
 
-	log.WithField("signal", sig).
-		Info("shutting down in response to received signal")
+	log.Info().
+		Str("signal", sig.String()).
+		Msg("shutting down in response to received signal")
 }

remotes.go

@@ -7,13 +7,15 @@ import (
 )
 
 type Remote struct {
-	SkipVerify bool
-	Auth       smtp.Auth
-	Scheme     string
-	Hostname   string
-	Port       string
-	Addr       string
-	Sender     string
+	SkipVerify      bool
+	Auth            smtp.Auth
+	Scheme          string
+	Hostname        string
+	Port            string
+	Addr            string
+	Sender          string
+	ClientCertPath  string
+	ClientKeyPath   string
 }
 
 // ParseRemote creates a remote from a given url in the following format:
@@ -25,7 +27,6 @@ type Remote struct {
 // Supported Params:
 // - skipVerify: can be "true" or empty to prevent ssl verification of remote server's certificate.
 // - auth: can be "login" to trigger "LOGIN" auth instead of "PLAIN" auth
-//
 func ParseRemote(remoteURL string) (*Remote, error) {
 	u, err := url.Parse(remoteURL)
 	if err != nil {

smtp.go

@@ -49,7 +49,7 @@ type Client struct {
 	helloError error  // the error from the hello
 }
 
-// Dial returns a new Client connected to an SMTP server at addr.
+// Dial returns a new [Client] connected to an SMTP server at addr.
 // The addr must include a port, as in "mail.example.com:smtp".
 func Dial(addr string) (*Client, error) {
 	conn, err := net.Dial("tcp", addr)
@@ -60,7 +60,7 @@ func Dial(addr string) (*Client, error) {
 	return NewClient(conn, host)
 }
 
-// NewClient returns a new Client using an existing connection and host as a
+// NewClient returns a new [Client] using an existing connection and host as a
 // server name to be used when authenticating.
 func NewClient(conn net.Conn, host string) (*Client, error) {
 	text := textproto.NewConn(conn)
@@ -167,7 +167,7 @@ func (c *Client) StartTLS(config *tls.Config) error {
 }
 
 // TLSConnectionState returns the client's TLS connection state.
-// The return values are their zero values if StartTLS did
+// The return values are their zero values if [Client.StartTLS] did
 // not succeed.
 func (c *Client) TLSConnectionState() (state tls.ConnectionState, ok bool) {
 	tc, ok := c.conn.(*tls.Conn)
@@ -207,7 +207,7 @@ func (c *Client) Auth(a smtp.Auth) error {
 	}
 	resp64 := make([]byte, encoding.EncodedLen(len(resp)))
 	encoding.Encode(resp64, resp)
-	code, msg64, err := c.cmd(0, strings.TrimSpace(fmt.Sprintf("AUTH %s %s", mech, resp64)))
+	code, msg64, err := c.cmd(0, "%s", strings.TrimSpace(fmt.Sprintf("AUTH %s %s", mech, resp64)))
 	for err == nil {
 		var msg []byte
 		switch code {
@@ -233,7 +233,7 @@ func (c *Client) Auth(a smtp.Auth) error {
 		}
 		resp64 = make([]byte, encoding.EncodedLen(len(resp)))
 		encoding.Encode(resp64, resp)
-		code, msg64, err = c.cmd(0, string(resp64))
+		code, msg64, err = c.cmd(0, "%s", resp64)
 	}
 	return err
 }
@@ -242,7 +242,7 @@ func (c *Client) Auth(a smtp.Auth) error {
 // If the server supports the 8BITMIME extension, Mail adds the BODY=8BITMIME
 // parameter. If the server supports the SMTPUTF8 extension, Mail adds the
 // SMTPUTF8 parameter.
-// This initiates a mail transaction and is followed by one or more Rcpt calls.
+// This initiates a mail transaction and is followed by one or more [Client.Rcpt] calls.
 func (c *Client) Mail(from string) error {
 	if err := validateLine(from); err != nil {
 		return err
@@ -264,8 +264,8 @@ func (c *Client) Mail(from string) error {
 }
 
 // Rcpt issues a RCPT command to the server using the provided email address.
-// A call to Rcpt must be preceded by a call to Mail and may be followed by
-// a Data call or another Rcpt call.
+// A call to Rcpt must be preceded by a call to [Client.Mail] and may be followed by
+// a [Client.Data] call or another Rcpt call.
 func (c *Client) Rcpt(to string) error {
 	if err := validateLine(to); err != nil {
 		return err
@@ -288,7 +288,7 @@ func (d *dataCloser) Close() error {
 // Data issues a DATA command to the server and returns a writer that
 // can be used to write the mail headers and body. The caller should
 // close the writer before calling any more methods on c. A call to
-// Data must be preceded by one or more calls to Rcpt.
+// Data must be preceded by one or more calls to [Client.Rcpt].
 func (c *Client) Data() (io.WriteCloser, error) {
 	_, _, err := c.cmd(354, "DATA")
 	if err != nil {
@@ -340,6 +340,14 @@ func SendMail(r *Remote, from string, to []string, msg []byte) error {
 			ServerName:         r.Hostname,
 			InsecureSkipVerify: r.SkipVerify,
 		}
+		// Load client certificate on-demand, just before connection
+		if r.ClientCertPath != "" && r.ClientKeyPath != "" {
+			cert, err := tls.LoadX509KeyPair(r.ClientCertPath, r.ClientKeyPath)
+			if err != nil {
+				return err
+			}
+			config.Certificates = []tls.Certificate{cert}
+		}
 		conn, err := tls.Dial("tcp", r.Addr, config)
 		if err != nil {
 			return err
@@ -366,6 +374,14 @@ func SendMail(r *Remote, from string, to []string, msg []byte) error {
 				ServerName:         c.serverName,
 				InsecureSkipVerify: r.SkipVerify,
 			}
+			// Load client certificate on-demand, just before use
+			if r.ClientCertPath != "" && r.ClientKeyPath != "" {
+				cert, err := tls.LoadX509KeyPair(r.ClientCertPath, r.ClientKeyPath)
+				if err != nil {
+					return err
+				}
+				config.Certificates = []tls.Certificate{cert}
+			}
 			if testHookStartTLS != nil {
 				testHookStartTLS(config)
 			}
@@ -445,9 +461,7 @@ func (c *Client) Noop() error {
 
 // Quit sends the QUIT command and closes the connection to the server.
 func (c *Client) Quit() error {
-	if err := c.hello(); err != nil {
-		return err
-	}
+	c.hello() // ignore error; we're quitting anyhow
 	_, _, err := c.cmd(221, "QUIT")
 	if err != nil {
 		return err
@@ -455,7 +469,7 @@ func (c *Client) Quit() error {
 	return c.Text.Close()
 }
 
-// validateLine checks to see if a line has CR or LF as per RFC 5321
+// validateLine checks to see if a line has CR or LF as per RFC 5321.
 func validateLine(line string) error {
 	if strings.ContainsAny(line, "\n\r") {
 		return errors.New("smtp: A line must not contain CR or LF")

smtprelay.ini

@@ -1,19 +1,28 @@
 ; smtprelay configuration
+;
+; All config parameters can also be provided as environment
+; variables in uppercase and the prefix "SMTPRELAY_".
+; (eg. SMTPRELAY_LOGFILE, SMTPRELAY_LOG_FORMAT)
 
 ; Logfile (blank/default is stderr)
 ;logfile = 
 
 ; Log format: default, plain (no timestamp), json
-;log_format = "default"
+;log_format = default
 
 ; Log level: panic, fatal, error, warn, info, debug, trace
-;log_level = "info"
+;log_level = info
+
+; path to alias file
+; alias file format (separated by space):
+; fake@email.tld real@email.tld
+;aliases_file = aliases.txt
 
 ; Hostname for this SMTP server
-;hostname = "localhost.localdomain"
+;hostname = localhost.localdomain
 
 ; Welcome message for clients
-;welcome_msg = "<hostname> ESMTP ready."
+;welcome_msg = <hostname> ESMTP ready.
 
 ; Listen on the following addresses for incoming
 ; unencrypted connections.
@@ -26,10 +35,41 @@
 ;local_cert = smtpd.pem
 ;local_key  = smtpd.key
 
+; TLS PROFILE (STARTTLS / TLS listeners)
+; Controls the minimum TLS version and allowed cipher suites for inbound
+; connections when using listen protocols `starttls://` or `tls://`.
+; Profiles follow the Mozilla SSL Configuration Generator guidelines.
+;
+;   default
+;     Go standard library defaults. Tracks improvements as Go updates
+;     its TLS defaults. Recommended for most deployments.
+;
+;   modern
+;     TLS 1.3+ only. Simplest and most secure, but rejects any client
+;     that cannot negotiate TLS 1.3.
+;     Matches Mozilla "modern" configuration.
+;
+;   intermediate
+;     TLS 1.2+. For TLS 1.2 connections only AEAD ciphers (AES-GCM,
+;     ChaCha20-Poly1305) with ECDHE key exchange are allowed,
+;     providing forward secrecy. TLS 1.3 ciphers are always available.
+;     Matches Mozilla "intermediate" configuration.
+;
+;   legacy
+;     TLS 1.0+ with all cipher suites the Go standard library supports,
+;     including insecure ones (RC4, 3DES). Use only when you must
+;     support very old clients that cannot negotiate TLS 1.2.
+;
+;tls_profile=default
+
 ; Enforce encrypted connection on STARTTLS ports before
 ; accepting mails from client.
 ;local_forcetls = false
 
+; Only use remotes where FROM EMail address in received
+; EMail matches remote_sender.
+;strict_sender = false
+
 ; Socket timeout for read operations
 ; Duration string as sequence of decimal numbers,
 ; each with optional fraction and a unit suffix.
@@ -75,7 +115,7 @@
 ; authentication before they can send mail.
 ; File format: username bcrypt-hash [email[,email[,...]]]
 ;   username: The SMTP auth username
-;   bcrypt-hash: The bcrypt hash of the pasword (generate with "./hasher password")
+;   bcrypt-hash: The bcrypt hash of the pasword
 ;   email: Comma-separated list of allowed "from" addresses:
 ;          - If omitted, user can send from any address
 ;          - If @domain.com is given, user can send from any address @domain.com
@@ -106,6 +146,10 @@
 ; Mailjet.com
 ;remotes = starttls://user:pass@in-v3.mailjet.com:587
 
+; Exchange Online (O365) SMTP relay
+; (Change netloc to your own Exchange MX endpoint)
+; remotes = starttls://contoso-com.mail.protection.outlook.com:25
+
 ; Ignore remote host certificates
 ;remotes = starttls://user:pass@server:587?skipVerify
 
@@ -118,5 +162,11 @@
 ; Multiple remotes, space delimited
 ;remotes = smtp://127.0.0.1:1025 starttls://user:pass@smtp.mailgun.org:587
 
+; Client SSL certificate for remote STARTTLS/TLS
+; remote_certificate = /path/to/certificate-chain.pem
+
+; Client SSL private key for remote STARTTLS/TLS
+; remote_key = /path/to/private-key.pem
+
 ; Pipe messages to external command
 ;command = /usr/local/bin/script