Merge branch 'master' into dev
foxcpp committed Jan 21, 2024
2 parents 351c44e + c67955e commit 798c411
Showing 109 changed files with 1,969 additions and 1,384 deletions.
8 changes: 5 additions & 3 deletions .github/workflows/cicd.yml
Expand Up @@ -10,11 +10,13 @@ on:
jobs:
build-and-test:
name: "Build and test"
runs-on: ubuntu-20.04
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: "Install libpam"
run: sudo apt-get install -y libpam-dev
run: |
sudo apt-get update
sudo apt-get install -y libpam-dev
- uses: actions/cache@v2
with:
path: |
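Review bot: `runs-on: ubuntu-latest` swaps a pinned `ubuntu-20.04` for a floating image, so the runner (and the `libpam-dev` version `apt-get install` pulls) will change underneath the project without any commit; if the only goal was to leave the retired 20.04 runner, pin its successor (`ubuntu-22.04`) instead. While touching this job, `actions/checkout@v2` and `actions/cache@v2` are referenced by mutable tag; pinning third-party actions to a full commit SHA is the usual supply-chain hardening for workflows.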
Expand All @@ -24,7 +26,7 @@ jobs:
restore-keys: ${{ runner.os }}-go-
- uses: actions/setup-go@v2
with:
go-version: 1.18.9
go-version: 1.19
- name: "Verify build.sh"
run: |
./build.sh
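Review bot: `go-version: 1.19` drops the exact patch pin (`1.18.9`) for a floating minor, so setup-go resolves whatever 1.19.x it has cached on the day; acceptable for a smoke test, but it should be a deliberate choice. It also has to stay in step with the `go` directive in go.mod and with the `golang:1.19-alpine` builder in the Dockerfile, otherwise CI and the container build exercise different toolchains.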
2 changes: 1 addition & 1 deletion .mkdocs.yml
Expand Up @@ -60,7 +60,7 @@ nav:
- reference/table/sql_query.md
- reference/table/chain.md
- reference/table/email_localpart.md
- reference/table/email_with_domains.md
- reference/table/email_with_domain.md
- reference/table/auth.md
- Authentication providers:
- reference/auth/pass_table.md
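Review bot: the nav entry now points at `reference/table/email_with_domain.md`, which only builds if the file under docs/ was renamed in the same commit; with mkdocs strict mode a nav entry without a backing file turns the warning into a build failure. A quick `ls docs/reference/table/` before merging settles it.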
4 changes: 2 additions & 2 deletions Dockerfile
@@ -1,4 +1,4 @@
FROM golang:1.18-alpine AS build-env
FROM golang:1.19-alpine AS build-env

RUN set -ex && \
apk upgrade --no-cache --available && \
Expand All @@ -14,7 +14,7 @@ RUN mkdir -p /pkg/data && \
cp maddy.conf.docker /pkg/data/maddy.conf && \
./build.sh --builddir /tmp --destdir /pkg/ --tags docker build install

FROM alpine:3.17.0
FROM alpine:3.18.4
LABEL maintainer="fox.cpp@disroot.org"
LABEL org.opencontainers.image.source=https://github.com/foxcpp/maddy

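Review bot: the runtime stage is pinned to `alpine:3.18.4`, but the build stage above still uses the floating `golang:1.19-alpine` tag, so two builds of the same commit can be compiled by different toolchains and base layers. For a reproducible, auditable image pin both stages by digest (`FROM image:tag@sha256:…`) and let a dependency bot bump them, rather than mixing a pinned runtime with a floating builder.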
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -15,8 +15,8 @@ daemon with uniform configuration and minimal maintenance cost.
feature-packed implementation you may want to use Dovecot instead. maddy still
can handle message delivery business.

[![CI status](https://img.shields.io/github/workflow/status/foxcpp/maddy/Testing%20and%20release%20preparation?style=flat-square)](https://github.com/foxcpp/maddy/actions/workflows/cicd.yml)
[![Issues tracker](https://img.shields.io/github/issues/foxcpp/maddy)](https://github.com/foxcpp/maddy)
[![CI status](https://img.shields.io/github/actions/workflow/status/foxcpp/maddy/cicd.yml?style=flat-square)](https://github.com/foxcpp/maddy/actions/workflows/cicd.yml)
[![Issues tracker](https://img.shields.io/github/issues/foxcpp/maddy?style=flat-square)](https://github.com/foxcpp/maddy)

* [Setup tutorial](https://maddy.email/tutorials/setting-up/)
* [Documentation](https://maddy.email/)
21 changes: 17 additions & 4 deletions build.sh
Expand Up @@ -146,10 +146,23 @@ install() {
# Attempt to install systemd units only for Linux.
# Check is done using GOOS instead of uname -s to account for possible
# package cross-compilation.
if [ "$(go env GOOS)" = "linux" ]; then
command install -m 0755 -d "${destdir}/${prefix}/lib/systemd/system/"
command install -m 0644 "${builddir}"/systemd/*.service "${destdir}/${prefix}/lib/systemd/system/"
fi
# Though go command might be unavailable if build.sh is run
# with sudo and go installation is user-specific, so fallback
# to using uname -s in the end.
set +e
if command -v go >/dev/null 2>/dev/null; then
set -e
if [ "$(go env GOOS)" = "linux" ]; then
command install -m 0755 -d "${destdir}/${prefix}/lib/systemd/system/"
command install -m 0644 "${builddir}"/systemd/*.service "${destdir}/${prefix}/lib/systemd/system/"
fi
else
set -e
if [ "$(uname -s)" = "Linux" ]; then
command install -m 0755 -d "${destdir}/${prefix}/lib/systemd/system/"
command install -m 0644 "${builddir}"/systemd/*.service "${destdir}/${prefix}/lib/systemd/system/"
fi
fi

if [ -e "${builddir}"/man ]; then
command install -m 0755 -d "${destdir}/${prefix}/share/man/man1/"
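Review bot: the `set +e` / `set -e` toggling is unnecessary and the install block is now duplicated verbatim in both branches. A command used as an `if` condition never trips errexit, so `if command -v go >/dev/null 2>&1; then` is already safe without `set +e`; and re-enabling `set -e` in both branches unconditionally turns errexit on even if the caller had it off. Compute the OS once and install once instead, e.g. `if command -v go >/dev/null 2>&1; then os="$(go env GOOS)"; else os="$(uname -s | tr '[:upper:]' '[:lower:]')"; fi` followed by a single `if [ "$os" = "linux" ]; then … fi` around the two `command install` lines.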
6 changes: 3 additions & 3 deletions contrib/kubernetes/chart/README.md
Expand Up @@ -9,7 +9,7 @@ load balancer in front of the nodes.

## Requirement

In order to run maddy properly, you need to have TLS secret undet name maddy present in the cluster. If you have commercial
In order to run maddy properly, you need to have TLS secret under name maddy present in the cluster. If you have commercial
certificate, you can create it by the following command:

```sh
Expand All @@ -20,9 +20,9 @@ If you use cert-manager, just create the secret under name maddy.

## Replication

Default for this chart is 1 replica of maddy. If you try to increse this, you will probably get an error because of
Default for this chart is 1 replica of maddy. If you try to increase this, you will probably get an error because of
the busy ports 25, 143, 587, etc. We do not support this feature at the moment, so please use just 1 replica. Like said
at the begining of this document, multiple replicas would probably require to switch do DaemonSet which would further require
at the beginning of this document, multiple replicas would probably require to switch do DaemonSet which would further require
to have TCP load balancer and shared storage between all replicas. This is not supported by this chart, sorry.
This chart is used on one node cluster and then installation is straight forward, like described bellow, but if you have
multiple node cluster, please use taints and tolerations to select the desired node. This chart supports tolerations to
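Review bot: three typos are fixed here, but two more remain on the context lines of the same paragraph: `switch do DaemonSet` should read `switch to DaemonSet`, and `described bellow` should be `described below`. The corrected `under name maddy` would also read more naturally as `under the name maddy`.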
2 changes: 1 addition & 1 deletion dist/README.md
Expand Up @@ -22,7 +22,7 @@ Additionally, unit files apply strict sandboxing, limiting maddy permissions on
the system to a bare minimum. Subset of these options makes it impossible for
privileged authentication helper binaries to gain required permissions, so you
may have to disable it when using system account-based authentication with
maddy running as a unprivilieged user.
maddy running as a unprivileged user.

## fail2ban configuration

7 changes: 4 additions & 3 deletions dist/systemd/maddy.service
Expand Up @@ -3,7 +3,7 @@ Description=maddy mail server
Documentation=man:maddy(1)
Documentation=man:maddy.conf(5)
Documentation=https://maddy.email
After=network.target
After=network-online.target

[Service]
Type=notify
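Review bot: `After=network-online.target` on its own does not make the service wait for connectivity. `After=` only orders the unit relative to the target if something pulls the target into the transaction; per systemd.special(7) a unit that needs the network up must also declare `Wants=network-online.target`. Unless a `Wants=` line already exists elsewhere in this [Unit] section, add it next to the `After=` line, otherwise the change is a no-op on hosts where nothing else wants that target.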
Expand Down Expand Up @@ -54,8 +54,9 @@ KillSignal=SIGTERM
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# Force all files created by maddy to be only readable by it.
UMask=0027
# Force all files created by maddy to be only readable by it
# and maddy group.
UMask=0007

# Bump FD limitations. Even idle mail server can have a lot of FDs open (think
# of idle IMAP connections, especially ones abandoned on the other end and
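Review bot: `UMask=0007` does more than the new comment says. With 0027 files were created 0640 and directories 0750, so the maddy group could already read them; 0007 yields 0660/0770, which additionally makes everything maddy creates writable by any member of the maddy group. That is a widening of the sandbox described in dist/README.md, not just group readability. If the goal is read access for the group, the old value already provided it; if group write is genuinely required (for example a helper that shares state), state that in the comment so the trade-off is visible to whoever audits the unit.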
7 changes: 4 additions & 3 deletions dist/systemd/maddy@.service
Expand Up @@ -3,7 +3,7 @@ Description=maddy mail server (using %i.conf)
Documentation=man:maddy(1)
Documentation=man:maddy.conf(5)
Documentation=https://maddy.email
After=network.target
After=network-online.target

[Service]
Type=notify
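Review bot: same ordering caveat as in maddy.service: `After=network-online.target` needs a matching `Wants=network-online.target` in [Unit] to actually delay start until the network is online.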
Expand Down Expand Up @@ -50,8 +50,9 @@ KillSignal=SIGTERM
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# Force all files created by maddy to be only readable by it.
UMask=0027
# Force all files created by maddy to be only readable by it and
# maddy group.
UMask=0007

# Bump FD limitations. Even idle mail server can have a lot of FDs open (think
# of idle IMAP connections, especially ones abandoned on the other end and
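Review bot: as in maddy.service, `UMask=0007` makes new files group-writable (0660), not merely group-readable as the comment states; 0027 already gave the maddy group read access.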
2 changes: 1 addition & 1 deletion docs/docker.md
Expand Up @@ -72,4 +72,4 @@ docker run \

It will fail on first startup. Copy TLS certificate to /data/tls/fullchain.pem
and key to /data/tls/privkey.pem. Run the server again. Finish DNS configuration
(DKIM keys, etc) as described in [tutorials/setting-up/](tutorials/setting-up/).
(DKIM keys, etc) as described in [tutorials/setting-up/](../tutorials/setting-up/).
2 changes: 1 addition & 1 deletion docs/internals/unicode.md
Expand Up @@ -93,4 +93,4 @@ mentioned above).

Clients that want to implement proper handling for Unicode strings may assume
maddy does not handle them properly in e.g. SEARCH commands and so such clients
may download messsages and process them locally.
may download messages and process them locally.
12 changes: 6 additions & 6 deletions docs/multiple-domains.md
Expand Up @@ -28,7 +28,7 @@ the [introduction tutorial](tutorials/setting-up.md).

Also note that you do not really need a separate TLS certificate for each
managed domain. You can have one hostname e.g. mail.example.org set as an MX
record for mulitple domains.
record for multiple domains.

**If you want multiple domains to share username namespace**, you should change
several more options.
Expand All @@ -53,7 +53,7 @@ maddy imap-acct create user@example.com
"user"**, you can set `storage_map` in IMAP endpoint and `delivery_map` in
storage backend to use `email_locapart`:
```
straoge.imapsql local_mailboxes {
storage.imapsql local_mailboxes {
...
delivery_map email_localpart # deliver "user@*" to "user"
}
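Review bot: the context line `storage backend to use \`email_locapart\`` has a typo in the module name; it should be `email_localpart`, matching the `delivery_map email_localpart` line in the snippet just below. Since this hunk already touches the block to fix `straoge.imapsql`, fix this one here too.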
Expand All @@ -75,8 +75,8 @@ accept non-email usernames:
authorize_sender {
...
user_to_email chain {
step email_localpart_optional # remove domain from username if present
step email_with_domains $(local_domains) # expand username with all allowed domains
step email_localpart_optional # remove domain from username if present
step email_with_domain $(local_domains) # expand username with all allowed domains
}
}
```
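Review bot: `email_with_domains` becomes `email_with_domain` in these examples (and in the mkdocs nav). Confirm the module name in the table implementation changed as well and whether the old spelling is still accepted as an alias, because existing maddy.conf files that copied this snippet will otherwise fail to load after an upgrade; a one-line changelog note about the rename would save users a surprise.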
Expand Down Expand Up @@ -141,8 +141,8 @@ mailboxes.**
authorize_sender {
...
user_to_email chain {
step email_localpart_optional # remove domain from username if present
step email_with_domains $(local_domains) # expand username with all allowed domains
step email_localpart_optional # remove domain from username if present
step email_with_domain $(local_domains) # expand username with all allowed domains
}
}
}
8 changes: 4 additions & 4 deletions docs/reference/auth/dovecot_sasl.md
@@ -1,6 +1,6 @@
# Dovecot SASL

The 'auth.dovecot\_sasl' module implements the client side of the Dovecot
The 'auth.dovecot_sasl' module implements the client side of the Dovecot
authentication protocol, allowing maddy to use it as a credentials source.

Currently SASL mechanisms support is limited to mechanisms supported by maddy
Expand All @@ -16,11 +16,11 @@ dovecot_sasl unix://socket_path

## Configuration directives

**Syntax**: endpoint _schema://address_ <br>
**Default**: not set
### endpoint _schema://address_
Default: not set

Set the address to use to contact Dovecot SASL server in the standard endpoint
format.

tcp://10.0.0.1:2222 for TCP, unix:///var/lib/dovecot/auth.sock for Unix
`tcp://10.0.0.1:2222` for TCP, `unix:///var/lib/dovecot/auth.sock` for Unix
domain sockets.
23 changes: 14 additions & 9 deletions docs/reference/auth/external.md
@@ -1,12 +1,12 @@
# System command

auth.external module for authentication using external helper binary. It looks for binary
named maddy-auth-helper in $PATH and libexecdir and uses it for authentication
named `maddy-auth-helper` in $PATH and libexecdir and uses it for authentication
using username/password pair.

The protocol is very simple:
Program is launched for each authentication. Username and password are written
to stdin, adding \\n to the end. If binary exits with 0 status code -
to stdin, adding \n to the end. If binary exits with 0 status code -
authentication is considered successful. If the status code is 1 -
authentication is failed. If the status code is 2 - another unrelated error has
happened. Additional information should be written to stderr.
Expand All @@ -21,19 +21,24 @@ auth.external {

## Configuration directives

**Syntax**: helper _file\_path\_
### helper _file_path_

Location of the helper binary. **Required.**
**Required.** <br>
Location of the helper binary.

**Syntax**: perdomain _boolean_ <br>
**Default**: no
---

### perdomain _boolean_
Default: `no`

Don't remove domain part of username when authenticating and require it to be
present. Can be used if you want user@domain1 and user@domain2 to be different
accounts.

**Syntax**: domains _domains..._ <br>
**Default**: not specified
---

### domains _domains..._
Default: not specified

Domains that should be allowed in username during authentication.

Expand All @@ -43,5 +48,5 @@ name in addition to just username.

If used without 'perdomain', domain part will be removed from login before
check with underlying auth. mechanism. If 'perdomain' is set, then
domains must be also set and domain part WILL NOT be removed before check.
domains must be also set and domain part **will not** be removed before check.
