infrastructure/mox
1
0
Fork 0
mirror of https://github.com/mjl-/mox.git synced 2025-07-12 17:44:35 +03:00
Code Issues Packages Projects Releases Wiki Activity

replace listener config option IPsNATed with NATIPs, and let autotls check NATIPs

Browse Source 
NATIPs lists the public IPs, so we can still do the DNS checks on them. with
IPsNATed, we disabled the checks.

based on feedback by kikoreis in issue #52
This commit is contained in:
Mechiel Lukkien
2023-08-11 10:13:17 +02:00
parent d7df70acd8
commit 55d05c6bea
6 changed files with 82 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
mox-/admin.go
View File

@ -959,7 +959,8 @@ func ClientConfigDomain(d dns.Domain) (ClientConfig, error) {
return c, nil
}
// return IPs we may be listening/receiving mail on or connecting/sending from to the outside.
// IPs returns ip addresses we may be listening/receiving mail on or
// connecting/sending from to the outside.
func IPs(ctx context.Context, receiveOnly bool) ([]net.IP, error) {
log := xlog.WithContext(ctx)
@ -972,7 +973,11 @@ func IPs(ctx context.Context, receiveOnly bool) ([]net.IP, error) {
if l.IPsNATed {
return nil, nil
}
for _, s := range l.IPs {
check := l.IPs
if len(l.NATIPs) > 0 {
check = l.NATIPs
}
for _, s := range check {
ip := net.ParseIP(s)
if ip.IsUnspecified() {
if ip.To4() != nil {

21
mox-/config.go
View File

@ -272,7 +272,15 @@ func (c *Config) allowACMEHosts(checkACMEHosts bool) {
}
}
m.SetAllowedHostnames(dns.StrictResolver{Pkg: "autotls"}, hostnames, c.Static.Listeners["public"].IPs, checkACMEHosts)
public := c.Static.Listeners["public"]
ips := public.IPs
if len(public.NATIPs) > 0 {
ips = public.NATIPs
}
if public.IPsNATed {
ips = nil
}
m.SetAllowedHostnames(dns.StrictResolver{Pkg: "autotls"}, hostnames, ips, checkACMEHosts)
}
}
@ -629,6 +637,17 @@ func PrepareStaticConfig(ctx context.Context, configFile string, conf *Config, c
}
l.SMTP.DNSBLZones = append(l.SMTP.DNSBLZones, d)
}
if l.IPsNATed && len(l.NATIPs) > 0 {
addErrorf("listener %q has both IPsNATed and NATIPs (remove deprecated IPsNATed)", name)
}
for _, ipstr := range l.NATIPs {
ip := net.ParseIP(ipstr)
if ip == nil {
addErrorf("listener %q has invalid ip %q", name, ipstr)
} else if ip.IsUnspecified() || ip.IsLoopback() {
addErrorf("listener %q has NAT ip that is the unspecified or loopback address %s", name, ipstr)
}
}
checkPath := func(kind string, enabled bool, path string) {
if enabled && path != "" && !strings.HasPrefix(path, "/") {
addErrorf("listener %q has %s with path %q that must start with a slash", name, kind, path)