replace listener config option IPsNATed with NATIPs, and let autotls check NATIPs

NATIPs lists the public IPs, so we can still do the DNS checks on them. with IPsNATed, we disabled the checks. based on feedback by kikoreis in issue #52
2025-07-10 07:54:40 +03:00 · 2023-08-11 10:13:17 +02:00
parent d7df70acd8
commit 55d05c6bea
6 changed files with 82 additions and 19 deletions
--- a/mox-/config.go
+++ b/mox-/config.go
@ -272,7 +272,15 @@ func (c *Config) allowACMEHosts(checkACMEHosts bool) {
 			}
 		}

-		m.SetAllowedHostnames(dns.StrictResolver{Pkg: "autotls"}, hostnames, c.Static.Listeners["public"].IPs, checkACMEHosts)
+		public := c.Static.Listeners["public"]
+		ips := public.IPs
+		if len(public.NATIPs) > 0 {
+			ips = public.NATIPs
+		}
+		if public.IPsNATed {
+			ips = nil
+		}
+		m.SetAllowedHostnames(dns.StrictResolver{Pkg: "autotls"}, hostnames, ips, checkACMEHosts)
 	}
 }

@ -629,6 +637,17 @@ func PrepareStaticConfig(ctx context.Context, configFile string, conf *Config, c
 			}
 			l.SMTP.DNSBLZones = append(l.SMTP.DNSBLZones, d)
 		}
+		if l.IPsNATed && len(l.NATIPs) > 0 {
+			addErrorf("listener %q has both IPsNATed and NATIPs (remove deprecated IPsNATed)", name)
+		}
+		for _, ipstr := range l.NATIPs {
+			ip := net.ParseIP(ipstr)
+			if ip == nil {
+				addErrorf("listener %q has invalid ip %q", name, ipstr)
+			} else if ip.IsUnspecified() || ip.IsLoopback() {
+				addErrorf("listener %q has NAT ip that is the unspecified or loopback address %s", name, ipstr)
+			}
+		}
 		checkPath := func(kind string, enabled bool, path string) {
 			if enabled && path != "" && !strings.HasPrefix(path, "/") {
 				addErrorf("listener %q has %s with path %q that must start with a slash", name, kind, path)