add config option to disable tls client auth during tls handshakes

to work around clients, like the gmail smtp client, that tries to
authenticate with a webpki-issued certificate (which we don't know).

i tried specifying a list of accepted (subjects of) CA certs during the
tls handshake (with just 1 entry, with "xmox.nl" as common name), which
clients can use to influence their cert selection.  however, the gmail
smtp client ignores it, so not a solution for the issue where this was
raised. also, specifying a list of accepted certs could cause other
clients to not send their client cert anymore, breaking existing setups.

i also considered only asking for tls client auth when at least one
account has a tls pubkey configured. but decided against it since any
account can add one on their own (without system admin interaction),
changing behaviour of the system and potentially breaking existing
submission/tls configs.

we now also print the "subject" and "issuer" of certs when tls client
auth fails, should be useful for future debugging.

for issue #359

.github/workflows/build-test.yml

@@ -12,6 +12,13 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
+      # Trigger rebuilding frontends, should be the same as committed.
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 16
+          cache: 'npm'
+      - run: 'touch */*.ts'
+
       - uses: actions/setup-go@v4
         with:
           go-version: ${{ matrix.go-version }}
@@ -20,18 +27,11 @@ jobs:
       # Need to run tests with a temp dir on same file system for os.Rename to succeed.
       - run: 'mkdir -p tmp && TMPDIR=$PWD/tmp make test'
 
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
+          name: coverage-${{ matrix.go-version }}
           path: cover.html
 
-      # Rebuild webmail frontend code, should be the same as committed.
-      - uses: actions/setup-node@v3
-        with:
-          node-version: 16
-          cache: 'npm'
-      - run: npm ci
-      - run: 'touch webmail/*.ts && make frontend'
-
       # Format code, we check below if nothing changed.
       - run: 'make fmt'
 

.gitignore

@@ -1,10 +1,11 @@
 /mox
 /mox.exe
 /rfc/[0-9][0-9]*
+/rfc/xr/
 /local/
 /testdata/check/
 /testdata/*/data/
-/testdata/ctl/dkim/
+/testdata/ctl/config/dkim/
 /testdata/empty/
 /testdata/exportmaildir/
 /testdata/exportmbox/
@@ -24,3 +25,4 @@
 /node_modules/
 /upgrade*-verifydata.*.pprof
 /upgrade*-openaccounts.*.pprof
+/website/html/

Makefile

@@ -1,106 +1,160 @@
 default: build
 
-build:
+build: build0 frontend build1
+
+build0:
 	# build early to catch syntax errors
 	CGO_ENABLED=0 go build
 	CGO_ENABLED=0 go vet ./...
-	CGO_ENABLED=0 go vet -tags integration
 	./gendoc.sh
-	(cd webadmin && CGO_ENABLED=0 go run ../vendor/github.com/mjl-/sherpadoc/cmd/sherpadoc/*.go -adjust-function-names none Admin) >webadmin/adminapi.json
-	(cd webaccount && CGO_ENABLED=0 go run ../vendor/github.com/mjl-/sherpadoc/cmd/sherpadoc/*.go -adjust-function-names none Account) >webaccount/accountapi.json
-	(cd webmail && CGO_ENABLED=0 go run ../vendor/github.com/mjl-/sherpadoc/cmd/sherpadoc/*.go -adjust-function-names none Webmail) >webmail/api.json
-	go run vendor/github.com/mjl-/sherpats/cmd/sherpats/main.go -bytes-to-string -slices-nullable -maps-nullable -nullable-optional -namespace api api <webmail/api.json >webmail/api.ts
-	# build again, api json files above are embedded
+	./genapidoc.sh
+	./gents.sh webadmin/api.json webadmin/api.ts
+	./gents.sh webaccount/api.json webaccount/api.ts
+	./gents.sh webmail/api.json webmail/api.ts
+
+build1:
+	# build again, api json files above are embedded and new frontend code generated
 	CGO_ENABLED=0 go build
 
+install: build0 frontend
+	CGO_ENABLED=0 go install
+
+race: build0
+	go build -race
+
 test:
-	CGO_ENABLED=0 go test -shuffle=on -coverprofile cover.out ./...
+	CGO_ENABLED=0 go test -fullpath -shuffle=on -coverprofile cover.out ./...
 	go tool cover -html=cover.out -o cover.html
 
 test-race:
-	CGO_ENABLED=1 go test -race -shuffle=on -covermode atomic -coverprofile cover.out ./...
+	CGO_ENABLED=1 go test -fullpath -race -shuffle=on -covermode atomic -coverprofile cover.out ./...
 	go tool cover -html=cover.out -o cover.html
 
+test-more:
+	TZ= CGO_ENABLED=0 go test -fullpath -shuffle=on -count 2 ./...
+
 # note: if testdata/upgradetest.mbox.gz exists, its messages will be imported
 # during tests. helpful for performance/resource consumption tests.
-test-upgrade:
+test-upgrade: build
 	nice ./test-upgrade.sh
 
+# needed for "check" target
+install-staticcheck:
+	CGO_ENABLED=0 go install honnef.co/go/tools/cmd/staticcheck@latest
+
+install-ineffassign:
+	CGO_ENABLED=0 go install github.com/gordonklaus/ineffassign@v0.1.0
+
 check:
-	staticcheck ./...
-	staticcheck -tags integration
+	CGO_ENABLED=0 go vet -tags integration
+	CGO_ENABLED=0 go vet -tags website website/website.go
+	CGO_ENABLED=0 go vet -tags link rfc/link.go
+	CGO_ENABLED=0 go vet -tags errata rfc/errata.go
+	CGO_ENABLED=0 go vet -tags xr rfc/xr.go
 	GOARCH=386 CGO_ENABLED=0 go vet ./...
+	CGO_ENABLED=0 ineffassign ./...
+	CGO_ENABLED=0 staticcheck ./...
+	CGO_ENABLED=0 staticcheck -tags integration
+	CGO_ENABLED=0 staticcheck -tags website website/website.go
+	CGO_ENABLED=0 staticcheck -tags link rfc/link.go
+	CGO_ENABLED=0 staticcheck -tags errata rfc/errata.go
+	CGO_ENABLED=0 staticcheck -tags xr rfc/xr.go
+
+# needed for check-shadow
+install-shadow:
+	CGO_ENABLED=0 go install golang.org/x/tools/go/analysis/passes/shadow/cmd/shadow@latest
 
 # having "err" shadowed is common, best to not have others
 check-shadow:
-	go vet -vettool=$$(which shadow) ./... 2>&1 | grep -v '"err"'
+	CGO_ENABLED=0 go vet -vettool=$$(which shadow) ./... 2>&1 | grep -v '"err"'
+	CGO_ENABLED=0 go vet -tags integration -vettool=$$(which shadow) 2>&1 | grep -v '"err"'
+	CGO_ENABLED=0 go vet -tags website -vettool=$$(which shadow) website/website.go 2>&1 | grep -v '"err"'
+	CGO_ENABLED=0 go vet -tags link -vettool=$$(which shadow) rfc/link.go 2>&1 | grep -v '"err"'
+	CGO_ENABLED=0 go vet -tags errata -vettool=$$(which shadow) rfc/errata.go 2>&1 | grep -v '"err"'
+	CGO_ENABLED=0 go vet -tags xr -vettool=$$(which shadow) rfc/xr.go 2>&1 | grep -v '"err"'
 
 fuzz:
-	go test -fuzz FuzzParseSignature -fuzztime 5m ./dkim
-	go test -fuzz FuzzParseRecord -fuzztime 5m ./dkim
-	go test -fuzz . -fuzztime 5m ./dmarc
-	go test -fuzz . -fuzztime 5m ./dmarcrpt
-	go test -fuzz . -parallel 1 -fuzztime 5m ./imapserver
-	go test -fuzz . -parallel 1 -fuzztime 5m ./junk
-	go test -fuzz FuzzParseRecord -fuzztime 5m ./mtasts
-	go test -fuzz FuzzParsePolicy -fuzztime 5m ./mtasts
-	go test -fuzz . -parallel 1 -fuzztime 5m ./smtpserver
-	go test -fuzz . -fuzztime 5m ./spf
-	go test -fuzz FuzzParseRecord -fuzztime 5m ./tlsrpt
-	go test -fuzz FuzzParseMessage -fuzztime 5m ./tlsrpt
+	go test -fullpath -fuzz FuzzParseSignature -fuzztime 5m ./dkim
+	go test -fullpath -fuzz FuzzParseRecord -fuzztime 5m ./dkim
+	go test -fullpath -fuzz . -fuzztime 5m ./dmarc
+	go test -fullpath -fuzz . -fuzztime 5m ./dmarcrpt
+	go test -fullpath -fuzz . -parallel 1 -fuzztime 5m ./imapserver
+	go test -fullpath -fuzz . -fuzztime 5m ./imapclient
+	go test -fullpath -fuzz . -parallel 1 -fuzztime 5m ./junk
+	go test -fullpath -fuzz FuzzParseRecord -fuzztime 5m ./mtasts
+	go test -fullpath -fuzz FuzzParsePolicy -fuzztime 5m ./mtasts
+	go test -fullpath -fuzz . -fuzztime 5m ./smtp
+	go test -fullpath -fuzz . -parallel 1 -fuzztime 5m ./smtpserver
+	go test -fullpath -fuzz . -fuzztime 5m ./spf
+	go test -fullpath -fuzz FuzzParseRecord -fuzztime 5m ./tlsrpt
+	go test -fullpath -fuzz FuzzParseMessage -fuzztime 5m ./tlsrpt
 
+govendor:
+	go mod tidy
+	go mod vendor
+	./genlicenses.sh
 
 test-integration:
+	-docker compose -f docker-compose-integration.yml kill
+	-docker compose -f docker-compose-integration.yml down
 	docker image build --pull --no-cache -f Dockerfile -t mox_integration_moxmail .
 	docker image build --pull --no-cache -f testdata/integration/Dockerfile.test -t mox_integration_test testdata/integration
 	-rm -rf testdata/integration/moxacmepebble/data
 	-rm -rf testdata/integration/moxmail2/data
 	-rm -f testdata/integration/tmp-pebble-ca.pem
-	MOX_UID=$$(id -u) docker-compose -f docker-compose-integration.yml run test
-	docker-compose -f docker-compose-integration.yml down --timeout 1
+	MOX_UID=$$(id -u) docker compose -f docker-compose-integration.yml run test
+	docker compose -f docker-compose-integration.yml kill
 
 
 imaptest-build:
-	-docker-compose -f docker-compose-imaptest.yml build --no-cache --pull mox
+	-docker compose -f docker-compose-imaptest.yml build --no-cache --pull mox
 
 imaptest-run:
 	-rm -r testdata/imaptest/data
 	mkdir testdata/imaptest/data
-	docker-compose -f docker-compose-imaptest.yml run --entrypoint /usr/local/bin/imaptest imaptest host=mox port=1143 user=mjl@mox.example pass=testtest mbox=imaptest.mbox
-	docker-compose -f docker-compose-imaptest.yml down
+	docker compose -f docker-compose-imaptest.yml run --entrypoint /usr/local/bin/imaptest imaptest host=mox port=1143 user=mjl@mox.example pass=testtest mbox=imaptest.mbox
+	docker compose -f docker-compose-imaptest.yml down
 
 
 fmt:
 	go fmt ./...
 	gofmt -w -s *.go */*.go
 
-jswatch:
-	bash -c 'while true; do inotifywait -q -e close_write webadmin/*.html webaccount/*.html webmail/*.ts; make frontend; done'
+tswatch:
+	bash -c 'while true; do inotifywait -q -e close_write *.ts webadmin/*.ts webaccount/*.ts webmail/*.ts; make frontend; done'
 
-jsinstall:
+node_modules/.bin/tsc:
 	-mkdir -p node_modules/.bin
-	npm ci
+	npm ci --ignore-scripts
 
-jsinstall0:
+install-js: node_modules/.bin/tsc
+
+install-js0:
 	-mkdir -p node_modules/.bin
-	npm install --save-dev --save-exact jshint@2.13.6 typescript@5.1.6
+	npm install --ignore-scripts --save-dev --save-exact typescript@5.1.6
 
-webmail/webmail.js: webmail/api.ts webmail/lib.ts webmail/webmail.ts
-	./tsc.sh $@ $^
+webmail/webmail.js: lib.ts webmail/api.ts webmail/lib.ts webmail/webmail.ts
+	./tsc.sh $@ lib.ts webmail/api.ts webmail/lib.ts webmail/webmail.ts
 
-webmail/msg.js: webmail/api.ts webmail/lib.ts webmail/msg.ts
-	./tsc.sh $@ $^
+webmail/msg.js: lib.ts webmail/api.ts webmail/lib.ts webmail/msg.ts
+	./tsc.sh $@ lib.ts webmail/api.ts webmail/lib.ts webmail/msg.ts
 
-webmail/text.js: webmail/api.ts webmail/lib.ts webmail/text.ts
-	./tsc.sh $@ $^
+webmail/text.js: lib.ts webmail/api.ts webmail/lib.ts webmail/text.ts
+	./tsc.sh $@ lib.ts webmail/api.ts webmail/lib.ts webmail/text.ts
 
-webadmin/admin.htmlx:
-	./node_modules/.bin/jshint --extract always webadmin/admin.html | ./fixjshintlines.sh
+webadmin/admin.js: lib.ts webadmin/api.ts webadmin/admin.ts
+	./tsc.sh $@ lib.ts webadmin/api.ts webadmin/admin.ts
 
-webaccount/account.htmlx:
-	./node_modules/.bin/jshint --extract always webaccount/account.html | ./fixjshintlines.sh
+webaccount/account.js: lib.ts webaccount/api.ts webaccount/account.ts
+	./tsc.sh $@ lib.ts webaccount/api.ts webaccount/account.ts
 
-frontend: webadmin/admin.htmlx webaccount/account.htmlx webmail/webmail.js webmail/msg.js webmail/text.js
+frontend: node_modules/.bin/tsc webadmin/admin.js webaccount/account.js webmail/webmail.js webmail/msg.js webmail/text.js
+
+install-apidiff:
+	CGO_ENABLED=0 go install golang.org/x/exp/cmd/apidiff@v0.0.0-20231206192017-f3f8817b8deb
+
+genapidiff:
+	./apidiff.sh
 
 docker:
 	docker build -t mox:dev .
@@ -108,18 +162,21 @@ docker:
 docker-release:
 	./docker-release.sh
 
+genwebsite:
+	./genwebsite.sh
+
 buildall:
-	GOOS=linux GOARCH=arm go build
-	GOOS=linux GOARCH=arm64 go build
-	GOOS=linux GOARCH=amd64 go build
-	GOOS=linux GOARCH=386 go build
-	GOOS=openbsd GOARCH=amd64 go build
-	GOOS=freebsd GOARCH=amd64 go build
-	GOOS=netbsd GOARCH=amd64 go build
-	GOOS=darwin GOARCH=amd64 go build
-	GOOS=dragonfly GOARCH=amd64 go build
-	GOOS=illumos GOARCH=amd64 go build
-	GOOS=solaris GOARCH=amd64 go build
-	GOOS=aix GOARCH=ppc64 go build
-	GOOS=windows GOARCH=amd64 go build
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm go build
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build
+	CGO_ENABLED=0 GOOS=linux GOARCH=386 go build
+	CGO_ENABLED=0 GOOS=openbsd GOARCH=amd64 go build
+	CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build
+	CGO_ENABLED=0 GOOS=netbsd GOARCH=amd64 go build
+	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build
+	CGO_ENABLED=0 GOOS=dragonfly GOARCH=amd64 go build
+	CGO_ENABLED=0 GOOS=illumos GOARCH=amd64 go build
+	CGO_ENABLED=0 GOOS=solaris GOARCH=amd64 go build
+	CGO_ENABLED=0 GOOS=aix GOARCH=ppc64 go build
+	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build
 	# no plan9 for now

README.md

@@ -1,5 +1,7 @@
 Mox is a modern full-featured open source secure mail server for low-maintenance self-hosted email.
 
+For more details, see the mox website, https://www.xmox.nl.
+
 See Quickstart below to get started.
 
 ## Features
@@ -17,23 +19,26 @@ See Quickstart below to get started.
   (similar to greylisting). Rejected emails are stored in a mailbox called Rejects
   for a short period, helping with misclassified legitimate synchronous
   signup/login/transactional emails.
-- Internationalized email, with unicode in email address usernames
+- Internationalized email (EIA), with unicode in email address usernames
   ("localparts"), and in domain names (IDNA).
 - Automatic TLS with ACME, for use with Let's Encrypt and other CA's.
 - DANE and MTA-STS for inbound and outbound delivery over SMTP with STARTTLS,
   including REQUIRETLS and with incoming/outgoing TLSRPT reporting.
-- Web admin interface that helps you set up your domains and accounts
-  (instructions to create DNS records, configure
-  SPF/DKIM/DMARC/TLSRPT/MTA-STS), for status information, managing
-  accounts/domains, and modifying the configuration file.
+- Web admin interface that helps you set up your domains, accounts and list
+  aliases (instructions to create DNS records, configure
+  SPF/DKIM/DMARC/TLSRPT/MTA-STS), for status information, and modifying the
+  configuration file.
 - Account autodiscovery (with SRV records, Microsoft-style, Thunderbird-style,
   and Apple device management profiles) for easy account setup (though client
   support is limited).
 - Webserver with serving static files and forwarding requests (reverse
   proxy), so port 443 can also be used to serve websites.
+- Simple HTTP/JSON API for sending transaction email and receiving delivery
+  events and incoming messages (webapi and webhooks).
 - Prometheus metrics and structured logging for operational insight.
 - "mox localserve" subcommand for running mox locally for email-related
   testing/developing, including pedantic mode.
+- Most non-server Go packages mox consists of are written to be reusable.
 
 Mox is available under the MIT-license and was created by Mechiel Lukkien,
 mechiel@ueber.net. Mox includes BSD-3-claused code from the Go Authors, and the
@@ -47,12 +52,12 @@ proton.me.
 
 The code is heavily cross-referenced with the RFCs for readability/maintainability.
 
-
 # Quickstart
 
 The easiest way to get started with serving email for your domain is to get a
-(virtual) machine dedicated to serving email, name it [host].[domain] (e.g.
-mail.example.com), login as root, and run:
+(virtual) machine dedicated to serving email, name it `[host].[domain]` (e.g.
+mail.example.com). Having a DNSSEC-verifying resolver installed, such as
+unbound, is highly recommended. Run as root:
 
 	# Create mox user and homedir (or pick another name or homedir):
 	useradd -m -d /home/mox mox
@@ -63,100 +68,122 @@ mail.example.com), login as root, and run:
 	# Generate config files for your address/domain:
 	./mox quickstart you@example.com
 
-The quickstart creates configuration files for the domain and account,
-generates an admin and account password, prints the DNS records you need to add
-and prints commands to start mox and optionally install mox as a service.
+The quickstart:
+
+- Creates configuration files mox.conf and domains.conf.
+- Adds the domain and an account for the email address to domains.conf
+- Generates an admin and account password.
+- Prints the DNS records you need to add, for the machine and domain.
+- Prints commands to start mox, and optionally install mox as a service.
 
 A machine that doesn't already run a webserver is highly recommended because
-modern email requires HTTPS, and mox currently needs it for automatic TLS.  You
-could combine mox with an existing webserver, but it requires a lot more
-configuration. If you want to serve websites on the same machine, consider using
-the webserver built into mox. It's pretty good! If you want to run an existing
-webserver on port 443/80, see "mox help quickstart".
+modern email requires HTTPS, and mox currently needs to run a webserver for
+automatic TLS with ACME.  You could combine mox with an existing webserver, but
+it requires a lot more configuration. If you want to serve websites on the same
+machine, consider using the webserver built into mox. It's pretty good! If you
+want to run an existing webserver on port 443/80, see `mox help quickstart`.
 
 After starting, you can access the admin web interface on internal IPs.
 
 # Download
 
-You can easily (cross) compile mox if you have a recent Go toolchain installed
-(see "go version", it must be >= 1.20; otherwise, see https://go.dev/dl/ or
-https://go.dev/doc/manage-install and $HOME/go/bin):
+Download a mox binary from
+https://beta.gobuilds.org/github.com/mjl-/mox@latest/linux-amd64-latest/.
+
+Symlink or rename it to "mox".
+
+The URL above always resolves to the latest release for linux/amd64 built with
+the latest Go toolchain.  See the links at the bottom of that page for binaries
+for other platforms.
+
+# Compiling
+
+You can easily (cross) compile mox yourself. You need a recent Go toolchain
+installed.  Run `go version`, it must be >= 1.23. Download the latest version
+from https://go.dev/dl/ or see https://go.dev/doc/manage-install.
+
+To download the source code of the latest release, and compile it to binary "mox":
 
 	GOBIN=$PWD CGO_ENABLED=0 go install github.com/mjl-/mox@latest
 
-Or you can download a binary built with the latest Go toolchain from
-https://beta.gobuilds.org/github.com/mjl-/mox@latest/linux-amd64-latest/, and
-symlink or rename it to "mox".
-
-Verify you have a working mox binary:
-
-	./mox version
-
 Mox only compiles for and fully works on unix systems. Mox also compiles for
 Windows, but "mox serve" does not yet work, though "mox localserve" (for a
 local test instance) and most other subcommands do. Mox does not compile for
 Plan 9.
 
-You can also run mox with docker image `r.xmox.nl/mox`, with tags like `v0.0.1`
-and `v0.0.1-go1.20.1-alpine3.17.2`, see https://r.xmox.nl/r/mox/. Though new
-docker images aren't (automatically) generated for new Go runtime/compile
-releases. See docker-compose.yml in this repository for instructions on
-starting. It is important to run with docker host networking, so mox can use
-the public IPs and has correct remote IP information for incoming connections
-(important for junk filtering and rate-limiting). Given these caveats, it's
-recommended to run mox without docker.
+# Docker
 
-# Future/development
+Although not recommended, you can also run mox with docker image
+`r.xmox.nl/mox`, with tags like `v0.0.1` and `v0.0.1-go1.20.1-alpine3.17.2`, see
+https://r.xmox.nl/r/mox/.  See
+https://github.com/mjl-/mox/blob/main/docker-compose.yml to get started.
 
-Mox will receive funding for essentially full-time continued work from August
-2023 to August 2024 through NLnet/EU's NGI0 Entrust, see
-https://nlnet.nl/project/Mox/.
+New docker images aren't (automatically) generated for new Go runtime/compile
+releases.
 
-## Roadmap
+It is important to run with docker host networking, so mox can use the public
+IPs and has correct remote IP information for incoming connections (important
+for junk filtering and rate-limiting).
 
-- Authentication other than HTTP-basic for webmail/webadmin/webaccount
-- Per-domain webmail and IMAP/SMTP host name (and TLS cert) and client settings
-- Make mox Go packages more easily reusable, each pulling in fewer (internal)
-  dependencies
-- HTTP-based API for sending messages and receiving delivery feedback
+# Development
+
+See develop.txt for instructions/tips for developing on mox.
+
+# Sponsors
+
+Thanks to NLnet foundation, the European Commission's NGI programme, and the
+Netherlands Ministry of the Interior and Kingdom Relations for financial
+support:
+
+- 2024/2025, NLnet NGI0 Zero Core, https://nlnet.nl/project/Mox-Automation/
+- 2024, NLnet e-Commons Fund, https://nlnet.nl/project/Mox-API/
+- 2023/2024, NLnet NGI0 Entrust, https://nlnet.nl/project/Mox/
+
+# Roadmap
+
+- "mox setup" command, using admin web interface for interactive setup
+- Automate DNS management, for setup and maintenance, such as DANE/DKIM key rotation
+- Config options for "transactional email domains", for which mox will only
+  send messages
+- Encrypted storage of files (email messages, TLS keys), also with per account keys
+- Recognize common deliverability issues and help postmasters solve them
+- JMAP, IMAP OBJECTID extension, IMAP JMAPACCESS extension
 - Calendaring with CalDAV/iCal
-- More IMAP extensions (PREVIEW, WITHIN, IMPORTANT, COMPRESS=DEFLATE,
-  CREATE-SPECIAL-USE, SAVEDATE, UNAUTHENTICATE, REPLACE, QUOTA, NOTIFY,
-  MULTIAPPEND, OBJECTID, MULTISEARCH)
-- ARC, with forwarded email from trusted source
-- Forwarding (to an external address)
+- Introbox, to which first-time senders are delivered
 - Add special IMAP mailbox ("Queue?") that contains queued but
-  not-yet-delivered messages, updated with IMAP flags/keywords/tags.
-- Sieve for filtering (for now see Rulesets in the account config)
-- Expose threading through IMAP extension
+  undelivered messages, updated with IMAP flags/keywords/tags and message headers.
+- External addresses in aliases/lists.
 - Autoresponder (out of office/vacation)
-- OAUTH2 support, for single sign on
-- Privilege separation, isolating parts of the application to more restricted
-  sandbox (e.g. new unauthenticated connections)
-- Using mox as backup MX
-- JMAP
-- Milter support, for integration with external tools
+- Mailing list manager
 - IMAP extensions for "online"/non-syncing/webmail clients (SORT (including
   DISPLAYFROM, DISPLAYTO), THREAD, PARTIAL, CONTEXT=SEARCH CONTEXT=SORT ESORT,
   FILTERS)
-- IMAP Sieve extension, to run Sieve scripts after message changes (not only
-  new deliveries)
+- IMAP ACL support, for account sharing (interacts with many extensions and code)
 - Improve support for mobile clients with extensions: IMAP URLAUTH, SMTP
   CHUNKING and BINARYMIME, IMAP CATENATE
+- Privilege separation, isolating parts of the application to more restricted
+  sandbox (e.g. new unauthenticated connections)
+- Using mox as backup MX
+- Sieve for filtering (for now see Rulesets in the account config)
+- ARC, with forwarded email from trusted source
+- Milter support, for integration with external tools
+- SMTP DSN extension
+- IMAP Sieve extension, to run Sieve scripts after message changes (not only
+  new deliveries)
+- OAUTH2 support, for single sign on
+- Forwarding (to an external address)
 
 There are many smaller improvements to make as well, search for "todo" in the code.
 
 ## Not supported/planned
 
-But perhaps in the future...
+There is currently no plan to implement the following. Though this may
+change in the future.
 
-- Mailing list manager
-- Functioning as SMTP relay
+- Functioning as an SMTP relay without authentication
 - POP3
-- Delivery to (unix) OS system users
+- Delivery to (unix) OS system users (mbox/Maildir)
 - Support for pluggable delivery mechanisms
-- iOS Mail push notifications (with XAPPLEPUSHSERVICE undocumented imap
-  extension and hard to get APNS certificate)
 
 
 # FAQ - Frequently Asked Questions
@@ -175,11 +202,15 @@ make that easy.
 
 ## Where is the documentation?
 
-See all commands and help output at https://pkg.go.dev/github.com/mjl-/mox/.
+To keep mox as a project maintainable, documentation is integrated into, and
+generated from the code.
 
-See the commented example config files at
-https://pkg.go.dev/github.com/mjl-/mox/config/. They often contain enough
-documentation about a feature and how to configure it.
+A list of mox commands, and their help output, are at
+https://www.xmox.nl/commands/.
+
+Mox is configured through configuration files, and each field comes with
+documentation. See https://www.xmox.nl/config/ for config files containing all
+fields and their documentation.
 
 You can get the same information by running "mox" without arguments to list its
 subcommands and usage, and "mox help [subcommand]" for more details.
@@ -187,9 +218,44 @@ subcommands and usage, and "mox help [subcommand]" for more details.
 The example config files are printed by "mox config describe-static" and "mox
 config describe-dynamic".
 
-Mox is still in early stages, and documentation is still limited. Please create
-an issue describing what is unclear or confusing, and we'll try to improve the
-documentation.
+If you're missing some documentation, please create an issue describing what is
+unclear or confusing, and we'll try to improve the documentation.
+
+## Is Mox affected by SMTP smuggling?
+
+Mox itself is not affected: it only treats "\r\n.\r\n" as SMTP end-of-message.
+But read on for caveats.
+
+SMTP smuggling exploits differences in handling by SMTP servers of: carriage
+returns (CR, or "\r"), newlines (line feeds, LF, "\n") in the context of "dot
+stuffing".  SMTP is a text-based protocol. An SMTP transaction to send a
+message is finalized with a "\r\n.\r\n" sequence. This sequence could occur in
+the message being transferred, so any verbatim "." at the start of a line in a
+message is "escaped" with another dot ("dot stuffing"), to not trigger the SMTP
+end-of-message. SMTP smuggling takes advantage of bugs in some mail servers
+that interpret other sequences than "\r\n.\r\n" as SMTP end-of-message. For
+example "\n.\n" or even "\r.\r", and perhaps even other magic character
+combinations.
+
+Before v0.0.9, mox accepted SMTP transactions with bare carriage returns
+(without newline) for compatibility with real-world email messages, considering
+them meaningless and therefore innocuous.
+
+Since v0.0.9, SMTP transactions with bare carriage returns are rejected.
+Sending messages with bare carriage returns to buggy mail servers can cause
+those mail servers to materialize non-existent messages. Now that mox rejects
+messages with bare carriage returns, sending a message through mox can no
+longer be used to trigger those bugs.
+
+Mox can still handle bare carriage returns in email messages, e.g. those
+imported from mbox files or Maildirs, or from messages added over IMAP. Mox
+still fixes up messages with bare newlines by adding the missing carriage
+returns.
+
+Before v0.0.9, an SMTP transaction for a message containing "\n.\n" would
+result in a non-specific error message, and "\r\n.\n" would result in the dot
+being dropped. Since v0.0.9, these sequences are rejected with a message
+mentioning SMTP smuggling.
 
 ## How do I import/export email?
 
@@ -229,23 +295,24 @@ MIT license (like mox), and have the rights to do so.
 
 ## Where can I discuss mox?
 
-Join #mox on irc.oftc.net, or #mox on the "Gopher slack".
+Join #mox on irc.oftc.net, or #mox:matrix.org (https://matrix.to/#/#mox:matrix.org),
+or #mox on the "Gopher slack".
 
 For bug reports, please file an issue at https://github.com/mjl-/mox/issues/new.
 
 ## How do I change my password?
 
 Regular users (doing IMAP/SMTP with authentication) can change their password
-at the account page, e.g. http://localhost/. Or you can set a password with "mox
+at the account page, e.g. `http://localhost/`. Or you can set a password with "mox
 setaccountpassword".
 
 The admin can change the password of any account through the admin page, at
-http://localhost/admin/ by default (leave username empty when logging in).
+`http://localhost/admin/` by default (leave username empty when logging in).
 
 The account and admin pages are served on localhost for configs created with
 the quickstart.  To access these from your browser, run
 `ssh -L 8080:localhost:80 you@yourmachine` locally and open
-http://localhost:8080/[...].
+`http://localhost:8080/[...]`.
 
 The admin password can be changed with "mox setadminpassword".
 
@@ -287,15 +354,18 @@ in place and restart. If manual actions are required, the release notes mention
 them. Check the release notes of all version between your current installation
 and the release you're upgrading to.
 
-Before upgrading, make a backup of the data directory with `mox backup
-<destdir>`. This writes consistent snapshots of the database files, and
-duplicates message files from the outgoing queue and accounts.  Using the new
-mox binary, run `mox verifydata <backupdir>` (do NOT use the "live" data
-directory!) for a dry run. If this fails, an upgrade will probably fail too.
-Important: verifydata with the new mox binary can modify the database files (due
-to automatic schema upgrades). So make a fresh backup again before the actual
-upgrade. See the help output of the "backup" and "verifydata" commands for more
-details.
+Before upgrading, make a backup of the config & data directory with `mox backup
+<destdir>`. This copies all files from the config directory to
+`<destdir>/config`, and creates `<destdir>/data` with a consistent snapshots of
+the database files, and message files from the outgoing queue and accounts.
+Using the new mox binary, run `mox verifydata <destdir>/data` (do NOT use the
+"live" data directory!) for a dry run. If this fails, an upgrade will probably
+fail too.
+
+Important: verifydata with the new mox binary can modify the database files
+(due to automatic schema upgrades). So make a fresh backup again before the
+actual upgrade. See the help output of the "backup" and "verifydata" commands
+for more details.
 
 During backup, message files are hardlinked if possible, and copied otherwise.
 Using a destination directory like `data/tmp/backup` increases the odds
@@ -335,19 +405,6 @@ should account for the size of the email messages (no compression currently),
 an additional 15% overhead for the meta data, and add some more headroom.
 Expand as necessary.
 
-## Can I see some screenshots?
-
-Yes, see https://www.xmox.nl/screenshots/.
-
-Mox has a webmail for reading/writing messages.
-
-Mox also has an "account" web interface where users can view their account and
-manage their address configuration, such as rules for automatically delivering
-certain incoming messages to a specific mailbox.
-
-And mox has an "admin" web interface where the administrator can make changes,
-e.g. add/remove/modify domains/accounts/addresses.
-
 ## Won't the big email providers block my email?
 
 It is a common misconception that it is impossible to run your own email server
@@ -377,12 +434,50 @@ to determine if your email message could be spam and should be rejected. Mox
 helps you set up a system that doesn't trigger most of the technical signals
 (e.g. with SPF/DKIM/DMARC). But there are more signals, for example: Sending to
 a mail server or address for the first time. Sending from a newly registered
-domain. Sending messages with content that resembles known spam messages.
+domain (especially if you're sending automated messages, and if you send more
+messages after previous messages were rejected), domains that existed for a few
+weeks to a month are treated more friendly. Sending messages with content that
+resembles known spam messages.
 
 Should your email be rejected, you will typically get an error message during
 the SMTP transaction that explains why. In the case of big email providers the
-error message often has instructions on how to prove to them you are a legimate
-sender.
+error message often has instructions on how to prove to them you are a
+legitimate sender.
+
+## Can mox deliver through a smarthost?
+
+Yes, you can configure a "Transport" in mox.conf and configure "Routes" in
+domains.conf to send some or all messages through the transport. A transport
+can be an SMTP relay or authenticated submission, or making mox make outgoing
+connections through a SOCKS proxy.
+
+For an example, see https://www.xmox.nl/config/#hdr-example-transport. For
+details about Transports and Routes, see
+https://www.xmox.nl/config/#cfg-mox-conf-Transports and
+https://www.xmox.nl/config/#cfg-domains-conf-Routes.
+
+Remember to add the IP addresses of the transport to the SPF records of your
+domains. Keep in mind some 3rd party submission servers may mishandle your
+messages, for example by replacing your Message-Id header and thereby
+invalidating your DKIM-signatures, or rejecting messages with more than one
+DKIM-signature.
+
+## Can I use mox to send transactional email?
+
+Yes. While you can use SMTP submission to send messages you've composed
+yourself, and monitor a mailbox for DSNs, a more convenient option is to use
+the mox HTTP/JSON-based webapi and webhooks.
+
+The mox webapi can be used to send outgoing messages that mox composes. The web
+api can also be used to deal with messages stored in an account, like changing
+message flags, retrieving messages in parsed form or individual parts of
+multipart messages, or moving messages to another mailbox or deleting messages
+altogether.
+
+Mox webhooks can be used to receive updates about incoming and outgoing
+deliveries. Mox can automatically manage per account suppression lists.
+
+See https://www.xmox.nl/features/#hdr-webapi-and-webhooks for details.
 
 ## Can I use existing TLS certificates/keys?
 
@@ -390,19 +485,68 @@ Yes. The quickstart command creates a config that uses ACME with Let's Encrypt,
 but you can change the config file to use existing certificate and key files.
 
 You'll see "ACME: letsencrypt" in the "TLS" section of the "public" Listener.
-Remove or comment out the ACME-line, and add a "KeyCerts" section like in the
-example config file in
-https://pkg.go.dev/github.com/mjl-/mox/config#hdr-mox_conf. You can have
-multiple certificates and keys: The line with the "-" (dash) is the start of a
-list item. Duplicate that line up to and including the line with KeyFile for
-each certificate/key you have. Mox makes a TLS config that holds all specified
-certificates/keys, and uses it for all services for that Listener (including a
-webserver), choosing the correct certificate for incoming requests.
+Remove or comment out the ACME-line, and add a "KeyCerts" section, see
+https://www.xmox.nl/config/#cfg-mox-conf-Listeners-x-TLS-KeyCerts
+
+You can have multiple certificates and keys: The line with the "-" (dash) is
+the start of a list item. Duplicate that line up to and including the line with
+KeyFile for each certificate/key you have. Mox makes a TLS config that holds
+all specified certificates/keys, and uses it for all services for that Listener
+(including a webserver), choosing the correct certificate for incoming
+requests.
 
 Keep in mind that for each email domain you host, you will need a certificate
-for `mta-sts.<domain>` and `autoconfig.<domain>`, unless you disable MTA-STS
-and autoconfig for that domain.
+for `mta-sts.<domain>`, `autoconfig.<domain>` and `mail.<domain>`, unless you
+disable MTA-STS, autoconfig and the client-settings-domain for that domain.
 
 Mox opens the key and certificate files during initial startup, as root (and
 passes file descriptors to the unprivileged process).  No special permissions
 are needed on the key and certificate files.
+
+## Can I directly access mailboxes through the file system?
+
+No, mox only provides access to email through protocols like IMAP.
+
+While it can be convenient for users/email clients to access email through
+conventions like Maildir, providing such access puts quite a burden on the
+server: The server has to continuously watch for changes made to the mail store
+by external programs, and sync its internal state. By only providing access to
+emails through mox, the storage/state management is simpler and easier to
+implement reliably.
+
+Not providing direct file system access also allows future improvements in the
+storage mechanism. Such as encryption of all stored messages. Programs won't be
+able to access such messages directly.
+
+Mox stores metadata about delivered messages in its per-account message index
+database, more than fits in a simple (filename-based) format like Maildir. The
+IP address of the remote SMTP server during delivery, SPF/DKIM/DMARC domains
+and validation status, and more...
+
+For efficiency, mox doesn't prepend message headers generated during delivery
+(e.g. Authentication-Results) to the on-disk message file, but only stores it
+in the database. This prevents a rewrite of the entire message file. When
+reading a message, mox combines the prepended headers from the database with
+the message file.
+
+Mox user accounts have no relation to operating system user accounts. Multiple
+system users reading their email on a single machine is not very common
+anymore. All data (for all accounts) stored by mox is accessible only by the
+mox process.  Messages are currently stored as individual files in standard
+Internet Message Format (IMF), at `data/accounts/<account>/msg/<dir>/<msgid>`:
+`msgid` is a consecutive unique integer id assigned by the per-account message
+index database; `dir` groups 8k consecutive message ids into a directory,
+ensuring they don't become too large.  The message index database file for an
+account is at `data/accounts/<account>/index.db`, accessed with the bstore
+database library, which uses bbolt (formerly BoltDB) for storage, a
+transactional key/value library/file format inspired by LMDB.
+
+## How do I block IPs with authentication failures with fail2ban?
+
+Mox includes a rate limiter for IPs/networks that cause too many authentication
+failures. It automatically unblocks such IPs/networks after a while. So you may
+not need fail2ban. If you want to use fail2ban, you could use this snippet:
+
+	[Definition]
+	failregex = .*failed authentication attempt.*remote=<HOST>
+	ignoreregex =

admin/clientconfig.go

@@ -0,0 +1,175 @@
+package admin
+
+import (
+	"fmt"
+	"maps"
+	"slices"
+
+	"github.com/mjl-/mox/config"
+	"github.com/mjl-/mox/dns"
+	"github.com/mjl-/mox/mox-"
+)
+
+type TLSMode uint8
+
+const (
+	TLSModeImmediate TLSMode = 0
+	TLSModeSTARTTLS  TLSMode = 1
+	TLSModeNone      TLSMode = 2
+)
+
+type ProtocolConfig struct {
+	Host           dns.Domain
+	Port           int
+	TLSMode        TLSMode
+	EnabledOnHTTPS bool
+}
+
+type ClientConfig struct {
+	IMAP       ProtocolConfig
+	Submission ProtocolConfig
+}
+
+// ClientConfigDomain returns a single IMAP and Submission client configuration for
+// a domain.
+func ClientConfigDomain(d dns.Domain) (rconfig ClientConfig, rerr error) {
+	var haveIMAP, haveSubmission bool
+
+	domConf, ok := mox.Conf.Domain(d)
+	if !ok {
+		return ClientConfig{}, fmt.Errorf("%w: unknown domain", ErrRequest)
+	}
+
+	gather := func(l config.Listener) (done bool) {
+		host := mox.Conf.Static.HostnameDomain
+		if l.Hostname != "" {
+			host = l.HostnameDomain
+		}
+		if domConf.ClientSettingsDomain != "" {
+			host = domConf.ClientSettingsDNSDomain
+		}
+		if !haveIMAP && l.IMAPS.Enabled {
+			rconfig.IMAP.Host = host
+			rconfig.IMAP.Port = config.Port(l.IMAPS.Port, 993)
+			rconfig.IMAP.TLSMode = TLSModeImmediate
+			rconfig.IMAP.EnabledOnHTTPS = l.IMAPS.EnabledOnHTTPS
+			haveIMAP = true
+		}
+		if !haveIMAP && l.IMAP.Enabled {
+			rconfig.IMAP.Host = host
+			rconfig.IMAP.Port = config.Port(l.IMAP.Port, 143)
+			rconfig.IMAP.TLSMode = TLSModeSTARTTLS
+			if l.TLS == nil {
+				rconfig.IMAP.TLSMode = TLSModeNone
+			}
+			haveIMAP = true
+		}
+		if !haveSubmission && l.Submissions.Enabled {
+			rconfig.Submission.Host = host
+			rconfig.Submission.Port = config.Port(l.Submissions.Port, 465)
+			rconfig.Submission.TLSMode = TLSModeImmediate
+			rconfig.Submission.EnabledOnHTTPS = l.Submissions.EnabledOnHTTPS
+			haveSubmission = true
+		}
+		if !haveSubmission && l.Submission.Enabled {
+			rconfig.Submission.Host = host
+			rconfig.Submission.Port = config.Port(l.Submission.Port, 587)
+			rconfig.Submission.TLSMode = TLSModeSTARTTLS
+			if l.TLS == nil {
+				rconfig.Submission.TLSMode = TLSModeNone
+			}
+			haveSubmission = true
+		}
+		return haveIMAP && haveSubmission
+	}
+
+	// Look at the public listener first. Most likely the intended configuration.
+	if public, ok := mox.Conf.Static.Listeners["public"]; ok {
+		if gather(public) {
+			return
+		}
+	}
+	// Go through the other listeners in consistent order.
+	names := slices.Sorted(maps.Keys(mox.Conf.Static.Listeners))
+	for _, name := range names {
+		if gather(mox.Conf.Static.Listeners[name]) {
+			return
+		}
+	}
+	return ClientConfig{}, fmt.Errorf("%w: no listeners found for imap and/or submission", ErrRequest)
+}
+
+// ClientConfigs holds the client configuration for IMAP/Submission for a
+// domain.
+type ClientConfigs struct {
+	Entries []ClientConfigsEntry
+}
+
+type ClientConfigsEntry struct {
+	Protocol string
+	Host     dns.Domain
+	Port     int
+	Listener string
+	Note     string
+}
+
+// ClientConfigsDomain returns the client configs for IMAP/Submission for a
+// domain.
+func ClientConfigsDomain(d dns.Domain) (ClientConfigs, error) {
+	domConf, ok := mox.Conf.Domain(d)
+	if !ok {
+		return ClientConfigs{}, fmt.Errorf("%w: unknown domain", ErrRequest)
+	}
+
+	c := ClientConfigs{}
+	c.Entries = []ClientConfigsEntry{}
+	var listeners []string
+
+	for name := range mox.Conf.Static.Listeners {
+		listeners = append(listeners, name)
+	}
+	slices.Sort(listeners)
+
+	note := func(tls bool, requiretls bool) string {
+		if !tls {
+			return "plain text, no STARTTLS configured"
+		}
+		if requiretls {
+			return "STARTTLS required"
+		}
+		return "STARTTLS optional"
+	}
+
+	for _, name := range listeners {
+		l := mox.Conf.Static.Listeners[name]
+		host := mox.Conf.Static.HostnameDomain
+		if l.Hostname != "" {
+			host = l.HostnameDomain
+		}
+		if domConf.ClientSettingsDomain != "" {
+			host = domConf.ClientSettingsDNSDomain
+		}
+		if l.Submissions.Enabled {
+			note := "with TLS"
+			if l.Submissions.EnabledOnHTTPS {
+				note += "; also served on port 443 with TLS ALPN \"smtp\""
+			}
+			c.Entries = append(c.Entries, ClientConfigsEntry{"Submission (SMTP)", host, config.Port(l.Submissions.Port, 465), name, note})
+		}
+		if l.IMAPS.Enabled {
+			note := "with TLS"
+			if l.IMAPS.EnabledOnHTTPS {
+				note += "; also served on port 443 with TLS ALPN \"imap\""
+			}
+			c.Entries = append(c.Entries, ClientConfigsEntry{"IMAP", host, config.Port(l.IMAPS.Port, 993), name, note})
+		}
+		if l.Submission.Enabled {
+			c.Entries = append(c.Entries, ClientConfigsEntry{"Submission (SMTP)", host, config.Port(l.Submission.Port, 587), name, note(l.TLS != nil, !l.Submission.NoRequireSTARTTLS)})
+		}
+		if l.IMAP.Enabled {
+			c.Entries = append(c.Entries, ClientConfigsEntry{"IMAP", host, config.Port(l.IMAPS.Port, 143), name, note(l.TLS != nil, !l.IMAP.NoRequireSTARTTLS)})
+		}
+	}
+
+	return c, nil
+}

admin/dnsrecords.go

@@ -0,0 +1,318 @@
+package admin
+
+import (
+	"crypto"
+	"crypto/ed25519"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"fmt"
+	"net/url"
+	"strings"
+
+	"github.com/mjl-/adns"
+
+	"github.com/mjl-/mox/config"
+	"github.com/mjl-/mox/dkim"
+	"github.com/mjl-/mox/dmarc"
+	"github.com/mjl-/mox/dns"
+	"github.com/mjl-/mox/mox-"
+	"github.com/mjl-/mox/smtp"
+	"github.com/mjl-/mox/spf"
+	"github.com/mjl-/mox/tlsrpt"
+	"slices"
+)
+
+// todo: find a way to automatically create the dns records as it would greatly simplify setting up email for a domain. we could also dynamically make changes, e.g. providing grace periods after disabling a dkim key, only automatically removing the dkim dns key after a few days. but this requires some kind of api and authentication to the dns server. there doesn't appear to be a single commonly used api for dns management. each of the numerous cloud providers have their own APIs and rather large SKDs to use them. we don't want to link all of them in.
+
+// DomainRecords returns text lines describing DNS records required for configuring
+// a domain.
+//
+// If certIssuerDomainName is set, CAA records to limit TLS certificate issuance to
+// that caID will be suggested. If acmeAccountURI is also set, CAA records also
+// restricting issuance to that account ID will be suggested.
+func DomainRecords(domConf config.Domain, domain dns.Domain, hasDNSSEC bool, certIssuerDomainName, acmeAccountURI string) ([]string, error) {
+	d := domain.ASCII
+	h := mox.Conf.Static.HostnameDomain.ASCII
+
+	// The first line with ";" is used by ../testdata/integration/moxacmepebble.sh and
+	// ../testdata/integration/moxmail2.sh for selecting DNS records
+	records := []string{
+		"; Time To Live of 5 minutes, may be recognized if importing as a zone file.",
+		"; Once your setup is working, you may want to increase the TTL.",
+		"$TTL 300",
+		"",
+	}
+
+	if public, ok := mox.Conf.Static.Listeners["public"]; ok && public.TLS != nil && (len(public.TLS.HostPrivateRSA2048Keys) > 0 || len(public.TLS.HostPrivateECDSAP256Keys) > 0) {
+		records = append(records,
+			`; DANE: These records indicate that a remote mail server trying to deliver email`,
+			`; with SMTP (TCP port 25) must verify the TLS certificate with DANE-EE (3), based`,
+			`; on the certificate public key ("SPKI", 1) that is SHA2-256-hashed (1) to the`,
+			`; hexadecimal hash. DANE-EE verification means only the certificate or public`,
+			`; key is verified, not whether the certificate is signed by a (centralized)`,
+			`; certificate authority (CA), is expired, or matches the host name.`,
+			`;`,
+			`; NOTE: Create the records below only once: They are for the machine, and apply`,
+			`; to all hosted domains.`,
+		)
+		if !hasDNSSEC {
+			records = append(records,
+				";",
+				"; WARNING: Domain does not appear to be DNSSEC-signed. To enable DANE, first",
+				"; enable DNSSEC on your domain, then add the TLSA records. Records below have been",
+				"; commented out.",
+			)
+		}
+		addTLSA := func(privKey crypto.Signer) error {
+			spkiBuf, err := x509.MarshalPKIXPublicKey(privKey.Public())
+			if err != nil {
+				return fmt.Errorf("marshal SubjectPublicKeyInfo for DANE record: %v", err)
+			}
+			sum := sha256.Sum256(spkiBuf)
+			tlsaRecord := adns.TLSA{
+				Usage:     adns.TLSAUsageDANEEE,
+				Selector:  adns.TLSASelectorSPKI,
+				MatchType: adns.TLSAMatchTypeSHA256,
+				CertAssoc: sum[:],
+			}
+			var s string
+			if hasDNSSEC {
+				s = fmt.Sprintf("_25._tcp.%-*s TLSA %s", 20+len(d)-len("_25._tcp."), h+".", tlsaRecord.Record())
+			} else {
+				s = fmt.Sprintf(";; _25._tcp.%-*s TLSA %s", 20+len(d)-len(";; _25._tcp."), h+".", tlsaRecord.Record())
+			}
+			records = append(records, s)
+			return nil
+		}
+		for _, privKey := range public.TLS.HostPrivateECDSAP256Keys {
+			if err := addTLSA(privKey); err != nil {
+				return nil, err
+			}
+		}
+		for _, privKey := range public.TLS.HostPrivateRSA2048Keys {
+			if err := addTLSA(privKey); err != nil {
+				return nil, err
+			}
+		}
+		records = append(records, "")
+	}
+
+	if d != h {
+		records = append(records,
+			"; For the machine, only needs to be created once, for the first domain added:",
+			"; ",
+			"; SPF-allow host for itself, resulting in relaxed DMARC pass for (postmaster)",
+			"; messages (DSNs) sent from host:",
+			fmt.Sprintf(`%-*s TXT "v=spf1 a -all"`, 20+len(d), h+"."), // ../rfc/7208:2263 ../rfc/7208:2287
+			"",
+		)
+	}
+	if d != h && mox.Conf.Static.HostTLSRPT.ParsedLocalpart != "" {
+		uri := url.URL{
+			Scheme: "mailto",
+			Opaque: smtp.NewAddress(mox.Conf.Static.HostTLSRPT.ParsedLocalpart, mox.Conf.Static.HostnameDomain).Pack(false),
+		}
+		tlsrptr := tlsrpt.Record{Version: "TLSRPTv1", RUAs: [][]tlsrpt.RUA{{tlsrpt.RUA(uri.String())}}}
+		records = append(records,
+			"; For the machine, only needs to be created once, for the first domain added:",
+			"; ",
+			"; Request reporting about success/failures of TLS connections to (MX) host, for DANE.",
+			fmt.Sprintf(`_smtp._tls.%-*s         TXT "%s"`, 20+len(d)-len("_smtp._tls."), h+".", tlsrptr.String()),
+			"",
+		)
+	}
+
+	records = append(records,
+		"; Deliver email for the domain to this host.",
+		fmt.Sprintf("%s.                    MX 10 %s.", d, h),
+		"",
+
+		"; Outgoing messages will be signed with the first two DKIM keys. The other two",
+		"; configured for backup, switching to them is just a config change.",
+	)
+	var selectors []string
+	for name := range domConf.DKIM.Selectors {
+		selectors = append(selectors, name)
+	}
+	slices.Sort(selectors)
+	for _, name := range selectors {
+		sel := domConf.DKIM.Selectors[name]
+		dkimr := dkim.Record{
+			Version:   "DKIM1",
+			Hashes:    []string{"sha256"},
+			PublicKey: sel.Key.Public(),
+		}
+		if _, ok := sel.Key.(ed25519.PrivateKey); ok {
+			dkimr.Key = "ed25519"
+		} else if _, ok := sel.Key.(*rsa.PrivateKey); !ok {
+			return nil, fmt.Errorf("unrecognized private key for DKIM selector %q: %T", name, sel.Key)
+		}
+		txt, err := dkimr.Record()
+		if err != nil {
+			return nil, fmt.Errorf("making DKIM DNS TXT record: %v", err)
+		}
+
+		if len(txt) > 100 {
+			records = append(records,
+				"; NOTE: The following is a single long record split over several lines for use",
+				"; in zone files. When adding through a DNS operator web interface, combine the",
+				"; strings into a single string, without ().",
+			)
+		}
+		s := fmt.Sprintf("%s._domainkey.%s.   TXT %s", name, d, mox.TXTStrings(txt))
+		records = append(records, s)
+
+	}
+	dmarcr := dmarc.DefaultRecord
+	dmarcr.Policy = "reject"
+	if domConf.DMARC != nil {
+		uri := url.URL{
+			Scheme: "mailto",
+			Opaque: smtp.NewAddress(domConf.DMARC.ParsedLocalpart, domConf.DMARC.DNSDomain).Pack(false),
+		}
+		dmarcr.AggregateReportAddresses = []dmarc.URI{
+			{Address: uri.String(), MaxSize: 10, Unit: "m"},
+		}
+	}
+	dspfr := spf.Record{Version: "spf1"}
+	for _, ip := range mox.DomainSPFIPs() {
+		mech := "ip4"
+		if ip.To4() == nil {
+			mech = "ip6"
+		}
+		dspfr.Directives = append(dspfr.Directives, spf.Directive{Mechanism: mech, IP: ip})
+	}
+	dspfr.Directives = append(dspfr.Directives,
+		spf.Directive{Mechanism: "mx"},
+		spf.Directive{Qualifier: "~", Mechanism: "all"},
+	)
+	dspftxt, err := dspfr.Record()
+	if err != nil {
+		return nil, fmt.Errorf("making domain spf record: %v", err)
+	}
+	records = append(records,
+		"",
+
+		"; Specify the MX host is allowed to send for our domain and for itself (for DSNs).",
+		"; ~all means softfail for anything else, which is done instead of -all to prevent older",
+		"; mail servers from rejecting the message because they never get to looking for a dkim/dmarc pass.",
+		fmt.Sprintf(`%s.                    TXT "%s"`, d, dspftxt),
+		"",
+
+		"; Emails that fail the DMARC check (without aligned DKIM and without aligned SPF)",
+		"; should be rejected, and request reports. If you email through mailing lists that",
+		"; strip DKIM-Signature headers and don't rewrite the From header, you may want to",
+		"; set the policy to p=none.",
+		fmt.Sprintf(`_dmarc.%s.             TXT "%s"`, d, dmarcr.String()),
+		"",
+	)
+
+	if sts := domConf.MTASTS; sts != nil {
+		records = append(records,
+			"; Remote servers can use MTA-STS to verify our TLS certificate with the",
+			"; WebPKI pool of CA's (certificate authorities) when delivering over SMTP with",
+			"; STARTTLS.",
+			fmt.Sprintf(`mta-sts.%s.            CNAME %s.`, d, h),
+			fmt.Sprintf(`_mta-sts.%s.           TXT "v=STSv1; id=%s"`, d, sts.PolicyID),
+			"",
+		)
+	} else {
+		records = append(records,
+			"; Note: No MTA-STS to indicate TLS should be used. Either because disabled for the",
+			"; domain or because mox.conf does not have a listener with MTA-STS configured.",
+			"",
+		)
+	}
+
+	if domConf.TLSRPT != nil {
+		uri := url.URL{
+			Scheme: "mailto",
+			Opaque: smtp.NewAddress(domConf.TLSRPT.ParsedLocalpart, domConf.TLSRPT.DNSDomain).Pack(false),
+		}
+		tlsrptr := tlsrpt.Record{Version: "TLSRPTv1", RUAs: [][]tlsrpt.RUA{{tlsrpt.RUA(uri.String())}}}
+		records = append(records,
+			"; Request reporting about TLS failures.",
+			fmt.Sprintf(`_smtp._tls.%s.         TXT "%s"`, d, tlsrptr.String()),
+			"",
+		)
+	}
+
+	if domConf.ClientSettingsDomain != "" && domConf.ClientSettingsDNSDomain != mox.Conf.Static.HostnameDomain {
+		records = append(records,
+			"; Client settings will reference a subdomain of the hosted domain, making it",
+			"; easier to migrate to a different server in the future by not requiring settings",
+			"; in all clients to be updated.",
+			fmt.Sprintf(`%-*s CNAME %s.`, 20+len(d), domConf.ClientSettingsDNSDomain.ASCII+".", h),
+			"",
+		)
+	}
+
+	records = append(records,
+		"; Autoconfig is used by Thunderbird. Autodiscover is (in theory) used by Microsoft.",
+		fmt.Sprintf(`autoconfig.%s.         CNAME %s.`, d, h),
+		fmt.Sprintf(`_autodiscover._tcp.%s. SRV 0 1 443 %s.`, d, h),
+		"",
+
+		// ../rfc/6186:133 ../rfc/8314:692
+		"; For secure IMAP and submission autoconfig, point to mail host.",
+		fmt.Sprintf(`_imaps._tcp.%s.        SRV 0 1 993 %s.`, d, h),
+		fmt.Sprintf(`_submissions._tcp.%s.  SRV 0 1 465 %s.`, d, h),
+		"",
+		// ../rfc/6186:242
+		"; Next records specify POP3 and non-TLS ports are not to be used.",
+		"; These are optional and safe to leave out (e.g. if you have to click a lot in a",
+		"; DNS admin web interface).",
+		fmt.Sprintf(`_imap._tcp.%s.         SRV 0 0 0 .`, d),
+		fmt.Sprintf(`_submission._tcp.%s.   SRV 0 0 0 .`, d),
+		fmt.Sprintf(`_pop3._tcp.%s.         SRV 0 0 0 .`, d),
+		fmt.Sprintf(`_pop3s._tcp.%s.        SRV 0 0 0 .`, d),
+	)
+
+	if certIssuerDomainName != "" {
+		// ../rfc/8659:18 for CAA records.
+		records = append(records,
+			"",
+			"; Optional:",
+			"; You could mark Let's Encrypt as the only Certificate Authority allowed to",
+			"; sign TLS certificates for your domain.",
+			fmt.Sprintf(`%s.                    CAA 0 issue "%s"`, d, certIssuerDomainName),
+		)
+		if acmeAccountURI != "" {
+			// ../rfc/8657:99 for accounturi.
+			// ../rfc/8657:147 for validationmethods.
+			records = append(records,
+				";",
+				"; Optionally limit certificates for this domain to the account ID and methods used by mox.",
+				fmt.Sprintf(`;; %s.                 CAA 0 issue "%s; accounturi=%s; validationmethods=tls-alpn-01,http-01"`, d, certIssuerDomainName, acmeAccountURI),
+				";",
+				"; Or alternatively only limit for email-specific subdomains, so you can use",
+				"; other accounts/methods for other subdomains.",
+				fmt.Sprintf(`;; autoconfig.%s.      CAA 0 issue "%s; accounturi=%s; validationmethods=tls-alpn-01,http-01"`, d, certIssuerDomainName, acmeAccountURI),
+				fmt.Sprintf(`;; mta-sts.%s.         CAA 0 issue "%s; accounturi=%s; validationmethods=tls-alpn-01,http-01"`, d, certIssuerDomainName, acmeAccountURI),
+			)
+			if domConf.ClientSettingsDomain != "" && domConf.ClientSettingsDNSDomain != mox.Conf.Static.HostnameDomain {
+				records = append(records,
+					fmt.Sprintf(`;; %-*s CAA 0 issue "%s; accounturi=%s; validationmethods=tls-alpn-01,http-01"`, 20-3+len(d), domConf.ClientSettingsDNSDomain.ASCII, certIssuerDomainName, acmeAccountURI),
+				)
+			}
+			if strings.HasSuffix(h, "."+d) {
+				records = append(records,
+					";",
+					"; And the mail hostname.",
+					fmt.Sprintf(`;; %-*s CAA 0 issue "%s; accounturi=%s; validationmethods=tls-alpn-01,http-01"`, 20-3+len(d), h+".", certIssuerDomainName, acmeAccountURI),
+				)
+			}
+		} else {
+			// The string "will be suggested" is used by
+			// ../testdata/integration/moxacmepebble.sh and ../testdata/integration/moxmail2.sh
+			// as end of DNS records.
+			records = append(records,
+				";",
+				"; Note: After starting up, once an ACME account has been created, CAA records",
+				"; that restrict issuance to the account will be suggested.",
+			)
+		}
+	}
+	return records, nil
+}

apidiff.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+set -e
+
+prevversion=$(go list -mod=readonly -m -f '{{ .Version }}' github.com/mjl-/mox@latest)
+if ! test -d tmp/mox-$prevversion; then
+	mkdir -p tmp/mox-$prevversion
+	git archive --format=tar $prevversion | tar -C tmp/mox-$prevversion -xf -
+fi
+(rm -r tmp/apidiff || exit 0)
+mkdir -p tmp/apidiff/$prevversion tmp/apidiff/next
+(rm apidiff/next.txt.new 2>/dev/null || exit 0)
+touch apidiff/next.txt.new
+for p in $(cat apidiff/packages.txt); do
+	if ! test -d tmp/mox-$prevversion/$p; then
+		continue
+	fi
+	(cd tmp/mox-$prevversion && apidiff -w ../apidiff/$prevversion/$p.api ./$p)
+	apidiff -w tmp/apidiff/next/$p.api ./$p
+	apidiff -incompatible tmp/apidiff/$prevversion/$p.api tmp/apidiff/next/$p.api >$p.diff
+	if test -s $p.diff; then
+		(
+		echo '#' $p
+		cat $p.diff
+		echo
+		) >>apidiff/next.txt.new
+	fi
+	rm $p.diff
+done
+if test -s apidiff/next.txt.new; then
+	(
+	echo "Below are the incompatible changes between $prevversion and next, per package."
+	echo
+	cat apidiff/next.txt.new
+	) >apidiff/next.txt
+	rm apidiff/next.txt.new
+else
+	mv apidiff/next.txt.new apidiff/next.txt
+fi

apidiff/README.txt

@@ -0,0 +1,10 @@
+This directory lists incompatible changes between released versions for packages
+intended for reuse by third party projects, as listed in packages.txt. These
+files are generated using golang.org/x/exp/cmd/apidiff (see
+https://pkg.go.dev/golang.org/x/exp/apidiff) and ../apidiff.sh.
+
+There is no guarantee that there will be no breaking changes. With Go's
+dependency versioning approach (minimal version selection), Go code will never
+unexpectedly stop compiling. Incompatibilities will show when explicitly
+updating a dependency. Making the required changes is typically fairly
+straightforward.

apidiff/next.txt

@@ -0,0 +1,5 @@
+Below are the incompatible changes between v0.0.15 and next, per package.
+
+# smtpclient
+- GatherDestinations: changed from func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.IPDomain) (bool, bool, bool, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dns.IPDomain, bool, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.IPDomain) (bool, bool, bool, github.com/mjl-/mox/dns.Domain, []HostPref, bool, error)
+

apidiff/packages.txt

@@ -0,0 +1,20 @@
+dane
+dmarc
+dmarcrpt
+dns
+dnsbl
+iprev
+message
+mtasts
+publicsuffix
+ratelimit
+sasl
+scram
+smtp
+smtpclient
+spf
+subjectpass
+tlsrpt
+updates
+webapi
+webhook

apidiff/v0.0.10.txt

@@ -0,0 +1,79 @@
+Below are the incompatible changes between v0.0.9 and v0.0.10, per package.
+
+# dane
+- Dial: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, string, string, []github.com/mjl-/adns.TLSAUsage, *crypto/x509.CertPool) (net.Conn, github.com/mjl-/adns.TLSA, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, string, string, []github.com/mjl-/adns.TLSAUsage, *crypto/x509.CertPool) (net.Conn, github.com/mjl-/adns.TLSA, error)
+- TLSClientConfig: changed from func(*golang.org/x/exp/slog.Logger, []github.com/mjl-/adns.TLSA, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dns.Domain, *github.com/mjl-/adns.TLSA, *crypto/x509.CertPool) crypto/tls.Config to func(*log/slog.Logger, []github.com/mjl-/adns.TLSA, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dns.Domain, *github.com/mjl-/adns.TLSA, *crypto/x509.CertPool) crypto/tls.Config
+- Verify: changed from func(*golang.org/x/exp/slog.Logger, []github.com/mjl-/adns.TLSA, crypto/tls.ConnectionState, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dns.Domain, *crypto/x509.CertPool) (bool, github.com/mjl-/adns.TLSA, error) to func(*log/slog.Logger, []github.com/mjl-/adns.TLSA, crypto/tls.ConnectionState, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dns.Domain, *crypto/x509.CertPool) (bool, github.com/mjl-/adns.TLSA, error)
+
+# dmarc
+- Lookup: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (Status, github.com/mjl-/mox/dns.Domain, *Record, string, bool, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (Status, github.com/mjl-/mox/dns.Domain, *Record, string, bool, error)
+- LookupExternalReportsAccepted: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, github.com/mjl-/mox/dns.Domain) (bool, Status, []*Record, []string, bool, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, github.com/mjl-/mox/dns.Domain) (bool, Status, []*Record, []string, bool, error)
+- Verify: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dkim.Result, github.com/mjl-/mox/spf.Status, *github.com/mjl-/mox/dns.Domain, bool) (bool, Result) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dkim.Result, github.com/mjl-/mox/spf.Status, *github.com/mjl-/mox/dns.Domain, bool) (bool, Result)
+
+# dmarcrpt
+- ParseMessageReport: changed from func(*golang.org/x/exp/slog.Logger, io.ReaderAt) (*Feedback, error) to func(*log/slog.Logger, io.ReaderAt) (*Feedback, error)
+
+# dns
+- StrictResolver.Log: changed from *golang.org/x/exp/slog.Logger to *log/slog.Logger
+
+# dnsbl
+- CheckHealth: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) error to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) error
+- Lookup: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, net.IP) (Status, string, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, net.IP) (Status, string, error)
+
+# iprev
+
+# message
+- (*Part).ParseNextPart: changed from func(*golang.org/x/exp/slog.Logger) (*Part, error) to func(*log/slog.Logger) (*Part, error)
+- (*Part).Walk: changed from func(*golang.org/x/exp/slog.Logger, *Part) error to func(*log/slog.Logger, *Part) error
+- EnsurePart: changed from func(*golang.org/x/exp/slog.Logger, bool, io.ReaderAt, int64) (Part, error) to func(*log/slog.Logger, bool, io.ReaderAt, int64) (Part, error)
+- From: changed from func(*golang.org/x/exp/slog.Logger, bool, io.ReaderAt) (github.com/mjl-/mox/smtp.Address, *Envelope, net/textproto.MIMEHeader, error) to func(*log/slog.Logger, bool, io.ReaderAt) (github.com/mjl-/mox/smtp.Address, *Envelope, net/textproto.MIMEHeader, error)
+- Parse: changed from func(*golang.org/x/exp/slog.Logger, bool, io.ReaderAt) (Part, error) to func(*log/slog.Logger, bool, io.ReaderAt) (Part, error)
+
+# mtasts
+- FetchPolicy: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Domain) (*Policy, string, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Domain) (*Policy, string, error)
+- Get: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (*Record, *Policy, string, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (*Record, *Policy, string, error)
+- HTTPClientObserve: changed from func(context.Context, *golang.org/x/exp/slog.Logger, string, string, int, error, time.Time) to func(context.Context, *log/slog.Logger, string, string, int, error, time.Time)
+- LookupRecord: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (*Record, string, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (*Record, string, error)
+
+# publicsuffix
+- List.Lookup: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Domain) github.com/mjl-/mox/dns.Domain to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Domain) github.com/mjl-/mox/dns.Domain
+- Lookup: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Domain) github.com/mjl-/mox/dns.Domain to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Domain) github.com/mjl-/mox/dns.Domain
+- ParseList: changed from func(*golang.org/x/exp/slog.Logger, io.Reader) (List, error) to func(*log/slog.Logger, io.Reader) (List, error)
+
+# ratelimit
+
+# sasl
+
+# scram
+
+# smtp
+- SePol7ARCFail: removed
+- SePol7MissingReqTLS: removed
+
+# smtpclient
+- Dial: changed from func(context.Context, *golang.org/x/exp/slog.Logger, Dialer, github.com/mjl-/mox/dns.IPDomain, []net.IP, int, map[string][]net.IP, []net.IP) (net.Conn, net.IP, error) to func(context.Context, *log/slog.Logger, Dialer, github.com/mjl-/mox/dns.IPDomain, []net.IP, int, map[string][]net.IP, []net.IP) (net.Conn, net.IP, error)
+- Error: old is comparable, new is not
+- GatherDestinations: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.IPDomain) (bool, bool, bool, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dns.IPDomain, bool, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.IPDomain) (bool, bool, bool, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dns.IPDomain, bool, error)
+- GatherIPs: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.IPDomain, map[string][]net.IP) (bool, bool, github.com/mjl-/mox/dns.Domain, []net.IP, bool, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.IPDomain, map[string][]net.IP) (bool, bool, github.com/mjl-/mox/dns.Domain, []net.IP, bool, error)
+- GatherTLSA: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, bool, github.com/mjl-/mox/dns.Domain) (bool, []github.com/mjl-/adns.TLSA, github.com/mjl-/mox/dns.Domain, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, bool, github.com/mjl-/mox/dns.Domain) (bool, []github.com/mjl-/adns.TLSA, github.com/mjl-/mox/dns.Domain, error)
+- New: changed from func(context.Context, *golang.org/x/exp/slog.Logger, net.Conn, TLSMode, bool, github.com/mjl-/mox/dns.Domain, github.com/mjl-/mox/dns.Domain, Opts) (*Client, error) to func(context.Context, *log/slog.Logger, net.Conn, TLSMode, bool, github.com/mjl-/mox/dns.Domain, github.com/mjl-/mox/dns.Domain, Opts) (*Client, error)
+
+# spf
+- Evaluate: changed from func(context.Context, *golang.org/x/exp/slog.Logger, *Record, github.com/mjl-/mox/dns.Resolver, Args) (Status, string, string, bool, error) to func(context.Context, *log/slog.Logger, *Record, github.com/mjl-/mox/dns.Resolver, Args) (Status, string, string, bool, error)
+- Lookup: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (Status, string, *Record, bool, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (Status, string, *Record, bool, error)
+- Verify: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, Args) (Received, github.com/mjl-/mox/dns.Domain, string, bool, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, Args) (Received, github.com/mjl-/mox/dns.Domain, string, bool, error)
+
+# subjectpass
+- Generate: changed from func(*golang.org/x/exp/slog.Logger, github.com/mjl-/mox/smtp.Address, []byte, time.Time) string to func(*log/slog.Logger, github.com/mjl-/mox/smtp.Address, []byte, time.Time) string
+- Verify: changed from func(*golang.org/x/exp/slog.Logger, io.ReaderAt, []byte, time.Duration) error to func(*log/slog.Logger, io.ReaderAt, []byte, time.Duration) error
+
+# tlsrpt
+- Lookup: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (*Record, string, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (*Record, string, error)
+- ParseMessage: changed from func(*golang.org/x/exp/slog.Logger, io.ReaderAt) (*ReportJSON, error) to func(*log/slog.Logger, io.ReaderAt) (*ReportJSON, error)
+
+# updates
+- Check: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, Version, string, []byte) (Version, *Record, *Changelog, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, Version, string, []byte) (Version, *Record, *Changelog, error)
+- FetchChangelog: changed from func(context.Context, *golang.org/x/exp/slog.Logger, string, Version, []byte) (*Changelog, error) to func(context.Context, *log/slog.Logger, string, Version, []byte) (*Changelog, error)
+- HTTPClientObserve: changed from func(context.Context, *golang.org/x/exp/slog.Logger, string, string, int, error, time.Time) to func(context.Context, *log/slog.Logger, string, string, int, error, time.Time)
+- Lookup: changed from func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (Version, *Record, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (Version, *Record, error)
+

apidiff/v0.0.11.txt

@@ -0,0 +1,45 @@
+Below are the incompatible changes between v0.0.10 and v0.0.11, per package.
+
+# dane
+
+# dmarc
+- DMARCPolicy: removed
+
+# dmarcrpt
+
+# dns
+
+# dnsbl
+
+# iprev
+
+# message
+- (*Composer).TextPart: changed from func(string) ([]byte, string, string) to func(string, string) ([]byte, string, string)
+- From: changed from func(*log/slog.Logger, bool, io.ReaderAt) (github.com/mjl-/mox/smtp.Address, *Envelope, net/textproto.MIMEHeader, error) to func(*log/slog.Logger, bool, io.ReaderAt, *Part) (github.com/mjl-/mox/smtp.Address, *Envelope, net/textproto.MIMEHeader, error)
+- NewComposer: changed from func(io.Writer, int64) *Composer to func(io.Writer, int64, bool) *Composer
+
+# mtasts
+- STSMX: removed
+
+# publicsuffix
+
+# ratelimit
+
+# sasl
+
+# scram
+
+# smtp
+- SeMsg6ConversoinUnsupported3: removed
+
+# smtpclient
+- GatherIPs: changed from func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.IPDomain, map[string][]net.IP) (bool, bool, github.com/mjl-/mox/dns.Domain, []net.IP, bool, error) to func(context.Context, *log/slog.Logger, github.com/mjl-/mox/dns.Resolver, string, github.com/mjl-/mox/dns.IPDomain, map[string][]net.IP) (bool, bool, github.com/mjl-/mox/dns.Domain, []net.IP, bool, error)
+
+# spf
+
+# subjectpass
+
+# tlsrpt
+
+# updates
+

apidiff/v0.0.12.txt

@@ -0,0 +1,43 @@
+Below are the incompatible changes between v0.0.11 and next, per package.
+
+# dane
+
+# dmarc
+
+# dmarcrpt
+
+# dns
+
+# dnsbl
+
+# iprev
+
+# message
+- (*HeaderWriter).AddWrap: changed from func([]byte) to func([]byte, bool)
+
+# mtasts
+
+# publicsuffix
+
+# ratelimit
+
+# sasl
+
+# scram
+
+# smtp
+
+# smtpclient
+
+# spf
+
+# subjectpass
+
+# tlsrpt
+
+# updates
+
+# webapi
+
+# webhook
+

apidiff/v0.0.13.txt

@@ -0,0 +1,5 @@
+Below are the incompatible changes between v0.0.13 and next, per package.
+
+# webhook
+- PartStructure: removed
+

apidiff/v0.0.15.txt

@@ -0,0 +1,7 @@
+Below are the incompatible changes between v0.0.14 and next, per package.
+
+# message
+- Part.ContentDescription: changed from string to *string
+- Part.ContentID: changed from string to *string
+- Part.ContentTransferEncoding: changed from string to *string
+

apidiff/v0.0.9.txt

@@ -0,0 +1,83 @@
+Below are the incompatible changes between v0.0.8 and v0.0.9, per package.
+
+# dane
+- Dial: changed from func(context.Context, github.com/mjl-/mox/dns.Resolver, string, string, []github.com/mjl-/adns.TLSAUsage) (net.Conn, github.com/mjl-/adns.TLSA, error) to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, string, string, []github.com/mjl-/adns.TLSAUsage, *crypto/x509.CertPool) (net.Conn, github.com/mjl-/adns.TLSA, error)
+- TLSClientConfig: changed from func(*github.com/mjl-/mox/mlog.Log, []github.com/mjl-/adns.TLSA, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dns.Domain, *github.com/mjl-/adns.TLSA) crypto/tls.Config to func(*golang.org/x/exp/slog.Logger, []github.com/mjl-/adns.TLSA, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dns.Domain, *github.com/mjl-/adns.TLSA, *crypto/x509.CertPool) crypto/tls.Config
+- Verify: changed from func(*github.com/mjl-/mox/mlog.Log, []github.com/mjl-/adns.TLSA, crypto/tls.ConnectionState, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dns.Domain) (bool, github.com/mjl-/adns.TLSA, error) to func(*golang.org/x/exp/slog.Logger, []github.com/mjl-/adns.TLSA, crypto/tls.ConnectionState, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dns.Domain, *crypto/x509.CertPool) (bool, github.com/mjl-/adns.TLSA, error)
+
+# dmarc
+- Lookup: changed from func(context.Context, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (Status, github.com/mjl-/mox/dns.Domain, *Record, string, bool, error) to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (Status, github.com/mjl-/mox/dns.Domain, *Record, string, bool, error)
+- LookupExternalReportsAccepted: changed from func(context.Context, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, github.com/mjl-/mox/dns.Domain) (bool, Status, []*Record, []string, bool, error) to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, github.com/mjl-/mox/dns.Domain) (bool, Status, []*Record, []string, bool, error)
+- Verify: changed from func(context.Context, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dkim.Result, github.com/mjl-/mox/spf.Status, *github.com/mjl-/mox/dns.Domain, bool) (bool, Result) to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dkim.Result, github.com/mjl-/mox/spf.Status, *github.com/mjl-/mox/dns.Domain, bool) (bool, Result)
+
+# dmarcrpt
+- ParseMessageReport: changed from func(*github.com/mjl-/mox/mlog.Log, io.ReaderAt) (*Feedback, error) to func(*golang.org/x/exp/slog.Logger, io.ReaderAt) (*Feedback, error)
+
+# dns
+
+# dnsbl
+- CheckHealth: changed from func(context.Context, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) error to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) error
+- Lookup: changed from func(context.Context, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, net.IP) (Status, string, error) to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, net.IP) (Status, string, error)
+
+# iprev
+
+# message
+- (*Part).ParseNextPart: changed from func(*github.com/mjl-/mox/mlog.Log) (*Part, error) to func(*golang.org/x/exp/slog.Logger) (*Part, error)
+- (*Part).Walk: changed from func(*github.com/mjl-/mox/mlog.Log, *Part) error to func(*golang.org/x/exp/slog.Logger, *Part) error
+- EnsurePart: changed from func(*github.com/mjl-/mox/mlog.Log, bool, io.ReaderAt, int64) (Part, error) to func(*golang.org/x/exp/slog.Logger, bool, io.ReaderAt, int64) (Part, error)
+- From: changed from func(*github.com/mjl-/mox/mlog.Log, bool, io.ReaderAt) (github.com/mjl-/mox/smtp.Address, net/textproto.MIMEHeader, error) to func(*golang.org/x/exp/slog.Logger, bool, io.ReaderAt) (github.com/mjl-/mox/smtp.Address, *Envelope, net/textproto.MIMEHeader, error)
+- Parse: changed from func(*github.com/mjl-/mox/mlog.Log, bool, io.ReaderAt) (Part, error) to func(*golang.org/x/exp/slog.Logger, bool, io.ReaderAt) (Part, error)
+- TLSReceivedComment: removed
+
+# mtasts
+- FetchPolicy: changed from func(context.Context, github.com/mjl-/mox/dns.Domain) (*Policy, string, error) to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Domain) (*Policy, string, error)
+- Get: changed from func(context.Context, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (*Record, *Policy, string, error) to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (*Record, *Policy, string, error)
+- LookupRecord: changed from func(context.Context, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (*Record, string, error) to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (*Record, string, error)
+
+# publicsuffix
+- List.Lookup: changed from func(context.Context, github.com/mjl-/mox/dns.Domain) github.com/mjl-/mox/dns.Domain to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Domain) github.com/mjl-/mox/dns.Domain
+- Lookup: changed from func(context.Context, github.com/mjl-/mox/dns.Domain) github.com/mjl-/mox/dns.Domain to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Domain) github.com/mjl-/mox/dns.Domain
+- ParseList: changed from func(io.Reader) (List, error) to func(*golang.org/x/exp/slog.Logger, io.Reader) (List, error)
+
+# ratelimit
+
+# sasl
+- NewClientSCRAMSHA1: changed from func(string, string) Client to func(string, string, bool) Client
+- NewClientSCRAMSHA256: changed from func(string, string) Client to func(string, string, bool) Client
+
+# scram
+- HMAC: removed
+- NewClient: changed from func(func() hash.Hash, string, string) *Client to func(func() hash.Hash, string, string, bool, *crypto/tls.ConnectionState) *Client
+- NewServer: changed from func(func() hash.Hash, []byte) (*Server, error) to func(func() hash.Hash, []byte, *crypto/tls.ConnectionState, bool) (*Server, error)
+
+# smtp
+
+# smtpclient
+- (*Client).TLSEnabled: removed
+- Dial: changed from func(context.Context, *github.com/mjl-/mox/mlog.Log, Dialer, github.com/mjl-/mox/dns.IPDomain, []net.IP, int, map[string][]net.IP) (net.Conn, net.IP, error) to func(context.Context, *golang.org/x/exp/slog.Logger, Dialer, github.com/mjl-/mox/dns.IPDomain, []net.IP, int, map[string][]net.IP, []net.IP) (net.Conn, net.IP, error)
+- GatherDestinations: changed from func(context.Context, *github.com/mjl-/mox/mlog.Log, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.IPDomain) (bool, bool, bool, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dns.IPDomain, bool, error) to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.IPDomain) (bool, bool, bool, github.com/mjl-/mox/dns.Domain, []github.com/mjl-/mox/dns.IPDomain, bool, error)
+- GatherIPs: changed from func(context.Context, *github.com/mjl-/mox/mlog.Log, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.IPDomain, map[string][]net.IP) (bool, bool, github.com/mjl-/mox/dns.Domain, []net.IP, bool, error) to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.IPDomain, map[string][]net.IP) (bool, bool, github.com/mjl-/mox/dns.Domain, []net.IP, bool, error)
+- GatherTLSA: changed from func(context.Context, *github.com/mjl-/mox/mlog.Log, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, bool, github.com/mjl-/mox/dns.Domain) (bool, []github.com/mjl-/adns.TLSA, github.com/mjl-/mox/dns.Domain, error) to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, bool, github.com/mjl-/mox/dns.Domain) (bool, []github.com/mjl-/adns.TLSA, github.com/mjl-/mox/dns.Domain, error)
+- New: changed from func(context.Context, *github.com/mjl-/mox/mlog.Log, net.Conn, TLSMode, bool, github.com/mjl-/mox/dns.Domain, github.com/mjl-/mox/dns.Domain, Opts) (*Client, error) to func(context.Context, *golang.org/x/exp/slog.Logger, net.Conn, TLSMode, bool, github.com/mjl-/mox/dns.Domain, github.com/mjl-/mox/dns.Domain, Opts) (*Client, error)
+- Opts.Auth: changed from []github.com/mjl-/mox/sasl.Client to func([]string, *crypto/tls.ConnectionState) (github.com/mjl-/mox/sasl.Client, error)
+
+# spf
+- Evaluate: changed from func(context.Context, *Record, github.com/mjl-/mox/dns.Resolver, Args) (Status, string, string, bool, error) to func(context.Context, *golang.org/x/exp/slog.Logger, *Record, github.com/mjl-/mox/dns.Resolver, Args) (Status, string, string, bool, error)
+- Lookup: changed from func(context.Context, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (Status, string, *Record, bool, error) to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (Status, string, *Record, bool, error)
+- Verify: changed from func(context.Context, github.com/mjl-/mox/dns.Resolver, Args) (Received, github.com/mjl-/mox/dns.Domain, string, bool, error) to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, Args) (Received, github.com/mjl-/mox/dns.Domain, string, bool, error)
+
+# subjectpass
+- Generate: changed from func(github.com/mjl-/mox/smtp.Address, []byte, time.Time) string to func(*golang.org/x/exp/slog.Logger, github.com/mjl-/mox/smtp.Address, []byte, time.Time) string
+- Verify: changed from func(*github.com/mjl-/mox/mlog.Log, io.ReaderAt, []byte, time.Duration) error to func(*golang.org/x/exp/slog.Logger, io.ReaderAt, []byte, time.Duration) error
+
+# tlsrpt
+- (*TLSRPTDateRange).UnmarshalJSON: removed
+- Lookup: changed from func(context.Context, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (*Record, string, error) to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (*Record, string, error)
+- Parse: changed from func(io.Reader) (*Report, error) to func(io.Reader) (*ReportJSON, error)
+- ParseMessage: changed from func(*github.com/mjl-/mox/mlog.Log, io.ReaderAt) (*Report, error) to func(*golang.org/x/exp/slog.Logger, io.ReaderAt) (*ReportJSON, error)
+
+# updates
+- Check: changed from func(context.Context, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, Version, string, []byte) (Version, *Record, *Changelog, error) to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain, Version, string, []byte) (Version, *Record, *Changelog, error)
+- FetchChangelog: changed from func(context.Context, string, Version, []byte) (*Changelog, error) to func(context.Context, *golang.org/x/exp/slog.Logger, string, Version, []byte) (*Changelog, error)
+- Lookup: changed from func(context.Context, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (Version, *Record, error) to func(context.Context, *golang.org/x/exp/slog.Logger, github.com/mjl-/mox/dns.Resolver, github.com/mjl-/mox/dns.Domain) (Version, *Record, error)
+

autotls/autotls.go

@@ -20,6 +20,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"log/slog"
 	"net"
 	"os"
 	"path/filepath"
@@ -28,9 +29,10 @@ import (
 	"sync"
 	"time"
 
+	"golang.org/x/crypto/acme"
+
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
-	"golang.org/x/crypto/acme"
 
 	"github.com/mjl-/autocert"
 
@@ -39,9 +41,25 @@ import (
 	"github.com/mjl-/mox/moxvar"
 )
 
-var xlog = mlog.New("autotls")
-
 var (
+	metricMissingServerName = promauto.NewCounter(
+		prometheus.CounterOpts{
+			Name: "mox_autotls_missing_servername_total",
+			Help: "Number of failed TLS connection attempts with missing SNI where no fallback hostname was configured.",
+		},
+	)
+	metricUnknownServerName = promauto.NewCounter(
+		prometheus.CounterOpts{
+			Name: "mox_autotls_unknown_servername_total",
+			Help: "Number of failed TLS connection attempts with an unrecognized SNI name where no fallback hostname was configured.",
+		},
+	)
+	metricCertRequestErrors = promauto.NewCounter(
+		prometheus.CounterOpts{
+			Name: "mox_autotls_cert_request_errors_total",
+			Help: "Number of errors trying to retrieve a certificate for a hostname, possibly ACME verification errors.",
+		},
+	)
 	metricCertput = promauto.NewCounter(
 		prometheus.CounterOpts{
 			Name: "mox_autotls_certput_total",
@@ -54,7 +72,6 @@ var (
 // certificates for allowlisted hosts.
 type Manager struct {
 	ACMETLSConfig *tls.Config // For serving HTTPS on port 443, which is required for certificate requests to succeed.
-	TLSConfig     *tls.Config // For all TLS servers not used for validating ACME requests. Like SMTP and IMAP (including with STARTTLS) and HTTPS on ports other than 443.
 	Manager       *autocert.Manager
 
 	shutdown <-chan struct{}
@@ -69,12 +86,15 @@ type Manager struct {
 // contactEmail must be a valid email address to which notifications about ACME can
 // be sent. directoryURL is the ACME starting point.
 //
+// eabKeyID and eabKey are for external account binding when making a new account,
+// which some ACME providers require.
+//
 // getPrivateKey is called to get the private key for the host and key type. It
 // can be used to deliver a specific (e.g. always the same) private key for a
 // host, or a newly generated key.
 //
 // When shutdown is closed, no new TLS connections can be created.
-func Load(name, acmeDir, contactEmail, directoryURL string, getPrivateKey func(host string, keyType autocert.KeyType) (crypto.Signer, error), shutdown <-chan struct{}) (*Manager, error) {
+func Load(log mlog.Log, name, acmeDir, contactEmail, directoryURL string, eabKeyID string, eabKey []byte, getPrivateKey func(host string, keyType autocert.KeyType) (crypto.Signer, error), shutdown <-chan struct{}) (*Manager, error) {
 	if directoryURL == "" {
 		return nil, fmt.Errorf("empty ACME directory URL")
 	}
@@ -87,7 +107,10 @@ func Load(name, acmeDir, contactEmail, directoryURL string, getPrivateKey func(h
 	var key crypto.Signer
 	f, err := os.Open(p)
 	if f != nil {
-		defer f.Close()
+		defer func() {
+			err := f.Close()
+			log.Check(err, "closing identify key file")
+		}()
 	}
 	if err != nil && os.IsNotExist(err) {
 		key, err = ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
@@ -146,55 +169,160 @@ func Load(name, acmeDir, contactEmail, directoryURL string, getPrivateKey func(h
 		GetPrivateKey: getPrivateKey,
 		// HostPolicy set below.
 	}
-
-	loggingGetCertificate := func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-		log := xlog.WithContext(hello.Context())
-
-		// Handle missing SNI to prevent logging an error below.
-		// At startup, during config initialization, we already adjust the tls config to
-		// inject the listener hostname if there isn't one in the TLS client hello. This is
-		// common for SMTP STARTTLS connections, which often do not care about the
-		// verification of the certificate.
-		if hello.ServerName == "" {
-			log.Debug("tls request without sni servername, rejecting", mlog.Field("localaddr", hello.Conn.LocalAddr()), mlog.Field("supportedprotos", hello.SupportedProtos))
-			return nil, fmt.Errorf("sni server name required")
+	// If external account binding key is provided, use it for registering a new account.
+	// todo: ideally the key and its id are provided temporarily by the admin when registering a new account. but we don't do that interactive setup yet. in the future, an interactive setup/quickstart would ask for the key once to register a new acme account.
+	if eabKeyID != "" {
+		m.ExternalAccountBinding = &acme.ExternalAccountBinding{
+			KID: eabKeyID,
+			Key: eabKey,
 		}
-
-		cert, err := m.GetCertificate(hello)
-		if err != nil {
-			if errors.Is(err, errHostNotAllowed) {
-				log.Debugx("requesting certificate", err, mlog.Field("host", hello.ServerName))
-			} else {
-				log.Errorx("requesting certificate", err, mlog.Field("host", hello.ServerName))
-			}
-		}
-		return cert, err
-	}
-
-	acmeTLSConfig := *m.TLSConfig()
-	acmeTLSConfig.GetCertificate = loggingGetCertificate
-
-	tlsConfig := tls.Config{
-		GetCertificate: loggingGetCertificate,
 	}
 
 	a := &Manager{
-		ACMETLSConfig: &acmeTLSConfig,
-		TLSConfig:     &tlsConfig,
-		Manager:       m,
-		shutdown:      shutdown,
-		hosts:         map[dns.Domain]struct{}{},
+		Manager:  m,
+		shutdown: shutdown,
+		hosts:    map[dns.Domain]struct{}{},
 	}
 	m.HostPolicy = a.HostPolicy
+	acmeTLSConfig := *m.TLSConfig()
+	acmeTLSConfig.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		return a.loggingGetCertificate(hello, dns.Domain{}, false, false)
+	}
+	a.ACMETLSConfig = &acmeTLSConfig
 	return a, nil
 }
 
+// loggingGetCertificate is a helper to implement crypto/tls.Config.GetCertificate,
+// optionally falling back to a certificate for fallbackHostname in case SNI is
+// absent or for an unknown hostname.
+func (m *Manager) loggingGetCertificate(hello *tls.ClientHelloInfo, fallbackHostname dns.Domain, fallbackNoSNI, fallbackUnknownSNI bool) (*tls.Certificate, error) {
+	log := mlog.New("autotls", nil).WithContext(hello.Context()).With(
+		slog.Any("localaddr", hello.Conn.LocalAddr()),
+		slog.Any("supportedprotos", hello.SupportedProtos),
+		slog.String("servername", hello.ServerName),
+	)
+
+	// If we can't find a certificate (depending on fallback parameters), we return a
+	// nil certificate and nil error, which crypto/tls turns into a TLS alert
+	// "unrecognized name", which can be interpreted by clients as a hint that they are
+	// using the wrong hostname, or a certificate is missing. ../rfc/9325:578
+
+	// IP addresses for ServerName are not allowed, but happen in practice. If we
+	// should be lenient (fallbackUnknownSNI), we switch to the fallback hostname,
+	// otherwise we return an error. We don't want to pass IP addresses to
+	// GetCertificate because it will return an error for IPv6 addresses.
+	// ../rfc/6066:367 ../rfc/4366:535
+	if net.ParseIP(hello.ServerName) != nil {
+		if fallbackUnknownSNI {
+			hello.ServerName = fallbackHostname.ASCII
+			log = log.With(slog.String("servername", hello.ServerName))
+		} else {
+			log.Debug("tls request with ip for server name, rejecting")
+			return nil, fmt.Errorf("invalid ip address for sni server name")
+		}
+	}
+
+	if hello.ServerName == "" && fallbackNoSNI {
+		hello.ServerName = fallbackHostname.ASCII
+		log = log.With(slog.String("servername", hello.ServerName))
+	}
+
+	// Handle missing SNI to prevent logging an error below.
+	if hello.ServerName == "" {
+		metricMissingServerName.Inc()
+		log.Debug("tls request without sni server name, rejecting")
+		return nil, nil
+	}
+
+	cert, err := m.Manager.GetCertificate(hello)
+	if err != nil && errors.Is(err, errHostNotAllowed) {
+		if !fallbackUnknownSNI {
+			metricUnknownServerName.Inc()
+			log.Debugx("requesting certificate", err)
+			return nil, nil
+		}
+
+		// Some legitimate email deliveries over SMTP use an unknown SNI, e.g. a bare
+		// domain instead of the MX hostname. We "should" return an error, but that would
+		// break email delivery, so we use the fallback name if it is configured.
+		// ../rfc/9325:589
+
+		log = log.With(slog.String("servername", hello.ServerName))
+		log.Debug("certificate for unknown hostname, using fallback hostname")
+		hello.ServerName = fallbackHostname.ASCII
+		cert, err = m.Manager.GetCertificate(hello)
+		if err != nil {
+			metricCertRequestErrors.Inc()
+			log.Errorx("requesting certificate for fallback hostname", err)
+		} else {
+			log.Debug("using certificate for fallback hostname")
+		}
+		return cert, err
+	} else if err != nil {
+		metricCertRequestErrors.Inc()
+		log.Errorx("requesting certificate", err)
+	}
+	return cert, err
+}
+
+// TLSConfig returns a TLS server config that optionally returns a certificate for
+// fallbackHostname if no SNI was done, or for an unknown hostname.
+//
+// If fallbackNoSNI is set, TLS connections without SNI will use a certificate for
+// fallbackHostname. Otherwise, connections without SNI will fail with a message
+// that no TLS certificate is available.
+//
+// If fallbackUnknownSNI is set, TLS connections with an SNI hostname that is not
+// allowlisted will instead use a certificate for fallbackHostname. Otherwise, such
+// TLS connections will fail.
+func (m *Manager) TLSConfig(fallbackHostname dns.Domain, fallbackNoSNI, fallbackUnknownSNI bool) *tls.Config {
+	return &tls.Config{
+		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			return m.loggingGetCertificate(hello, fallbackHostname, fallbackNoSNI, fallbackUnknownSNI)
+		},
+	}
+}
+
+// CertAvailable checks whether a non-expired ECDSA certificate is available in the
+// cache for host. No other checks than expiration are done.
+func (m *Manager) CertAvailable(ctx context.Context, log mlog.Log, host dns.Domain) (bool, error) {
+	ck := host.ASCII // Would be "+rsa" for rsa keys.
+	data, err := m.Manager.Cache.Get(ctx, ck)
+	if err != nil && errors.Is(err, autocert.ErrCacheMiss) {
+		return false, nil
+	} else if err != nil {
+		return false, fmt.Errorf("attempt to get certificate from cache: %v", err)
+	}
+
+	// The cached keycert is of the form: private key, leaf certificate, intermediate certificates...
+	privb, rem := pem.Decode(data)
+	if privb == nil {
+		return false, fmt.Errorf("missing private key in cached keycert file")
+	}
+	pubb, _ := pem.Decode(rem)
+	if pubb == nil {
+		return false, fmt.Errorf("missing certificate in cached keycert file")
+	} else if pubb.Type != "CERTIFICATE" {
+		return false, fmt.Errorf("second pem block is %q, expected CERTIFICATE", pubb.Type)
+	}
+	cert, err := x509.ParseCertificate(pubb.Bytes)
+	if err != nil {
+		return false, fmt.Errorf("parsing certificate from cached keycert file: %v", err)
+	}
+	// We assume the certificate has a matching hostname, and is properly CA-signed. We
+	// only check the expiration time.
+	if time.Until(cert.NotBefore) > 0 || time.Since(cert.NotAfter) > 0 {
+		return false, nil
+	}
+	return true, nil
+}
+
 // SetAllowedHostnames sets a new list of allowed hostnames for automatic TLS.
 // After setting the host names, a goroutine is start to check that new host names
 // are fully served by publicIPs (only if non-empty and there is no unspecified
 // address in the list). If no, log an error with a warning that ACME validation
 // may fail.
-func (m *Manager) SetAllowedHostnames(resolver dns.Resolver, hostnames map[dns.Domain]struct{}, publicIPs []string, checkHosts bool) {
+func (m *Manager) SetAllowedHostnames(log mlog.Log, resolver dns.Resolver, hostnames map[dns.Domain]struct{}, publicIPs []string, checkHosts bool) {
 	m.Lock()
 	defer m.Unlock()
 
@@ -207,7 +335,7 @@ func (m *Manager) SetAllowedHostnames(resolver dns.Resolver, hostnames map[dns.D
 		return l[i].Name() < l[j].Name()
 	})
 
-	xlog.Debug("autotls setting allowed hostnames", mlog.Field("hostnames", l), mlog.Field("publicips", publicIPs))
+	log.Debug("autotls setting allowed hostnames", slog.Any("hostnames", l), slog.Any("publicips", publicIPs))
 	var added []dns.Domain
 	for h := range hostnames {
 		if _, ok := m.hosts[h]; !ok {
@@ -231,16 +359,20 @@ func (m *Manager) SetAllowedHostnames(resolver dns.Resolver, hostnames map[dns.D
 				publicIPstrs[ip] = struct{}{}
 			}
 
-			xlog.Debug("checking ips of hosts configured for acme tls cert validation")
+			log.Debug("checking ips of hosts configured for acme tls cert validation")
 			for _, h := range added {
 				ips, _, err := resolver.LookupIP(ctx, "ip", h.ASCII+".")
 				if err != nil {
-					xlog.Errorx("warning: acme tls cert validation for host may fail due to dns lookup error", err, mlog.Field("host", h))
+					log.Warnx("acme tls cert validation for host may fail due to dns lookup error", err, slog.Any("host", h))
 					continue
 				}
 				for _, ip := range ips {
 					if _, ok := publicIPstrs[ip.String()]; !ok {
-						xlog.Error("warning: acme tls cert validation for host is likely to fail because not all its ips are being listened on", mlog.Field("hostname", h), mlog.Field("listenedips", publicIPs), mlog.Field("hostips", ips), mlog.Field("missingip", ip))
+						log.Warn("acme tls cert validation for host is likely to fail because not all its ips are being listened on",
+							slog.Any("hostname", h),
+							slog.Any("listenedips", publicIPs),
+							slog.Any("hostips", ips),
+							slog.Any("missingip", ip))
 					}
 				}
 			}
@@ -266,9 +398,9 @@ var errHostNotAllowed = errors.New("autotls: host not in allowlist")
 // present. Only hosts added with SetAllowedHostnames are allowed. During shutdown,
 // no new connections are allowed.
 func (m *Manager) HostPolicy(ctx context.Context, host string) (rerr error) {
-	log := xlog.WithContext(ctx)
+	log := mlog.New("autotls", nil).WithContext(ctx)
 	defer func() {
-		log.WithContext(ctx).Debugx("autotls hostpolicy result", rerr, mlog.Field("host", host))
+		log.Debugx("autotls hostpolicy result", rerr, slog.String("host", host))
 	}()
 
 	// Don't request new TLS certs when we are shutting down.
@@ -300,46 +432,46 @@ func (m *Manager) HostPolicy(ctx context.Context, host string) (rerr error) {
 type dirCache autocert.DirCache
 
 func (d dirCache) Delete(ctx context.Context, name string) (rerr error) {
-	log := xlog.WithContext(ctx)
+	log := mlog.New("autotls", nil).WithContext(ctx)
 	defer func() {
-		log.Debugx("dircache delete result", rerr, mlog.Field("name", name))
+		log.Debugx("dircache delete result", rerr, slog.String("name", name))
 	}()
 	err := autocert.DirCache(d).Delete(ctx, name)
 	if err != nil {
-		log.Errorx("deleting cert from dir cache", err, mlog.Field("name", name))
+		log.Errorx("deleting cert from dir cache", err, slog.String("name", name))
 	} else if !strings.HasSuffix(name, "+token") {
-		log.Info("autotls cert delete", mlog.Field("name", name))
+		log.Info("autotls cert delete", slog.String("name", name))
 	}
 	return err
 }
 
 func (d dirCache) Get(ctx context.Context, name string) (rbuf []byte, rerr error) {
-	log := xlog.WithContext(ctx)
+	log := mlog.New("autotls", nil).WithContext(ctx)
 	defer func() {
-		log.Debugx("dircache get result", rerr, mlog.Field("name", name))
+		log.Debugx("dircache get result", rerr, slog.String("name", name))
 	}()
 	buf, err := autocert.DirCache(d).Get(ctx, name)
 	if err != nil && errors.Is(err, autocert.ErrCacheMiss) {
-		log.Infox("getting cert from dir cache", err, mlog.Field("name", name))
+		log.Infox("getting cert from dir cache", err, slog.String("name", name))
 	} else if err != nil {
-		log.Errorx("getting cert from dir cache", err, mlog.Field("name", name))
+		log.Errorx("getting cert from dir cache", err, slog.String("name", name))
 	} else if !strings.HasSuffix(name, "+token") {
-		log.Debug("autotls cert get", mlog.Field("name", name))
+		log.Debug("autotls cert get", slog.String("name", name))
 	}
 	return buf, err
 }
 
 func (d dirCache) Put(ctx context.Context, name string, data []byte) (rerr error) {
-	log := xlog.WithContext(ctx)
+	log := mlog.New("autotls", nil).WithContext(ctx)
 	defer func() {
-		log.Debugx("dircache put result", rerr, mlog.Field("name", name))
+		log.Debugx("dircache put result", rerr, slog.String("name", name))
 	}()
 	metricCertput.Inc()
 	err := autocert.DirCache(d).Put(ctx, name, data)
 	if err != nil {
-		log.Errorx("storing cert in dir cache", err, mlog.Field("name", name))
+		log.Errorx("storing cert in dir cache", err, slog.String("name", name))
 	} else if !strings.HasSuffix(name, "+token") {
-		log.Info("autotls cert store", mlog.Field("name", name))
+		log.Info("autotls cert store", slog.String("name", name))
 	}
 	return err
 }

autotls/autotls_test.go

@@ -12,9 +12,11 @@ import (
 	"github.com/mjl-/autocert"
 
 	"github.com/mjl-/mox/dns"
+	"github.com/mjl-/mox/mlog"
 )
 
 func TestAutotls(t *testing.T) {
+	log := mlog.New("autotls", nil)
 	os.RemoveAll("../testdata/autotls")
 	os.MkdirAll("../testdata/autotls", 0770)
 
@@ -23,7 +25,7 @@ func TestAutotls(t *testing.T) {
 	getPrivateKey := func(host string, keyType autocert.KeyType) (crypto.Signer, error) {
 		return nil, fmt.Errorf("not used")
 	}
-	m, err := Load("test", "../testdata/autotls", "mox@localhost", "https://localhost/", getPrivateKey, shutdown)
+	m, err := Load(log, "test", "../testdata/autotls", "mox@localhost", "https://localhost/", "", nil, getPrivateKey, shutdown)
 	if err != nil {
 		t.Fatalf("load manager: %v", err)
 	}
@@ -34,7 +36,7 @@ func TestAutotls(t *testing.T) {
 	if err := m.HostPolicy(context.Background(), "mox.example"); err == nil || !errors.Is(err, errHostNotAllowed) {
 		t.Fatalf("hostpolicy, got err %v, expected errHostNotAllowed", err)
 	}
-	m.SetAllowedHostnames(dns.StrictResolver{}, map[dns.Domain]struct{}{{ASCII: "mox.example"}: {}}, nil, false)
+	m.SetAllowedHostnames(log, dns.MockResolver{}, map[dns.Domain]struct{}{{ASCII: "mox.example"}: {}}, nil, false)
 	l = m.Hostnames()
 	if !reflect.DeepEqual(l, []dns.Domain{{ASCII: "mox.example"}}) {
 		t.Fatalf("hostnames, got %v, expected single mox.example", l)
@@ -80,7 +82,7 @@ func TestAutotls(t *testing.T) {
 
 	key0 := m.Manager.Client.Key
 
-	m, err = Load("test", "../testdata/autotls", "mox@localhost", "https://localhost/", getPrivateKey, shutdown)
+	m, err = Load(log, "test", "../testdata/autotls", "mox@localhost", "https://localhost/", "", nil, getPrivateKey, shutdown)
 	if err != nil {
 		t.Fatalf("load manager again: %v", err)
 	}
@@ -88,12 +90,12 @@ func TestAutotls(t *testing.T) {
 		t.Fatalf("private key changed after reload")
 	}
 	m.shutdown = make(chan struct{})
-	m.SetAllowedHostnames(dns.StrictResolver{}, map[dns.Domain]struct{}{{ASCII: "mox.example"}: {}}, nil, false)
+	m.SetAllowedHostnames(log, dns.MockResolver{}, map[dns.Domain]struct{}{{ASCII: "mox.example"}: {}}, nil, false)
 	if err := m.HostPolicy(context.Background(), "mox.example"); err != nil {
 		t.Fatalf("hostpolicy, got err %v, expected no error", err)
 	}
 
-	m2, err := Load("test2", "../testdata/autotls", "mox@localhost", "https://localhost/", nil, shutdown)
+	m2, err := Load(log, "test2", "../testdata/autotls", "mox@localhost", "https://localhost/", "", nil, nil, shutdown)
 	if err != nil {
 		t.Fatalf("load another manager: %v", err)
 	}

backup.go

@@ -7,15 +7,18 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"log/slog"
 	"os"
 	"path/filepath"
+	"runtime"
+	"strconv"
 	"strings"
+	"syscall"
 	"time"
 
 	"github.com/mjl-/bstore"
 
 	"github.com/mjl-/mox/dmarcdb"
-	"github.com/mjl-/mox/mlog"
 	"github.com/mjl-/mox/mox-"
 	"github.com/mjl-/mox/moxvar"
 	"github.com/mjl-/mox/mtastsdb"
@@ -24,7 +27,7 @@ import (
 	"github.com/mjl-/mox/tlsrptdb"
 )
 
-func backupctl(ctx context.Context, ctl *ctl) {
+func xbackupctl(ctx context.Context, xctl *ctl) {
 	/* protocol:
 	> "backup"
 	> destdir
@@ -38,61 +41,144 @@ func backupctl(ctx context.Context, ctl *ctl) {
 	// "src" or "dst" are incomplete paths relative to the source or destination data
 	// directories.
 
-	dstDataDir := ctl.xread()
-	verbose := ctl.xread() == "verbose"
+	dstDir := xctl.xread()
+	verbose := xctl.xread() == "verbose"
 
 	// Set when an error is encountered. At the end, we warn if set.
 	var incomplete bool
 
 	// We'll be writing output, and logging both to mox and the ctl stream.
-	writer := ctl.writer()
+	xwriter := xctl.writer()
 
 	// Format easily readable output for the user.
-	formatLog := func(prefix, text string, err error, fields ...mlog.Pair) []byte {
+	formatLog := func(prefix, text string, err error, attrs ...slog.Attr) []byte {
 		var b bytes.Buffer
 		fmt.Fprint(&b, prefix)
 		fmt.Fprint(&b, text)
 		if err != nil {
 			fmt.Fprint(&b, ": "+err.Error())
 		}
-		for _, f := range fields {
-			fmt.Fprintf(&b, "; %s=%v", f.Key, f.Value)
+		for _, a := range attrs {
+			fmt.Fprintf(&b, "; %s=%v", a.Key, a.Value)
 		}
 		fmt.Fprint(&b, "\n")
 		return b.Bytes()
 	}
 
 	// Log an error to both the mox service as the user running "mox backup".
-	xlogx := func(prefix, text string, err error, fields ...mlog.Pair) {
-		ctl.log.Errorx(text, err, fields...)
-
-		_, werr := writer.Write(formatLog(prefix, text, err, fields...))
-		ctl.xcheck(werr, "write to ctl")
+	pkglogx := func(prefix, text string, err error, attrs ...slog.Attr) {
+		xctl.log.Errorx(text, err, attrs...)
+		xwriter.Write(formatLog(prefix, text, err, attrs...))
 	}
 
 	// Log an error but don't mark backup as failed.
-	xwarnx := func(text string, err error, fields ...mlog.Pair) {
-		xlogx("warning: ", text, err, fields...)
+	xwarnx := func(text string, err error, attrs ...slog.Attr) {
+		pkglogx("warning: ", text, err, attrs...)
 	}
 
 	// Log an error that causes the backup to be marked as failed. We typically
 	// continue processing though.
-	xerrx := func(text string, err error, fields ...mlog.Pair) {
+	xerrx := func(text string, err error, attrs ...slog.Attr) {
 		incomplete = true
-		xlogx("error: ", text, err, fields...)
+		pkglogx("error: ", text, err, attrs...)
 	}
 
 	// If verbose is enabled, log to the cli command. Always log as info level.
-	xvlog := func(text string, fields ...mlog.Pair) {
-		ctl.log.Info(text, fields...)
+	xvlog := func(text string, attrs ...slog.Attr) {
+		xctl.log.Info(text, attrs...)
 		if verbose {
-			_, werr := writer.Write(formatLog("", text, nil, fields...))
-			ctl.xcheck(werr, "write to ctl")
+			xwriter.Write(formatLog("", text, nil, attrs...))
 		}
 	}
 
+	dstConfigDir := filepath.Join(dstDir, "config")
+	dstDataDir := filepath.Join(dstDir, "data")
+
+	// Warn if directories already exist, will likely cause failures when trying to
+	// write files that already exist.
+	if _, err := os.Stat(dstConfigDir); err == nil {
+		xwarnx("destination config directory already exists", nil, slog.String("configdir", dstConfigDir))
+	}
 	if _, err := os.Stat(dstDataDir); err == nil {
-		xwarnx("destination data directory already exists", nil, mlog.Field("dir", dstDataDir))
+		xwarnx("destination data directory already exists", nil, slog.String("datadir", dstDataDir))
+	}
+
+	os.MkdirAll(dstDir, 0770)
+	os.MkdirAll(dstConfigDir, 0770)
+	os.MkdirAll(dstDataDir, 0770)
+
+	// Copy all files in the config dir.
+	srcConfigDir := filepath.Clean(mox.ConfigDirPath("."))
+	err := filepath.WalkDir(srcConfigDir, func(srcPath string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+
+		if srcConfigDir == srcPath {
+			return nil
+		}
+
+		// Trim directory and separator.
+		relPath := srcPath[len(srcConfigDir)+1:]
+
+		destPath := filepath.Join(dstConfigDir, relPath)
+
+		if d.IsDir() {
+			if info, err := os.Stat(srcPath); err != nil {
+				return fmt.Errorf("stat config dir %s: %v", srcPath, err)
+			} else if err := os.Mkdir(destPath, info.Mode()&0777); err != nil {
+				return fmt.Errorf("mkdir %s: %v", destPath, err)
+			}
+			return nil
+		}
+		if d.Type()&fs.ModeSymlink != 0 {
+			linkDest, err := os.Readlink(srcPath)
+			if err != nil {
+				return fmt.Errorf("reading symlink %s: %v", srcPath, err)
+			}
+			if err := os.Symlink(linkDest, destPath); err != nil {
+				return fmt.Errorf("creating symlink %s: %v", destPath, err)
+			}
+			return nil
+		}
+		if !d.Type().IsRegular() {
+			xwarnx("skipping non-regular/dir/symlink file in config dir", nil, slog.String("path", srcPath))
+			return nil
+		}
+
+		sf, err := os.Open(srcPath)
+		if err != nil {
+			return fmt.Errorf("open config file %s: %v", srcPath, err)
+		}
+		info, err := sf.Stat()
+		if err != nil {
+			return fmt.Errorf("stat config file %s: %v", srcPath, err)
+		}
+		df, err := os.OpenFile(destPath, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0777&info.Mode())
+		if err != nil {
+			return fmt.Errorf("create destination config file %s: %v", destPath, err)
+		}
+		defer func() {
+			if df != nil {
+				err := df.Close()
+				xctl.log.Check(err, "closing file")
+			}
+		}()
+		defer func() {
+			err := sf.Close()
+			xctl.log.Check(err, "closing file")
+		}()
+		if _, err := io.Copy(df, sf); err != nil {
+			return fmt.Errorf("copying config file %s to %s: %v", srcPath, destPath, err)
+		}
+		if err := df.Close(); err != nil {
+			return fmt.Errorf("closing destination config file %s: %v", srcPath, err)
+		}
+		df = nil
+		return nil
+	})
+	if err != nil {
+		xerrx("storing config directory", err)
 	}
 
 	srcDataDir := filepath.Clean(mox.DataDirPath("."))
@@ -119,33 +205,37 @@ func backupctl(ctx context.Context, ctl *ctl) {
 
 		sf, err := os.Open(srcpath)
 		if err != nil {
-			xerrx("open source file (not backed up)", err, mlog.Field("srcpath", srcpath), mlog.Field("dstpath", dstpath))
+			xerrx("open source file (not backed up)", err, slog.String("srcpath", srcpath), slog.String("dstpath", dstpath))
 			return
 		}
-		defer sf.Close()
+		defer func() {
+			err := sf.Close()
+			xctl.log.Check(err, "closing source file")
+		}()
 
 		ensureDestDir(dstpath)
 		df, err := os.OpenFile(dstpath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0660)
 		if err != nil {
-			xerrx("creating destination file (not backed up)", err, mlog.Field("srcpath", srcpath), mlog.Field("dstpath", dstpath))
+			xerrx("creating destination file (not backed up)", err, slog.String("srcpath", srcpath), slog.String("dstpath", dstpath))
 			return
 		}
 		defer func() {
 			if df != nil {
-				df.Close()
+				err := df.Close()
+				xctl.log.Check(err, "closing destination file")
 			}
 		}()
 		if _, err := io.Copy(df, sf); err != nil {
-			xerrx("copying file (not backed up properly)", err, mlog.Field("srcpath", srcpath), mlog.Field("dstpath", dstpath))
+			xerrx("copying file (not backed up properly)", err, slog.String("srcpath", srcpath), slog.String("dstpath", dstpath))
 			return
 		}
 		err = df.Close()
 		df = nil
 		if err != nil {
-			xerrx("closing destination file (not backed up properly)", err, mlog.Field("srcpath", srcpath), mlog.Field("dstpath", dstpath))
+			xerrx("closing destination file (not backed up properly)", err, slog.String("srcpath", srcpath), slog.String("dstpath", dstpath))
 			return
 		}
-		xvlog("backed up file", mlog.Field("path", path), mlog.Field("duration", time.Since(tmFile)))
+		xvlog("backed up file", slog.String("path", path), slog.Duration("duration", time.Since(tmFile)))
 	}
 
 	// Back up the files in a directory (by copying).
@@ -155,7 +245,7 @@ func backupctl(ctx context.Context, ctl *ctl) {
 		dstdir := filepath.Join(dstDataDir, dir)
 		err := filepath.WalkDir(srcdir, func(srcpath string, d fs.DirEntry, err error) error {
 			if err != nil {
-				xerrx("walking file (not backed up)", err, mlog.Field("srcpath", srcpath))
+				xerrx("walking file (not backed up)", err, slog.String("srcpath", srcpath))
 				return nil
 			}
 			if d.IsDir() {
@@ -165,24 +255,18 @@ func backupctl(ctx context.Context, ctl *ctl) {
 			return nil
 		})
 		if err != nil {
-			xerrx("copying directory (not backed up properly)", err, mlog.Field("srcdir", srcdir), mlog.Field("dstdir", dstdir), mlog.Field("duration", time.Since(tmDir)))
+			xerrx("copying directory (not backed up properly)", err,
+				slog.String("srcdir", srcdir),
+				slog.String("dstdir", dstdir),
+				slog.Duration("duration", time.Since(tmDir)))
 			return
 		}
-		xvlog("backed up directory", mlog.Field("dir", dir), mlog.Field("duration", time.Since(tmDir)))
+		xvlog("backed up directory", slog.String("dir", dir), slog.Duration("duration", time.Since(tmDir)))
 	}
 
-	// Backup a database by copying it in a readonly transaction.
-	// Always logs on error, so caller doesn't have to, but also returns the error so
-	// callers can see result.
-	backupDB := func(db *bstore.DB, path string) (rerr error) {
-		defer func() {
-			if rerr != nil {
-				xerrx("backing up database", rerr, mlog.Field("path", path))
-			}
-		}()
-
-		tmDB := time.Now()
-
+	// Backup a database by copying it in a readonly transaction. Wrapped by backupDB
+	// which logs and returns just a bool.
+	backupDB0 := func(db *bstore.DB, path string) error {
 		dstpath := filepath.Join(dstDataDir, path)
 		ensureDestDir(dstpath)
 		df, err := os.OpenFile(dstpath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0660)
@@ -191,7 +275,8 @@ func backupctl(ctx context.Context, ctl *ctl) {
 		}
 		defer func() {
 			if df != nil {
-				df.Close()
+				err := df.Close()
+				xctl.log.Check(err, "closing destination database file")
 			}
 		}()
 		err = db.Read(ctx, func(tx *bstore.Tx) error {
@@ -216,10 +301,20 @@ func backupctl(ctx context.Context, ctl *ctl) {
 		if err != nil {
 			return fmt.Errorf("closing destination database after copy: %v", err)
 		}
-		xvlog("backed up database file", mlog.Field("path", path), mlog.Field("duration", time.Since(tmDB)))
 		return nil
 	}
 
+	backupDB := func(db *bstore.DB, path string) bool {
+		start := time.Now()
+		err := backupDB0(db, path)
+		if err != nil {
+			xerrx("backing up database", err, slog.String("path", path), slog.Duration("duration", time.Since(start)))
+			return false
+		}
+		xvlog("backed up database file", slog.String("path", path), slog.Duration("duration", time.Since(start)))
+		return true
+	}
+
 	// Try to create a hardlink. Fall back to copying the file (e.g. when on different file system).
 	warnedHardlink := false // We warn once about failing to hardlink.
 	linkOrCopy := func(srcpath, dstpath string) (bool, error) {
@@ -231,7 +326,11 @@ func backupctl(ctx context.Context, ctl *ctl) {
 			// No point in trying with regular copy, we would warn twice.
 			return false, err
 		} else if !warnedHardlink {
-			xwarnx("creating hardlink to message failed, will be doing regular file copies and not warn again", err, mlog.Field("srcpath", srcpath), mlog.Field("dstpath", dstpath))
+			var hardlinkHint string
+			if runtime.GOOS == "linux" && errors.Is(err, syscall.EXDEV) {
+				hardlinkHint = " (hint: if running under systemd, ReadWritePaths in mox.service may cause multiple mountpoints; consider merging paths into a single parent directory to prevent cross-device/mountpoint hardlinks)"
+			}
+			xwarnx("creating hardlink to message failed, will be doing regular file copies and not warn again"+hardlinkHint, err, slog.String("srcpath", srcpath), slog.String("dstpath", dstpath))
 			warnedHardlink = true
 		}
 
@@ -242,7 +341,7 @@ func backupctl(ctx context.Context, ctl *ctl) {
 		}
 		defer func() {
 			err := sf.Close()
-			ctl.log.Check(err, "closing copied source file")
+			xctl.log.Check(err, "closing copied source file")
 		}()
 
 		df, err := os.OpenFile(dstpath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0660)
@@ -252,7 +351,7 @@ func backupctl(ctx context.Context, ctl *ctl) {
 		defer func() {
 			if df != nil {
 				err := df.Close()
-				ctl.log.Check(err, "closing partial destination file")
+				xctl.log.Check(err, "closing partial destination file")
 			}
 		}()
 		if _, err := io.Copy(df, sf); err != nil {
@@ -269,16 +368,16 @@ func backupctl(ctx context.Context, ctl *ctl) {
 	// Start making the backup.
 	tmStart := time.Now()
 
-	ctl.log.Print("making backup", mlog.Field("destdir", dstDataDir))
+	xctl.log.Print("making backup", slog.String("destdir", dstDataDir))
 
-	err := os.MkdirAll(dstDataDir, 0770)
-	if err != nil {
+	if err := os.MkdirAll(dstDataDir, 0770); err != nil {
 		xerrx("creating destination data directory", err)
 	}
 
 	if err := os.WriteFile(filepath.Join(dstDataDir, "moxversion"), []byte(moxvar.Version), 0660); err != nil {
 		xerrx("writing moxversion", err)
 	}
+	backupDB(store.AuthDB, "auth.db")
 	backupDB(dmarcdb.ReportsDB, "dmarcrpt.db")
 	backupDB(dmarcdb.EvalDB, "dmarceval.db")
 	backupDB(mtastsdb.DB, "mtasts.db")
@@ -290,7 +389,7 @@ func backupctl(ctx context.Context, ctl *ctl) {
 	srcAcmeDir := filepath.Join(srcDataDir, "acme")
 	if _, err := os.Stat(srcAcmeDir); err == nil {
 		backupDir("acme")
-	} else if err != nil && !os.IsNotExist(err) {
+	} else if !os.IsNotExist(err) {
 		xerrx("copying acme/", err)
 	}
 
@@ -298,38 +397,41 @@ func backupctl(ctx context.Context, ctl *ctl) {
 	backupQueue := func(path string) {
 		tmQueue := time.Now()
 
-		if err := backupDB(queue.DB, path); err != nil {
-			xerrx("queue not backed up", err, mlog.Field("path", path), mlog.Field("duration", time.Since(tmQueue)))
+		if !backupDB(queue.DB, path) {
 			return
 		}
 
 		dstdbpath := filepath.Join(dstDataDir, path)
-		db, err := bstore.Open(ctx, dstdbpath, &bstore.Options{MustExist: true}, queue.DBTypes...)
+		opts := bstore.Options{MustExist: true, RegisterLogger: xctl.log.Logger}
+		db, err := bstore.Open(ctx, dstdbpath, &opts, queue.DBTypes...)
 		if err != nil {
-			xerrx("open copied queue database", err, mlog.Field("dstpath", dstdbpath), mlog.Field("duration", time.Since(tmQueue)))
+			xerrx("open copied queue database", err, slog.String("dstpath", dstdbpath), slog.Duration("duration", time.Since(tmQueue)))
 			return
 		}
 
 		defer func() {
 			if db != nil {
 				err := db.Close()
-				ctl.log.Check(err, "closing new queue db")
+				xctl.log.Check(err, "closing new queue db")
 			}
 		}()
 
-		// Link/copy known message files. Warn if files are missing or unexpected
-		// (though a message file could have been removed just now due to delivery, or a
-		// new message may have been queued).
+		// Link/copy known message files. If a message has been removed while we read the
+		// database, our backup is not consistent and the backup will be marked failed.
 		tmMsgs := time.Now()
 		seen := map[string]struct{}{}
 		var nlinked, ncopied int
+		var maxID int64
 		err = bstore.QueryDB[queue.Msg](ctx, db).ForEach(func(m queue.Msg) error {
+			if m.ID > maxID {
+				maxID = m.ID
+			}
 			mp := store.MessagePath(m.ID)
 			seen[mp] = struct{}{}
 			srcpath := filepath.Join(srcDataDir, "queue", mp)
 			dstpath := filepath.Join(dstDataDir, "queue", mp)
 			if linked, err := linkOrCopy(srcpath, dstpath); err != nil {
-				xerrx("linking/copying queue message", err, mlog.Field("srcpath", srcpath), mlog.Field("dstpath", dstpath))
+				xerrx("linking/copying queue message", err, slog.String("srcpath", srcpath), slog.String("dstpath", dstpath))
 			} else if linked {
 				nlinked++
 			} else {
@@ -338,17 +440,22 @@ func backupctl(ctx context.Context, ctl *ctl) {
 			return nil
 		})
 		if err != nil {
-			xerrx("processing queue messages (not backed up properly)", err, mlog.Field("duration", time.Since(tmMsgs)))
+			xerrx("processing queue messages (not backed up properly)", err, slog.Duration("duration", time.Since(tmMsgs)))
 		} else {
-			xvlog("queue message files linked/copied", mlog.Field("linked", nlinked), mlog.Field("copied", ncopied), mlog.Field("duration", time.Since(tmMsgs)))
+			xvlog("queue message files linked/copied",
+				slog.Int("linked", nlinked),
+				slog.Int("copied", ncopied),
+				slog.Duration("duration", time.Since(tmMsgs)))
 		}
 
-		// Read through all files in queue directory and warn about anything we haven't handled yet.
+		// Read through all files in queue directory and warn about anything we haven't
+		// handled yet. Message files that are newer than we expect from our consistent
+		// database snapshot are ignored.
 		tmWalk := time.Now()
 		srcqdir := filepath.Join(srcDataDir, "queue")
 		err = filepath.WalkDir(srcqdir, func(srcqpath string, d fs.DirEntry, err error) error {
 			if err != nil {
-				xerrx("walking files in queue", err, mlog.Field("srcpath", srcqpath))
+				xerrx("walking files in queue", err, slog.String("srcpath", srcqpath))
 				return nil
 			}
 			if d.IsDir() {
@@ -361,37 +468,43 @@ func backupctl(ctx context.Context, ctl *ctl) {
 			if p == "index.db" {
 				return nil
 			}
+			// Skip any messages that were added since we started on our consistent snapshot.
+			// We don't want to cause spurious backup warnings.
+			if id, err := strconv.ParseInt(filepath.Base(p), 10, 64); err == nil && maxID > 0 && id > maxID && p == store.MessagePath(id) {
+				return nil
+			}
+
 			qp := filepath.Join("queue", p)
-			xwarnx("backing up unrecognized file in queue directory", nil, mlog.Field("path", qp))
+			xwarnx("backing up unrecognized file in queue directory", nil, slog.String("path", qp))
 			backupFile(qp)
 			return nil
 		})
 		if err != nil {
-			xerrx("walking queue directory (not backed up properly)", err, mlog.Field("dir", "queue"), mlog.Field("duration", time.Since(tmWalk)))
+			xerrx("walking queue directory (not backed up properly)", err, slog.String("dir", "queue"), slog.Duration("duration", time.Since(tmWalk)))
 		} else {
-			xvlog("walked queue directory", mlog.Field("duration", time.Since(tmWalk)))
+			xvlog("walked queue directory", slog.Duration("duration", time.Since(tmWalk)))
 		}
 
-		xvlog("queue backed finished", mlog.Field("duration", time.Since(tmQueue)))
+		xvlog("queue backed finished", slog.Duration("duration", time.Since(tmQueue)))
 	}
 	backupQueue(filepath.FromSlash("queue/index.db"))
 
 	backupAccount := func(acc *store.Account) {
-		defer acc.Close()
+		defer func() {
+			err := acc.Close()
+			xctl.log.Check(err, "closing account")
+		}()
 
 		tmAccount := time.Now()
 
 		// Copy database file.
 		dbpath := filepath.Join("accounts", acc.Name, "index.db")
-		err := backupDB(acc.DB, dbpath)
-		if err != nil {
-			xerrx("copying account database", err, mlog.Field("path", dbpath), mlog.Field("duration", time.Since(tmAccount)))
-		}
+		backupDB(acc.DB, dbpath)
 
 		// todo: should document/check not taking a rlock on account.
 
 		// Copy junkfilter files, if configured.
-		if jf, _, err := acc.OpenJunkFilter(ctx, ctl.log); err != nil {
+		if jf, _, err := acc.OpenJunkFilter(ctx, xctl.log); err != nil {
 			if !errors.Is(err, store.ErrNoJunkFilter) {
 				xerrx("opening junk filter for account (not backed up)", err)
 			}
@@ -401,39 +514,41 @@ func backupctl(ctx context.Context, ctl *ctl) {
 			backupDB(db, jfpath)
 			bloompath := filepath.Join("accounts", acc.Name, "junkfilter.bloom")
 			backupFile(bloompath)
-			db = nil
 			err := jf.Close()
-			ctl.log.Check(err, "closing junkfilter")
+			xctl.log.Check(err, "closing junkfilter")
 		}
 
 		dstdbpath := filepath.Join(dstDataDir, dbpath)
-		db, err := bstore.Open(ctx, dstdbpath, &bstore.Options{MustExist: true}, store.DBTypes...)
+		opts := bstore.Options{MustExist: true, RegisterLogger: xctl.log.Logger}
+		db, err := bstore.Open(ctx, dstdbpath, &opts, store.DBTypes...)
 		if err != nil {
-			xerrx("open copied account database", err, mlog.Field("dstpath", dstdbpath), mlog.Field("duration", time.Since(tmAccount)))
+			xerrx("open copied account database", err, slog.String("dstpath", dstdbpath), slog.Duration("duration", time.Since(tmAccount)))
 			return
 		}
 
 		defer func() {
 			if db != nil {
 				err := db.Close()
-				ctl.log.Check(err, "close account database")
+				xctl.log.Check(err, "close account database")
 			}
 		}()
 
-		// Link/copy known message files. Warn if files are missing or unexpected (though a
-		// message file could have been added just now due to delivery, or a message have
-		// been removed).
+		// Link/copy known message files.
 		tmMsgs := time.Now()
 		seen := map[string]struct{}{}
+		var maxID int64
 		var nlinked, ncopied int
 		err = bstore.QueryDB[store.Message](ctx, db).FilterEqual("Expunged", false).ForEach(func(m store.Message) error {
+			if m.ID > maxID {
+				maxID = m.ID
+			}
 			mp := store.MessagePath(m.ID)
 			seen[mp] = struct{}{}
 			amp := filepath.Join("accounts", acc.Name, "msg", mp)
 			srcpath := filepath.Join(srcDataDir, amp)
 			dstpath := filepath.Join(dstDataDir, amp)
 			if linked, err := linkOrCopy(srcpath, dstpath); err != nil {
-				xerrx("linking/copying account message", err, mlog.Field("srcpath", srcpath), mlog.Field("dstpath", dstpath))
+				xerrx("linking/copying account message", err, slog.String("srcpath", srcpath), slog.String("dstpath", dstpath))
 			} else if linked {
 				nlinked++
 			} else {
@@ -442,17 +557,31 @@ func backupctl(ctx context.Context, ctl *ctl) {
 			return nil
 		})
 		if err != nil {
-			xerrx("processing account messages (not backed up properly)", err, mlog.Field("duration", time.Since(tmMsgs)))
+			xerrx("processing account messages (not backed up properly)", err, slog.Duration("duration", time.Since(tmMsgs)))
 		} else {
-			xvlog("account message files linked/copied", mlog.Field("linked", nlinked), mlog.Field("copied", ncopied), mlog.Field("duration", time.Since(tmMsgs)))
+			xvlog("account message files linked/copied",
+				slog.Int("linked", nlinked),
+				slog.Int("copied", ncopied),
+				slog.Duration("duration", time.Since(tmMsgs)))
 		}
 
-		// Read through all files in account directory and warn about anything we haven't handled yet.
+		eraseIDs := map[int64]struct{}{}
+		err = bstore.QueryDB[store.MessageErase](ctx, db).ForEach(func(me store.MessageErase) error {
+			eraseIDs[me.ID] = struct{}{}
+			return nil
+		})
+		if err != nil {
+			xerrx("listing erased messages", err)
+		}
+
+		// Read through all files in queue directory and warn about anything we haven't
+		// handled yet. Message files that are newer than we expect from our consistent
+		// database snapshot are ignored.
 		tmWalk := time.Now()
 		srcadir := filepath.Join(srcDataDir, "accounts", acc.Name)
 		err = filepath.WalkDir(srcadir, func(srcapath string, d fs.DirEntry, err error) error {
 			if err != nil {
-				xerrx("walking files in account", err, mlog.Field("srcpath", srcapath))
+				xerrx("walking files in account", err, slog.String("srcpath", srcapath))
 				return nil
 			}
 			if d.IsDir() {
@@ -465,6 +594,16 @@ func backupctl(ctx context.Context, ctl *ctl) {
 				if _, ok := seen[mp]; ok {
 					return nil
 				}
+
+				// Skip any messages that were added since we started on our consistent snapshot,
+				// or messages that will be erased. We don't want to cause spurious backup
+				// warnings.
+				id, err := strconv.ParseInt(l[len(l)-1], 10, 64)
+				if err == nil && id > maxID && mp == store.MessagePath(id) {
+					return nil
+				} else if _, ok := eraseIDs[id]; err == nil && ok {
+					return nil
+				}
 			}
 			switch p {
 			case "index.db", "junkfilter.db", "junkfilter.bloom":
@@ -472,20 +611,20 @@ func backupctl(ctx context.Context, ctl *ctl) {
 			}
 			ap := filepath.Join("accounts", acc.Name, p)
 			if strings.HasPrefix(p, "msg"+string(filepath.Separator)) {
-				xwarnx("backing up unrecognized file in account message directory (should be moved away)", nil, mlog.Field("path", ap))
+				xwarnx("backing up unrecognized file in account message directory (should be moved away)", nil, slog.String("path", ap))
 			} else {
-				xwarnx("backing up unrecognized file in account directory", nil, mlog.Field("path", ap))
+				xwarnx("backing up unrecognized file in account directory", nil, slog.String("path", ap))
 			}
 			backupFile(ap)
 			return nil
 		})
 		if err != nil {
-			xerrx("walking account directory (not backed up properly)", err, mlog.Field("srcdir", srcadir), mlog.Field("duration", time.Since(tmWalk)))
+			xerrx("walking account directory (not backed up properly)", err, slog.String("srcdir", srcadir), slog.Duration("duration", time.Since(tmWalk)))
 		} else {
-			xvlog("walked account directory", mlog.Field("duration", time.Since(tmWalk)))
+			xvlog("walked account directory", slog.Duration("duration", time.Since(tmWalk)))
 		}
 
-		xvlog("account backup finished", mlog.Field("dir", filepath.Join("accounts", acc.Name)), mlog.Field("duration", time.Since(tmAccount)))
+		xvlog("account backup finished", slog.String("dir", filepath.Join("accounts", acc.Name)), slog.Duration("duration", time.Since(tmAccount)))
 	}
 
 	// For each configured account, open it, make a copy of the database and
@@ -493,9 +632,9 @@ func backupctl(ctx context.Context, ctl *ctl) {
 	// account directories when handling "all other files" below.
 	accounts := map[string]struct{}{}
 	for _, accName := range mox.Conf.Accounts() {
-		acc, err := store.OpenAccount(accName)
+		acc, err := store.OpenAccount(xctl.log, accName, false)
 		if err != nil {
-			xerrx("opening account for copying (will try to copy as regular files later)", err, mlog.Field("account", accName))
+			xerrx("opening account for copying (will try to copy as regular files later)", err, slog.String("account", accName))
 			continue
 		}
 		accounts[accName] = struct{}{}
@@ -506,7 +645,7 @@ func backupctl(ctx context.Context, ctl *ctl) {
 	tmWalk := time.Now()
 	err = filepath.WalkDir(srcDataDir, func(srcpath string, d fs.DirEntry, err error) error {
 		if err != nil {
-			xerrx("walking path", err, mlog.Field("path", srcpath))
+			xerrx("walking path", err, slog.String("path", srcpath))
 			return nil
 		}
 
@@ -531,29 +670,29 @@ func backupctl(ctx context.Context, ctl *ctl) {
 		}
 
 		switch p {
-		case "dmarcrpt.db", "dmarceval.db", "mtasts.db", "tlsrpt.db", "tlsrptresult.db", "receivedid.key", "ctl":
+		case "auth.db", "dmarcrpt.db", "dmarceval.db", "mtasts.db", "tlsrpt.db", "tlsrptresult.db", "receivedid.key", "ctl":
 			// Already handled.
 			return nil
 		case "lastknownversion": // Optional file, not yet handled.
 		default:
-			xwarnx("backing up unrecognized file", nil, mlog.Field("path", p))
+			xwarnx("backing up unrecognized file", nil, slog.String("path", p))
 		}
 		backupFile(p)
 		return nil
 	})
 	if err != nil {
-		xerrx("walking other files (not backed up properly)", err, mlog.Field("duration", time.Since(tmWalk)))
+		xerrx("walking other files (not backed up properly)", err, slog.Duration("duration", time.Since(tmWalk)))
 	} else {
-		xvlog("walking other files finished", mlog.Field("duration", time.Since(tmWalk)))
+		xvlog("walking other files finished", slog.Duration("duration", time.Since(tmWalk)))
 	}
 
-	xvlog("backup finished", mlog.Field("duration", time.Since(tmStart)))
+	xvlog("backup finished", slog.Duration("duration", time.Since(tmStart)))
 
-	writer.xclose()
+	xwriter.xclose()
 
 	if incomplete {
-		ctl.xwrite("errors were encountered during backup")
+		xctl.xwrite("errors were encountered during backup")
 	} else {
-		ctl.xwriteok()
+		xctl.xwriteok()
 	}
 }

config/config.go

@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"net"
+	"net/http"
 	"net/url"
 	"reflect"
 	"regexp"
@@ -60,19 +61,20 @@ type Static struct {
 	HostTLSRPT struct {
 		Account   string `sconf-doc:"Account to deliver TLS reports to. Typically same account as for postmaster."`
 		Mailbox   string `sconf-doc:"Mailbox to deliver TLS reports to. Recommended value: TLSRPT."`
-		Localpart string `sconf-doc:"Localpart at hostname to accept TLS reports at. Recommended value: tls-reports."`
+		Localpart string `sconf-doc:"Localpart at hostname to accept TLS reports at. Recommended value: tlsreports."`
 
 		ParsedLocalpart smtp.Localpart `sconf:"-"`
 	} `sconf:"optional" sconf-doc:"Destination for per-host TLS reports (TLSRPT). TLS reports can be per recipient domain (for MTA-STS), or per MX host (for DANE). The per-domain TLS reporting configuration is in domains.conf. This is the TLS reporting configuration for this host. If absent, no host-based TLSRPT address is configured, and no host TLSRPT DNS record is suggested."`
-	InitialMailboxes InitialMailboxes     `sconf:"optional" sconf-doc:"Mailboxes to create for new accounts. Inbox is always created. Mailboxes can be given a 'special-use' role, which are understood by most mail clients. If absent/empty, the following mailboxes are created: Sent, Archive, Trash, Drafts and Junk."`
+	InitialMailboxes InitialMailboxes     `sconf:"optional" sconf-doc:"Mailboxes to create for new accounts. Inbox is always created. Mailboxes can be given a 'special-use' role, which are understood by most mail clients. If absent/empty, the following additional mailboxes are created: Sent, Archive, Trash, Drafts and Junk."`
 	DefaultMailboxes []string             `sconf:"optional" sconf-doc:"Deprecated in favor of InitialMailboxes. Mailboxes to create when adding an account. Inbox is always created. If no mailboxes are specified, the following are automatically created: Sent, Archive, Trash, Drafts and Junk."`
 	Transports       map[string]Transport `sconf:"optional" sconf-doc:"Transport are mechanisms for delivering messages. Transports can be referenced from Routes in accounts, domains and the global configuration. There is always an implicit/fallback delivery transport doing direct delivery with SMTP from the outgoing message queue. Transports are typically only configured when using smarthosts, i.e. when delivering through another SMTP server. Zero or one transport methods must be set in a transport, never multiple. When using an external party to send email for a domain, keep in mind you may have to add their IP address to your domain's SPF record, and possibly additional DKIM records."`
 	// Awkward naming of fields to get intended default behaviour for zero values.
-	NoOutgoingDMARCReports          bool `sconf:"optional" sconf-doc:"Do not send DMARC reports (aggregate only). By default, aggregate reports on DMARC evaluations are sent to domains if their DMARC policy requests them. Reports are sent at whole hours, with a minimum of 1 hour and maximum of 24 hours, rounded up so a whole number of intervals cover 24 hours, aligned at whole days in UTC. Reports are sent from the postmaster@<mailhostname> address."`
-	NoOutgoingTLSReports            bool `sconf:"optional" sconf-doc:"Do not send TLS reports. By default, reports about failed SMTP STARTTLS connections and related MTA-STS/DANE policies are sent to domains if their TLSRPT DNS record requests them. Reports covering a 24 hour UTC interval are sent daily. Reports are sent from the postmaster address of the configured domain the mailhostname is in. If there is no such domain, or it does not have DKIM configured, no reports are sent."`
-	OutgoingTLSReportsForAllSuccess bool `sconf:"optional" sconf-doc:"Also send TLS reports if there were no SMTP STARTTLS connection failures. By default, reports are only sent when at least one failure occurred. If a report is sent, it does always include the successful connection counts as well."`
+	NoOutgoingDMARCReports          bool  `sconf:"optional" sconf-doc:"Do not send DMARC reports (aggregate only). By default, aggregate reports on DMARC evaluations are sent to domains if their DMARC policy requests them. Reports are sent at whole hours, with a minimum of 1 hour and maximum of 24 hours, rounded up so a whole number of intervals cover 24 hours, aligned at whole days in UTC. Reports are sent from the postmaster@<mailhostname> address."`
+	NoOutgoingTLSReports            bool  `sconf:"optional" sconf-doc:"Do not send TLS reports. By default, reports about failed SMTP STARTTLS connections and related MTA-STS/DANE policies are sent to domains if their TLSRPT DNS record requests them. Reports covering a 24 hour UTC interval are sent daily. Reports are sent from the postmaster address of the configured domain the mailhostname is in. If there is no such domain, or it does not have DKIM configured, no reports are sent."`
+	OutgoingTLSReportsForAllSuccess bool  `sconf:"optional" sconf-doc:"Also send TLS reports if there were no SMTP STARTTLS connection failures. By default, reports are only sent when at least one failure occurred. If a report is sent, it does always include the successful connection counts as well."`
+	QuotaMessageSize                int64 `sconf:"optional" sconf-doc:"Default maximum total message size in bytes for each individual account, only applicable if greater than zero. Can be overridden per account. Attempting to add new messages to an account beyond its maximum total size will result in an error. Useful to prevent a single account from filling storage. The quota only applies to the email message files, not to any file system overhead and also not the message index database file (account for approximately 15% overhead)."`
 
-	// All IPs that were explicitly listen on for external SMTP. Only set when there
+	// All IPs that were explicitly listened on for external SMTP. Only set when there
 	// are no unspecified external SMTP listeners and there is at most one for IPv4 and
 	// at most one for IPv6. Used for setting the local address when making outgoing
 	// connections. Those IPs are assumed to be in an SPF record for the domain,
@@ -106,28 +108,39 @@ type SpecialUseMailboxes struct {
 // Dynamic is the parsed form of domains.conf, and is automatically reloaded when changed.
 type Dynamic struct {
 	Domains            map[string]Domain  `sconf-doc:"NOTE: This config file is in 'sconf' format. Indent with tabs. Comments must be on their own line, they don't end a line. Do not escape or quote strings. Details: https://pkg.go.dev/github.com/mjl-/sconf.\n\n\nDomains for which email is accepted. For internationalized domains, use their IDNA names in UTF-8."`
-	Accounts           map[string]Account `sconf-doc:"Accounts to which email can be delivered. An account can accept email for multiple domains, for multiple localparts, and deliver to multiple mailboxes."`
+	Accounts           map[string]Account `sconf-doc:"Accounts represent mox users, each with a password and email address(es) to which email can be delivered (possibly at different domains). Each account has its own on-disk directory holding its messages and index database. An account name is not an email address."`
 	WebDomainRedirects map[string]string  `sconf:"optional" sconf-doc:"Redirect all requests from domain (key) to domain (value). Always redirects to HTTPS. For plain HTTP redirects, use a WebHandler with a WebRedirect."`
-	WebHandlers        []WebHandler       `sconf:"optional" sconf-doc:"Handle webserver requests by serving static files, redirecting or reverse-proxying HTTP(s). The first matching WebHandler will handle the request. Built-in handlers, e.g. for account, admin, autoconfig and mta-sts always run first. If no handler matches, the response status code is file not found (404). If functionality you need is missng, simply forward the requests to an application that can provide the needed functionality."`
+	WebHandlers        []WebHandler       `sconf:"optional" sconf-doc:"Handle webserver requests by serving static files, redirecting, reverse-proxying HTTP(s) or passing the request to an internal service. The first matching WebHandler will handle the request. Built-in system handlers, e.g. for ACME validation, autoconfig and mta-sts always run first. Built-in handlers for admin, account, webmail and webapi are evaluated after all handlers, including webhandlers (allowing for overrides of internal services for some domains). If no handler matches, the response status code is file not found (404). If webserver features are missing, forward the requests to an application that provides the needed functionality itself."`
 	Routes             []Route            `sconf:"optional" sconf-doc:"Routes for delivering outgoing messages through the queue. Each delivery attempt evaluates account routes, domain routes and finally these global routes. The transport of the first matching route is used in the delivery attempt. If no routes match, which is the default with no configured routes, messages are delivered directly from the queue."`
+	MonitorDNSBLs      []string           `sconf:"optional" sconf-doc:"DNS blocklists to periodically check with if IPs we send from are present, without using them for checking incoming deliveries.. Also see DNSBLs in SMTP listeners in mox.conf, which specifies DNSBLs to use both for incoming deliveries and for checking our IPs against. Example DNSBLs: sbl.spamhaus.org, bl.spamcop.net."`
 
-	WebDNSDomainRedirects map[dns.Domain]dns.Domain `sconf:"-"`
+	WebDNSDomainRedirects map[dns.Domain]dns.Domain `sconf:"-" json:"-"`
+	MonitorDNSBLZones     []dns.Domain              `sconf:"-"`
+	ClientSettingDomains  map[dns.Domain]struct{}   `sconf:"-" json:"-"`
 }
 
 type ACME struct {
-	DirectoryURL string        `sconf-doc:"For letsencrypt, use https://acme-v02.api.letsencrypt.org/directory."`
-	RenewBefore  time.Duration `sconf:"optional" sconf-doc:"How long before expiration to renew the certificate. Default is 30 days."`
-	ContactEmail string        `sconf-doc:"Email address to register at ACME provider. The provider can email you when certificates are about to expire. If you configure an address for which email is delivered by this server, keep in mind that TLS misconfigurations could result in such notification emails not arriving."`
-	Port         int           `sconf:"optional" sconf-doc:"TLS port for ACME validation, 443 by default. You should only override this if you cannot listen on port 443 directly. ACME will make requests to port 443, so you'll have to add an external mechanism to get the connection here, e.g. by configuring port forwarding."`
+	DirectoryURL           string                  `sconf-doc:"For letsencrypt, use https://acme-v02.api.letsencrypt.org/directory."`
+	RenewBefore            time.Duration           `sconf:"optional" sconf-doc:"How long before expiration to renew the certificate. Default is 30 days."`
+	ContactEmail           string                  `sconf-doc:"Email address to register at ACME provider. The provider can email you when certificates are about to expire. If you configure an address for which email is delivered by this server, keep in mind that TLS misconfigurations could result in such notification emails not arriving."`
+	Port                   int                     `sconf:"optional" sconf-doc:"TLS port for ACME validation, 443 by default. You should only override this if you cannot listen on port 443 directly. ACME will make requests to port 443, so you'll have to add an external mechanism to get the tls connection here, e.g. by configuring firewall-level port forwarding. Validation over the https port uses tls-alpn-01 with application-layer protocol negotiation, which essentially means the original tls connection must make it here unmodified, an https reverse proxy will not work."`
+	IssuerDomainName       string                  `sconf:"optional" sconf-doc:"If set, used for suggested CAA DNS records, for restricting TLS certificate issuance to a Certificate Authority. If empty and DirectyURL is for Let's Encrypt, this value is set automatically to letsencrypt.org."`
+	ExternalAccountBinding *ExternalAccountBinding `sconf:"optional" sconf-doc:"ACME providers can require that a request for a new ACME account reference an existing non-ACME account known to the provider. External account binding references that account by a key id, and authorizes new ACME account requests by signing it with a key known both by the ACME client and ACME provider."`
+	// ../rfc/8555:2111
 
 	Manager *autotls.Manager `sconf:"-" json:"-"`
 }
 
+type ExternalAccountBinding struct {
+	KeyID   string `sconf-doc:"Key identifier, from ACME provider."`
+	KeyFile string `sconf-doc:"File containing the base64url-encoded key used to sign account requests with external account binding. The ACME provider will verify the account request is correctly signed by the key. File is evaluated relative to the directory of mox.conf."`
+}
+
 type Listener struct {
-	IPs            []string   `sconf-doc:"Use 0.0.0.0 to listen on all IPv4 and/or :: to listen on all IPv6 addresses, but it is better to explicitly specify the IPs you want to use for email, as mox will make sure outgoing connections will only be made from one of those IPs."`
+	IPs            []string   `sconf-doc:"Use 0.0.0.0 to listen on all IPv4 and/or :: to listen on all IPv6 addresses, but it is better to explicitly specify the IPs you want to use for email, as mox will make sure outgoing connections will only be made from one of those IPs. If both outgoing IPv4 and IPv6 connectivity is possible, and only one family has explicitly configured addresses, both address families are still used for outgoing connections. Use the \"direct\" transport to limit address families for outgoing connections."`
 	NATIPs         []string   `sconf:"optional" sconf-doc:"If set, the mail server is configured behind a NAT and field IPs are internal instead of the public IPs, while NATIPs lists the public IPs. Used during IP-related DNS self-checks, such as for iprev, mx, spf, autoconfig, autodiscover, and for autotls."`
 	IPsNATed       bool       `sconf:"optional" sconf-doc:"Deprecated, use NATIPs instead. If set, IPs are not the public IPs, but are NATed. Skips IP-related DNS self-checks."`
-	Hostname       string     `sconf:"optional" sconf-doc:"If empty, the config global Hostname is used."`
+	Hostname       string     `sconf:"optional" sconf-doc:"If empty, the config global Hostname is used. The internal services webadmin, webaccount, webmail and webapi only match requests to IPs, this hostname, \"localhost\". All except webadmin also match for any client settings domain."`
 	HostnameDomain dns.Domain `sconf:"-" json:"-"` // Set when parsing config.
 
 	TLS                *TLS  `sconf:"optional" sconf-doc:"For SMTP/IMAP STARTTLS, direct TLS and HTTPS connections."`
@@ -141,10 +154,12 @@ type Listener struct {
 		// Reoriginated messages (such as messages sent to mailing list subscribers) should
 		// keep REQUIRETLS. ../rfc/8689:412
 
-		DNSBLs []string `sconf:"optional" sconf-doc:"Addresses of DNS block lists for incoming messages. Block lists are only consulted for connections/messages without enough reputation to make an accept/reject decision. This prevents sending IPs of all communications to the block list provider. If any of the listed DNSBLs contains a requested IP address, the message is rejected as spam. The DNSBLs are checked for healthiness before use, at most once per 4 hours. Example DNSBLs: sbl.spamhaus.org, bl.spamcop.net. See https://www.spamhaus.org/sbl/ and https://www.spamcop.net/ for more information and terms of use."`
+		DNSBLs []string `sconf:"optional" sconf-doc:"Addresses of DNS block lists for incoming messages. Block lists are only consulted for connections/messages without enough reputation to make an accept/reject decision. This prevents sending IPs of all communications to the block list provider. If any of the listed DNSBLs contains a requested IP address, the message is rejected as spam. The DNSBLs are checked for healthiness before use, at most once per 4 hours. IPs we can send from are periodically checked for being in the configured DNSBLs. See MonitorDNSBLs in domains.conf to only monitor IPs we send from, without using those DNSBLs for incoming messages. Example DNSBLs: sbl.spamhaus.org, bl.spamcop.net. See https://www.spamhaus.org/sbl/ and https://www.spamcop.net/ for more information and terms of use."`
 
 		FirstTimeSenderDelay *time.Duration `sconf:"optional" sconf-doc:"Delay before accepting a message from a first-time sender for the destination account. Default: 15s."`
 
+		TLSSessionTicketsDisabled *bool `sconf:"optional" sconf-doc:"Override default setting for enabling TLS session tickets. Disabling session tickets may work around TLS interoperability issues."`
+
 		DNSBLZones []dns.Domain `sconf:"-"`
 	} `sconf:"optional"`
 	Submission struct {
@@ -153,8 +168,9 @@ type Listener struct {
 		NoRequireSTARTTLS bool `sconf:"optional" sconf-doc:"Do not require STARTTLS. Since users must login, this means password may be sent without encryption. Not recommended."`
 	} `sconf:"optional" sconf-doc:"SMTP for submitting email, e.g. by email applications. Starts out in plain text, can be upgraded to TLS with the STARTTLS command. Prefer using Submissions which is always a TLS connection."`
 	Submissions struct {
-		Enabled bool
-		Port    int `sconf:"optional" sconf-doc:"Default 465."`
+		Enabled        bool
+		Port           int  `sconf:"optional" sconf-doc:"Default 465."`
+		EnabledOnHTTPS bool `sconf:"optional" sconf-doc:"Additionally enable submission on HTTPS port 443 via TLS ALPN. TLS Application Layer Protocol Negotiation allows clients to request a specific protocol from the server as part of the TLS connection setup. When this setting is enabled and a client requests the 'smtp' protocol after TLS, it will be able to talk SMTP to Mox on port 443. This is meant to be useful as a censorship circumvention technique for Delta Chat."`
 	} `sconf:"optional" sconf-doc:"SMTP over TLS for submitting email, by email applications. Requires a TLS config."`
 	IMAP struct {
 		Enabled           bool
@@ -162,40 +178,19 @@ type Listener struct {
 		NoRequireSTARTTLS bool `sconf:"optional" sconf-doc:"Enable this only when the connection is otherwise encrypted (e.g. through a VPN)."`
 	} `sconf:"optional" sconf-doc:"IMAP for reading email, by email applications. Starts out in plain text, can be upgraded to TLS with the STARTTLS command. Prefer using IMAPS instead which is always a TLS connection."`
 	IMAPS struct {
-		Enabled bool
-		Port    int `sconf:"optional" sconf-doc:"Default 993."`
+		Enabled        bool
+		Port           int  `sconf:"optional" sconf-doc:"Default 993."`
+		EnabledOnHTTPS bool `sconf:"optional" sconf-doc:"Additionally enable IMAP on HTTPS port 443 via TLS ALPN. TLS Application Layer Protocol Negotiation allows clients to request a specific protocol from the server as part of the TLS connection setup. When this setting is enabled and a client requests the 'imap' protocol after TLS, it will be able to talk IMAP to Mox on port 443. This is meant to be useful as a censorship circumvention technique for Delta Chat."`
 	} `sconf:"optional" sconf-doc:"IMAP over TLS for reading email, by email applications. Requires a TLS config."`
-	AccountHTTP struct {
-		Enabled bool
-		Port    int    `sconf:"optional" sconf-doc:"Default 80."`
-		Path    string `sconf:"optional" sconf-doc:"Path to serve account requests on, e.g. /mox/. Useful if domain serves other resources. Default is /."`
-	} `sconf:"optional" sconf-doc:"Account web interface, for email users wanting to change their accounts, e.g. set new password, set new delivery rulesets. Served at /."`
-	AccountHTTPS struct {
-		Enabled bool
-		Port    int    `sconf:"optional" sconf-doc:"Default 80."`
-		Path    string `sconf:"optional" sconf-doc:"Path to serve account requests on, e.g. /mox/. Useful if domain serves other resources. Default is /."`
-	} `sconf:"optional" sconf-doc:"Account web interface listener for HTTPS. Requires a TLS config."`
-	AdminHTTP struct {
-		Enabled bool
-		Port    int    `sconf:"optional" sconf-doc:"Default 80."`
-		Path    string `sconf:"optional" sconf-doc:"Path to serve admin requests on, e.g. /moxadmin/. Useful if domain serves other resources. Default is /admin/."`
-	} `sconf:"optional" sconf-doc:"Admin web interface, for managing domains, accounts, etc. Served at /admin/. Preferably only enable on non-public IPs. Hint: use 'ssh -L 8080:localhost:80 you@yourmachine' and open http://localhost:8080/admin/, or set up a tunnel (e.g. WireGuard) and add its IP to the mox 'internal' listener."`
-	AdminHTTPS struct {
-		Enabled bool
-		Port    int    `sconf:"optional" sconf-doc:"Default 443."`
-		Path    string `sconf:"optional" sconf-doc:"Path to serve admin requests on, e.g. /moxadmin/. Useful if domain serves other resources. Default is /admin/."`
-	} `sconf:"optional" sconf-doc:"Admin web interface listener for HTTPS. Requires a TLS config. Preferably only enable on non-public IPs."`
-	WebmailHTTP struct {
-		Enabled bool
-		Port    int    `sconf:"optional" sconf-doc:"Default 80."`
-		Path    string `sconf:"optional" sconf-doc:"Path to serve account requests on. Useful if domain serves other resources. Default is /webmail/."`
-	} `sconf:"optional" sconf-doc:"Webmail client, for reading email."`
-	WebmailHTTPS struct {
-		Enabled bool
-		Port    int    `sconf:"optional" sconf-doc:"Default 443."`
-		Path    string `sconf:"optional" sconf-doc:"Path to serve account requests on. Useful if domain serves other resources. Default is /webmail/."`
-	} `sconf:"optional" sconf-doc:"Webmail client, for reading email."`
-	MetricsHTTP struct {
+	AccountHTTP  WebService `sconf:"optional" sconf-doc:"Account web interface, for email users wanting to change their accounts, e.g. set new password, set new delivery rulesets. Default path is /."`
+	AccountHTTPS WebService `sconf:"optional" sconf-doc:"Account web interface listener like AccountHTTP, but for HTTPS. Requires a TLS config."`
+	AdminHTTP    WebService `sconf:"optional" sconf-doc:"Admin web interface, for managing domains, accounts, etc. Default path is /admin/. Preferably only enable on non-public IPs. Hint: use 'ssh -L 8080:localhost:80 you@yourmachine' and open http://localhost:8080/admin/, or set up a tunnel (e.g. WireGuard) and add its IP to the mox 'internal' listener."`
+	AdminHTTPS   WebService `sconf:"optional" sconf-doc:"Admin web interface listener like AdminHTTP, but for HTTPS. Requires a TLS config."`
+	WebmailHTTP  WebService `sconf:"optional" sconf-doc:"Webmail client, for reading email. Default path is /webmail/."`
+	WebmailHTTPS WebService `sconf:"optional" sconf-doc:"Webmail client, like WebmailHTTP, but for HTTPS. Requires a TLS config."`
+	WebAPIHTTP   WebService `sconf:"optional" sconf-doc:"Like WebAPIHTTP, but with plain HTTP, without TLS."`
+	WebAPIHTTPS  WebService `sconf:"optional" sconf-doc:"WebAPI, a simple HTTP/JSON-based API for email, with HTTPS (requires a TLS config). Default path is /webapi/."`
+	MetricsHTTP  struct {
 		Enabled bool
 		Port    int `sconf:"optional" sconf-doc:"Default 8010."`
 	} `sconf:"optional" sconf-doc:"Serve prometheus metrics, for monitoring. You should not enable this on a public IP."`
@@ -214,23 +209,35 @@ type Listener struct {
 		NonTLS  bool `sconf:"optional" sconf-doc:"If set, plain HTTP instead of HTTPS is spoken on the configured port. Can be useful when the mta-sts domain is reverse proxied."`
 	} `sconf:"optional" sconf-doc:"Serve MTA-STS policies describing SMTP TLS requirements. Requires a TLS config."`
 	WebserverHTTP struct {
-		Enabled bool
-		Port    int `sconf:"optional" sconf-doc:"Port for plain HTTP (non-TLS) webserver."`
+		Enabled           bool
+		Port              int  `sconf:"optional" sconf-doc:"Port for plain HTTP (non-TLS) webserver."`
+		RateLimitDisabled bool `sconf:"optional" sconf-doc:"Disable rate limiting for all requests to this port."`
 	} `sconf:"optional" sconf-doc:"All configured WebHandlers will serve on an enabled listener."`
 	WebserverHTTPS struct {
-		Enabled bool
-		Port    int `sconf:"optional" sconf-doc:"Port for HTTPS webserver."`
+		Enabled           bool
+		Port              int  `sconf:"optional" sconf-doc:"Port for HTTPS webserver."`
+		RateLimitDisabled bool `sconf:"optional" sconf-doc:"Disable rate limiting for all requests to this port."`
 	} `sconf:"optional" sconf-doc:"All configured WebHandlers will serve on an enabled listener. Either ACME must be configured, or for each WebHandler domain a TLS certificate must be configured."`
 }
 
+// WebService is an internal web interface: webmail, webaccount, webadmin, webapi.
+type WebService struct {
+	Enabled   bool
+	Port      int    `sconf:"optional" sconf-doc:"Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname matching behaviour."`
+	Path      string `sconf:"optional" sconf-doc:"Path to serve requests on. Should end with a slash, related to cookie paths."`
+	Forwarded bool   `sconf:"optional" sconf-doc:"If set, X-Forwarded-* headers are used for the remote IP address for rate limiting and for the \"secure\" status of cookies."`
+}
+
 // Transport is a method to delivery a message. At most one of the fields can
 // be non-nil. The non-nil field represents the type of transport. For a
 // transport with all fields nil, regular email delivery is done.
 type Transport struct {
-	Submissions *TransportSMTP  `sconf:"optional" sconf-doc:"Submission SMTP over a TLS connection to submit email to a remote queue."`
-	Submission  *TransportSMTP  `sconf:"optional" sconf-doc:"Submission SMTP over a plain TCP connection (possibly with STARTTLS) to submit email to a remote queue."`
-	SMTP        *TransportSMTP  `sconf:"optional" sconf-doc:"SMTP over a plain connection (possibly with STARTTLS), typically for old-fashioned unauthenticated relaying to a remote queue."`
-	Socks       *TransportSocks `sconf:"optional" sconf-doc:"Like regular direct delivery, but makes outgoing connections through a SOCKS proxy."`
+	Submissions *TransportSMTP   `sconf:"optional" sconf-doc:"Submission SMTP over a TLS connection to submit email to a remote queue."`
+	Submission  *TransportSMTP   `sconf:"optional" sconf-doc:"Submission SMTP over a plain TCP connection (possibly with STARTTLS) to submit email to a remote queue."`
+	SMTP        *TransportSMTP   `sconf:"optional" sconf-doc:"SMTP over a plain connection (possibly with STARTTLS), typically for old-fashioned unauthenticated relaying to a remote queue."`
+	Socks       *TransportSocks  `sconf:"optional" sconf-doc:"Like regular direct delivery, but makes outgoing connections through a SOCKS proxy."`
+	Direct      *TransportDirect `sconf:"optional" sconf-doc:"Like regular direct delivery, but allows to tweak outgoing connections."`
+	Fail        *TransportFail   `sconf:"optional" sconf-doc:"Immediately fails the delivery attempt."`
 }
 
 // TransportSMTP delivers messages by "submission" (SMTP, typically
@@ -251,7 +258,7 @@ type TransportSMTP struct {
 type SMTPAuth struct {
 	Username   string
 	Password   string
-	Mechanisms []string `sconf:"optional" sconf-doc:"Allowed authentication mechanisms. Defaults to SCRAM-SHA-256, SCRAM-SHA-1, CRAM-MD5. Not included by default: PLAIN."`
+	Mechanisms []string `sconf:"optional" sconf-doc:"Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS, SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default: PLAIN. Specify the strongest mechanism known to be implemented by the server to prevent mechanism downgrade attacks."`
 
 	EffectiveMechanisms []string `sconf:"-" json:"-"`
 }
@@ -267,60 +274,112 @@ type TransportSocks struct {
 	Hostname dns.Domain `sconf:"-" json:"-"` // Parsed form of RemoteHostname
 }
 
-type Domain struct {
-	Description                string  `sconf:"optional" sconf-doc:"Free-form description of domain."`
-	LocalpartCatchallSeparator string  `sconf:"optional" sconf-doc:"If not empty, only the string before the separator is used to for email delivery decisions. For example, if set to \"+\", you+anything@example.com will be delivered to you@example.com."`
-	LocalpartCaseSensitive     bool    `sconf:"optional" sconf-doc:"If set, upper/lower case is relevant for email delivery."`
-	DKIM                       DKIM    `sconf:"optional" sconf-doc:"With DKIM signing, a domain is taking responsibility for (content of) emails it sends, letting receiving mail servers build up a (hopefully positive) reputation of the domain, which can help with mail delivery."`
-	DMARC                      *DMARC  `sconf:"optional" sconf-doc:"With DMARC, a domain publishes, in DNS, a policy on how other mail servers should handle incoming messages with the From-header matching this domain and/or subdomain (depending on the configured alignment). Receiving mail servers use this to build up a reputation of this domain, which can help with mail delivery. A domain can also publish an email address to which reports about DMARC verification results can be sent by verifying mail servers, useful for monitoring. Incoming DMARC reports are automatically parsed, validated, added to metrics and stored in the reporting database for later display in the admin web pages."`
-	MTASTS                     *MTASTS `sconf:"optional" sconf-doc:"With MTA-STS a domain publishes, in DNS, presence of a policy for using/requiring TLS for SMTP connections. The policy is served over HTTPS."`
-	TLSRPT                     *TLSRPT `sconf:"optional" sconf-doc:"With TLSRPT a domain specifies in DNS where reports about encountered SMTP TLS behaviour should be sent. Useful for monitoring. Incoming TLS reports are automatically parsed, validated, added to metrics and stored in the reporting database for later display in the admin web pages."`
-	Routes                     []Route `sconf:"optional" sconf-doc:"Routes for delivering outgoing messages through the queue. Each delivery attempt evaluates account routes, these domain routes and finally global routes. The transport of the first matching route is used in the delivery attempt. If no routes match, which is the default with no configured routes, messages are delivered directly from the queue."`
+type TransportDirect struct {
+	DisableIPv4 bool `sconf:"optional" sconf-doc:"If set, outgoing SMTP connections will *NOT* use IPv4 addresses to connect to remote SMTP servers."`
+	DisableIPv6 bool `sconf:"optional" sconf-doc:"If set, outgoing SMTP connections will *NOT* use IPv6 addresses to connect to remote SMTP servers."`
 
-	Domain dns.Domain `sconf:"-" json:"-"`
+	IPFamily string `sconf:"-" json:"-"`
+}
+
+// TransportFail is a transport that fails all delivery attempts.
+type TransportFail struct {
+	SMTPCode    int    `sconf:"optional" sconf-doc:"SMTP error code and optional enhanced error code to use for the failure. If empty, 554 is used (transaction failed)."`
+	SMTPMessage string `sconf:"optional" sconf-doc:"Message to include for the rejection. It will be shown in the DSN."`
+
+	// Effective values to use, set when parsing.
+	Code    int    `sconf:"-"`
+	Message string `sconf:"-"`
+}
+
+type Domain struct {
+	Disabled                    bool             `sconf:"optional" sconf-doc:"Disabled domains can be useful during/before migrations. Domains that are disabled can still be configured like normal, including adding addresses using the domain to accounts. However, disabled domains: 1. Do not try to fetch ACME certificates. TLS connections to host names involving the email domain will fail. A TLS certificate for the hostname (that wil be used as MX) itself will be requested. 2. Incoming deliveries over SMTP are rejected with a temporary error '450 4.2.1 recipient domain temporarily disabled'. 3. Submissions over SMTP using an (envelope) SMTP MAIL FROM address or message 'From' address of a disabled domain will be rejected with a temporary error '451 4.3.0 sender domain temporarily disabled'. Note that accounts with addresses at disabled domains can still log in and read email (unless the account itself is disabled)."`
+	Description                 string           `sconf:"optional" sconf-doc:"Free-form description of domain."`
+	ClientSettingsDomain        string           `sconf:"optional" sconf-doc:"Hostname for client settings instead of the mail server hostname. E.g. mail.<domain>. For future migration to another mail operator without requiring all clients to update their settings, it is convenient to have client settings that reference a subdomain of the hosted domain instead of the hostname of the server where the mail is currently hosted. If empty, the hostname of the mail server is used for client configurations. Unicode name."`
+	LocalpartCatchallSeparator  string           `sconf:"optional" sconf-doc:"If not empty, only the string before the separator is used to for email delivery decisions. For example, if set to \"+\", you+anything@example.com will be delivered to you@example.com."`
+	LocalpartCatchallSeparators []string         `sconf:"optional" sconf-doc:"Similar to LocalpartCatchallSeparator, but in case multiple are needed. For example both \"+\" and \"-\". Only of one LocalpartCatchallSeparator or LocalpartCatchallSeparators can be set. If set, the first separator is used to make unique addresses for outgoing SMTP connections with FromIDLoginAddresses."`
+	LocalpartCaseSensitive      bool             `sconf:"optional" sconf-doc:"If set, upper/lower case is relevant for email delivery."`
+	DKIM                        DKIM             `sconf:"optional" sconf-doc:"With DKIM signing, a domain is taking responsibility for (content of) emails it sends, letting receiving mail servers build up a (hopefully positive) reputation of the domain, which can help with mail delivery."`
+	DMARC                       *DMARC           `sconf:"optional" sconf-doc:"With DMARC, a domain publishes, in DNS, a policy on how other mail servers should handle incoming messages with the From-header matching this domain and/or subdomain (depending on the configured alignment). Receiving mail servers use this to build up a reputation of this domain, which can help with mail delivery. A domain can also publish an email address to which reports about DMARC verification results can be sent by verifying mail servers, useful for monitoring. Incoming DMARC reports are automatically parsed, validated, added to metrics and stored in the reporting database for later display in the admin web pages."`
+	MTASTS                      *MTASTS          `sconf:"optional" sconf-doc:"MTA-STS is a mechanism that allows publishing a policy with requirements for WebPKI-verified SMTP STARTTLS connections for email delivered to a domain. Existence of a policy is announced in a DNS TXT record (often unprotected/unverified, MTA-STS's weak spot). If a policy exists, it is fetched with a WebPKI-verified HTTPS request. The policy can indicate that WebPKI-verified SMTP STARTTLS is required, and which MX hosts (optionally with a wildcard pattern) are allowd. MX hosts to deliver to are still taken from DNS (again, not necessarily protected/verified), but messages will only be delivered to domains matching the MX hosts from the published policy. Mail servers look up the MTA-STS policy when first delivering to a domain, then keep a cached copy, periodically checking the DNS record if a new policy is available, and fetching and caching it if so. To update a policy, first serve a new policy with an updated policy ID, then update the DNS record (not the other way around). To remove an enforced policy, publish an updated policy with mode \"none\" for a long enough period so all cached policies have been refreshed (taking DNS TTL and policy max age into account), then remove the policy from DNS, wait for TTL to expire, and stop serving the policy."`
+	TLSRPT                      *TLSRPT          `sconf:"optional" sconf-doc:"With TLSRPT a domain specifies in DNS where reports about encountered SMTP TLS behaviour should be sent. Useful for monitoring. Incoming TLS reports are automatically parsed, validated, added to metrics and stored in the reporting database for later display in the admin web pages."`
+	Routes                      []Route          `sconf:"optional" sconf-doc:"Routes for delivering outgoing messages through the queue. Each delivery attempt evaluates account routes, these domain routes and finally global routes. The transport of the first matching route is used in the delivery attempt. If no routes match, which is the default with no configured routes, messages are delivered directly from the queue."`
+	Aliases                     map[string]Alias `sconf:"optional" sconf-doc:"Aliases that cause messages to be delivered to one or more locally configured addresses. Keys are localparts (encoded, as they appear in email addresses)."`
+
+	Domain                  dns.Domain `sconf:"-"`
+	ClientSettingsDNSDomain dns.Domain `sconf:"-" json:"-"`
+
+	// Set when DMARC and TLSRPT (when set) has an address with different domain (we're
+	// hosting the reporting), and there are no destination addresses configured for
+	// the domain. Disables some functionality related to hosting a domain.
+	ReportsOnly                          bool     `sconf:"-" json:"-"`
+	LocalpartCatchallSeparatorsEffective []string `sconf:"-"` // Either LocalpartCatchallSeparators, the value of LocalpartCatchallSeparator, or empty.
+}
+
+// todo: allow external addresses as members of aliases. we would add messages for them to the queue for outgoing delivery. we should require an admin addresses to which delivery failures will be delivered (locally, and to use in smtp mail from, so dsns go there). also take care to evaluate smtputf8 (if external address requires utf8 and incoming transaction didn't).
+// todo: as alternative to PostPublic, allow specifying a list of addresses (dmarc-like verified) that are (the only addresses) allowed to post to the list. if msgfrom is an external address, require a valid dkim signature to prevent dmarc-policy-related issues when delivering to remote members.
+// todo: add option to require messages sent to an alias have that alias as From or Reply-To address?
+
+type Alias struct {
+	Addresses    []string `sconf-doc:"Expanded addresses to deliver to. These must currently be of addresses of local accounts. To prevent duplicate messages, a member address that is also an explicit recipient in the SMTP transaction will only have the message delivered once. If the address in the message From header is a member, that member also won't receive the message."`
+	PostPublic   bool     `sconf:"optional" sconf-doc:"If true, anyone can send messages to the list. Otherwise only members, based on message From address, which is assumed to be DMARC-like-verified."`
+	ListMembers  bool     `sconf:"optional" sconf-doc:"If true, members can see addresses of members."`
+	AllowMsgFrom bool     `sconf:"optional" sconf-doc:"If true, members are allowed to send messages with this alias address in the message From header."`
+
+	LocalpartStr    string         `sconf:"-"` // In encoded form.
+	Domain          dns.Domain     `sconf:"-"`
+	ParsedAddresses []AliasAddress `sconf:"-"` // Matches addresses.
+}
+
+type AliasAddress struct {
+	Address     smtp.Address // Parsed address.
+	AccountName string       // Looked up.
+	Destination Destination  // Belonging to address.
 }
 
 type DMARC struct {
-	Localpart string `sconf-doc:"Address-part before the @ that accepts DMARC reports. Must be non-internationalized. Recommended value: dmarc-reports."`
-	Domain    string `sconf:"optional" sconf-doc:"Alternative domain for report recipient address. Can be used to receive reports for other domains. Unicode name."`
+	Localpart string `sconf-doc:"Address-part before the @ that accepts DMARC reports. Must be non-internationalized. Recommended value: dmarcreports."`
+	Domain    string `sconf:"optional" sconf-doc:"Alternative domain for reporting address, for incoming reports. Typically empty, causing the domain wherein this config exists to be used. Can be used to receive reports for domains that aren't fully hosted on this server. Configure such a domain as a hosted domain without making all the DNS changes, and configure this field with a domain that is fully hosted on this server, so the localpart and the domain of this field form a reporting address. Then only update the DMARC DNS record for the not fully hosted domain, ensuring the reporting address is specified in its \"rua\" field as shown in the suggested DNS settings. Unicode name."`
 	Account   string `sconf-doc:"Account to deliver to."`
 	Mailbox   string `sconf-doc:"Mailbox to deliver to, e.g. DMARC."`
 
-	ParsedLocalpart smtp.Localpart `sconf:"-"`
+	ParsedLocalpart smtp.Localpart `sconf:"-"` // Lower-case if case-sensitivity is not configured for domain. Not "canonical" for catchall separators for backwards compatibility.
 	DNSDomain       dns.Domain     `sconf:"-"` // Effective domain, always set based on Domain field or Domain where this is configured.
 }
 
 type MTASTS struct {
-	PolicyID string        `sconf-doc:"Policies are versioned. The version must be specified in the DNS record. If you change a policy, first change it in mox, then update the DNS record."`
-	Mode     mtasts.Mode   `sconf-doc:"testing, enforce or none. If set to enforce, a remote SMTP server will not deliver email to us if it cannot make a TLS connection."`
+	PolicyID string        `sconf-doc:"Policies are versioned. The version must be specified in the DNS record. If you change a policy, first change it here to update the served policy, then update the DNS record with the updated policy ID."`
+	Mode     mtasts.Mode   `sconf-doc:"If set to \"enforce\", a remote SMTP server will not deliver email to us if it cannot make a WebPKI-verified SMTP STARTTLS connection. In mode \"testing\", deliveries can be done without verified TLS, but errors will be reported through TLS reporting. In mode \"none\", verified TLS is not required, used for phasing out an MTA-STS policy."`
 	MaxAge   time.Duration `sconf-doc:"How long a remote mail server is allowed to cache a policy. Typically 1 or several weeks."`
 	MX       []string      `sconf:"optional" sconf-doc:"List of server names allowed for SMTP. If empty, the configured hostname is set. Host names can contain a wildcard (*) as a leading label (matching a single label, e.g. *.example matches host.example, not sub.host.example)."`
 	// todo: parse mx as valid mtasts.Policy.MX, with dns.ParseDomain but taking wildcard into account
 }
 
 type TLSRPT struct {
-	Localpart string `sconf-doc:"Address-part before the @ that accepts TLSRPT reports. Recommended value: tls-reports."`
-	Domain    string `sconf:"optional" sconf-doc:"Alternative domain for report recipient address. Can be used to receive reports for other domains. Unicode name."`
+	Localpart string `sconf-doc:"Address-part before the @ that accepts TLSRPT reports. Recommended value: tlsreports."`
+	Domain    string `sconf:"optional" sconf-doc:"Alternative domain for reporting address, for incoming reports. Typically empty, causing the domain wherein this config exists to be used. Can be used to receive reports for domains that aren't fully hosted on this server. Configure such a domain as a hosted domain without making all the DNS changes, and configure this field with a domain that is fully hosted on this server, so the localpart and the domain of this field form a reporting address. Then only update the TLSRPT DNS record for the not fully hosted domain, ensuring the reporting address is specified in its \"rua\" field as shown in the suggested DNS settings. Unicode name."`
 	Account   string `sconf-doc:"Account to deliver to."`
 	Mailbox   string `sconf-doc:"Mailbox to deliver to, e.g. TLSRPT."`
 
-	ParsedLocalpart smtp.Localpart `sconf:"-"`
+	ParsedLocalpart smtp.Localpart `sconf:"-"` // Lower-case if case-sensitivity is not configured for domain. Not "canonical" for catchall separators for backwards compatibility.
 	DNSDomain       dns.Domain     `sconf:"-"` // Effective domain, always set based on Domain field or Domain where this is configured.
 }
 
-type Selector struct {
-	Hash             string `sconf:"optional" sconf-doc:"sha256 (default) or (older, not recommended) sha1"`
-	HashEffective    string `sconf:"-"`
-	Canonicalization struct {
-		HeaderRelaxed bool `sconf-doc:"If set, some modifications to the headers (mostly whitespace) are allowed."`
-		BodyRelaxed   bool `sconf-doc:"If set, some whitespace modifications to the message body are allowed."`
-	} `sconf:"optional"`
-	Headers          []string `sconf:"optional" sconf-doc:"Headers to sign with DKIM. If empty, a reasonable default set of headers is selected."`
-	HeadersEffective []string `sconf:"-"` // Used when signing. Based on Headers from config, or the reasonable default.
-	DontSealHeaders  bool     `sconf:"optional" sconf-doc:"If set, don't prevent duplicate headers from being added. Not recommended."`
-	Expiration       string   `sconf:"optional" sconf-doc:"Period a signature is valid after signing, as duration, e.g. 72h. The period should be enough for delivery at the final destination, potentially with several hops/relays. In the order of days at least."`
-	PrivateKeyFile   string   `sconf-doc:"Either an RSA or ed25519 private key file in PKCS8 PEM form."`
+type Canonicalization struct {
+	HeaderRelaxed bool `sconf-doc:"If set, some modifications to the headers (mostly whitespace) are allowed."`
+	BodyRelaxed   bool `sconf-doc:"If set, some whitespace modifications to the message body are allowed."`
+}
 
+type Selector struct {
+	Hash             string           `sconf:"optional" sconf-doc:"sha256 (default) or (older, not recommended) sha1."`
+	HashEffective    string           `sconf:"-"`
+	Canonicalization Canonicalization `sconf:"optional"`
+	Headers          []string         `sconf:"optional" sconf-doc:"Headers to sign with DKIM. If empty, a reasonable default set of headers is selected."`
+	HeadersEffective []string         `sconf:"-"` // Used when signing. Based on Headers from config, or the reasonable default.
+	DontSealHeaders  bool             `sconf:"optional" sconf-doc:"If set, don't prevent duplicate headers from being added. Not recommended."`
+	Expiration       string           `sconf:"optional" sconf-doc:"Period a signature is valid after signing, as duration, e.g. 72h. The period should be enough for delivery at the final destination, potentially with several hops/relays. In the order of days at least."`
+	PrivateKeyFile   string           `sconf-doc:"Either an RSA or ed25519 private key file in PKCS8 PEM form."`
+
+	Algorithm         string        `sconf:"-"`          // "ed25519", "rsa-*", based on private key.
 	ExpirationSeconds int           `sconf:"-" json:"-"` // Parsed from Expiration.
 	Key               crypto.Signer `sconf:"-" json:"-"` // As parsed with x509.ParsePKCS8PrivateKey.
 	Domain            dns.Domain    `sconf:"-" json:"-"` // Of selector only, not FQDN.
@@ -344,31 +403,68 @@ type Route struct {
 	ResolvedTransport Transport `sconf:"-" json:"-"`
 }
 
-type Account struct {
-	Domain       string                 `sconf-doc:"Default domain for account. Deprecated behaviour: If a destination is not a full address but only a localpart, this domain is added to form a full address."`
-	Description  string                 `sconf:"optional" sconf-doc:"Free form description, e.g. full name or alternative contact info."`
-	FullName     string                 `sconf:"optional" sconf-doc:"Full name, to use in message From header when composing messages in webmail. Can be overridden per destination."`
-	Destinations map[string]Destination `sconf-doc:"Destinations, keys are email addresses (with IDNA domains). If the address is of the form '@domain', i.e. with localpart missing, it serves as a catchall for the domain, matching all messages that are not explicitly configured. Deprecated behaviour: If the address is not a full address but a localpart, it is combined with Domain to form a full address."`
-	SubjectPass  struct {
-		Period time.Duration `sconf-doc:"How long unique values are accepted after generating, e.g. 12h."` // todo: have a reasonable default for this?
-	} `sconf:"optional" sconf-doc:"If configured, messages classified as weakly spam are rejected with instructions to retry delivery, but this time with a signed token added to the subject. During the next delivery attempt, the signed token will bypass the spam filter. Messages with a clear spam signal, such as a known bad reputation, are rejected/delayed without a signed token."`
-	RejectsMailbox     string `sconf:"optional" sconf-doc:"Mail that looks like spam will be rejected, but a copy can be stored temporarily in a mailbox, e.g. Rejects. If mail isn't coming in when you expect, you can look there. The mail still isn't accepted, so the remote mail server may retry (hopefully, if legitimate), or give up (hopefully, if indeed a spammer). Messages are automatically removed from this mailbox, so do not set it to a mailbox that has messages you want to keep."`
-	KeepRejects        bool   `sconf:"optional" sconf-doc:"Don't automatically delete mail in the RejectsMailbox listed above. This can be useful, e.g. for future spam training."`
-	AutomaticJunkFlags struct {
-		Enabled              bool   `sconf-doc:"If enabled, flags will be set automatically if they match a regular expression below. When two of the three mailbox regular expressions are set, the remaining one will match all unmatched messages. Messages are matched in the order specified and the search stops on the first match. Mailboxes are lowercased before matching."`
-		JunkMailboxRegexp    string `sconf:"optional" sconf-doc:"Example: ^(junk|spam)."`
-		NeutralMailboxRegexp string `sconf:"optional" sconf-doc:"Example: ^(inbox|neutral|postmaster|dmarc|tlsrpt|rejects), and you may wish to add trash depending on how you use it, or leave this empty."`
-		NotJunkMailboxRegexp string `sconf:"optional" sconf-doc:"Example: .* or an empty string."`
-	} `sconf:"optional" sconf-doc:"Automatically set $Junk and $NotJunk flags based on mailbox messages are delivered/moved/copied to. Email clients typically have too limited functionality to conveniently set these flags, especially $NonJunk, but they can all move messages to a different mailbox, so this helps them."`
-	JunkFilter                   *JunkFilter `sconf:"optional" sconf-doc:"Content-based filtering, using the junk-status of individual messages to rank words in such messages as spam or ham. It is recommended you always set the applicable (non)-junk status on messages, and that you do not empty your Trash because those messages contain valuable ham/spam training information."` // todo: sane defaults for junkfilter
-	MaxOutgoingMessagesPerDay    int         `sconf:"optional" sconf-doc:"Maximum number of outgoing messages for this account in a 24 hour window. This limits the damage to recipients and the reputation of this mail server in case of account compromise. Default 1000."`
-	MaxFirstTimeRecipientsPerDay int         `sconf:"optional" sconf-doc:"Maximum number of first-time recipients in outgoing messages for this account in a 24 hour window. This limits the damage to recipients and the reputation of this mail server in case of account compromise. Default 200."`
-	Routes                       []Route     `sconf:"optional" sconf-doc:"Routes for delivering outgoing messages through the queue. Each delivery attempt evaluates these account routes, domain routes and finally global routes. The transport of the first matching route is used in the delivery attempt. If no routes match, which is the default with no configured routes, messages are delivered directly from the queue."`
+// todo: move RejectsMailbox to store.Mailbox.SpecialUse, possibly with "X" prefix?
 
-	DNSDomain      dns.Domain     `sconf:"-"` // Parsed form of Domain.
-	JunkMailbox    *regexp.Regexp `sconf:"-" json:"-"`
-	NeutralMailbox *regexp.Regexp `sconf:"-" json:"-"`
-	NotJunkMailbox *regexp.Regexp `sconf:"-" json:"-"`
+// note: outgoing hook events are in ../queue/hooks.go, ../mox-/config.go, ../queue.go and ../webapi/gendoc.sh. keep in sync.
+
+type OutgoingWebhook struct {
+	URL           string   `sconf-doc:"URL to POST webhooks."`
+	Authorization string   `sconf:"optional" sconf-doc:"If not empty, value of Authorization header to add to HTTP requests."`
+	Events        []string `sconf:"optional" sconf-doc:"Events to send outgoing delivery notifications for. If absent, all events are sent. Valid values: delivered, suppressed, delayed, failed, relayed, expanded, canceled, unrecognized."`
+}
+
+type IncomingWebhook struct {
+	URL           string `sconf-doc:"URL to POST webhooks to for incoming deliveries over SMTP."`
+	Authorization string `sconf:"optional" sconf-doc:"If not empty, value of Authorization header to add to HTTP requests."`
+}
+
+type SubjectPass struct {
+	Period time.Duration `sconf-doc:"How long unique values are accepted after generating, e.g. 12h."` // todo: have a reasonable default for this?
+}
+
+type AutomaticJunkFlags struct {
+	Enabled              bool   `sconf-doc:"If enabled, junk/nonjunk flags will be set automatically if they match some of the regular expressions. When two of the three mailbox regular expressions are set, the remaining one will match all unmatched messages. Messages are matched in the order 'junk', 'neutral', 'not junk', and the search stops on the first match. Mailboxes are lowercased before matching."`
+	JunkMailboxRegexp    string `sconf:"optional" sconf-doc:"Example: ^(junk|spam)."`
+	NeutralMailboxRegexp string `sconf:"optional" sconf-doc:"Example: ^(inbox|neutral|postmaster|dmarc|tlsrpt|rejects), and you may wish to add trash depending on how you use it, or leave this empty."`
+	NotJunkMailboxRegexp string `sconf:"optional" sconf-doc:"Example: .* or an empty string."`
+}
+
+type Account struct {
+	OutgoingWebhook          *OutgoingWebhook `sconf:"optional" sconf-doc:"Webhooks for events about outgoing deliveries."`
+	IncomingWebhook          *IncomingWebhook `sconf:"optional" sconf-doc:"Webhooks for events about incoming deliveries over SMTP."`
+	FromIDLoginAddresses     []string         `sconf:"optional" sconf-doc:"Login addresses that cause outgoing email to be sent with SMTP MAIL FROM addresses with a unique id after the localpart catchall separator (which must be enabled when addresses are specified here). Any delivery status notifications (DSN, e.g. for bounces), can be related to the original message and recipient with unique id's. You can login to an account with any valid email address, including variants with the localpart catchall separator. You can use this mechanism to both send outgoing messages with and without unique fromid for a given email address. With the webapi and webmail, a unique id will be generated. For submission, the id from the SMTP MAIL FROM command is used if present, and a unique id is generated otherwise."`
+	KeepRetiredMessagePeriod time.Duration    `sconf:"optional" sconf-doc:"Period to keep messages retired from the queue (delivered or failed) around. Keeping retired messages is useful for maintaining the suppression list for transactional email, for matching incoming DSNs to sent messages, and for debugging. The time at which to clean up (remove) is calculated at retire time. E.g. 168h (1 week)."`
+	KeepRetiredWebhookPeriod time.Duration    `sconf:"optional" sconf-doc:"Period to keep webhooks retired from the queue (delivered or failed) around. Useful for debugging. The time at which to clean up (remove) is calculated at retire time. E.g. 168h (1 week)."`
+
+	LoginDisabled                string                 `sconf:"optional" sconf-doc:"If non-empty, login attempts on all protocols (e.g. SMTP/IMAP, web interfaces) is rejected with this error message. Useful during migrations. Incoming deliveries for addresses of this account are still accepted as normal."`
+	Domain                       string                 `sconf-doc:"Default domain for account. Deprecated behaviour: If a destination is not a full address but only a localpart, this domain is added to form a full address."`
+	Description                  string                 `sconf:"optional" sconf-doc:"Free form description, e.g. full name or alternative contact info."`
+	FullName                     string                 `sconf:"optional" sconf-doc:"Full name, to use in message From header when composing messages in webmail. Can be overridden per destination."`
+	Destinations                 map[string]Destination `sconf:"optional" sconf-doc:"Destinations, keys are email addresses (with IDNA domains). All destinations are allowed for logging in with IMAP/SMTP/webmail. If no destinations are configured, the account can not login. If the address is of the form '@domain', i.e. with localpart missing, it serves as a catchall for the domain, matching all messages that are not explicitly configured. Deprecated behaviour: If the address is not a full address but a localpart, it is combined with Domain to form a full address."`
+	SubjectPass                  SubjectPass            `sconf:"optional" sconf-doc:"If configured, messages classified as weakly spam are rejected with instructions to retry delivery, but this time with a signed token added to the subject. During the next delivery attempt, the signed token will bypass the spam filter. Messages with a clear spam signal, such as a known bad reputation, are rejected/delayed without a signed token."`
+	QuotaMessageSize             int64                  `sconf:"optional" sconf-doc:"Default maximum total message size in bytes for the account, overriding any globally configured default maximum size if non-zero. A negative value can be used to have no limit in case there is a limit by default. Attempting to add new messages to an account beyond its maximum total size will result in an error. Useful to prevent a single account from filling storage."`
+	RejectsMailbox               string                 `sconf:"optional" sconf-doc:"Mail that looks like spam will be rejected, but a copy can be stored temporarily in a mailbox, e.g. Rejects. If mail isn't coming in when you expect, you can look there. The mail still isn't accepted, so the remote mail server may retry (hopefully, if legitimate), or give up (hopefully, if indeed a spammer). Messages are automatically removed from this mailbox, so do not set it to a mailbox that has messages you want to keep."`
+	KeepRejects                  bool                   `sconf:"optional" sconf-doc:"Don't automatically delete mail in the RejectsMailbox listed above. This can be useful, e.g. for future spam training. It can also cause storage to fill up."`
+	AutomaticJunkFlags           AutomaticJunkFlags     `sconf:"optional" sconf-doc:"Automatically set $Junk and $NotJunk flags based on mailbox messages are delivered/moved/copied to. Email clients typically have too limited functionality to conveniently set these flags, especially $NonJunk, but they can all move messages to a different mailbox, so this helps them."`
+	JunkFilter                   *JunkFilter            `sconf:"optional" sconf-doc:"Content-based filtering, using the junk-status of individual messages to rank words in such messages as spam or ham. It is recommended you always set the applicable (non)-junk status on messages, and that you do not empty your Trash because those messages contain valuable ham/spam training information."` // todo: sane defaults for junkfilter
+	MaxOutgoingMessagesPerDay    int                    `sconf:"optional" sconf-doc:"Maximum number of outgoing messages for this account in a 24 hour window. This limits the damage to recipients and the reputation of this mail server in case of account compromise. Default 1000."`
+	MaxFirstTimeRecipientsPerDay int                    `sconf:"optional" sconf-doc:"Maximum number of first-time recipients in outgoing messages for this account in a 24 hour window. This limits the damage to recipients and the reputation of this mail server in case of account compromise. Default 200."`
+	NoFirstTimeSenderDelay       bool                   `sconf:"optional" sconf-doc:"Do not apply a delay to SMTP connections before accepting an incoming message from a first-time sender. Can be useful for accounts that sends automated responses and want instant replies."`
+	NoCustomPassword             bool                   `sconf:"optional" sconf-doc:"If set, this account cannot set a password of their own choice, but can only set a new randomly generated password, preventing password reuse across services and use of weak passwords. Custom account passwords can be set by the admin."`
+	Routes                       []Route                `sconf:"optional" sconf-doc:"Routes for delivering outgoing messages through the queue. Each delivery attempt evaluates these account routes, domain routes and finally global routes. The transport of the first matching route is used in the delivery attempt. If no routes match, which is the default with no configured routes, messages are delivered directly from the queue."`
+
+	DNSDomain                  dns.Domain     `sconf:"-"` // Parsed form of Domain.
+	JunkMailbox                *regexp.Regexp `sconf:"-" json:"-"`
+	NeutralMailbox             *regexp.Regexp `sconf:"-" json:"-"`
+	NotJunkMailbox             *regexp.Regexp `sconf:"-" json:"-"`
+	ParsedFromIDLoginAddresses []smtp.Address `sconf:"-" json:"-"`
+	Aliases                    []AddressAlias `sconf:"-"`
+}
+
+type AddressAlias struct {
+	SubscriptionAddress string
+	Alias               Alias    // Without members.
+	MemberAddresses     []string // Only if allowed to see.
 }
 
 type JunkFilter struct {
@@ -377,13 +473,19 @@ type JunkFilter struct {
 }
 
 type Destination struct {
-	Mailbox  string    `sconf:"optional" sconf-doc:"Mailbox to deliver to if none of Rulesets match. Default: Inbox."`
-	Rulesets []Ruleset `sconf:"optional" sconf-doc:"Delivery rules based on message and SMTP transaction. You may want to match each mailing list by SMTP MailFrom address, VerifiedDomain and/or List-ID header (typically <listname.example.org> if the list address is listname@example.org), delivering them to their own mailbox."`
-	FullName string    `sconf:"optional" sconf-doc:"Full name to use in message From header when composing messages coming from this address with webmail."`
+	Mailbox                      string    `sconf:"optional" sconf-doc:"Mailbox to deliver to if none of Rulesets match. Default: Inbox."`
+	Rulesets                     []Ruleset `sconf:"optional" sconf-doc:"Delivery rules based on message and SMTP transaction. You may want to match each mailing list by SMTP MailFrom address, VerifiedDomain and/or List-ID header (typically <listname.example.org> if the list address is listname@example.org), delivering them to their own mailbox."`
+	SMTPError                    string    `sconf:"optional" sconf-doc:"If non-empty, incoming delivery attempts to this destination will be rejected during SMTP RCPT TO with this error response line. Useful when a catchall address is configured for the domain and messages to some addresses should be rejected. The response line must start with an error code. Currently the following error resonse codes are allowed: 421 (temporary local error), 550 (user not found). If the line consists of only an error code, an appropriate error message is added. Rejecting messages with a 4xx code invites later retries by the remote, while 5xx codes should prevent further delivery attempts."`
+	MessageAuthRequiredSMTPError string    `sconf:"optional" sconf-doc:"If non-empty, an additional DMARC-like message authentication check is done for incoming messages, validating the domain in the From-header of the message. Messages without either an aligned SPF or aligned DKIM pass are rejected during the SMTP DATA command with a permanent error code followed by the message in this field. The domain in the message 'From' header is matched in relaxed or strict mode according to the domain's DMARC policy if present, or relaxed mode (organizational instead of exact domain match) otherwise. Useful for autoresponders that don't want to accept messages they don't want to send an automated reply to."`
+	FullName                     string    `sconf:"optional" sconf-doc:"Full name to use in message From header when composing messages coming from this address with webmail."`
 
 	DMARCReports     bool `sconf:"-" json:"-"`
 	HostTLSReports   bool `sconf:"-" json:"-"`
 	DomainTLSReports bool `sconf:"-" json:"-"`
+	// Ready to use in SMTP responses.
+	SMTPErrorCode   int    `sconf:"-" json:"-"`
+	SMTPErrorSecode string `sconf:"-" json:"-"`
+	SMTPErrorMsg    string `sconf:"-" json:"-"`
 }
 
 // Equal returns whether d and o are equal, only looking at their user-changeable fields.
@@ -401,18 +503,21 @@ func (d Destination) Equal(o Destination) bool {
 
 type Ruleset struct {
 	SMTPMailFromRegexp string            `sconf:"optional" sconf-doc:"Matches if this regular expression matches (a substring of) the SMTP MAIL FROM address (not the message From-header). E.g. '^user@example\\.org$'."`
+	MsgFromRegexp      string            `sconf:"optional" sconf-doc:"Matches if this regular expression matches (a substring of) the single address in the message From header."`
 	VerifiedDomain     string            `sconf:"optional" sconf-doc:"Matches if this domain matches an SPF- and/or DKIM-verified (sub)domain."`
 	HeadersRegexp      map[string]string `sconf:"optional" sconf-doc:"Matches if these header field/value regular expressions all match (substrings of) the message headers. Header fields and valuees are converted to lower case before matching. Whitespace is trimmed from the value before matching. A header field can occur multiple times in a message, only one instance has to match. For mailing lists, you could match on ^list-id$ with the value typically the mailing list address in angled brackets with @ replaced with a dot, e.g. <name\\.lists\\.example\\.org>."`
-	// todo: add a SMTPRcptTo check, and MessageFrom that works on a properly parsed From header.
+	// todo: add a SMTPRcptTo check
 
 	// todo: once we implement ARC, we can use dkim domains that we cannot verify but that the arc-verified forwarding mail server was able to verify.
-	IsForward              bool   `sconf:"optional" sconf-doc:"Influences spam filtering only, this option does not change whether a message matches this ruleset. Can only be used together with SMTPMailFromRegexp and VerifiedDomain. SMTPMailFromRegexp must be set to the address used to deliver the forwarded message, e.g. '^user(|\\+.*)@forward\\.example$'. Changes to junk analysis: 1. Messages are not rejects for failing a DMARC policy, because a legitimate forwarded message without valid/intact/aligned DKIM signature would be rejected because any verified SPF domain will be 'unaligned', of the forwarding mail server. 2. The sending mail server IP address, and sending EHLO and MAIL FROM domains and matching DKIM domain aren't used in future reputation-based spam classifications (but other verified DKIM domains are) because the forwarding server is not a useful spam signal for future messages."`
+	IsForward              bool   `sconf:"optional" sconf-doc:"Influences spam filtering only, this option does not change whether a message matches this ruleset. Can only be used together with SMTPMailFromRegexp and VerifiedDomain. SMTPMailFromRegexp must be set to the address used to deliver the forwarded message, e.g. '^user(|\\+.*)@forward\\.example$'. Changes to junk analysis: 1. Messages are not rejected for failing a DMARC policy, because a legitimate forwarded message without valid/intact/aligned DKIM signature would be rejected because any verified SPF domain will be 'unaligned', of the forwarding mail server. 2. The sending mail server IP address, and sending EHLO and MAIL FROM domains and matching DKIM domain aren't used in future reputation-based spam classifications (but other verified DKIM domains are) because the forwarding server is not a useful spam signal for future messages."`
 	ListAllowDomain        string `sconf:"optional" sconf-doc:"Influences spam filtering only, this option does not change whether a message matches this ruleset. If this domain matches an SPF- and/or DKIM-verified (sub)domain, the message is accepted without further spam checks, such as a junk filter or DMARC reject evaluation. DMARC rejects should not apply for mailing lists that are not configured to rewrite the From-header of messages that don't have a passing DKIM signature of the From-domain. Otherwise, by rejecting messages, you may be automatically unsubscribed from the mailing list. The assumption is that mailing lists do their own spam filtering/moderation."`
 	AcceptRejectsToMailbox string `sconf:"optional" sconf-doc:"Influences spam filtering only, this option does not change whether a message matches this ruleset. If a message is classified as spam, it isn't rejected during the SMTP transaction (the normal behaviour), but accepted during the SMTP transaction and delivered to the specified mailbox. The specified mailbox is not automatically cleaned up like the account global Rejects mailbox, unless set to that Rejects mailbox."`
 
 	Mailbox string `sconf-doc:"Mailbox to deliver to if this ruleset matches."`
+	Comment string `sconf:"optional" sconf-doc:"Free-form comments."`
 
 	SMTPMailFromRegexpCompiled *regexp.Regexp      `sconf:"-" json:"-"`
+	MsgFromRegexpCompiled      *regexp.Regexp      `sconf:"-" json:"-"`
 	VerifiedDNSDomain          dns.Domain          `sconf:"-"`
 	HeadersRegexpCompiled      [][2]*regexp.Regexp `sconf:"-" json:"-"`
 	ListAllowDNSDomain         dns.Domain          `sconf:"-"`
@@ -420,7 +525,7 @@ type Ruleset struct {
 
 // Equal returns whether r and o are equal, only looking at their user-changeable fields.
 func (r Ruleset) Equal(o Ruleset) bool {
-	if r.SMTPMailFromRegexp != o.SMTPMailFromRegexp || r.VerifiedDomain != o.VerifiedDomain || r.IsForward != o.IsForward || r.ListAllowDomain != o.ListAllowDomain || r.AcceptRejectsToMailbox != o.AcceptRejectsToMailbox || r.Mailbox != o.Mailbox {
+	if r.SMTPMailFromRegexp != o.SMTPMailFromRegexp || r.MsgFromRegexp != o.MsgFromRegexp || r.VerifiedDomain != o.VerifiedDomain || r.IsForward != o.IsForward || r.ListAllowDomain != o.ListAllowDomain || r.AcceptRejectsToMailbox != o.AcceptRejectsToMailbox || r.Mailbox != o.Mailbox || r.Comment != o.Comment {
 		return false
 	}
 	if !reflect.DeepEqual(r.HeadersRegexp, o.HeadersRegexp) {
@@ -439,22 +544,27 @@ type TLS struct {
 	KeyCerts            []KeyCert `sconf:"optional" sconf-doc:"Keys and certificates to use for this listener. The files are opened by the privileged root process and passed to the unprivileged mox process, so no special permissions are required on the files. If the private key will not be replaced when refreshing certificates, also consider adding the private key to HostPrivateKeyFiles and configuring DANE TLSA DNS records."`
 	MinVersion          string    `sconf:"optional" sconf-doc:"Minimum TLS version. Default: TLSv1.2."`
 	HostPrivateKeyFiles []string  `sconf:"optional" sconf-doc:"Private keys used for ACME certificates. Specified explicitly so DANE TLSA DNS records can be generated, even before the certificates are requested. DANE is a mechanism to authenticate remote TLS certificates based on a public key or certificate specified in DNS, protected with DNSSEC. DANE is opportunistic and attempted when delivering SMTP with STARTTLS. The private key files must be in PEM format. PKCS8 is recommended, but PKCS1 and EC private keys are recognized as well. Only RSA 2048 bit and ECDSA P-256 keys are currently used. The first of each is used when requesting new certificates through ACME."`
+	ClientAuthDisabled  bool      `sconf:"optional" sconf-doc:"Disable TLS client authentication with certificates/keys, preventing the TLS server from requesting a TLS certificate from clients. Useful for working around clients that don't handle TLS client authentication well."`
 
-	Config                   *tls.Config     `sconf:"-" json:"-"` // TLS config for non-ACME-verification connections, i.e. SMTP and IMAP, and not port 443.
+	Config                   *tls.Config     `sconf:"-" json:"-"` // TLS config for non-ACME-verification connections, i.e. SMTP and IMAP, and not port 443. Connections without SNI will use a certificate for the hostname of the listener, connections with an SNI hostname that isn't allowed will be rejected.
+	ConfigFallback           *tls.Config     `sconf:"-" json:"-"` // Like Config, but uses the certificate for the listener hostname when the requested SNI hostname is not allowed, instead of causing the connection to fail.
 	ACMEConfig               *tls.Config     `sconf:"-" json:"-"` // TLS config that handles ACME verification, for serving on port 443.
 	HostPrivateRSA2048Keys   []crypto.Signer `sconf:"-" json:"-"` // Private keys for new TLS certificates for listener host name, for new certificates with ACME, and for DANE records.
 	HostPrivateECDSAP256Keys []crypto.Signer `sconf:"-" json:"-"`
 }
 
+// todo: we could implement matching WebHandler.Domain as IPs too
+
 type WebHandler struct {
 	LogName               string       `sconf:"optional" sconf-doc:"Name to use in logging and metrics."`
-	Domain                string       `sconf-doc:"Both Domain and PathRegexp must match for this WebHandler to match a request. Exactly one of WebStatic, WebRedirect, WebForward must be set."`
+	Domain                string       `sconf-doc:"Both Domain and PathRegexp must match for this WebHandler to match a request. Exactly one of WebStatic, WebRedirect, WebForward, WebInternal must be set."`
 	PathRegexp            string       `sconf-doc:"Regular expression matched against request path, must always start with ^ to ensure matching from the start of the path. The matching prefix can optionally be stripped by WebForward. The regular expression does not have to end with $."`
 	DontRedirectPlainHTTP bool         `sconf:"optional" sconf-doc:"If set, plain HTTP requests are not automatically permanently redirected (308) to HTTPS. If you don't have a HTTPS webserver configured, set this to true."`
 	Compress              bool         `sconf:"optional" sconf-doc:"Transparently compress responses (currently with gzip) if the client supports it, the status is 200 OK, no Content-Encoding is set on the response yet and the Content-Type of the response hints that the data is compressible (text/..., specific application/... and .../...+json and .../...+xml). For static files only, a cache with compressed files is kept."`
 	WebStatic             *WebStatic   `sconf:"optional" sconf-doc:"Serve static files."`
 	WebRedirect           *WebRedirect `sconf:"optional" sconf-doc:"Redirect requests to configured URL."`
 	WebForward            *WebForward  `sconf:"optional" sconf-doc:"Forward requests to another webserver, i.e. reverse proxy."`
+	WebInternal           *WebInternal `sconf:"optional" sconf-doc:"Pass request to internal service, like webmail, webapi, etc."`
 
 	Name      string         `sconf:"-"` // Either LogName, or numeric index if LogName was empty. Used instead of LogName in logging/metrics.
 	DNSDomain dns.Domain     `sconf:"-"`
@@ -470,6 +580,7 @@ func (wh WebHandler) Equal(o WebHandler) bool {
 		x.WebStatic = nil
 		x.WebRedirect = nil
 		x.WebForward = nil
+		x.WebInternal = nil
 		return x
 	}
 	cwh := clean(wh)
@@ -477,7 +588,7 @@ func (wh WebHandler) Equal(o WebHandler) bool {
 	if cwh != co {
 		return false
 	}
-	if (wh.WebStatic == nil) != (o.WebStatic == nil) || (wh.WebRedirect == nil) != (o.WebRedirect == nil) || (wh.WebForward == nil) != (o.WebForward == nil) {
+	if (wh.WebStatic == nil) != (o.WebStatic == nil) || (wh.WebRedirect == nil) != (o.WebRedirect == nil) || (wh.WebForward == nil) != (o.WebForward == nil) || (wh.WebInternal == nil) != (o.WebInternal == nil) {
 		return false
 	}
 	if wh.WebStatic != nil {
@@ -489,6 +600,9 @@ func (wh WebHandler) Equal(o WebHandler) bool {
 	if wh.WebForward != nil {
 		return wh.WebForward.equal(*o.WebForward)
 	}
+	if wh.WebInternal != nil {
+		return wh.WebInternal.equal(*o.WebInternal)
+	}
 	return true
 }
 
@@ -531,3 +645,16 @@ func (wf WebForward) equal(o WebForward) bool {
 	o.TargetURL = nil
 	return reflect.DeepEqual(wf, o)
 }
+
+type WebInternal struct {
+	BasePath string `sconf-doc:"Path to use as root of internal service, e.g. /webmail/."`
+	Service  string `sconf-doc:"Name of the service, values: admin, account, webmail, webapi."`
+
+	Handler http.Handler `sconf:"-" json:"-"`
+}
+
+func (wi WebInternal) equal(o WebInternal) bool {
+	wi.Handler = nil
+	o.Handler = nil
+	return reflect.DeepEqual(wi, o)
+}

config/doc.go

@@ -1,15 +1,36 @@
 /*
-Package config holds the configuration file definitions for mox.conf (Static)
-and domains.conf (Dynamic).
+Package config holds the configuration file definitions.
 
-These config files are in "sconf" format.  Summarized: Indent with tabs, "#" as
-first non-whitespace character makes the line a comment (you cannot have a line
-with both a value and a comment), strings are not quoted/escaped and can never
-span multiple lines. See https://pkg.go.dev/github.com/mjl-/sconf for details.
+Mox uses two config files:
 
-Annotated empty/default configuration files you could use as a starting point
-for your mox.conf and domains.conf, as generated by "mox config
-describe-static" and "mox config describe-domains":
+1. mox.conf, also called the static configuration file.
+2. domains.conf, also called the dynamic configuration file.
+
+The static configuration file is never reloaded during the lifetime of a
+running mox instance. After changes to mox.conf, mox must be restarted for the
+changes to take effect.
+
+The dynamic configuration file is reloaded automatically when it changes.
+If the file contains an error after the change, the reload is aborted and the
+previous version remains active.
+
+Below are "empty" config files, generated from the config file definitions in
+the source code, along with comments explaining the fields. Fields named "x" are
+placeholders for user-chosen map keys.
+
+# sconf
+
+The config files are in "sconf" format. Properties of sconf files:
+
+  - Indentation with tabs only.
+  - "#" as first non-whitespace character makes the line a comment. Lines with a
+    value cannot also have a comment.
+  - Values don't have syntax indicating their type. For example, strings are
+    not quoted/escaped and can never span multiple lines.
+  - Fields that are optional can be left out completely. But the value of an
+    optional field may itself have required fields.
+
+See https://pkg.go.dev/github.com/mjl-/sconf for details.
 
 # mox.conf
 
@@ -92,10 +113,34 @@ describe-static" and "mox config describe-domains":
 
 			# TLS port for ACME validation, 443 by default. You should only override this if
 			# you cannot listen on port 443 directly. ACME will make requests to port 443, so
-			# you'll have to add an external mechanism to get the connection here, e.g. by
-			# configuring port forwarding. (optional)
+			# you'll have to add an external mechanism to get the tls connection here, e.g. by
+			# configuring firewall-level port forwarding. Validation over the https port uses
+			# tls-alpn-01 with application-layer protocol negotiation, which essentially means
+			# the original tls connection must make it here unmodified, an https reverse proxy
+			# will not work. (optional)
 			Port: 0
 
+			# If set, used for suggested CAA DNS records, for restricting TLS certificate
+			# issuance to a Certificate Authority. If empty and DirectyURL is for Let's
+			# Encrypt, this value is set automatically to letsencrypt.org. (optional)
+			IssuerDomainName:
+
+			# ACME providers can require that a request for a new ACME account reference an
+			# existing non-ACME account known to the provider. External account binding
+			# references that account by a key id, and authorizes new ACME account requests by
+			# signing it with a key known both by the ACME client and ACME provider.
+			# (optional)
+			ExternalAccountBinding:
+
+				# Key identifier, from ACME provider.
+				KeyID:
+
+				# File containing the base64url-encoded key used to sign account requests with
+				# external account binding. The ACME provider will verify the account request is
+				# correctly signed by the key. File is evaluated relative to the directory of
+				# mox.conf.
+				KeyFile:
+
 	# File containing hash of admin password, for authentication in the web admin
 	# pages (if enabled). (optional)
 	AdminPasswordFile:
@@ -111,7 +156,11 @@ describe-static" and "mox config describe-domains":
 
 			# Use 0.0.0.0 to listen on all IPv4 and/or :: to listen on all IPv6 addresses, but
 			# it is better to explicitly specify the IPs you want to use for email, as mox
-			# will make sure outgoing connections will only be made from one of those IPs.
+			# will make sure outgoing connections will only be made from one of those IPs. If
+			# both outgoing IPv4 and IPv6 connectivity is possible, and only one family has
+			# explicitly configured addresses, both address families are still used for
+			# outgoing connections. Use the "direct" transport to limit address families for
+			# outgoing connections.
 			IPs:
 				-
 
@@ -126,7 +175,10 @@ describe-static" and "mox config describe-domains":
 			# NATed. Skips IP-related DNS self-checks. (optional)
 			IPsNATed: false
 
-			# If empty, the config global Hostname is used. (optional)
+			# If empty, the config global Hostname is used. The internal services webadmin,
+			# webaccount, webmail and webapi only match requests to IPs, this hostname,
+			# "localhost". All except webadmin also match for any client settings domain.
+			# (optional)
 			Hostname:
 
 			# For SMTP/IMAP STARTTLS, direct TLS and HTTPS connections. (optional)
@@ -165,6 +217,11 @@ describe-static" and "mox config describe-domains":
 				HostPrivateKeyFiles:
 					-
 
+				# Disable TLS client authentication with certificates/keys, preventing the TLS
+				# server from requesting a TLS certificate from clients. Useful for working around
+				# clients that don't handle TLS client authentication well. (optional)
+				ClientAuthDisabled: false
+
 			# Maximum size in bytes for incoming and outgoing messages. Default is 100MB.
 			# (optional)
 			SMTPMaxMessageSize: 0
@@ -197,9 +254,12 @@ describe-static" and "mox config describe-domains":
 				# accept/reject decision. This prevents sending IPs of all communications to the
 				# block list provider. If any of the listed DNSBLs contains a requested IP
 				# address, the message is rejected as spam. The DNSBLs are checked for healthiness
-				# before use, at most once per 4 hours. Example DNSBLs: sbl.spamhaus.org,
-				# bl.spamcop.net. See https://www.spamhaus.org/sbl/ and https://www.spamcop.net/
-				# for more information and terms of use. (optional)
+				# before use, at most once per 4 hours. IPs we can send from are periodically
+				# checked for being in the configured DNSBLs. See MonitorDNSBLs in domains.conf to
+				# only monitor IPs we send from, without using those DNSBLs for incoming messages.
+				# Example DNSBLs: sbl.spamhaus.org, bl.spamcop.net. See
+				# https://www.spamhaus.org/sbl/ and https://www.spamcop.net/ for more information
+				# and terms of use. (optional)
 				DNSBLs:
 					-
 
@@ -207,6 +267,10 @@ describe-static" and "mox config describe-domains":
 				# account. Default: 15s. (optional)
 				FirstTimeSenderDelay: 0s
 
+				# Override default setting for enabling TLS session tickets. Disabling session
+				# tickets may work around TLS interoperability issues. (optional)
+				TLSSessionTicketsDisabled: false
+
 			# SMTP for submitting email, e.g. by email applications. Starts out in plain text,
 			# can be upgraded to TLS with the STARTTLS command. Prefer using Submissions which
 			# is always a TLS connection. (optional)
@@ -228,6 +292,14 @@ describe-static" and "mox config describe-domains":
 				# Default 465. (optional)
 				Port: 0
 
+				# Additionally enable submission on HTTPS port 443 via TLS ALPN. TLS Application
+				# Layer Protocol Negotiation allows clients to request a specific protocol from
+				# the server as part of the TLS connection setup. When this setting is enabled and
+				# a client requests the 'smtp' protocol after TLS, it will be able to talk SMTP to
+				# Mox on port 443. This is meant to be useful as a censorship circumvention
+				# technique for Delta Chat. (optional)
+				EnabledOnHTTPS: false
+
 			# IMAP for reading email, by email applications. Starts out in plain text, can be
 			# upgraded to TLS with the STARTTLS command. Prefer using IMAPS instead which is
 			# always a TLS connection. (optional)
@@ -249,77 +321,151 @@ describe-static" and "mox config describe-domains":
 				# Default 993. (optional)
 				Port: 0
 
+				# Additionally enable IMAP on HTTPS port 443 via TLS ALPN. TLS Application Layer
+				# Protocol Negotiation allows clients to request a specific protocol from the
+				# server as part of the TLS connection setup. When this setting is enabled and a
+				# client requests the 'imap' protocol after TLS, it will be able to talk IMAP to
+				# Mox on port 443. This is meant to be useful as a censorship circumvention
+				# technique for Delta Chat. (optional)
+				EnabledOnHTTPS: false
+
 			# Account web interface, for email users wanting to change their accounts, e.g.
-			# set new password, set new delivery rulesets. Served at /. (optional)
+			# set new password, set new delivery rulesets. Default path is /. (optional)
 			AccountHTTP:
 				Enabled: false
 
-				# Default 80. (optional)
+				# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
+				# matching behaviour. (optional)
 				Port: 0
 
-				# Path to serve account requests on, e.g. /mox/. Useful if domain serves other
-				# resources. Default is /. (optional)
+				# Path to serve requests on. Should end with a slash, related to cookie paths.
+				# (optional)
 				Path:
 
-			# Account web interface listener for HTTPS. Requires a TLS config. (optional)
+				# If set, X-Forwarded-* headers are used for the remote IP address for rate
+				# limiting and for the "secure" status of cookies. (optional)
+				Forwarded: false
+
+			# Account web interface listener like AccountHTTP, but for HTTPS. Requires a TLS
+			# config. (optional)
 			AccountHTTPS:
 				Enabled: false
 
-				# Default 80. (optional)
+				# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
+				# matching behaviour. (optional)
 				Port: 0
 
-				# Path to serve account requests on, e.g. /mox/. Useful if domain serves other
-				# resources. Default is /. (optional)
+				# Path to serve requests on. Should end with a slash, related to cookie paths.
+				# (optional)
 				Path:
 
-			# Admin web interface, for managing domains, accounts, etc. Served at /admin/.
-			# Preferably only enable on non-public IPs. Hint: use 'ssh -L 8080:localhost:80
-			# you@yourmachine' and open http://localhost:8080/admin/, or set up a tunnel (e.g.
-			# WireGuard) and add its IP to the mox 'internal' listener. (optional)
+				# If set, X-Forwarded-* headers are used for the remote IP address for rate
+				# limiting and for the "secure" status of cookies. (optional)
+				Forwarded: false
+
+			# Admin web interface, for managing domains, accounts, etc. Default path is
+			# /admin/. Preferably only enable on non-public IPs. Hint: use 'ssh -L
+			# 8080:localhost:80 you@yourmachine' and open http://localhost:8080/admin/, or set
+			# up a tunnel (e.g. WireGuard) and add its IP to the mox 'internal' listener.
+			# (optional)
 			AdminHTTP:
 				Enabled: false
 
-				# Default 80. (optional)
+				# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
+				# matching behaviour. (optional)
 				Port: 0
 
-				# Path to serve admin requests on, e.g. /moxadmin/. Useful if domain serves other
-				# resources. Default is /admin/. (optional)
+				# Path to serve requests on. Should end with a slash, related to cookie paths.
+				# (optional)
 				Path:
 
-			# Admin web interface listener for HTTPS. Requires a TLS config. Preferably only
-			# enable on non-public IPs. (optional)
+				# If set, X-Forwarded-* headers are used for the remote IP address for rate
+				# limiting and for the "secure" status of cookies. (optional)
+				Forwarded: false
+
+			# Admin web interface listener like AdminHTTP, but for HTTPS. Requires a TLS
+			# config. (optional)
 			AdminHTTPS:
 				Enabled: false
 
-				# Default 443. (optional)
+				# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
+				# matching behaviour. (optional)
 				Port: 0
 
-				# Path to serve admin requests on, e.g. /moxadmin/. Useful if domain serves other
-				# resources. Default is /admin/. (optional)
+				# Path to serve requests on. Should end with a slash, related to cookie paths.
+				# (optional)
 				Path:
 
-			# Webmail client, for reading email. (optional)
+				# If set, X-Forwarded-* headers are used for the remote IP address for rate
+				# limiting and for the "secure" status of cookies. (optional)
+				Forwarded: false
+
+			# Webmail client, for reading email. Default path is /webmail/. (optional)
 			WebmailHTTP:
 				Enabled: false
 
-				# Default 80. (optional)
+				# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
+				# matching behaviour. (optional)
 				Port: 0
 
-				# Path to serve account requests on. Useful if domain serves other resources.
-				# Default is /webmail/. (optional)
+				# Path to serve requests on. Should end with a slash, related to cookie paths.
+				# (optional)
 				Path:
 
-			# Webmail client, for reading email. (optional)
+				# If set, X-Forwarded-* headers are used for the remote IP address for rate
+				# limiting and for the "secure" status of cookies. (optional)
+				Forwarded: false
+
+			# Webmail client, like WebmailHTTP, but for HTTPS. Requires a TLS config.
+			# (optional)
 			WebmailHTTPS:
 				Enabled: false
 
-				# Default 443. (optional)
+				# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
+				# matching behaviour. (optional)
 				Port: 0
 
-				# Path to serve account requests on. Useful if domain serves other resources.
-				# Default is /webmail/. (optional)
+				# Path to serve requests on. Should end with a slash, related to cookie paths.
+				# (optional)
 				Path:
 
+				# If set, X-Forwarded-* headers are used for the remote IP address for rate
+				# limiting and for the "secure" status of cookies. (optional)
+				Forwarded: false
+
+			# Like WebAPIHTTP, but with plain HTTP, without TLS. (optional)
+			WebAPIHTTP:
+				Enabled: false
+
+				# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
+				# matching behaviour. (optional)
+				Port: 0
+
+				# Path to serve requests on. Should end with a slash, related to cookie paths.
+				# (optional)
+				Path:
+
+				# If set, X-Forwarded-* headers are used for the remote IP address for rate
+				# limiting and for the "secure" status of cookies. (optional)
+				Forwarded: false
+
+			# WebAPI, a simple HTTP/JSON-based API for email, with HTTPS (requires a TLS
+			# config). Default path is /webapi/. (optional)
+			WebAPIHTTPS:
+				Enabled: false
+
+				# Default 80 for HTTP and 443 for HTTPS. See Hostname at Listener for hostname
+				# matching behaviour. (optional)
+				Port: 0
+
+				# Path to serve requests on. Should end with a slash, related to cookie paths.
+				# (optional)
+				Path:
+
+				# If set, X-Forwarded-* headers are used for the remote IP address for rate
+				# limiting and for the "secure" status of cookies. (optional)
+				Forwarded: false
+
 			# Serve prometheus metrics, for monitoring. You should not enable this on a public
 			# IP. (optional)
 			MetricsHTTP:
@@ -373,6 +519,9 @@ describe-static" and "mox config describe-domains":
 				# Port for plain HTTP (non-TLS) webserver. (optional)
 				Port: 0
 
+				# Disable rate limiting for all requests to this port. (optional)
+				RateLimitDisabled: false
+
 			# All configured WebHandlers will serve on an enabled listener. Either ACME must
 			# be configured, or for each WebHandler domain a TLS certificate must be
 			# configured. (optional)
@@ -382,6 +531,9 @@ describe-static" and "mox config describe-domains":
 				# Port for HTTPS webserver. (optional)
 				Port: 0
 
+				# Disable rate limiting for all requests to this port. (optional)
+				RateLimitDisabled: false
+
 	# Destination for emails delivered to postmaster addresses: a plain 'postmaster'
 	# without domain, 'postmaster@<hostname>' (also for each listener with SMTP
 	# enabled), and as fallback for each domain without explicitly configured
@@ -405,13 +557,13 @@ describe-static" and "mox config describe-domains":
 		# Mailbox to deliver TLS reports to. Recommended value: TLSRPT.
 		Mailbox:
 
-		# Localpart at hostname to accept TLS reports at. Recommended value: tls-reports.
+		# Localpart at hostname to accept TLS reports at. Recommended value: tlsreports.
 		Localpart:
 
 	# Mailboxes to create for new accounts. Inbox is always created. Mailboxes can be
 	# given a 'special-use' role, which are understood by most mail clients. If
-	# absent/empty, the following mailboxes are created: Sent, Archive, Trash, Drafts
-	# and Junk. (optional)
+	# absent/empty, the following additional mailboxes are created: Sent, Archive,
+	# Trash, Drafts and Junk. (optional)
 	InitialMailboxes:
 
 		# Special-use roles to mailbox to create. (optional)
@@ -480,8 +632,10 @@ describe-static" and "mox config describe-domains":
 					Username:
 					Password:
 
-					# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256, SCRAM-SHA-1,
-					# CRAM-MD5. Not included by default: PLAIN. (optional)
+					# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS,
+					# SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default:
+					# PLAIN. Specify the strongest mechanism known to be implemented by the server to
+					# prevent mechanism downgrade attacks. (optional)
 					Mechanisms:
 						-
 
@@ -511,8 +665,10 @@ describe-static" and "mox config describe-domains":
 					Username:
 					Password:
 
-					# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256, SCRAM-SHA-1,
-					# CRAM-MD5. Not included by default: PLAIN. (optional)
+					# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS,
+					# SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default:
+					# PLAIN. Specify the strongest mechanism known to be implemented by the server to
+					# prevent mechanism downgrade attacks. (optional)
 					Mechanisms:
 						-
 
@@ -542,8 +698,10 @@ describe-static" and "mox config describe-domains":
 					Username:
 					Password:
 
-					# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256, SCRAM-SHA-1,
-					# CRAM-MD5. Not included by default: PLAIN. (optional)
+					# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS,
+					# SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default:
+					# PLAIN. Specify the strongest mechanism known to be implemented by the server to
+					# prevent mechanism downgrade attacks. (optional)
 					Mechanisms:
 						-
 
@@ -566,6 +724,28 @@ describe-static" and "mox config describe-domains":
 				# typically the hostname of the host in the Address field.
 				RemoteHostname:
 
+			# Like regular direct delivery, but allows to tweak outgoing connections.
+			# (optional)
+			Direct:
+
+				# If set, outgoing SMTP connections will *NOT* use IPv4 addresses to connect to
+				# remote SMTP servers. (optional)
+				DisableIPv4: false
+
+				# If set, outgoing SMTP connections will *NOT* use IPv6 addresses to connect to
+				# remote SMTP servers. (optional)
+				DisableIPv6: false
+
+			# Immediately fails the delivery attempt. (optional)
+			Fail:
+
+				# SMTP error code and optional enhanced error code to use for the failure. If
+				# empty, 554 is used (transaction failed). (optional)
+				SMTPCode: 0
+
+				# Message to include for the rejection. It will be shown in the DSN. (optional)
+				SMTPMessage:
+
 	# Do not send DMARC reports (aggregate only). By default, aggregate reports on
 	# DMARC evaluations are sent to domains if their DMARC policy requests them.
 	# Reports are sent at whole hours, with a minimum of 1 hour and maximum of 24
@@ -588,6 +768,15 @@ describe-static" and "mox config describe-domains":
 	# (optional)
 	OutgoingTLSReportsForAllSuccess: false
 
+	# Default maximum total message size in bytes for each individual account, only
+	# applicable if greater than zero. Can be overridden per account. Attempting to
+	# add new messages to an account beyond its maximum total size will result in an
+	# error. Useful to prevent a single account from filling storage. The quota only
+	# applies to the email message files, not to any file system overhead and also not
+	# the message index database file (account for approximately 15% overhead).
+	# (optional)
+	QuotaMessageSize: 0
+
 # domains.conf
 
 	# NOTE: This config file is in 'sconf' format. Indent with tabs. Comments must be
@@ -600,14 +789,43 @@ describe-static" and "mox config describe-domains":
 	Domains:
 		x:
 
+			# Disabled domains can be useful during/before migrations. Domains that are
+			# disabled can still be configured like normal, including adding addresses using
+			# the domain to accounts. However, disabled domains: 1. Do not try to fetch ACME
+			# certificates. TLS connections to host names involving the email domain will
+			# fail. A TLS certificate for the hostname (that wil be used as MX) itself will be
+			# requested. 2. Incoming deliveries over SMTP are rejected with a temporary error
+			# '450 4.2.1 recipient domain temporarily disabled'. 3. Submissions over SMTP
+			# using an (envelope) SMTP MAIL FROM address or message 'From' address of a
+			# disabled domain will be rejected with a temporary error '451 4.3.0 sender domain
+			# temporarily disabled'. Note that accounts with addresses at disabled domains can
+			# still log in and read email (unless the account itself is disabled). (optional)
+			Disabled: false
+
 			# Free-form description of domain. (optional)
 			Description:
 
+			# Hostname for client settings instead of the mail server hostname. E.g.
+			# mail.<domain>. For future migration to another mail operator without requiring
+			# all clients to update their settings, it is convenient to have client settings
+			# that reference a subdomain of the hosted domain instead of the hostname of the
+			# server where the mail is currently hosted. If empty, the hostname of the mail
+			# server is used for client configurations. Unicode name. (optional)
+			ClientSettingsDomain:
+
 			# If not empty, only the string before the separator is used to for email delivery
 			# decisions. For example, if set to "+", you+anything@example.com will be
 			# delivered to you@example.com. (optional)
 			LocalpartCatchallSeparator:
 
+			# Similar to LocalpartCatchallSeparator, but in case multiple are needed. For
+			# example both "+" and "-". Only of one LocalpartCatchallSeparator or
+			# LocalpartCatchallSeparators can be set. If set, the first separator is used to
+			# make unique addresses for outgoing SMTP connections with FromIDLoginAddresses.
+			# (optional)
+			LocalpartCatchallSeparators:
+				-
+
 			# If set, upper/lower case is relevant for email delivery. (optional)
 			LocalpartCaseSensitive: false
 
@@ -622,7 +840,7 @@ describe-static" and "mox config describe-domains":
 				Selectors:
 					x:
 
-						# sha256 (default) or (older, not recommended) sha1 (optional)
+						# sha256 (default) or (older, not recommended) sha1. (optional)
 						Hash:
 
 						# (optional)
@@ -667,11 +885,18 @@ describe-static" and "mox config describe-domains":
 			DMARC:
 
 				# Address-part before the @ that accepts DMARC reports. Must be
-				# non-internationalized. Recommended value: dmarc-reports.
+				# non-internationalized. Recommended value: dmarcreports.
 				Localpart:
 
-				# Alternative domain for report recipient address. Can be used to receive reports
-				# for other domains. Unicode name. (optional)
+				# Alternative domain for reporting address, for incoming reports. Typically empty,
+				# causing the domain wherein this config exists to be used. Can be used to receive
+				# reports for domains that aren't fully hosted on this server. Configure such a
+				# domain as a hosted domain without making all the DNS changes, and configure this
+				# field with a domain that is fully hosted on this server, so the localpart and
+				# the domain of this field form a reporting address. Then only update the DMARC
+				# DNS record for the not fully hosted domain, ensuring the reporting address is
+				# specified in its "rua" field as shown in the suggested DNS settings. Unicode
+				# name. (optional)
 				Domain:
 
 				# Account to deliver to.
@@ -680,17 +905,35 @@ describe-static" and "mox config describe-domains":
 				# Mailbox to deliver to, e.g. DMARC.
 				Mailbox:
 
-			# With MTA-STS a domain publishes, in DNS, presence of a policy for
-			# using/requiring TLS for SMTP connections. The policy is served over HTTPS.
-			# (optional)
+			# MTA-STS is a mechanism that allows publishing a policy with requirements for
+			# WebPKI-verified SMTP STARTTLS connections for email delivered to a domain.
+			# Existence of a policy is announced in a DNS TXT record (often
+			# unprotected/unverified, MTA-STS's weak spot). If a policy exists, it is fetched
+			# with a WebPKI-verified HTTPS request. The policy can indicate that
+			# WebPKI-verified SMTP STARTTLS is required, and which MX hosts (optionally with a
+			# wildcard pattern) are allowd. MX hosts to deliver to are still taken from DNS
+			# (again, not necessarily protected/verified), but messages will only be delivered
+			# to domains matching the MX hosts from the published policy. Mail servers look up
+			# the MTA-STS policy when first delivering to a domain, then keep a cached copy,
+			# periodically checking the DNS record if a new policy is available, and fetching
+			# and caching it if so. To update a policy, first serve a new policy with an
+			# updated policy ID, then update the DNS record (not the other way around). To
+			# remove an enforced policy, publish an updated policy with mode "none" for a long
+			# enough period so all cached policies have been refreshed (taking DNS TTL and
+			# policy max age into account), then remove the policy from DNS, wait for TTL to
+			# expire, and stop serving the policy. (optional)
 			MTASTS:
 
 				# Policies are versioned. The version must be specified in the DNS record. If you
-				# change a policy, first change it in mox, then update the DNS record.
+				# change a policy, first change it here to update the served policy, then update
+				# the DNS record with the updated policy ID.
 				PolicyID:
 
-				# testing, enforce or none. If set to enforce, a remote SMTP server will not
-				# deliver email to us if it cannot make a TLS connection.
+				# If set to "enforce", a remote SMTP server will not deliver email to us if it
+				# cannot make a WebPKI-verified SMTP STARTTLS connection. In mode "testing",
+				# deliveries can be done without verified TLS, but errors will be reported through
+				# TLS reporting. In mode "none", verified TLS is not required, used for phasing
+				# out an MTA-STS policy.
 				Mode:
 
 				# How long a remote mail server is allowed to cache a policy. Typically 1 or
@@ -710,11 +953,18 @@ describe-static" and "mox config describe-domains":
 			TLSRPT:
 
 				# Address-part before the @ that accepts TLSRPT reports. Recommended value:
-				# tls-reports.
+				# tlsreports.
 				Localpart:
 
-				# Alternative domain for report recipient address. Can be used to receive reports
-				# for other domains. Unicode name. (optional)
+				# Alternative domain for reporting address, for incoming reports. Typically empty,
+				# causing the domain wherein this config exists to be used. Can be used to receive
+				# reports for domains that aren't fully hosted on this server. Configure such a
+				# domain as a hosted domain without making all the DNS changes, and configure this
+				# field with a domain that is fully hosted on this server, so the localpart and
+				# the domain of this field form a reporting address. Then only update the TLSRPT
+				# DNS record for the not fully hosted domain, ensuring the reporting address is
+				# specified in its "rua" field as shown in the suggested DNS settings. Unicode
+				# name. (optional)
 				Domain:
 
 				# Account to deliver to.
@@ -747,11 +997,93 @@ describe-static" and "mox config describe-domains":
 					MinimumAttempts: 0
 					Transport:
 
-	# Accounts to which email can be delivered. An account can accept email for
-	# multiple domains, for multiple localparts, and deliver to multiple mailboxes.
+			# Aliases that cause messages to be delivered to one or more locally configured
+			# addresses. Keys are localparts (encoded, as they appear in email addresses).
+			# (optional)
+			Aliases:
+				x:
+
+					# Expanded addresses to deliver to. These must currently be of addresses of local
+					# accounts. To prevent duplicate messages, a member address that is also an
+					# explicit recipient in the SMTP transaction will only have the message delivered
+					# once. If the address in the message From header is a member, that member also
+					# won't receive the message.
+					Addresses:
+						-
+
+					# If true, anyone can send messages to the list. Otherwise only members, based on
+					# message From address, which is assumed to be DMARC-like-verified. (optional)
+					PostPublic: false
+
+					# If true, members can see addresses of members. (optional)
+					ListMembers: false
+
+					# If true, members are allowed to send messages with this alias address in the
+					# message From header. (optional)
+					AllowMsgFrom: false
+
+	# Accounts represent mox users, each with a password and email address(es) to
+	# which email can be delivered (possibly at different domains). Each account has
+	# its own on-disk directory holding its messages and index database. An account
+	# name is not an email address.
 	Accounts:
 		x:
 
+			# Webhooks for events about outgoing deliveries. (optional)
+			OutgoingWebhook:
+
+				# URL to POST webhooks.
+				URL:
+
+				# If not empty, value of Authorization header to add to HTTP requests. (optional)
+				Authorization:
+
+				# Events to send outgoing delivery notifications for. If absent, all events are
+				# sent. Valid values: delivered, suppressed, delayed, failed, relayed, expanded,
+				# canceled, unrecognized. (optional)
+				Events:
+					-
+
+			# Webhooks for events about incoming deliveries over SMTP. (optional)
+			IncomingWebhook:
+
+				# URL to POST webhooks to for incoming deliveries over SMTP.
+				URL:
+
+				# If not empty, value of Authorization header to add to HTTP requests. (optional)
+				Authorization:
+
+			# Login addresses that cause outgoing email to be sent with SMTP MAIL FROM
+			# addresses with a unique id after the localpart catchall separator (which must be
+			# enabled when addresses are specified here). Any delivery status notifications
+			# (DSN, e.g. for bounces), can be related to the original message and recipient
+			# with unique id's. You can login to an account with any valid email address,
+			# including variants with the localpart catchall separator. You can use this
+			# mechanism to both send outgoing messages with and without unique fromid for a
+			# given email address. With the webapi and webmail, a unique id will be generated.
+			# For submission, the id from the SMTP MAIL FROM command is used if present, and a
+			# unique id is generated otherwise. (optional)
+			FromIDLoginAddresses:
+				-
+
+			# Period to keep messages retired from the queue (delivered or failed) around.
+			# Keeping retired messages is useful for maintaining the suppression list for
+			# transactional email, for matching incoming DSNs to sent messages, and for
+			# debugging. The time at which to clean up (remove) is calculated at retire time.
+			# E.g. 168h (1 week). (optional)
+			KeepRetiredMessagePeriod: 0s
+
+			# Period to keep webhooks retired from the queue (delivered or failed) around.
+			# Useful for debugging. The time at which to clean up (remove) is calculated at
+			# retire time. E.g. 168h (1 week). (optional)
+			KeepRetiredWebhookPeriod: 0s
+
+			# If non-empty, login attempts on all protocols (e.g. SMTP/IMAP, web interfaces)
+			# is rejected with this error message. Useful during migrations. Incoming
+			# deliveries for addresses of this account are still accepted as normal.
+			# (optional)
+			LoginDisabled:
+
 			# Default domain for account. Deprecated behaviour: If a destination is not a full
 			# address but only a localpart, this domain is added to form a full address.
 			Domain:
@@ -763,11 +1095,13 @@ describe-static" and "mox config describe-domains":
 			# be overridden per destination. (optional)
 			FullName:
 
-			# Destinations, keys are email addresses (with IDNA domains). If the address is of
-			# the form '@domain', i.e. with localpart missing, it serves as a catchall for the
-			# domain, matching all messages that are not explicitly configured. Deprecated
-			# behaviour: If the address is not a full address but a localpart, it is combined
-			# with Domain to form a full address.
+			# Destinations, keys are email addresses (with IDNA domains). All destinations are
+			# allowed for logging in with IMAP/SMTP/webmail. If no destinations are
+			# configured, the account can not login. If the address is of the form '@domain',
+			# i.e. with localpart missing, it serves as a catchall for the domain, matching
+			# all messages that are not explicitly configured. Deprecated behaviour: If the
+			# address is not a full address but a localpart, it is combined with Domain to
+			# form a full address. (optional)
 			Destinations:
 				x:
 
@@ -785,6 +1119,10 @@ describe-static" and "mox config describe-domains":
 							# address (not the message From-header). E.g. '^user@example\.org$'. (optional)
 							SMTPMailFromRegexp:
 
+							# Matches if this regular expression matches (a substring of) the single address
+							# in the message From header. (optional)
+							MsgFromRegexp:
+
 							# Matches if this domain matches an SPF- and/or DKIM-verified (sub)domain.
 							# (optional)
 							VerifiedDomain:
@@ -803,7 +1141,7 @@ describe-static" and "mox config describe-domains":
 							# matches this ruleset. Can only be used together with SMTPMailFromRegexp and
 							# VerifiedDomain. SMTPMailFromRegexp must be set to the address used to deliver
 							# the forwarded message, e.g. '^user(|\+.*)@forward\.example$'. Changes to junk
-							# analysis: 1. Messages are not rejects for failing a DMARC policy, because a
+							# analysis: 1. Messages are not rejected for failing a DMARC policy, because a
 							# legitimate forwarded message without valid/intact/aligned DKIM signature would
 							# be rejected because any verified SPF domain will be 'unaligned', of the
 							# forwarding mail server. 2. The sending mail server IP address, and sending EHLO
@@ -835,6 +1173,31 @@ describe-static" and "mox config describe-domains":
 							# Mailbox to deliver to if this ruleset matches.
 							Mailbox:
 
+							# Free-form comments. (optional)
+							Comment:
+
+					# If non-empty, incoming delivery attempts to this destination will be rejected
+					# during SMTP RCPT TO with this error response line. Useful when a catchall
+					# address is configured for the domain and messages to some addresses should be
+					# rejected. The response line must start with an error code. Currently the
+					# following error resonse codes are allowed: 421 (temporary local error), 550
+					# (user not found). If the line consists of only an error code, an appropriate
+					# error message is added. Rejecting messages with a 4xx code invites later retries
+					# by the remote, while 5xx codes should prevent further delivery attempts.
+					# (optional)
+					SMTPError:
+
+					# If non-empty, an additional DMARC-like message authentication check is done for
+					# incoming messages, validating the domain in the From-header of the message.
+					# Messages without either an aligned SPF or aligned DKIM pass are rejected during
+					# the SMTP DATA command with a permanent error code followed by the message in
+					# this field. The domain in the message 'From' header is matched in relaxed or
+					# strict mode according to the domain's DMARC policy if present, or relaxed mode
+					# (organizational instead of exact domain match) otherwise. Useful for
+					# autoresponders that don't want to accept messages they don't want to send an
+					# automated reply to. (optional)
+					MessageAuthRequiredSMTPError:
+
 					# Full name to use in message From header when composing messages coming from this
 					# address with webmail. (optional)
 					FullName:
@@ -849,6 +1212,13 @@ describe-static" and "mox config describe-domains":
 				# How long unique values are accepted after generating, e.g. 12h.
 				Period: 0s
 
+			# Default maximum total message size in bytes for the account, overriding any
+			# globally configured default maximum size if non-zero. A negative value can be
+			# used to have no limit in case there is a limit by default. Attempting to add new
+			# messages to an account beyond its maximum total size will result in an error.
+			# Useful to prevent a single account from filling storage. (optional)
+			QuotaMessageSize: 0
+
 			# Mail that looks like spam will be rejected, but a copy can be stored temporarily
 			# in a mailbox, e.g. Rejects. If mail isn't coming in when you expect, you can
 			# look there. The mail still isn't accepted, so the remote mail server may retry
@@ -858,7 +1228,8 @@ describe-static" and "mox config describe-domains":
 			RejectsMailbox:
 
 			# Don't automatically delete mail in the RejectsMailbox listed above. This can be
-			# useful, e.g. for future spam training. (optional)
+			# useful, e.g. for future spam training. It can also cause storage to fill up.
+			# (optional)
 			KeepRejects: false
 
 			# Automatically set $Junk and $NotJunk flags based on mailbox messages are
@@ -867,11 +1238,11 @@ describe-static" and "mox config describe-domains":
 			# all move messages to a different mailbox, so this helps them. (optional)
 			AutomaticJunkFlags:
 
-				# If enabled, flags will be set automatically if they match a regular expression
-				# below. When two of the three mailbox regular expressions are set, the remaining
-				# one will match all unmatched messages. Messages are matched in the order
-				# specified and the search stops on the first match. Mailboxes are lowercased
-				# before matching.
+				# If enabled, junk/nonjunk flags will be set automatically if they match some of
+				# the regular expressions. When two of the three mailbox regular expressions are
+				# set, the remaining one will match all unmatched messages. Messages are matched
+				# in the order 'junk', 'neutral', 'not junk', and the search stops on the first
+				# match. Mailboxes are lowercased before matching.
 				Enabled: false
 
 				# Example: ^(junk|spam). (optional)
@@ -932,6 +1303,17 @@ describe-static" and "mox config describe-domains":
 			# this mail server in case of account compromise. Default 200. (optional)
 			MaxFirstTimeRecipientsPerDay: 0
 
+			# Do not apply a delay to SMTP connections before accepting an incoming message
+			# from a first-time sender. Can be useful for accounts that sends automated
+			# responses and want instant replies. (optional)
+			NoFirstTimeSenderDelay: false
+
+			# If set, this account cannot set a password of their own choice, but can only set
+			# a new randomly generated password, preventing password reuse across services and
+			# use of weak passwords. Custom account passwords can be set by the admin.
+			# (optional)
+			NoCustomPassword: false
+
 			# Routes for delivering outgoing messages through the queue. Each delivery attempt
 			# evaluates these account routes, domain routes and finally global routes. The
 			# transport of the first matching route is used in the delivery attempt. If no
@@ -961,12 +1343,15 @@ describe-static" and "mox config describe-domains":
 	WebDomainRedirects:
 		x:
 
-	# Handle webserver requests by serving static files, redirecting or
-	# reverse-proxying HTTP(s). The first matching WebHandler will handle the request.
-	# Built-in handlers, e.g. for account, admin, autoconfig and mta-sts always run
-	# first. If no handler matches, the response status code is file not found (404).
-	# If functionality you need is missng, simply forward the requests to an
-	# application that can provide the needed functionality. (optional)
+	# Handle webserver requests by serving static files, redirecting, reverse-proxying
+	# HTTP(s) or passing the request to an internal service. The first matching
+	# WebHandler will handle the request. Built-in system handlers, e.g. for ACME
+	# validation, autoconfig and mta-sts always run first. Built-in handlers for
+	# admin, account, webmail and webapi are evaluated after all handlers, including
+	# webhandlers (allowing for overrides of internal services for some domains). If
+	# no handler matches, the response status code is file not found (404). If
+	# webserver features are missing, forward the requests to an application that
+	# provides the needed functionality itself. (optional)
 	WebHandlers:
 		-
 
@@ -974,7 +1359,7 @@ describe-static" and "mox config describe-domains":
 			LogName:
 
 			# Both Domain and PathRegexp must match for this WebHandler to match a request.
-			# Exactly one of WebStatic, WebRedirect, WebForward must be set.
+			# Exactly one of WebStatic, WebRedirect, WebForward, WebInternal must be set.
 			Domain:
 
 			# Regular expression matched against request path, must always start with ^ to
@@ -1081,6 +1466,15 @@ describe-static" and "mox config describe-domains":
 				ResponseHeaders:
 					x:
 
+			# Pass request to internal service, like webmail, webapi, etc. (optional)
+			WebInternal:
+
+				# Path to use as root of internal service, e.g. /webmail/.
+				BasePath:
+
+				# Name of the service, values: admin, account, webmail, webapi.
+				Service:
+
 	# Routes for delivering outgoing messages through the queue. Each delivery attempt
 	# evaluates account routes, domain routes and finally these global routes. The
 	# transport of the first matching route is used in the delivery attempt. If no
@@ -1105,11 +1499,19 @@ describe-static" and "mox config describe-domains":
 			MinimumAttempts: 0
 			Transport:
 
+	# DNS blocklists to periodically check with if IPs we send from are present,
+	# without using them for checking incoming deliveries.. Also see DNSBLs in SMTP
+	# listeners in mox.conf, which specifies DNSBLs to use both for incoming
+	# deliveries and for checking our IPs against. Example DNSBLs: sbl.spamhaus.org,
+	# bl.spamcop.net. (optional)
+	MonitorDNSBLs:
+		-
+
 # Examples
 
 Mox includes configuration files to illustrate common setups. You can see these
-examples with "mox example", and print a specific example with "mox example
-<name>". Below are all examples included in mox.
+examples with "mox config example", and print a specific example with "mox
+config example <name>". Below are all examples included in mox.
 
 # Example webhandlers
 
@@ -1189,6 +1591,54 @@ examples with "mox example", and print a specific example with "mox example
 				ResponseHeaders:
 					X-Frame-Options: deny
 					X-Content-Type-Options: nosniff
+
+# Example transport
+
+	# Snippet for mox.conf, defining a transport called Example that connects on the
+	# SMTP submission with TLS port 465 ("submissions"), authenticating with
+	# SCRAM-SHA-256-PLUS (other providers may not support SCRAM-SHA-256-PLUS, but they
+	# typically do support the older CRAM-MD5).:
+
+	# Transport are mechanisms for delivering messages. Transports can be referenced
+	# from Routes in accounts, domains and the global configuration. There is always
+	# an implicit/fallback delivery transport doing direct delivery with SMTP from the
+	# outgoing message queue. Transports are typically only configured when using
+	# smarthosts, i.e. when delivering through another SMTP server. Zero or one
+	# transport methods must be set in a transport, never multiple. When using an
+	# external party to send email for a domain, keep in mind you may have to add
+	# their IP address to your domain's SPF record, and possibly additional DKIM
+	# records. (optional)
+	Transports:
+		Example:
+			# Submission SMTP over a TLS connection to submit email to a remote queue.
+			# (optional)
+			Submissions:
+				# Host name to connect to and for verifying its TLS certificate.
+				Host: smtp.example.com
+
+				# If set, authentication credentials for the remote server. (optional)
+				Auth:
+					Username: user@example.com
+					Password: test1234
+					Mechanisms:
+						# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS,
+						# SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default:
+						# PLAIN. Specify the strongest mechanism known to be implemented by the server to
+						# prevent mechanism downgrade attacks. (optional)
+
+						- SCRAM-SHA-256-PLUS
+
+
+	# Snippet for domains.conf, specifying a route that sends through the transport:
+
+	# Routes for delivering outgoing messages through the queue. Each delivery attempt
+	# evaluates account routes, domain routes and finally these global routes. The
+	# transport of the first matching route is used in the delivery attempt. If no
+	# routes match, which is the default with no configured routes, messages are
+	# delivered directly from the queue. (optional)
+	Routes:
+		-
+			Transport: Example
 */
 package config
 

ctl_test.go

@@ -1,26 +1,37 @@
-//go:build !quickstart && !integration
+//go:build !integration
 
 package main
 
 import (
 	"context"
+	"crypto/ed25519"
+	cryptorand "crypto/rand"
+	"crypto/x509"
 	"flag"
+	"fmt"
+	"log/slog"
+	"math/big"
 	"net"
 	"os"
 	"path/filepath"
 	"testing"
+	"time"
 
+	"github.com/mjl-/mox/config"
 	"github.com/mjl-/mox/dmarcdb"
 	"github.com/mjl-/mox/dns"
+	"github.com/mjl-/mox/imapclient"
 	"github.com/mjl-/mox/mlog"
 	"github.com/mjl-/mox/mox-"
 	"github.com/mjl-/mox/mtastsdb"
 	"github.com/mjl-/mox/queue"
+	"github.com/mjl-/mox/smtp"
 	"github.com/mjl-/mox/store"
 	"github.com/mjl-/mox/tlsrptdb"
 )
 
 var ctxbg = context.Background()
+var pkglog = mlog.New("ctl", nil)
 
 func tcheck(t *testing.T, err error, errmsg string) {
 	if err != nil {
@@ -34,156 +45,422 @@ func tcheck(t *testing.T, err error, errmsg string) {
 // unhandled errors would cause a panic.
 func TestCtl(t *testing.T) {
 	os.RemoveAll("testdata/ctl/data")
-	mox.ConfigStaticPath = filepath.FromSlash("testdata/ctl/mox.conf")
-	mox.ConfigDynamicPath = filepath.FromSlash("testdata/ctl/domains.conf")
-	if errs := mox.LoadConfig(ctxbg, true, false); len(errs) > 0 {
+	mox.ConfigStaticPath = filepath.FromSlash("testdata/ctl/config/mox.conf")
+	mox.ConfigDynamicPath = filepath.FromSlash("testdata/ctl/config/domains.conf")
+	if errs := mox.LoadConfig(ctxbg, pkglog, true, false); len(errs) > 0 {
 		t.Fatalf("loading mox config: %v", errs)
 	}
+	err := store.Init(ctxbg)
+	tcheck(t, err, "store init")
+	defer store.Close()
 	defer store.Switchboard()()
 
-	xlog := mlog.New("ctl")
+	err = queue.Init()
+	tcheck(t, err, "queue init")
+	defer queue.Shutdown()
 
-	testctl := func(fn func(clientctl *ctl)) {
+	var cid int64
+
+	testctl := func(fn func(clientxctl *ctl)) {
 		t.Helper()
 
 		cconn, sconn := net.Pipe()
-		clientctl := ctl{conn: cconn, log: xlog}
-		serverctl := ctl{conn: sconn, log: xlog}
-		go servectlcmd(ctxbg, &serverctl, func() {})
-		fn(&clientctl)
+		clientxctl := ctl{conn: cconn, log: pkglog}
+		serverxctl := ctl{conn: sconn, log: pkglog}
+		done := make(chan struct{})
+		go func() {
+			cid++
+			servectlcmd(ctxbg, &serverxctl, cid, func() {})
+			close(done)
+		}()
+		fn(&clientxctl)
 		cconn.Close()
+		<-done
 		sconn.Close()
 	}
 
 	// "deliver"
-	testctl(func(ctl *ctl) {
-		ctlcmdDeliver(ctl, "mjl@mox.example")
+	testctl(func(xctl *ctl) {
+		ctlcmdDeliver(xctl, "mjl@mox.example")
 	})
 
 	// "setaccountpassword"
-	testctl(func(ctl *ctl) {
-		ctlcmdSetaccountpassword(ctl, "mjl", "test4321")
+	testctl(func(xctl *ctl) {
+		ctlcmdSetaccountpassword(xctl, "mjl", "test4321")
 	})
 
-	err := queue.Init()
-	tcheck(t, err, "queue init")
-
-	// "queue"
-	testctl(func(ctl *ctl) {
-		ctlcmdQueueList(ctl)
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHoldrulesList(xctl)
 	})
 
-	// "queuekick"
-	testctl(func(ctl *ctl) {
-		ctlcmdQueueKick(ctl, 0, "", "", "")
+	// All messages.
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHoldrulesAdd(xctl, "", "", "")
+	})
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHoldrulesAdd(xctl, "mjl", "", "")
+	})
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHoldrulesAdd(xctl, "", "☺.mox.example", "")
+	})
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHoldrulesAdd(xctl, "mox", "☺.mox.example", "example.com")
+	})
+
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHoldrulesRemove(xctl, 1)
+	})
+
+	// Queue a message to list/change/dump.
+	msg := "Subject: subject\r\n\r\nbody\r\n"
+	msgFile, err := store.CreateMessageTemp(pkglog, "queuedump-test")
+	tcheck(t, err, "temp file")
+	_, err = msgFile.Write([]byte(msg))
+	tcheck(t, err, "write message")
+	_, err = msgFile.Seek(0, 0)
+	tcheck(t, err, "rewind message")
+	defer os.Remove(msgFile.Name())
+	defer msgFile.Close()
+	addr, err := smtp.ParseAddress("mjl@mox.example")
+	tcheck(t, err, "parse address")
+	qml := []queue.Msg{queue.MakeMsg(addr.Path(), addr.Path(), false, false, int64(len(msg)), "<random@localhost>", nil, nil, time.Now(), "subject")}
+	queue.Add(ctxbg, pkglog, "mjl", msgFile, qml...)
+	qmid := qml[0].ID
+
+	// Has entries now.
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHoldrulesList(xctl)
+	})
+
+	// "queuelist"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueList(xctl, queue.Filter{}, queue.Sort{})
+	})
+
+	// "queueholdset"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHoldSet(xctl, queue.Filter{}, true)
+	})
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHoldSet(xctl, queue.Filter{}, false)
+	})
+
+	// "queueschedule"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueSchedule(xctl, queue.Filter{}, true, time.Minute)
+	})
+
+	// "queuetransport"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueTransport(xctl, queue.Filter{}, "socks")
+	})
+
+	// "queuerequiretls"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueRequireTLS(xctl, queue.Filter{}, nil)
+	})
+
+	// "queuedump"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueDump(xctl, fmt.Sprintf("%d", qmid))
+	})
+
+	// "queuefail"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueFail(xctl, queue.Filter{})
 	})
 
 	// "queuedrop"
-	testctl(func(ctl *ctl) {
-		ctlcmdQueueDrop(ctl, 0, "", "")
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueDrop(xctl, queue.Filter{})
 	})
 
-	// no "queuedump", we don't have a message to dump, and the commands exits without a message.
+	// "queueholdruleslist"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHoldrulesList(xctl)
+	})
+
+	// "queueholdrulesadd"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHoldrulesAdd(xctl, "mjl", "", "")
+	})
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHoldrulesAdd(xctl, "mjl", "localhost", "")
+	})
+
+	// "queueholdrulesremove"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHoldrulesRemove(xctl, 2)
+	})
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHoldrulesList(xctl)
+	})
+
+	// "queuesuppresslist"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueSuppressList(xctl, "mjl")
+	})
+
+	// "queuesuppressadd"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueSuppressAdd(xctl, "mjl", "base@localhost")
+	})
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueSuppressAdd(xctl, "mjl", "other@localhost")
+	})
+
+	// "queuesuppresslookup"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueSuppressLookup(xctl, "mjl", "base@localhost")
+	})
+
+	// "queuesuppressremove"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueSuppressRemove(xctl, "mjl", "base@localhost")
+	})
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueSuppressList(xctl, "mjl")
+	})
+
+	// "queueretiredlist"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueRetiredList(xctl, queue.RetiredFilter{}, queue.RetiredSort{})
+	})
+
+	// "queueretiredprint"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueRetiredPrint(xctl, "1")
+	})
+
+	// "queuehooklist"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHookList(xctl, queue.HookFilter{}, queue.HookSort{})
+	})
+
+	// "queuehookschedule"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHookSchedule(xctl, queue.HookFilter{}, true, time.Minute)
+	})
+
+	// "queuehookprint"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHookPrint(xctl, "1")
+	})
+
+	// "queuehookcancel"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHookCancel(xctl, queue.HookFilter{})
+	})
+
+	// "queuehookretiredlist"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHookRetiredList(xctl, queue.HookRetiredFilter{}, queue.HookRetiredSort{})
+	})
+
+	// "queuehookretiredprint"
+	testctl(func(xctl *ctl) {
+		ctlcmdQueueHookRetiredPrint(xctl, "1")
+	})
 
 	// "importmbox"
-	testctl(func(ctl *ctl) {
-		ctlcmdImport(ctl, true, "mjl", "inbox", "testdata/importtest.mbox")
+	testctl(func(xctl *ctl) {
+		ctlcmdImport(xctl, true, "mjl", "inbox", "testdata/importtest.mbox")
 	})
 
 	// "importmaildir"
-	testctl(func(ctl *ctl) {
-		ctlcmdImport(ctl, false, "mjl", "inbox", "testdata/importtest.maildir")
+	testctl(func(xctl *ctl) {
+		ctlcmdImport(xctl, false, "mjl", "inbox", "testdata/importtest.maildir")
 	})
 
 	// "domainadd"
-	testctl(func(ctl *ctl) {
-		ctlcmdConfigDomainAdd(ctl, dns.Domain{ASCII: "mox2.example"}, "mjl", "")
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigDomainAdd(xctl, false, dns.Domain{ASCII: "mox2.example"}, "mjl", "")
 	})
 
 	// "accountadd"
-	testctl(func(ctl *ctl) {
-		ctlcmdConfigAccountAdd(ctl, "mjl2", "mjl2@mox2.example")
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigAccountAdd(xctl, "mjl2", "mjl2@mox2.example")
 	})
 
 	// "addressadd"
-	testctl(func(ctl *ctl) {
-		ctlcmdConfigAddressAdd(ctl, "mjl3@mox2.example", "mjl2")
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigAddressAdd(xctl, "mjl3@mox2.example", "mjl2")
 	})
 
 	// Add a message.
-	testctl(func(ctl *ctl) {
-		ctlcmdDeliver(ctl, "mjl3@mox2.example")
+	testctl(func(xctl *ctl) {
+		ctlcmdDeliver(xctl, "mjl3@mox2.example")
 	})
 	// "retrain", retrain junk filter.
-	testctl(func(ctl *ctl) {
-		ctlcmdRetrain(ctl, "mjl2")
+	testctl(func(xctl *ctl) {
+		ctlcmdRetrain(xctl, "mjl2")
 	})
 
 	// "addressrm"
-	testctl(func(ctl *ctl) {
-		ctlcmdConfigAddressRemove(ctl, "mjl3@mox2.example")
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigAddressRemove(xctl, "mjl3@mox2.example")
+	})
+
+	// "accountdisabled"
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigAccountDisabled(xctl, "mjl2", "testing")
+	})
+
+	// "accountlist"
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigAccountList(xctl)
+	})
+
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigAccountDisabled(xctl, "mjl2", "")
 	})
 
 	// "accountrm"
-	testctl(func(ctl *ctl) {
-		ctlcmdConfigAccountRemove(ctl, "mjl2")
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigAccountRemove(xctl, "mjl2")
+	})
+
+	// "domaindisabled"
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigDomainDisabled(xctl, dns.Domain{ASCII: "mox2.example"}, true)
+	})
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigDomainDisabled(xctl, dns.Domain{ASCII: "mox2.example"}, false)
 	})
 
 	// "domainrm"
-	testctl(func(ctl *ctl) {
-		ctlcmdConfigDomainRemove(ctl, dns.Domain{ASCII: "mox2.example"})
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigDomainRemove(xctl, dns.Domain{ASCII: "mox2.example"})
 	})
 
+	// "aliasadd"
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigAliasAdd(xctl, "support@mox.example", config.Alias{Addresses: []string{"mjl@mox.example"}})
+	})
+
+	// "aliaslist"
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigAliasList(xctl, "mox.example")
+	})
+
+	// "aliasprint"
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigAliasPrint(xctl, "support@mox.example")
+	})
+
+	// "aliasupdate"
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigAliasUpdate(xctl, "support@mox.example", "true", "true", "true")
+	})
+
+	// "aliasaddaddr"
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigAliasAddaddr(xctl, "support@mox.example", []string{"mjl2@mox.example"})
+	})
+
+	// "aliasrmaddr"
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigAliasRmaddr(xctl, "support@mox.example", []string{"mjl2@mox.example"})
+	})
+
+	// "aliasrm"
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigAliasRemove(xctl, "support@mox.example")
+	})
+
+	// accounttlspubkeyadd
+	certDER := fakeCert(t)
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigTlspubkeyAdd(xctl, "mjl@mox.example", "testkey", false, certDER)
+	})
+
+	// "accounttlspubkeylist"
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigTlspubkeyList(xctl, "")
+	})
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigTlspubkeyList(xctl, "mjl")
+	})
+
+	tpkl, err := store.TLSPublicKeyList(ctxbg, "")
+	tcheck(t, err, "list tls public keys")
+	if len(tpkl) != 1 {
+		t.Fatalf("got %d tls public keys, expected 1", len(tpkl))
+	}
+	fingerprint := tpkl[0].Fingerprint
+
+	// "accounttlspubkeyget"
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigTlspubkeyGet(xctl, fingerprint)
+	})
+
+	// "accounttlspubkeyrm"
+	testctl(func(xctl *ctl) {
+		ctlcmdConfigTlspubkeyRemove(xctl, fingerprint)
+	})
+
+	tpkl, err = store.TLSPublicKeyList(ctxbg, "")
+	tcheck(t, err, "list tls public keys")
+	if len(tpkl) != 0 {
+		t.Fatalf("got %d tls public keys, expected 0", len(tpkl))
+	}
+
 	// "loglevels"
-	testctl(func(ctl *ctl) {
-		ctlcmdLoglevels(ctl)
+	testctl(func(xctl *ctl) {
+		ctlcmdLoglevels(xctl)
 	})
 
 	// "setloglevels"
-	testctl(func(ctl *ctl) {
-		ctlcmdSetLoglevels(ctl, "", "debug")
+	testctl(func(xctl *ctl) {
+		ctlcmdSetLoglevels(xctl, "", "debug")
 	})
-	testctl(func(ctl *ctl) {
-		ctlcmdSetLoglevels(ctl, "smtpserver", "debug")
+	testctl(func(xctl *ctl) {
+		ctlcmdSetLoglevels(xctl, "smtpserver", "debug")
 	})
 
 	// Export data, import it again
-	xcmdExport(true, []string{filepath.FromSlash("testdata/ctl/data/tmp/export/mbox/"), filepath.FromSlash("testdata/ctl/data/accounts/mjl")}, nil)
-	xcmdExport(false, []string{filepath.FromSlash("testdata/ctl/data/tmp/export/maildir/"), filepath.FromSlash("testdata/ctl/data/accounts/mjl")}, nil)
-	testctl(func(ctl *ctl) {
-		ctlcmdImport(ctl, true, "mjl", "inbox", filepath.FromSlash("testdata/ctl/data/tmp/export/mbox/Inbox.mbox"))
+	xcmdExport(true, false, []string{filepath.FromSlash("testdata/ctl/data/tmp/export/mbox/"), filepath.FromSlash("testdata/ctl/data/accounts/mjl")}, &cmd{log: pkglog})
+	xcmdExport(false, false, []string{filepath.FromSlash("testdata/ctl/data/tmp/export/maildir/"), filepath.FromSlash("testdata/ctl/data/accounts/mjl")}, &cmd{log: pkglog})
+	testctl(func(xctl *ctl) {
+		ctlcmdImport(xctl, true, "mjl", "inbox", filepath.FromSlash("testdata/ctl/data/tmp/export/mbox/Inbox.mbox"))
 	})
-	testctl(func(ctl *ctl) {
-		ctlcmdImport(ctl, false, "mjl", "inbox", filepath.FromSlash("testdata/ctl/data/tmp/export/maildir/Inbox"))
+	testctl(func(xctl *ctl) {
+		ctlcmdImport(xctl, false, "mjl", "inbox", filepath.FromSlash("testdata/ctl/data/tmp/export/maildir/Inbox"))
 	})
 
 	// "recalculatemailboxcounts"
-	testctl(func(ctl *ctl) {
-		ctlcmdRecalculateMailboxCounts(ctl, "mjl")
+	testctl(func(xctl *ctl) {
+		ctlcmdRecalculateMailboxCounts(xctl, "mjl")
 	})
 
 	// "fixmsgsize"
-	testctl(func(ctl *ctl) {
-		ctlcmdFixmsgsize(ctl, "mjl")
+	testctl(func(xctl *ctl) {
+		ctlcmdFixmsgsize(xctl, "mjl")
 	})
-	testctl(func(ctl *ctl) {
-		acc, err := store.OpenAccount("mjl")
+	testctl(func(xctl *ctl) {
+		acc, err := store.OpenAccount(xctl.log, "mjl", false)
 		tcheck(t, err, "open account")
-		defer acc.Close()
+		defer func() {
+			acc.Close()
+			acc.WaitClosed()
+		}()
 
 		content := []byte("Subject: hi\r\n\r\nbody\r\n")
 
 		deliver := func(m *store.Message) {
 			t.Helper()
 			m.Size = int64(len(content))
-			msgf, err := store.CreateMessageTemp("ctltest")
+			msgf, err := store.CreateMessageTemp(xctl.log, "ctltest")
 			tcheck(t, err, "create temp file")
 			defer os.Remove(msgf.Name())
 			defer msgf.Close()
 			_, err = msgf.Write(content)
 			tcheck(t, err, "write message file")
-			err = acc.DeliverMailbox(xlog, "Inbox", m, msgf)
-			tcheck(t, err, "deliver message")
+
+			acc.WithWLock(func() {
+				err = acc.DeliverMailbox(xctl.log, "Inbox", m, msgf)
+				tcheck(t, err, "deliver message")
+			})
 		}
 
 		var msgBadSize store.Message
@@ -201,7 +478,7 @@ func TestCtl(t *testing.T) {
 		tcheck(t, err, "update mailbox size")
 
 		// Fix up the size.
-		ctlcmdFixmsgsize(ctl, "")
+		ctlcmdFixmsgsize(xctl, "")
 
 		err = acc.DB.Get(ctxbg, &msgBadSize)
 		tcheck(t, err, "get message")
@@ -211,39 +488,71 @@ func TestCtl(t *testing.T) {
 	})
 
 	// "reparse"
-	testctl(func(ctl *ctl) {
-		ctlcmdReparse(ctl, "mjl")
+	testctl(func(xctl *ctl) {
+		ctlcmdReparse(xctl, "mjl")
 	})
-	testctl(func(ctl *ctl) {
-		ctlcmdReparse(ctl, "")
+	testctl(func(xctl *ctl) {
+		ctlcmdReparse(xctl, "")
 	})
 
 	// "reassignthreads"
-	testctl(func(ctl *ctl) {
-		ctlcmdReassignthreads(ctl, "mjl")
+	testctl(func(xctl *ctl) {
+		ctlcmdReassignthreads(xctl, "mjl")
 	})
-	testctl(func(ctl *ctl) {
-		ctlcmdReassignthreads(ctl, "")
+	testctl(func(xctl *ctl) {
+		ctlcmdReassignthreads(xctl, "")
 	})
 
 	// "backup", backup account.
 	err = dmarcdb.Init()
 	tcheck(t, err, "dmarcdb init")
+	defer dmarcdb.Close()
 	err = mtastsdb.Init(false)
 	tcheck(t, err, "mtastsdb init")
+	defer mtastsdb.Close()
 	err = tlsrptdb.Init()
 	tcheck(t, err, "tlsrptdb init")
-	testctl(func(ctl *ctl) {
-		os.RemoveAll("testdata/ctl/data/tmp/backup-data")
+	defer tlsrptdb.Close()
+	testctl(func(xctl *ctl) {
+		os.RemoveAll("testdata/ctl/data/tmp/backup")
 		err := os.WriteFile("testdata/ctl/data/receivedid.key", make([]byte, 16), 0600)
 		tcheck(t, err, "writing receivedid.key")
-		ctlcmdBackup(ctl, filepath.FromSlash("testdata/ctl/data/tmp/backup-data"), false)
+		ctlcmdBackup(xctl, filepath.FromSlash("testdata/ctl/data/tmp/backup"), false)
 	})
 
 	// Verify the backup.
 	xcmd := cmd{
 		flag:     flag.NewFlagSet("", flag.ExitOnError),
-		flagArgs: []string{filepath.FromSlash("testdata/ctl/data/tmp/backup-data")},
+		flagArgs: []string{filepath.FromSlash("testdata/ctl/data/tmp/backup/data")},
 	}
 	cmdVerifydata(&xcmd)
+
+	// IMAP connection.
+	testctl(func(xctl *ctl) {
+		a, b := net.Pipe()
+		go func() {
+			opts := imapclient.Opts{
+				Logger: slog.Default().With("cid", mox.Cid()),
+				Error:  func(err error) { panic(err) },
+			}
+			client, err := imapclient.New(a, &opts)
+			tcheck(t, err, "new imapclient")
+			client.Select("inbox")
+			client.Logout()
+			defer a.Close()
+		}()
+		ctlcmdIMAPServe(xctl, "mjl@mox.example", b, b)
+	})
+}
+
+func fakeCert(t *testing.T) []byte {
+	t.Helper()
+	seed := make([]byte, ed25519.SeedSize)
+	privKey := ed25519.NewKeyFromSeed(seed) // Fake key, don't use this for real!
+	template := &x509.Certificate{
+		SerialNumber: big.NewInt(1), // Required field...
+	}
+	localCertBuf, err := x509.CreateCertificate(cryptorand.Reader, template, template, privKey.Public(), privKey)
+	tcheck(t, err, "making certificate")
+	return localCertBuf
 }

curves.go

@@ -0,0 +1,14 @@
+//go:build !go1.24
+
+package main
+
+import (
+	"crypto/tls"
+)
+
+var curvesList = []tls.CurveID{
+	tls.CurveP256,
+	tls.CurveP384,
+	tls.CurveP521,
+	tls.X25519,
+}

curves_go124.go

@@ -0,0 +1,15 @@
+//go:build go1.24
+
+package main
+
+import (
+	"crypto/tls"
+)
+
+var curvesList = []tls.CurveID{
+	tls.CurveP256,
+	tls.CurveP384,
+	tls.CurveP521,
+	tls.X25519,
+	tls.X25519MLKEM768,
+}

dane/dane.go

@@ -36,11 +36,11 @@
 //
 // For TLS certificate verification that requires PKIX/WebPKI/trusted-anchor
 // verification (all except DANE-EE), the potential second TLSA candidate base
-// domain name is also valid. With SMTP, additionally for hosts found in MX records
-// for a "next-hop domain", the "original next-hop domain" (domain of an email
-// address to deliver to) is also a valid name, as is the "CNAME-expanded original
-// next-hop domain", bringing the potential total allowed names to four (if CNAMEs
-// are followed for the MX hosts).
+// domain name is also a valid hostname. With SMTP, additionally for hosts found in
+// MX records for a "next-hop domain", the "original next-hop domain" (domain of an
+// email address to deliver to) is also a valid name, as is the "CNAME-expanded
+// original next-hop domain", bringing the potential total allowed names to four
+// (if CNAMEs are followed for the MX hosts).
 package dane
 
 // todo: why is https://datatracker.ietf.org/doc/html/draft-barnes-dane-uks-00 not in use? sounds reasonable.
@@ -55,33 +55,22 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
+	"log/slog"
 	"net"
 	"strings"
 	"time"
 
-	"github.com/prometheus/client_golang/prometheus"
-	"github.com/prometheus/client_golang/prometheus/promauto"
-
 	"github.com/mjl-/adns"
 
 	"github.com/mjl-/mox/dns"
 	"github.com/mjl-/mox/mlog"
-	"github.com/mjl-/mox/mox-"
+	"github.com/mjl-/mox/stub"
+	"slices"
 )
 
 var (
-	metricVerify = promauto.NewCounter(
-		prometheus.CounterOpts{
-			Name: "mox_dane_verify_total",
-			Help: "Total number of DANE verification attempts, including mox_dane_verify_errors_total.",
-		},
-	)
-	metricVerifyErrors = promauto.NewCounter(
-		prometheus.CounterOpts{
-			Name: "mox_dane_verify_errors_total",
-			Help: "Total number of DANE verification failures, causing connections to fail.",
-		},
-	)
+	MetricVerify       stub.Counter = stub.CounterIgnore{}
+	MetricVerifyErrors stub.Counter = stub.CounterIgnore{}
 )
 
 var (
@@ -116,10 +105,10 @@ func (e VerifyError) Unwrap() error {
 	return e.Err
 }
 
-// Dial looks up a DNSSEC-protected DANE TLSA record for the domain name and
+// Dial looks up DNSSEC-protected DANE TLSA records for the domain name and
 // port/service in address, checks for allowed usages, makes a network connection
-// and verifies the remote certificate against the TLSA records. If
-// verification succeeds, the verified record is returned.
+// and verifies the remote certificate against the TLSA records. If verification
+// succeeds, the verified record is returned.
 //
 // Different protocols require different usages. For example, SMTP with STARTTLS
 // for delivery only allows usages DANE-TA and DANE-EE. If allowedUsages is
@@ -132,8 +121,8 @@ func (e VerifyError) Unwrap() error {
 //     indicate DNSSEC errors.
 //   - ErrInsecure
 //   - VerifyError, potentially wrapping errors from crypto/x509.
-func Dial(ctx context.Context, resolver dns.Resolver, network, address string, allowedUsages []adns.TLSAUsage) (net.Conn, adns.TLSA, error) {
-	log := mlog.New("dane").WithContext(ctx)
+func Dial(ctx context.Context, elog *slog.Logger, resolver dns.Resolver, network, address string, allowedUsages []adns.TLSAUsage, pkixRoots *x509.CertPool) (net.Conn, adns.TLSA, error) {
+	log := mlog.New("dane", elog)
 
 	// Split host and port.
 	host, portstr, err := net.SplitHostPort(address)
@@ -226,12 +215,9 @@ func Dial(ctx context.Context, resolver dns.Resolver, network, address string, a
 	if allowedUsages != nil {
 		o := 0
 		for _, r := range records {
-			for _, usage := range allowedUsages {
-				if r.Usage == usage {
-					records[o] = r
-					o++
-					break
-				}
+			if slices.Contains(allowedUsages, r.Usage) {
+				records[o] = r
+				o++
 			}
 		}
 		records = records[:o]
@@ -272,10 +258,11 @@ func Dial(ctx context.Context, resolver dns.Resolver, network, address string, a
 	}
 
 	var verifiedRecord adns.TLSA
-	config := TLSClientConfig(log, records, baseDom, moreAllowedHosts, &verifiedRecord)
+	config := TLSClientConfig(log.Logger, records, baseDom, moreAllowedHosts, &verifiedRecord, pkixRoots)
 	tlsConn := tls.Client(conn, &config)
 	if err := tlsConn.HandshakeContext(ctx); err != nil {
-		conn.Close()
+		xerr := conn.Close()
+		log.Check(xerr, "closing connection")
 		return nil, adns.TLSA{}, err
 	}
 	return tlsConn, verifiedRecord, nil
@@ -284,7 +271,7 @@ func Dial(ctx context.Context, resolver dns.Resolver, network, address string, a
 // TLSClientConfig returns a tls.Config to be used for dialing/handshaking a
 // TLS connection with DANE verification.
 //
-// Callers should only pass records that are allowed for the use of DANE. DANE
+// Callers should only pass records that are allowed for the intended use. DANE
 // with SMTP only allows DANE-EE and DANE-TA usages, not the PKIX-usages.
 //
 // The config has InsecureSkipVerify set to true, with a custom VerifyConnection
@@ -295,13 +282,14 @@ func Dial(ctx context.Context, resolver dns.Resolver, network, address string, a
 //
 // If verifiedRecord is not nil, it is set to the record that was successfully
 // verified, if any.
-func TLSClientConfig(log *mlog.Log, records []adns.TLSA, allowedHost dns.Domain, moreAllowedHosts []dns.Domain, verifiedRecord *adns.TLSA) tls.Config {
+func TLSClientConfig(elog *slog.Logger, records []adns.TLSA, allowedHost dns.Domain, moreAllowedHosts []dns.Domain, verifiedRecord *adns.TLSA, pkixRoots *x509.CertPool) tls.Config {
+	log := mlog.New("dane", elog)
 	return tls.Config{
 		ServerName:         allowedHost.ASCII, // For SNI.
 		InsecureSkipVerify: true,
 		VerifyConnection: func(cs tls.ConnectionState) error {
-			verified, record, err := Verify(log, records, cs, allowedHost, moreAllowedHosts)
-			log.Debugx("dane verification", err, mlog.Field("verified", verified), mlog.Field("record", record))
+			verified, record, err := Verify(log.Logger, records, cs, allowedHost, moreAllowedHosts, pkixRoots)
+			log.Debugx("dane verification", err, slog.Bool("verified", verified), slog.Any("record", record))
 			if verified {
 				if verifiedRecord != nil {
 					*verifiedRecord = record
@@ -327,27 +315,33 @@ func TLSClientConfig(log *mlog.Log, records []adns.TLSA, allowedHost dns.Domain,
 //
 // When one of the records matches, Verify returns true, along with the matching
 // record and a nil error.
-// If there is no match, then in the typical case false, a zero record value and a
-// nil error is returned.
+// If there is no match, then in the typical case Verify returns: false, a zero
+// record value and a nil error.
 // If an error is encountered while verifying a record, e.g. for x509
 // trusted-anchor verification, an error may be returned, typically one or more
 // (wrapped) errors of type VerifyError.
-func Verify(log *mlog.Log, records []adns.TLSA, cs tls.ConnectionState, allowedHost dns.Domain, moreAllowedHosts []dns.Domain) (verified bool, matching adns.TLSA, rerr error) {
-	metricVerify.Inc()
+//
+// Verify is useful when DANE verification and its results has to be done
+// separately from other validation, e.g. for MTA-STS. The caller can create a
+// tls.Config with a VerifyConnection function that checks DANE and MTA-STS
+// separately.
+func Verify(elog *slog.Logger, records []adns.TLSA, cs tls.ConnectionState, allowedHost dns.Domain, moreAllowedHosts []dns.Domain, pkixRoots *x509.CertPool) (verified bool, matching adns.TLSA, rerr error) {
+	log := mlog.New("dane", elog)
+	MetricVerify.Inc()
 	if len(records) == 0 {
-		metricVerifyErrors.Inc()
+		MetricVerifyErrors.Inc()
 		return false, adns.TLSA{}, fmt.Errorf("verify requires at least one tlsa record")
 	}
 	var errs []error
 	for _, r := range records {
-		ok, err := verifySingle(log, r, cs, allowedHost, moreAllowedHosts)
+		ok, err := verifySingle(log, r, cs, allowedHost, moreAllowedHosts, pkixRoots)
 		if err != nil {
 			errs = append(errs, VerifyError{err, r})
 		} else if ok {
 			return true, r, nil
 		}
 	}
-	metricVerifyErrors.Inc()
+	MetricVerifyErrors.Inc()
 	return false, adns.TLSA{}, errors.Join(errs...)
 }
 
@@ -360,7 +354,7 @@ func Verify(log *mlog.Log, records []adns.TLSA, cs tls.ConnectionState, allowedH
 // errors while verifying certificates against a trust-anchor, an error can be
 // returned with one or more underlying x509 verification errors. A nil-nil error
 // is only returned when verified is false.
-func verifySingle(log *mlog.Log, tlsa adns.TLSA, cs tls.ConnectionState, allowedHost dns.Domain, moreAllowedHosts []dns.Domain) (verified bool, rerr error) {
+func verifySingle(log mlog.Log, tlsa adns.TLSA, cs tls.ConnectionState, allowedHost dns.Domain, moreAllowedHosts []dns.Domain, pkixRoots *x509.CertPool) (verified bool, rerr error) {
 	if len(cs.PeerCertificates) == 0 {
 		return false, fmt.Errorf("no server certificate")
 	}
@@ -397,7 +391,7 @@ func verifySingle(log *mlog.Log, tlsa adns.TLSA, cs tls.ConnectionState, allowed
 		opts := x509.VerifyOptions{
 			DNSName:       host.ASCII,
 			Intermediates: x509.NewCertPool(),
-			Roots:         mox.Conf.Static.TLS.CertPool,
+			Roots:         pkixRoots,
 		}
 		for _, cert := range cs.PeerCertificates[1:] {
 			opts.Intermediates.AddCert(cert)
@@ -453,7 +447,8 @@ func verifySingle(log *mlog.Log, tlsa adns.TLSA, cs tls.ConnectionState, allowed
 		// We set roots, so the system defaults don't get used. Verify checks the host name
 		// (set below) and checks for expiration.
 		opts := x509.VerifyOptions{
-			Roots: x509.NewCertPool(),
+			Intermediates: x509.NewCertPool(),
+			Roots:         x509.NewCertPool(),
 		}
 
 		// If the full certificate was included, we must add it to the valid roots, the TLS
@@ -470,11 +465,13 @@ func verifySingle(log *mlog.Log, tlsa adns.TLSA, cs tls.ConnectionState, allowed
 			}
 		}
 
-		for _, cert := range cs.PeerCertificates {
+		for i, cert := range cs.PeerCertificates {
 			if match(cert) {
 				opts.Roots.AddCert(cert)
 				found = true
 				break
+			} else if i > 0 {
+				opts.Intermediates.AddCert(cert)
 			}
 		}
 		if !found {
@@ -513,7 +510,7 @@ func verifySingle(log *mlog.Log, tlsa adns.TLSA, cs tls.ConnectionState, allowed
 
 	default:
 		// Unknown, perhaps defined in the future. Not an error.
-		log.Debug("unrecognized tlsa usage, skipping", mlog.Field("tlsausage", tlsa.Usage))
+		log.Debug("unrecognized tlsa usage, skipping", slog.Any("tlsausage", tlsa.Usage))
 		return false, nil
 	}
 }

dane/dane_test.go

@@ -17,15 +17,13 @@ import (
 	"reflect"
 	"strconv"
 	"sync/atomic"
-	"time"
-
 	"testing"
+	"time"
 
 	"github.com/mjl-/adns"
 
 	"github.com/mjl-/mox/dns"
 	"github.com/mjl-/mox/mlog"
-	"github.com/mjl-/mox/mox-"
 )
 
 func tcheckf(t *testing.T, err error, format string, args ...any) {
@@ -37,7 +35,7 @@ func tcheckf(t *testing.T, err error, format string, args ...any) {
 
 // Test dialing and DANE TLS verification.
 func TestDial(t *testing.T) {
-	mlog.SetConfig(map[string]mlog.Level{"": mlog.LevelDebug})
+	log := mlog.New("dane", nil)
 
 	// Create fake CA/trusted-anchor certificate.
 	taTempl := x509.Certificate{
@@ -135,11 +133,13 @@ func TestDial(t *testing.T) {
 	dialHost := "localhost"
 	var allowedUsages []adns.TLSAUsage
 
+	pkixRoots := x509.NewCertPool()
+
 	// Helper function for dialing with DANE.
 	test := func(resolver dns.Resolver, expRecord adns.TLSA, expErr any) {
 		t.Helper()
 
-		conn, record, err := Dial(context.Background(), resolver, "tcp", net.JoinHostPort(dialHost, portstr), allowedUsages)
+		conn, record, err := Dial(context.Background(), log.Logger, resolver, "tcp", net.JoinHostPort(dialHost, portstr), allowedUsages, pkixRoots)
 		if err == nil {
 			conn.Close()
 		}
@@ -455,11 +455,8 @@ func TestDial(t *testing.T) {
 	}
 	test(resolver, zeroRecord, &x509.UnknownAuthorityError{})
 
-	// Now we add the TA to the "system" trusted roots and try again.
-	pool, err := x509.SystemCertPool()
-	tcheckf(t, err, "get system certificate pool")
-	mox.Conf.Static.TLS.CertPool = pool
-	pool.AddCert(taCert)
+	// Now we add the TA to the "pkix" trusted roots and try again.
+	pkixRoots.AddCert(taCert)
 
 	// PKIXEE, will now succeed.
 	resolver = dns.MockResolver{

dane/examples_test.go

@@ -0,0 +1,32 @@
+package dane_test
+
+import (
+	"context"
+	"crypto/x509"
+	"log"
+	"log/slog"
+
+	"github.com/mjl-/adns"
+
+	"github.com/mjl-/mox/dane"
+	"github.com/mjl-/mox/dns"
+)
+
+func ExampleDial() {
+	ctx := context.Background()
+	resolver := dns.StrictResolver{}
+	usages := []adns.TLSAUsage{adns.TLSAUsageDANETA, adns.TLSAUsageDANEEE}
+	pkixRoots, err := x509.SystemCertPool()
+	if err != nil {
+		log.Fatalf("system pkix roots: %v", err)
+	}
+
+	// Connect to SMTP server, use STARTTLS, and verify TLS certificate with DANE.
+	conn, verifiedRecord, err := dane.Dial(ctx, slog.Default(), resolver, "tcp", "mx.example.com", usages, pkixRoots)
+	if err != nil {
+		log.Fatalf("dial: %v", err)
+	}
+	defer conn.Close()
+
+	log.Printf("connected, conn %v, verified record %s", conn, verifiedRecord)
+}

develop.txt

@@ -1,5 +1,34 @@
 This file has notes useful for mox developers.
 
+# Building & testing
+
+For a full build, you'll need a recent Go compiler/toolchain and nodejs/npm for
+the frontend. Run "make build" to do a full build. Run "make test" to run the
+test suite. With docker installed, you can run "make test-integration" to start
+up a few mox instances, a dns server, a postfix instance, and send email
+between them.
+
+The mox localserve command is a convenient way to test locally. Most of the
+code paths are reachable/testable with mox localserve, but some use cases will
+require a full setup.
+
+Before committing, run at least "make fmt" and "make check" (which requires
+staticcheck and ineffassign, run "make install-staticcheck install-ineffassign"
+once). Also run "make check-shadow" and fix any shadowed variables other than
+"err" (which are filtered out, but causes the command to always exit with an
+error code; run "make install-shadow" once to install the shadow command). If
+you've updated RFC references, run "make" in rfc/, it verifies the referenced
+files exist.
+
+When making changes to the public API of a package listed in
+apidiff/packages.txt, run "make genapidiff" to update the list of changes in
+the upcoming release (run "make install-apidiff" once to install the apidiff
+command).
+
+New features may be worth mentioning on the website, see website/ and
+instructions below.
+
+
 # Code style, guidelines, notes
 
 - Keep the same style as existing code.
@@ -10,6 +39,85 @@ This file has notes useful for mox developers.
   name/path manipulation. Do not remove/rename files that are still open.
 - Not all code uses adns, the DNSSEC-aware resolver. Such as code that makes
   http requests, like mtasts and autotls/autocert.
+- We don't have an internal/ directory, really just to prevent long paths in
+  the repo, and to keep all Go code matching *.go */*.go (without matching
+  vendor/). Part of the packages are reusable by other software. Those reusable
+  packages must not cause mox implementation details (such as bstore) to get out,
+  which would cause unexpected dependencies. Those packages also only expose the
+  standard slog package for logging, not our mlog package. Packages not intended
+  for reuse do use mlog as it is more convenient. Internally, we always use
+  mlog.Log to do the logging, wrapping an slog.Logger.
+- The code uses panic for error handling in quite a few places, including
+  smtpserver, imapserver and web API calls. Functions/methods, variables, struct
+  fields and types that begin with an "x" indicate they can panic on errors. Both
+  for i/o errors that are fatal for a connection, and also often for user-induced
+  errors, for example bad IMAP commands or invalid web API requests. These panics
+  are caught again at the top of a command or top of the connection. Write code
+  that is panic-safe, using defer to clean up and release resources.
+- Try to check all errors, at the minimum using mlog.Log.Check() to log an error
+  at the appropriate level. Also when just closing a file. Log messages sometimes
+  unexpectedly point out latent issues. Only when there is no point in logging,
+  for example when previous writes to stderr failed, can error logging be skipped.
+  Test code is less strict about checking errors.
+
+
+# Reusable packages
+
+Most non-server Go packages are meant to be reusable. This means internal
+details are not exposed in the API, and we don't make unneeded changes. We can
+still make breaking changes when it improves mox: We don't want to be stuck
+with bad API. Third party users aren't affected too seriously due to Go's
+minimal version selection. The reusable packages are in apidiff/packages.txt.
+We generate the incompatible changes with each release.
+
+
+# Web interfaces/frontend
+
+The web interface frontends (for webmail/, webadmin/ and webaccount/) are
+written in strict TypeScript. The web API is a simple self-documenting
+HTTP/JSON RPC API mechanism called sherpa,
+https://www.ueber.net/who/mjl/sherpa/. The web API exposes types and functions
+as implemented in Go, using https://github.com/mjl-/sherpa. API definitions in
+JSON form are generated with https://github.com/mjl-/sherpadoc. Those API
+definitions are used to generate TypeScript clients with by
+https://github.com/mjl-/sherpats/.
+
+The JavaScript that is generated from the TypeScript is included in the
+repository. This makes it available for inclusion in the binary, which is
+practical for users, and desirable given Go's reproducible builds. When
+developing, run "make" to also build the frontend code. Run "make
+install-frontend" once to install the TypeScript compiler into ./node_modules/.
+
+There are no other external (runtime or devtime) frontend dependencies. A
+light-weight abstraction over the DOM is provided by ./lib.ts. A bit more
+manual UI state management must be done compared to "frameworks", but it is
+little code, and this allows JavaScript/TypeScript developer to quickly get
+started. UI state is often encapsulated in a JavaScript object with a
+TypeScript interface exposing a "root" HTMLElement that is added to the DOM,
+and functions for accessing/changing the internal state, keeping the UI
+managable.
+
+
+# Website
+
+The content of the public website at https://www.xmox.nl is in website/, as
+markdown files. The website HTML is generated with "make genwebsite", which
+writes to website/html/ (files not committed).  The FAQ is taken from
+README.md, the protocol support table is generated from rfc/index.txt. The
+website is kept in this repository so a commit can change both the
+implementation and the documentation on the website. Some of the info in
+README.md is duplicated on the website, often more elaborate and possibly with
+a slightly less technical audience.  The website should also mostly be readable
+through the markdown in the git repo.
+
+Large files (images/videos) are in https://github.com/mjl-/mox-website-files to
+keep the repository reasonably sized.
+
+The public website may serve the content from the "website" branch. After a
+release, the main branch (with latest development code and corresponding
+changes to the website about new features) is merged into the website branch.
+Commits to the website branch (e.g. for a news item, or any other change
+unrelated to a new release) is merged back into the main branch.
 
 
 # TLS certificates
@@ -92,6 +200,7 @@ Listeners:
 				KeyFile: ../../cfssl/wildcard.$domain-key.pem
 ```
 
+
 # ACME
 
 https://github.com/letsencrypt/pebble is useful for testing with ACME. Start a
@@ -189,7 +298,7 @@ for i in 0 12; do
 done
 ```
 
-With the following "tobmox.sh" script:
+With the following "tombox.sh" script:
 
 ```
 #!/bin/sh
@@ -207,20 +316,30 @@ done
 
 - Gather feedback on recent changes.
 - Check if dependencies need updates.
+- Update to latest publicsuffix/ list.
 - Check code if there are deprecated features that can be removed.
-- Update features & roadmap in README.md
-- Write release notes.
-- Build and run tests with previous major Go release.
-- Run tests, including with race detector.
+- Generate apidiff and check if breaking changes can be prevented. Update moxtools.
+- Update features & roadmap in README.md and website.
+- Write release notes, copy from previous.
+- Build and run tests with previous major Go release, run "make docker-release" to test building images.
+- Run tests, including with race detector, also with TZ= for UTC-behaviour, and with -count 2.
 - Run integration and upgrade tests.
 - Run fuzzing tests for a while.
 - Deploy to test environment. Test the update instructions.
+- Test mox localserve on various OSes (linux, bsd, macos, windows).
 - Send and receive email through the major webmail providers, check headers.
 - Send and receive email with imap4/smtp clients.
 - Check DNS check admin page.
-- Check with https://internet.nl
-- Create git tag, push code.
-- Publish new docker image.
-- Publish signed release notes for updates.xmox.nl and update DNS record.
-- Publish new cross-referenced code/rfc to www.xmox.nl/xr/.
+- Check with https://internet.nl.
+- Move apidiff/next.txt to apidiff/<version>.txt, and create empty next.txt.
+- Add release to the Latest release & News sections of website/index.md.
+- Create git tag (note: "#" is comment, not title/header), push code.
+- Build and publish new docker image.
+- Deploy update to website.
 - Create new release on the github page, so watchers get a notification.
+  Copy/paste it manually from the tag text, and add link to download/compile
+  instructions to prevent confusion about "assets" github links to.
+- Publish new cross-referenced code/rfc to www.xmox.nl/xr/.
+- Update moxtools with latest version.
+- Update implementations support matrix.
+- Publish signed release notes for updates.xmox.nl and update DNS record.

dkim/dkim.go

@@ -21,43 +21,25 @@ import (
 	"fmt"
 	"hash"
 	"io"
+	"log/slog"
 	"strings"
 	"time"
 
-	"github.com/prometheus/client_golang/prometheus"
-	"github.com/prometheus/client_golang/prometheus/promauto"
-
-	"github.com/mjl-/mox/config"
 	"github.com/mjl-/mox/dns"
 	"github.com/mjl-/mox/mlog"
 	"github.com/mjl-/mox/moxio"
 	"github.com/mjl-/mox/publicsuffix"
 	"github.com/mjl-/mox/smtp"
+	"github.com/mjl-/mox/stub"
+	"slices"
 )
 
-var xlog = mlog.New("dkim")
+// If set, signatures for top-level domain "localhost" are accepted.
+var Localserve bool
 
 var (
-	metricSign = promauto.NewCounterVec(
-		prometheus.CounterOpts{
-			Name: "mox_dkim_sign_total",
-			Help: "DKIM messages signings, label key is the type of key, rsa or ed25519.",
-		},
-		[]string{
-			"key",
-		},
-	)
-	metricVerify = promauto.NewHistogramVec(
-		prometheus.HistogramOpts{
-			Name:    "mox_dkim_verify_duration_seconds",
-			Help:    "DKIM verify, including lookup, duration and result.",
-			Buckets: []float64{0.001, 0.005, 0.01, 0.05, 0.100, 0.5, 1, 5, 10, 20},
-		},
-		[]string{
-			"algorithm",
-			"status",
-		},
-	)
+	MetricSign   stub.CounterVec   = stub.CounterVecIgnore{}
+	MetricVerify stub.HistogramVec = stub.HistogramVecIgnore{}
 )
 
 var timeNow = time.Now // Replaced during tests.
@@ -122,12 +104,36 @@ type Result struct {
 
 // todo: use some io.Writer to hash the body and the header.
 
+// Selector holds selectors and key material to generate DKIM signatures.
+type Selector struct {
+	Hash          string   // "sha256" or the older "sha1".
+	HeaderRelaxed bool     // If the header is canonicalized in relaxed instead of simple mode.
+	BodyRelaxed   bool     // If the body is canonicalized in relaxed instead of simple mode.
+	Headers       []string // Headers to include in signature.
+
+	// Whether to "oversign" headers, ensuring additional/new values of existing
+	// headers cannot be added.
+	SealHeaders bool
+
+	// If > 0, period a signature is valid after signing, as duration, e.g. 72h. The
+	// period should be enough for delivery at the final destination, potentially with
+	// several hops/relays. In the order of days at least.
+	Expiration time.Duration
+
+	PrivateKey crypto.Signer // Either an *rsa.PrivateKey or ed25519.PrivateKey.
+	Domain     dns.Domain    // Of selector only, not FQDN.
+}
+
 // Sign returns line(s) with DKIM-Signature headers, generated according to the configuration.
-func Sign(ctx context.Context, localpart smtp.Localpart, domain dns.Domain, c config.DKIM, smtputf8 bool, msg io.ReaderAt) (headers string, rerr error) {
-	log := xlog.WithContext(ctx)
+func Sign(ctx context.Context, elog *slog.Logger, localpart smtp.Localpart, domain dns.Domain, selectors []Selector, smtputf8 bool, msg io.ReaderAt) (headers string, rerr error) {
+	log := mlog.New("dkim", elog)
 	start := timeNow()
 	defer func() {
-		log.Debugx("dkim sign result", rerr, mlog.Field("localpart", localpart), mlog.Field("domain", domain), mlog.Field("smtputf8", smtputf8), mlog.Field("duration", time.Since(start)))
+		log.Debugx("dkim sign result", rerr,
+			slog.Any("localpart", localpart),
+			slog.Any("domain", domain),
+			slog.Bool("smtputf8", smtputf8),
+			slog.Duration("duration", time.Since(start)))
 	}()
 
 	hdrs, bodyOffset, err := parseHeaders(bufio.NewReader(&moxio.AtReader{R: msg}))
@@ -151,26 +157,25 @@ func Sign(ctx context.Context, localpart smtp.Localpart, domain dns.Domain, c co
 
 	var bodyHashes = map[hashKey][]byte{}
 
-	for _, sign := range c.Sign {
-		sel := c.Selectors[sign]
+	for _, sel := range selectors {
 		sig := newSigWithDefaults()
 		sig.Version = 1
-		switch sel.Key.(type) {
+		switch sel.PrivateKey.(type) {
 		case *rsa.PrivateKey:
 			sig.AlgorithmSign = "rsa"
-			metricSign.WithLabelValues("rsa").Inc()
+			MetricSign.IncLabels("rsa")
 		case ed25519.PrivateKey:
 			sig.AlgorithmSign = "ed25519"
-			metricSign.WithLabelValues("ed25519").Inc()
+			MetricSign.IncLabels("ed25519")
 		default:
-			return "", fmt.Errorf("internal error, unknown pivate key %T", sel.Key)
+			return "", fmt.Errorf("internal error, unknown pivate key %T", sel.PrivateKey)
 		}
-		sig.AlgorithmHash = sel.HashEffective
+		sig.AlgorithmHash = sel.Hash
 		sig.Domain = domain
 		sig.Selector = sel.Domain
 		sig.Identity = &Identity{&localpart, domain}
-		sig.SignedHeaders = append([]string{}, sel.HeadersEffective...)
-		if !sel.DontSealHeaders {
+		sig.SignedHeaders = slices.Clone(sel.Headers)
+		if sel.SealHeaders {
 			// ../rfc/6376:2156
 			// Each time a header name is added to the signature, the next unused value is
 			// signed (in reverse order as they occur in the message). So we can add each
@@ -180,23 +185,23 @@ func Sign(ctx context.Context, localpart smtp.Localpart, domain dns.Domain, c co
 			for _, h := range hdrs {
 				counts[h.lkey]++
 			}
-			for _, h := range sel.HeadersEffective {
+			for _, h := range sel.Headers {
 				for j := counts[strings.ToLower(h)]; j > 0; j-- {
 					sig.SignedHeaders = append(sig.SignedHeaders, h)
 				}
 			}
 		}
 		sig.SignTime = timeNow().Unix()
-		if sel.ExpirationSeconds > 0 {
-			sig.ExpireTime = sig.SignTime + int64(sel.ExpirationSeconds)
+		if sel.Expiration > 0 {
+			sig.ExpireTime = sig.SignTime + int64(sel.Expiration/time.Second)
 		}
 
 		sig.Canonicalization = "simple"
-		if sel.Canonicalization.HeaderRelaxed {
+		if sel.HeaderRelaxed {
 			sig.Canonicalization = "relaxed"
 		}
 		sig.Canonicalization += "/"
-		if sel.Canonicalization.BodyRelaxed {
+		if sel.BodyRelaxed {
 			sig.Canonicalization += "relaxed"
 		} else {
 			sig.Canonicalization += "simple"
@@ -213,12 +218,12 @@ func Sign(ctx context.Context, localpart smtp.Localpart, domain dns.Domain, c co
 		// DKIM-Signature header.
 		// ../rfc/6376:1700
 
-		hk := hashKey{!sel.Canonicalization.BodyRelaxed, strings.ToLower(sig.AlgorithmHash)}
+		hk := hashKey{!sel.BodyRelaxed, strings.ToLower(sig.AlgorithmHash)}
 		if bh, ok := bodyHashes[hk]; ok {
 			sig.BodyHash = bh
 		} else {
 			br := bufio.NewReader(&moxio.AtReader{R: msg, Offset: int64(bodyOffset)})
-			bh, err = bodyHash(h.New(), !sel.Canonicalization.BodyRelaxed, br)
+			bh, err = bodyHash(h.New(), !sel.BodyRelaxed, br)
 			if err != nil {
 				return "", err
 			}
@@ -232,12 +237,12 @@ func Sign(ctx context.Context, localpart smtp.Localpart, domain dns.Domain, c co
 		}
 		verifySig := []byte(strings.TrimSuffix(sigh, "\r\n"))
 
-		dh, err := dataHash(h.New(), !sel.Canonicalization.HeaderRelaxed, sig, hdrs, verifySig)
+		dh, err := dataHash(h.New(), !sel.HeaderRelaxed, sig, hdrs, verifySig)
 		if err != nil {
 			return "", err
 		}
 
-		switch key := sel.Key.(type) {
+		switch key := sel.PrivateKey.(type) {
 		case *rsa.PrivateKey:
 			sig.Signature, err = key.Sign(cryptorand.Reader, dh, h)
 			if err != nil {
@@ -270,11 +275,16 @@ func Sign(ctx context.Context, localpart smtp.Localpart, domain dns.Domain, c co
 // record should be present.
 //
 // authentic indicates if DNS results were DNSSEC-verified.
-func Lookup(ctx context.Context, resolver dns.Resolver, selector, domain dns.Domain) (rstatus Status, rrecord *Record, rtxt string, authentic bool, rerr error) {
-	log := xlog.WithContext(ctx)
+func Lookup(ctx context.Context, elog *slog.Logger, resolver dns.Resolver, selector, domain dns.Domain) (rstatus Status, rrecord *Record, rtxt string, authentic bool, rerr error) {
+	log := mlog.New("dkim", elog)
 	start := timeNow()
 	defer func() {
-		log.Debugx("dkim lookup result", rerr, mlog.Field("selector", selector), mlog.Field("domain", domain), mlog.Field("status", rstatus), mlog.Field("record", rrecord), mlog.Field("duration", time.Since(start)))
+		log.Debugx("dkim lookup result", rerr,
+			slog.Any("selector", selector),
+			slog.Any("domain", domain),
+			slog.Any("status", rstatus),
+			slog.Any("record", rrecord),
+			slog.Duration("duration", time.Since(start)))
 	}()
 
 	name := selector.ASCII + "._domainkey." + domain.ASCII + "."
@@ -338,8 +348,8 @@ func Lookup(ctx context.Context, resolver dns.Resolver, selector, domain dns.Dom
 // verification failure is treated as actual failure. With ignoreTestMode
 // false, such verification failures are treated as if there is no signature by
 // returning StatusNone.
-func Verify(ctx context.Context, resolver dns.Resolver, smtputf8 bool, policy func(*Sig) error, r io.ReaderAt, ignoreTestMode bool) (results []Result, rerr error) {
-	log := xlog.WithContext(ctx)
+func Verify(ctx context.Context, elog *slog.Logger, resolver dns.Resolver, smtputf8 bool, policy func(*Sig) error, r io.ReaderAt, ignoreTestMode bool) (results []Result, rerr error) {
+	log := mlog.New("dkim", elog)
 	start := timeNow()
 	defer func() {
 		duration := float64(time.Since(start)) / float64(time.Second)
@@ -349,14 +359,19 @@ func Verify(ctx context.Context, resolver dns.Resolver, smtputf8 bool, policy fu
 				alg = r.Sig.Algorithm()
 			}
 			status := string(r.Status)
-			metricVerify.WithLabelValues(alg, status).Observe(duration)
+			MetricVerify.ObserveLabels(duration, alg, status)
 		}
 
 		if len(results) == 0 {
-			log.Debugx("dkim verify result", rerr, mlog.Field("smtputf8", smtputf8), mlog.Field("duration", time.Since(start)))
+			log.Debugx("dkim verify result", rerr, slog.Bool("smtputf8", smtputf8), slog.Duration("duration", time.Since(start)))
 		}
 		for _, result := range results {
-			log.Debugx("dkim verify result", result.Err, mlog.Field("smtputf8", smtputf8), mlog.Field("status", result.Status), mlog.Field("sig", result.Sig), mlog.Field("record", result.Record), mlog.Field("duration", time.Since(start)))
+			log.Debugx("dkim verify result", result.Err,
+				slog.Bool("smtputf8", smtputf8),
+				slog.Any("status", result.Status),
+				slog.Any("sig", result.Sig),
+				slog.Any("record", result.Record),
+				slog.Duration("duration", time.Since(start)))
 		}
 	}()
 
@@ -380,7 +395,7 @@ func Verify(ctx context.Context, resolver dns.Resolver, smtputf8 bool, policy fu
 			continue
 		}
 
-		h, canonHeaderSimple, canonDataSimple, err := checkSignatureParams(ctx, sig)
+		h, canonHeaderSimple, canonDataSimple, err := checkSignatureParams(ctx, log, sig)
 		if err != nil {
 			results = append(results, Result{StatusPermerror, sig, nil, false, err})
 			continue
@@ -394,7 +409,7 @@ func Verify(ctx context.Context, resolver dns.Resolver, smtputf8 bool, policy fu
 		}
 
 		br := bufio.NewReader(&moxio.AtReader{R: r, Offset: int64(bodyOffset)})
-		status, txt, authentic, err := verifySignature(ctx, resolver, sig, h, canonHeaderSimple, canonDataSimple, hdrs, verifySig, br, ignoreTestMode)
+		status, txt, authentic, err := verifySignature(ctx, log.Logger, resolver, sig, h, canonHeaderSimple, canonDataSimple, hdrs, verifySig, br, ignoreTestMode)
 		results = append(results, Result{status, sig, txt, authentic, err})
 	}
 	return results, nil
@@ -402,7 +417,7 @@ func Verify(ctx context.Context, resolver dns.Resolver, smtputf8 bool, policy fu
 
 // check if signature is acceptable.
 // Only looks at the signature parameters, not at the DNS record.
-func checkSignatureParams(ctx context.Context, sig *Sig) (hash crypto.Hash, canonHeaderSimple, canonBodySimple bool, rerr error) {
+func checkSignatureParams(ctx context.Context, log mlog.Log, sig *Sig) (hash crypto.Hash, canonHeaderSimple, canonBodySimple bool, rerr error) {
 	// "From" header is required, ../rfc/6376:2122 ../rfc/6376:2546
 	var from bool
 	for _, h := range sig.SignedHeaders {
@@ -431,7 +446,7 @@ func checkSignatureParams(ctx context.Context, sig *Sig) (hash crypto.Hash, cano
 	if subdom.Unicode != "" {
 		subdom.Unicode = "x." + subdom.Unicode
 	}
-	if orgDom := publicsuffix.Lookup(ctx, subdom); subdom.ASCII == orgDom.ASCII {
+	if orgDom := publicsuffix.Lookup(ctx, log.Logger, subdom); subdom.ASCII == orgDom.ASCII && !(Localserve && sig.Domain.ASCII == "localhost") {
 		return 0, false, false, fmt.Errorf("%w: %s", ErrTLD, sig.Domain)
 	}
 
@@ -480,9 +495,9 @@ func checkSignatureParams(ctx context.Context, sig *Sig) (hash crypto.Hash, cano
 }
 
 // lookup the public key in the DNS and verify the signature.
-func verifySignature(ctx context.Context, resolver dns.Resolver, sig *Sig, hash crypto.Hash, canonHeaderSimple, canonDataSimple bool, hdrs []header, verifySig []byte, body *bufio.Reader, ignoreTestMode bool) (Status, *Record, bool, error) {
+func verifySignature(ctx context.Context, elog *slog.Logger, resolver dns.Resolver, sig *Sig, hash crypto.Hash, canonHeaderSimple, canonDataSimple bool, hdrs []header, verifySig []byte, body *bufio.Reader, ignoreTestMode bool) (Status, *Record, bool, error) {
 	// ../rfc/6376:2604
-	status, record, _, authentic, err := Lookup(ctx, resolver, sig.Selector, sig.Domain)
+	status, record, _, authentic, err := Lookup(ctx, elog, resolver, sig.Selector, sig.Domain)
 	if err != nil {
 		// todo: for temporary errors, we could pass on information so caller returns a 4.7.5 ecode, ../rfc/6376:2777
 		return status, nil, authentic, err
@@ -534,7 +549,7 @@ func verifySignatureRecord(r *Record, sig *Sig, hash crypto.Hash, canonHeaderSim
 	if r.PublicKey == nil {
 		return StatusPermerror, ErrKeyRevoked
 	} else if rsaKey, ok := r.PublicKey.(*rsa.PublicKey); ok && rsaKey.N.BitLen() < 1024 {
-		// todo: find a reference that supports this.
+		// ../rfc/8301:157
 		return StatusPermerror, ErrWeakKey
 	}
 
@@ -825,8 +840,8 @@ func parseHeaders(br *bufio.Reader) ([]header, int, error) {
 			return nil, 0, fmt.Errorf("empty header key")
 		}
 		lkey = strings.ToLower(key)
-		value = append([]byte{}, t[1]...)
-		raw = append([]byte{}, line...)
+		value = slices.Clone(t[1])
+		raw = slices.Clone(line)
 	}
 	if key != "" {
 		l = append(l, header{key, lkey, value, raw})

dkim/dkim_test.go

@@ -15,10 +15,12 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/mjl-/mox/config"
 	"github.com/mjl-/mox/dns"
+	"github.com/mjl-/mox/mlog"
 )
 
+var pkglog = mlog.New("dkim", nil)
+
 func policyOK(sig *Sig) error {
 	return nil
 }
@@ -143,7 +145,7 @@ test
 		},
 	}
 
-	results, err := Verify(context.Background(), resolver, false, policyOK, strings.NewReader(message), false)
+	results, err := Verify(context.Background(), pkglog.Logger, resolver, false, policyOK, strings.NewReader(message), false)
 	if err != nil {
 		t.Fatalf("dkim verify: %v", err)
 	}
@@ -190,7 +192,7 @@ Joe.
 		},
 	}
 
-	results, err := Verify(context.Background(), resolver, false, policyOK, strings.NewReader(message), false)
+	results, err := Verify(context.Background(), pkglog.Logger, resolver, false, policyOK, strings.NewReader(message), false)
 	if err != nil {
 		t.Fatalf("dkim verify: %v", err)
 	}
@@ -219,50 +221,42 @@ test
 	rsaKey := getRSAKey(t)
 	ed25519Key := ed25519.NewKeyFromSeed(make([]byte, 32))
 
-	selrsa := config.Selector{
-		HashEffective:    "sha256",
-		Key:              rsaKey,
-		HeadersEffective: strings.Split("From,To,Cc,Bcc,Reply-To,References,In-Reply-To,Subject,Date,Message-ID,Content-Type", ","),
-		Domain:           dns.Domain{ASCII: "testrsa"},
+	selrsa := Selector{
+		Hash:       "sha256",
+		PrivateKey: rsaKey,
+		Headers:    strings.Split("From,To,Cc,Bcc,Reply-To,References,In-Reply-To,Subject,Date,Message-ID,Content-Type", ","),
+		Domain:     dns.Domain{ASCII: "testrsa"},
 	}
 
 	// Now with sha1 and relaxed canonicalization.
-	selrsa2 := config.Selector{
-		HashEffective:    "sha1",
-		Key:              rsaKey,
-		HeadersEffective: strings.Split("From,To,Cc,Bcc,Reply-To,References,In-Reply-To,Subject,Date,Message-ID,Content-Type", ","),
-		Domain:           dns.Domain{ASCII: "testrsa2"},
+	selrsa2 := Selector{
+		Hash:       "sha1",
+		PrivateKey: rsaKey,
+		Headers:    strings.Split("From,To,Cc,Bcc,Reply-To,References,In-Reply-To,Subject,Date,Message-ID,Content-Type", ","),
+		Domain:     dns.Domain{ASCII: "testrsa2"},
 	}
-	selrsa2.Canonicalization.HeaderRelaxed = true
-	selrsa2.Canonicalization.BodyRelaxed = true
+	selrsa2.HeaderRelaxed = true
+	selrsa2.BodyRelaxed = true
 
 	// Ed25519 key.
-	seled25519 := config.Selector{
-		HashEffective:    "sha256",
-		Key:              ed25519Key,
-		HeadersEffective: strings.Split("From,To,Cc,Bcc,Reply-To,References,In-Reply-To,Subject,Date,Message-ID,Content-Type", ","),
-		Domain:           dns.Domain{ASCII: "tested25519"},
+	seled25519 := Selector{
+		Hash:       "sha256",
+		PrivateKey: ed25519Key,
+		Headers:    strings.Split("From,To,Cc,Bcc,Reply-To,References,In-Reply-To,Subject,Date,Message-ID,Content-Type", ","),
+		Domain:     dns.Domain{ASCII: "tested25519"},
 	}
 	// Again ed25519, but without sealing headers. Use sha256 again, for reusing the body hash from the previous dkim-signature.
-	seled25519b := config.Selector{
-		HashEffective:    "sha256",
-		Key:              ed25519Key,
-		HeadersEffective: strings.Split("From,To,Cc,Bcc,Reply-To,Subject,Date", ","),
-		DontSealHeaders:  true,
-		Domain:           dns.Domain{ASCII: "tested25519b"},
-	}
-	dkimConf := config.DKIM{
-		Selectors: map[string]config.Selector{
-			"testrsa":      selrsa,
-			"testrsa2":     selrsa2,
-			"tested25519":  seled25519,
-			"tested25519b": seled25519b,
-		},
-		Sign: []string{"testrsa", "testrsa2", "tested25519", "tested25519b"},
+	seled25519b := Selector{
+		Hash:        "sha256",
+		PrivateKey:  ed25519Key,
+		Headers:     strings.Split("From,To,Cc,Bcc,Reply-To,Subject,Date", ","),
+		SealHeaders: true,
+		Domain:      dns.Domain{ASCII: "tested25519b"},
 	}
+	selectors := []Selector{selrsa, selrsa2, seled25519, seled25519b}
 
 	ctx := context.Background()
-	headers, err := Sign(ctx, "mjl", dns.Domain{ASCII: "mox.example"}, dkimConf, false, strings.NewReader(message))
+	headers, err := Sign(ctx, pkglog.Logger, "mjl", dns.Domain{ASCII: "mox.example"}, selectors, false, strings.NewReader(message))
 	if err != nil {
 		t.Fatalf("sign: %v", err)
 	}
@@ -293,7 +287,7 @@ test
 
 	nmsg := headers + message
 
-	results, err := Verify(ctx, resolver, false, policyOK, strings.NewReader(nmsg), false)
+	results, err := Verify(ctx, pkglog.Logger, resolver, false, policyOK, strings.NewReader(nmsg), false)
 	if err != nil {
 		t.Fatalf("verify: %s", err)
 	}
@@ -304,31 +298,31 @@ test
 	//log.Infof("nmsg\n%s", nmsg)
 
 	// Multiple From headers.
-	_, err = Sign(ctx, "mjl", dns.Domain{ASCII: "mox.example"}, dkimConf, false, strings.NewReader("From: <mjl@mox.example>\r\nFrom: <mjl@mox.example>\r\n\r\ntest"))
+	_, err = Sign(ctx, pkglog.Logger, "mjl", dns.Domain{ASCII: "mox.example"}, selectors, false, strings.NewReader("From: <mjl@mox.example>\r\nFrom: <mjl@mox.example>\r\n\r\ntest"))
 	if !errors.Is(err, ErrFrom) {
 		t.Fatalf("sign, got err %v, expected ErrFrom", err)
 	}
 
 	// No From header.
-	_, err = Sign(ctx, "mjl", dns.Domain{ASCII: "mox.example"}, dkimConf, false, strings.NewReader("Brom: <mjl@mox.example>\r\n\r\ntest"))
+	_, err = Sign(ctx, pkglog.Logger, "mjl", dns.Domain{ASCII: "mox.example"}, selectors, false, strings.NewReader("Brom: <mjl@mox.example>\r\n\r\ntest"))
 	if !errors.Is(err, ErrFrom) {
 		t.Fatalf("sign, got err %v, expected ErrFrom", err)
 	}
 
 	// Malformed headers.
-	_, err = Sign(ctx, "mjl", dns.Domain{ASCII: "mox.example"}, dkimConf, false, strings.NewReader(":\r\n\r\ntest"))
+	_, err = Sign(ctx, pkglog.Logger, "mjl", dns.Domain{ASCII: "mox.example"}, selectors, false, strings.NewReader(":\r\n\r\ntest"))
 	if !errors.Is(err, ErrHeaderMalformed) {
 		t.Fatalf("sign, got err %v, expected ErrHeaderMalformed", err)
 	}
-	_, err = Sign(ctx, "mjl", dns.Domain{ASCII: "mox.example"}, dkimConf, false, strings.NewReader(" From:<mjl@mox.example>\r\n\r\ntest"))
+	_, err = Sign(ctx, pkglog.Logger, "mjl", dns.Domain{ASCII: "mox.example"}, selectors, false, strings.NewReader(" From:<mjl@mox.example>\r\n\r\ntest"))
 	if !errors.Is(err, ErrHeaderMalformed) {
 		t.Fatalf("sign, got err %v, expected ErrHeaderMalformed", err)
 	}
-	_, err = Sign(ctx, "mjl", dns.Domain{ASCII: "mox.example"}, dkimConf, false, strings.NewReader("Frøm:<mjl@mox.example>\r\n\r\ntest"))
+	_, err = Sign(ctx, pkglog.Logger, "mjl", dns.Domain{ASCII: "mox.example"}, selectors, false, strings.NewReader("Frøm:<mjl@mox.example>\r\n\r\ntest"))
 	if !errors.Is(err, ErrHeaderMalformed) {
 		t.Fatalf("sign, got err %v, expected ErrHeaderMalformed", err)
 	}
-	_, err = Sign(ctx, "mjl", dns.Domain{ASCII: "mox.example"}, dkimConf, false, strings.NewReader("From:<mjl@mox.example>"))
+	_, err = Sign(ctx, pkglog.Logger, "mjl", dns.Domain{ASCII: "mox.example"}, selectors, false, strings.NewReader("From:<mjl@mox.example>"))
 	if !errors.Is(err, ErrHeaderMalformed) {
 		t.Fatalf("sign, got err %v, expected ErrHeaderMalformed", err)
 	}
@@ -355,9 +349,9 @@ test
 	var record *Record
 	var recordTxt string
 	var msg string
-	var sel config.Selector
-	var dkimConf config.DKIM
 	var policy func(*Sig) error
+	var sel Selector
+	var selectors []Selector
 	var signed bool
 	var signDomain dns.Domain
 
@@ -386,18 +380,13 @@ test
 			},
 		}
 
-		sel = config.Selector{
-			HashEffective:    "sha256",
-			Key:              key,
-			HeadersEffective: strings.Split("From,To,Cc,Bcc,Reply-To,References,In-Reply-To,Subject,Date,Message-ID,Content-Type", ","),
-			Domain:           dns.Domain{ASCII: "test"},
-		}
-		dkimConf = config.DKIM{
-			Selectors: map[string]config.Selector{
-				"test": sel,
-			},
-			Sign: []string{"test"},
+		sel = Selector{
+			Hash:       "sha256",
+			PrivateKey: key,
+			Headers:    strings.Split("From,To,Cc,Bcc,Reply-To,References,In-Reply-To,Subject,Date,Message-ID,Content-Type", ","),
+			Domain:     dns.Domain{ASCII: "test"},
 		}
+		selectors = []Selector{sel}
 
 		msg = message
 		signed = false
@@ -408,7 +397,7 @@ test
 
 		msg = strings.ReplaceAll(msg, "\n", "\r\n")
 
-		headers, err := Sign(context.Background(), "mjl", signDomain, dkimConf, false, strings.NewReader(msg))
+		headers, err := Sign(context.Background(), pkglog.Logger, "mjl", signDomain, selectors, false, strings.NewReader(msg))
 		if err != nil {
 			t.Fatalf("sign: %v", err)
 		}
@@ -425,7 +414,7 @@ test
 			sign()
 		}
 
-		results, err := Verify(context.Background(), resolver, true, policy, strings.NewReader(msg), false)
+		results, err := Verify(context.Background(), pkglog.Logger, resolver, true, policy, strings.NewReader(msg), false)
 		if (err == nil) != (expErr == nil) || err != nil && !errors.Is(err, expErr) {
 			t.Fatalf("got verify error %v, expected %v", err, expErr)
 		}
@@ -512,11 +501,9 @@ test
 	})
 	// Unknown canonicalization.
 	test(nil, StatusPermerror, ErrCanonicalizationUnknown, func() {
-		sel.Canonicalization.HeaderRelaxed = true
-		sel.Canonicalization.BodyRelaxed = true
-		dkimConf.Selectors = map[string]config.Selector{
-			"test": sel,
-		}
+		sel.HeaderRelaxed = true
+		sel.BodyRelaxed = true
+		selectors = []Selector{sel}
 
 		sign()
 		msg = strings.ReplaceAll(msg, "relaxed/relaxed", "bogus/bogus")
@@ -574,10 +561,8 @@ test
 		resolver.TXT = map[string][]string{
 			"test._domainkey.mox.example.": {txt},
 		}
-		sel.Key = key
-		dkimConf.Selectors = map[string]config.Selector{
-			"test": sel,
-		}
+		sel.PrivateKey = key
+		selectors = []Selector{sel}
 	})
 	// Key not allowed for email by DNS record. ../rfc/6376:1541
 	test(nil, StatusPermerror, ErrKeyNotForEmail, func() {
@@ -600,18 +585,14 @@ test
 
 	// Check that last-occurring header field is used.
 	test(nil, StatusFail, ErrSigVerify, func() {
-		sel.DontSealHeaders = true
-		dkimConf.Selectors = map[string]config.Selector{
-			"test": sel,
-		}
+		sel.SealHeaders = false
+		selectors = []Selector{sel}
 		sign()
 		msg = strings.ReplaceAll(msg, "\r\n\r\n", "\r\nsubject: another\r\n\r\n")
 	})
 	test(nil, StatusPass, nil, func() {
-		sel.DontSealHeaders = true
-		dkimConf.Selectors = map[string]config.Selector{
-			"test": sel,
-		}
+		sel.SealHeaders = false
+		selectors = []Selector{sel}
 		sign()
 		msg = "subject: another\r\n" + msg
 	})

dkim/parser.go

@@ -6,11 +6,15 @@ import (
 	"strconv"
 	"strings"
 
+	"golang.org/x/text/unicode/norm"
+
 	"github.com/mjl-/mox/dns"
-	"github.com/mjl-/mox/moxvar"
 	"github.com/mjl-/mox/smtp"
 )
 
+// Pedantic enables stricter parsing.
+var Pedantic bool
+
 type parseErr string
 
 func (e parseErr) Error() string {
@@ -200,7 +204,7 @@ func (p *parser) xdomainselector(isselector bool) dns.Domain {
 		// domain names must always be a-labels, ../rfc/6376:1115 ../rfc/6376:1187 ../rfc/6376:1303
 		// dkim selectors with underscores happen in the wild, accept them when not in
 		// pedantic mode. ../rfc/6376:581 ../rfc/5321:2303
-		return isalphadigit(c) || (i > 0 && (c == '-' || isselector && !moxvar.Pedantic && c == '_') && p.o+1 < len(p.s))
+		return isalphadigit(c) || (i > 0 && (c == '-' || isselector && !Pedantic && c == '_') && p.o+1 < len(p.s))
 	}
 	s := p.xtakefn1(false, subdomain)
 	for p.hasPrefix(".") {
@@ -273,11 +277,11 @@ func (p *parser) xlocalpart() smtp.Localpart {
 		}
 	}
 	// In the wild, some services use large localparts for generated (bounce) addresses.
-	if moxvar.Pedantic && len(s) > 64 || len(s) > 128 {
+	if Pedantic && len(s) > 64 || len(s) > 128 {
 		// ../rfc/5321:3486
 		p.xerrorf("localpart longer than 64 octets")
 	}
-	return smtp.Localpart(s)
+	return smtp.Localpart(norm.NFC.String(s))
 }
 
 func (p *parser) xquotedString() string {

dkim/sig.go

@@ -117,7 +117,7 @@ func (s *Sig) Header() (string, error) {
 			} else if i == len(s.SignedHeaders)-1 {
 				v += ";"
 			}
-			w.Addf(sep, v)
+			w.Addf(sep, "%s", v)
 		}
 	}
 	if len(s.CopiedHeaders) > 0 {
@@ -139,7 +139,7 @@ func (s *Sig) Header() (string, error) {
 			} else if i == len(s.CopiedHeaders)-1 {
 				v += ";"
 			}
-			w.Addf(sep, v)
+			w.Addf(sep, "%s", v)
 		}
 	}
 
@@ -147,7 +147,7 @@ func (s *Sig) Header() (string, error) {
 
 	w.Addf(" ", "b=")
 	if len(s.Signature) > 0 {
-		w.AddWrap([]byte(base64.StdEncoding.EncodeToString(s.Signature)))
+		w.AddWrap([]byte(base64.StdEncoding.EncodeToString(s.Signature)), false)
 	}
 	w.Add("\r\n")
 	return w.String(), nil

dkim/txt_test.go

@@ -32,7 +32,7 @@ func TestParseRecord(t *testing.T) {
 		}
 		if r != nil {
 			pk := r.Pubkey
-			for i := 0; i < 2; i++ {
+			for range 2 {
 				ntxt, err := r.Record()
 				if err != nil {
 					t.Fatalf("making record: %v", err)

dmarc/dmarc.go

@@ -14,34 +14,20 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	mathrand "math/rand"
+	"log/slog"
+	mathrand2 "math/rand/v2"
 	"time"
 
-	"github.com/prometheus/client_golang/prometheus"
-	"github.com/prometheus/client_golang/prometheus/promauto"
-
 	"github.com/mjl-/mox/dkim"
 	"github.com/mjl-/mox/dns"
 	"github.com/mjl-/mox/mlog"
 	"github.com/mjl-/mox/publicsuffix"
 	"github.com/mjl-/mox/spf"
+	"github.com/mjl-/mox/stub"
 )
 
-var xlog = mlog.New("dmarc")
-
 var (
-	metricDMARCVerify = promauto.NewHistogramVec(
-		prometheus.HistogramOpts{
-			Name:    "mox_dmarc_verify_duration_seconds",
-			Help:    "DMARC verify, including lookup, duration and result.",
-			Buckets: []float64{0.001, 0.005, 0.01, 0.05, 0.100, 0.5, 1, 5, 10, 20},
-		},
-		[]string{
-			"status",
-			"reject", // yes/no
-			"use",    // yes/no, if policy is used after random selection
-		},
-	)
+	MetricVerify stub.HistogramVec = stub.HistogramVecIgnore{}
 )
 
 // link errata:
@@ -71,7 +57,8 @@ const (
 // Result is a DMARC policy evaluation.
 type Result struct {
 	// Whether to reject the message based on policies. If false, the message should
-	// not necessarily be accepted, e.g. due to reputation or content-based analysis.
+	// not necessarily be accepted: other checks such as reputation-based and
+	// content-based analysis may lead to reject the message.
 	Reject bool
 	// Result of DMARC validation. A message can fail validation, but still
 	// not be rejected, e.g. if the policy is "none".
@@ -99,23 +86,28 @@ type Result struct {
 // domain is the domain with the DMARC record.
 //
 // rauthentic indicates if the DNS results were DNSSEC-verified.
-func Lookup(ctx context.Context, resolver dns.Resolver, from dns.Domain) (status Status, domain dns.Domain, record *Record, txt string, rauthentic bool, rerr error) {
-	log := xlog.WithContext(ctx)
+func Lookup(ctx context.Context, elog *slog.Logger, resolver dns.Resolver, msgFrom dns.Domain) (status Status, domain dns.Domain, record *Record, txt string, rauthentic bool, rerr error) {
+	log := mlog.New("dmarc", elog)
 	start := time.Now()
 	defer func() {
-		log.Debugx("dmarc lookup result", rerr, mlog.Field("fromdomain", from), mlog.Field("status", status), mlog.Field("domain", domain), mlog.Field("record", record), mlog.Field("duration", time.Since(start)))
+		log.Debugx("dmarc lookup result", rerr,
+			slog.Any("fromdomain", msgFrom),
+			slog.Any("status", status),
+			slog.Any("domain", domain),
+			slog.Any("record", record),
+			slog.Duration("duration", time.Since(start)))
 	}()
 
 	// ../rfc/7489:859 ../rfc/7489:1370
-	domain = from
+	domain = msgFrom
 	status, record, txt, authentic, err := lookupRecord(ctx, resolver, domain)
 	if status != StatusNone {
 		return status, domain, record, txt, authentic, err
 	}
 	if record == nil {
 		// ../rfc/7489:761 ../rfc/7489:1377
-		domain = publicsuffix.Lookup(ctx, from)
-		if domain == from {
+		domain = publicsuffix.Lookup(ctx, log.Logger, msgFrom)
+		if domain == msgFrom {
 			return StatusNone, domain, nil, txt, authentic, err
 		}
 
@@ -202,11 +194,16 @@ func lookupReportsRecord(ctx context.Context, resolver dns.Resolver, dmarcDomain
 // example in RFC 7489.
 //
 // authentic indicates if the DNS results were DNSSEC-verified.
-func LookupExternalReportsAccepted(ctx context.Context, resolver dns.Resolver, dmarcDomain dns.Domain, extDestDomain dns.Domain) (accepts bool, status Status, records []*Record, txts []string, authentic bool, rerr error) {
-	log := xlog.WithContext(ctx)
+func LookupExternalReportsAccepted(ctx context.Context, elog *slog.Logger, resolver dns.Resolver, dmarcDomain dns.Domain, extDestDomain dns.Domain) (accepts bool, status Status, records []*Record, txts []string, authentic bool, rerr error) {
+	log := mlog.New("dmarc", elog)
 	start := time.Now()
 	defer func() {
-		log.Debugx("dmarc externalreports result", rerr, mlog.Field("accepts", accepts), mlog.Field("dmarcdomain", dmarcDomain), mlog.Field("extdestdomain", extDestDomain), mlog.Field("records", records), mlog.Field("duration", time.Since(start)))
+		log.Debugx("dmarc externalreports result", rerr,
+			slog.Bool("accepts", accepts),
+			slog.Any("dmarcdomain", dmarcDomain),
+			slog.Any("extdestdomain", extDestDomain),
+			slog.Any("records", records),
+			slog.Duration("duration", time.Since(start)))
 	}()
 
 	status, records, txts, authentic, rerr = lookupReportsRecord(ctx, resolver, dmarcDomain, extDestDomain)
@@ -225,9 +222,10 @@ func LookupExternalReportsAccepted(ctx context.Context, resolver dns.Resolver, d
 // Verify always returns the result of verifying the DMARC policy
 // against the message (for inclusion in Authentication-Result headers).
 //
-// useResult indicates if the result should be applied in a policy decision.
-func Verify(ctx context.Context, resolver dns.Resolver, from dns.Domain, dkimResults []dkim.Result, spfResult spf.Status, spfIdentity *dns.Domain, applyRandomPercentage bool) (useResult bool, result Result) {
-	log := xlog.WithContext(ctx)
+// useResult indicates if the result should be applied in a policy decision,
+// based on the "pct" field in the DMARC record.
+func Verify(ctx context.Context, elog *slog.Logger, resolver dns.Resolver, msgFrom dns.Domain, dkimResults []dkim.Result, spfResult spf.Status, spfIdentity *dns.Domain, applyRandomPercentage bool) (useResult bool, result Result) {
+	log := mlog.New("dmarc", elog)
 	start := time.Now()
 	defer func() {
 		use := "no"
@@ -238,11 +236,18 @@ func Verify(ctx context.Context, resolver dns.Resolver, from dns.Domain, dkimRes
 		if result.Reject {
 			reject = "yes"
 		}
-		metricDMARCVerify.WithLabelValues(string(result.Status), reject, use).Observe(float64(time.Since(start)) / float64(time.Second))
-		log.Debugx("dmarc verify result", result.Err, mlog.Field("fromdomain", from), mlog.Field("dkimresults", dkimResults), mlog.Field("spfresult", spfResult), mlog.Field("status", result.Status), mlog.Field("reject", result.Reject), mlog.Field("use", useResult), mlog.Field("duration", time.Since(start)))
+		MetricVerify.ObserveLabels(float64(time.Since(start))/float64(time.Second), string(result.Status), reject, use)
+		log.Debugx("dmarc verify result", result.Err,
+			slog.Any("fromdomain", msgFrom),
+			slog.Any("dkimresults", dkimResults),
+			slog.Any("spfresult", spfResult),
+			slog.Any("status", result.Status),
+			slog.Bool("reject", result.Reject),
+			slog.Bool("use", useResult),
+			slog.Duration("duration", time.Since(start)))
 	}()
 
-	status, recordDomain, record, _, authentic, err := Lookup(ctx, resolver, from)
+	status, recordDomain, record, _, authentic, err := Lookup(ctx, log.Logger, resolver, msgFrom)
 	if record == nil {
 		return false, Result{false, status, false, false, recordDomain, record, authentic, err}
 	}
@@ -252,12 +257,12 @@ func Verify(ctx context.Context, resolver dns.Resolver, from dns.Domain, dkimRes
 
 	// Record can request sampling of messages to apply policy.
 	// See ../rfc/7489:1432
-	useResult = !applyRandomPercentage || record.Percentage == 100 || mathrand.Intn(100) < record.Percentage
+	useResult = !applyRandomPercentage || record.Percentage == 100 || mathrand2.IntN(100) < record.Percentage
 
 	// We treat "quarantine" and "reject" the same. Thus, we also don't "downgrade"
 	// from reject to quarantine if this message was sampled out.
 	// ../rfc/7489:1446 ../rfc/7489:1024
-	if recordDomain != from && record.SubdomainPolicy != PolicyEmpty {
+	if recordDomain != msgFrom && record.SubdomainPolicy != PolicyEmpty {
 		result.Reject = record.SubdomainPolicy != PolicyNone
 	} else {
 		result.Reject = record.Policy != PolicyNone
@@ -277,14 +282,14 @@ func Verify(ctx context.Context, resolver dns.Resolver, from dns.Domain, dkimRes
 		if r, ok := pubsuffixes[name]; ok {
 			return r
 		}
-		r := publicsuffix.Lookup(ctx, name)
+		r := publicsuffix.Lookup(ctx, log.Logger, name)
 		pubsuffixes[name] = r
 		return r
 	}
 
 	// ../rfc/7489:1319
 	// ../rfc/7489:544
-	if spfResult == spf.StatusPass && spfIdentity != nil && (*spfIdentity == from || result.Record.ASPF == "r" && pubsuffix(from) == pubsuffix(*spfIdentity)) {
+	if spfResult == spf.StatusPass && spfIdentity != nil && (*spfIdentity == msgFrom || result.Record.ASPF == "r" && pubsuffix(msgFrom) == pubsuffix(*spfIdentity)) {
 		result.AlignedSPFPass = true
 	}
 
@@ -295,7 +300,7 @@ func Verify(ctx context.Context, resolver dns.Resolver, from dns.Domain, dkimRes
 			continue
 		}
 		// ../rfc/7489:511
-		if dkimResult.Status == dkim.StatusPass && dkimResult.Sig != nil && (dkimResult.Sig.Domain == from || result.Record.ADKIM == "r" && pubsuffix(from) == pubsuffix(dkimResult.Sig.Domain)) {
+		if dkimResult.Status == dkim.StatusPass && dkimResult.Sig != nil && (dkimResult.Sig.Domain == msgFrom || result.Record.ADKIM == "r" && pubsuffix(msgFrom) == pubsuffix(dkimResult.Sig.Domain)) {
 			// ../rfc/7489:535
 			result.AlignedDKIMPass = true
 			break

dmarc/dmarc_test.go

@@ -8,9 +8,12 @@ import (
 
 	"github.com/mjl-/mox/dkim"
 	"github.com/mjl-/mox/dns"
+	"github.com/mjl-/mox/mlog"
 	"github.com/mjl-/mox/spf"
 )
 
+var pkglog = mlog.New("dmarc", nil)
+
 func TestLookup(t *testing.T) {
 	resolver := dns.MockResolver{
 		TXT: map[string][]string{
@@ -29,7 +32,7 @@ func TestLookup(t *testing.T) {
 	test := func(d string, expStatus Status, expDomain string, expRecord *Record, expErr error) {
 		t.Helper()
 
-		status, dom, record, _, _, err := Lookup(context.Background(), resolver, dns.Domain{ASCII: d})
+		status, dom, record, _, _, err := Lookup(context.Background(), pkglog.Logger, resolver, dns.Domain{ASCII: d})
 		if (err == nil) != (expErr == nil) || err != nil && !errors.Is(err, expErr) {
 			t.Fatalf("got err %#v, expected %#v", err, expErr)
 		}
@@ -68,7 +71,7 @@ func TestLookupExternalReportsAccepted(t *testing.T) {
 	test := func(dom, extdom string, expStatus Status, expAccepts bool, expErr error) {
 		t.Helper()
 
-		accepts, status, _, _, _, err := LookupExternalReportsAccepted(context.Background(), resolver, dns.Domain{ASCII: dom}, dns.Domain{ASCII: extdom})
+		accepts, status, _, _, _, err := LookupExternalReportsAccepted(context.Background(), pkglog.Logger, resolver, dns.Domain{ASCII: dom}, dns.Domain{ASCII: extdom})
 		if (err == nil) != (expErr == nil) || err != nil && !errors.Is(err, expErr) {
 			t.Fatalf("got err %#v, expected %#v", err, expErr)
 		}
@@ -124,7 +127,7 @@ func TestVerify(t *testing.T) {
 		if err != nil {
 			t.Fatalf("parsing domain: %v", err)
 		}
-		useResult, result := Verify(context.Background(), resolver, from, dkimResults, spfResult, spfIdentity, true)
+		useResult, result := Verify(context.Background(), pkglog.Logger, resolver, from, dkimResults, spfResult, spfIdentity, true)
 		if useResult != expUseResult || !equalResult(result, expResult) {
 			t.Fatalf("verify: got useResult %v, result %#v, expected %v %#v", useResult, result, expUseResult, expResult)
 		}

dmarc/examples_test.go

@@ -0,0 +1,85 @@
+package dmarc_test
+
+import (
+	"context"
+	"log"
+	"log/slog"
+	"net"
+	"strings"
+
+	"github.com/mjl-/mox/dkim"
+	"github.com/mjl-/mox/dmarc"
+	"github.com/mjl-/mox/dns"
+	"github.com/mjl-/mox/message"
+	"github.com/mjl-/mox/spf"
+)
+
+func ExampleLookup() {
+	ctx := context.Background()
+	resolver := dns.StrictResolver{}
+	msgFrom, err := dns.ParseDomain("sub.example.com")
+	if err != nil {
+		log.Fatalf("parsing from domain: %v", err)
+	}
+
+	// Lookup DMARC DNS record for domain.
+	status, domain, record, txt, authentic, err := dmarc.Lookup(ctx, slog.Default(), resolver, msgFrom)
+	if err != nil {
+		log.Fatalf("dmarc lookup: %v", err)
+	}
+
+	log.Printf("status %s, domain %s, record %v, txt %q, dnssec %v", status, domain, record, txt, authentic)
+}
+
+func ExampleVerify() {
+	ctx := context.Background()
+	resolver := dns.StrictResolver{}
+
+	// Message to verify.
+	msg := strings.NewReader("From: <sender@example.com>\r\nMore: headers\r\n\r\nBody\r\n")
+	msgFrom, _, _, err := message.From(slog.Default(), true, msg, nil)
+	if err != nil {
+		log.Fatalf("parsing message for from header: %v", err)
+	}
+
+	// Verify SPF, for use with DMARC.
+	args := spf.Args{
+		RemoteIP:       net.ParseIP("10.11.12.13"),
+		MailFromDomain: dns.Domain{ASCII: "sub.example.com"},
+	}
+	spfReceived, spfDomain, _, _, err := spf.Verify(ctx, slog.Default(), resolver, args)
+	if err != nil {
+		log.Printf("verifying spf: %v", err)
+	}
+
+	// Verify DKIM-Signature headers, for use with DMARC.
+	smtputf8 := false
+	ignoreTestMode := false
+	dkimResults, err := dkim.Verify(ctx, slog.Default(), resolver, smtputf8, dkim.DefaultPolicy, msg, ignoreTestMode)
+	if err != nil {
+		log.Printf("verifying dkim: %v", err)
+	}
+
+	// Verify DMARC, based on DKIM and SPF results.
+	applyRandomPercentage := true
+	useResult, result := dmarc.Verify(ctx, slog.Default(), resolver, msgFrom.Domain, dkimResults, spfReceived.Result, &spfDomain, applyRandomPercentage)
+
+	// Print results.
+	log.Printf("dmarc status: %s", result.Status)
+	log.Printf("use result: %v", useResult)
+	if useResult && result.Reject {
+		log.Printf("should reject message")
+	}
+	log.Printf("result: %#v", result)
+}
+
+func ExampleParseRecord() {
+	txt := "v=DMARC1; p=reject; rua=mailto:postmaster@mox.example"
+
+	record, isdmarc, err := dmarc.ParseRecord(txt)
+	if err != nil {
+		log.Fatalf("parsing dmarc record: %v (isdmarc: %v)", err, isdmarc)
+	}
+
+	log.Printf("parsed record: %v", record)
+}

dmarc/parse.go

@@ -19,12 +19,17 @@ func (e parseErr) Error() string {
 // for easy comparison.
 //
 // DefaultRecord provides default values for tags not present in s.
+//
+// isdmarc indicates if the record starts tag "v" with value "DMARC1", and should
+// be treated as a valid DMARC record. Used to detect possibly multiple DMARC
+// records (invalid) for a domain with multiple TXT record (quite common).
 func ParseRecord(s string) (record *Record, isdmarc bool, rerr error) {
 	return parseRecord(s, true)
 }
 
 // ParseRecordNoRequired is like ParseRecord, but don't check for required fields
-// for regular DMARC records. Useful for checking the _report._dmarc record.
+// for regular DMARC records. Useful for checking the _report._dmarc record,
+// used for opting into receiving reports for other domains.
 func ParseRecordNoRequired(s string) (record *Record, isdmarc bool, rerr error) {
 	return parseRecord(s, false)
 }
@@ -87,9 +92,9 @@ func parseRecord(s string, checkRequired bool) (record *Record, isdmarc bool, re
 				// ../rfc/7489:1105
 				p.xerrorf("p= (policy) must be first tag")
 			}
-			r.Policy = DMARCPolicy(p.xtakelist("none", "quarantine", "reject"))
+			r.Policy = Policy(p.xtakelist("none", "quarantine", "reject"))
 		case "sp":
-			r.SubdomainPolicy = DMARCPolicy(p.xkeyword())
+			r.SubdomainPolicy = Policy(p.xkeyword())
 			// note: we check if the value is valid before returning.
 		case "rua":
 			r.AggregateReportAddresses = append(r.AggregateReportAddresses, p.xuri())

dmarc/txt.go

@@ -5,18 +5,16 @@ import (
 	"strings"
 )
 
-// todo: DMARCPolicy should be named just Policy, but this is causing conflicting types in sherpadoc output. should somehow get the dmarc-prefix only in the sherpadoc.
-
 // Policy as used in DMARC DNS record for "p=" or "sp=".
-type DMARCPolicy string
+type Policy string
 
 // ../rfc/7489:1157
 
 const (
-	PolicyEmpty      DMARCPolicy = "" // Only for the optional Record.SubdomainPolicy.
-	PolicyNone       DMARCPolicy = "none"
-	PolicyQuarantine DMARCPolicy = "quarantine"
-	PolicyReject     DMARCPolicy = "reject"
+	PolicyEmpty      Policy = "" // Only for the optional Record.SubdomainPolicy.
+	PolicyNone       Policy = "none"
+	PolicyQuarantine Policy = "quarantine"
+	PolicyReject     Policy = "reject"
 )
 
 // URI is a destination address for reporting.
@@ -55,17 +53,17 @@ const (
 //
 //	v=DMARC1; p=reject; rua=mailto:postmaster@mox.example
 type Record struct {
-	Version                    string      // "v=DMARC1"
-	Policy                     DMARCPolicy // Required, for "p=".
-	SubdomainPolicy            DMARCPolicy // Like policy but for subdomains. Optional, for "sp=".
-	AggregateReportAddresses   []URI       // Optional, for "rua=".
-	FailureReportAddresses     []URI       // Optional, for "ruf="
-	ADKIM                      Align       // "r" (default) for relaxed or "s" for simple. For "adkim=".
-	ASPF                       Align       // "r" (default) for relaxed or "s" for simple. For "aspf=".
-	AggregateReportingInterval int         // Default 86400. For "ri="
-	FailureReportingOptions    []string    // "0" (default), "1", "d", "s". For "fo=".
-	ReportingFormat            []string    // "afrf" (default). Ffor "rf=".
-	Percentage                 int         // Between 0 and 100, default 100. For "pct=".
+	Version                    string   // "v=DMARC1", fixed.
+	Policy                     Policy   // Required, for "p=".
+	SubdomainPolicy            Policy   // Like policy but for subdomains. Optional, for "sp=".
+	AggregateReportAddresses   []URI    // Optional, for "rua=". Destination addresses for aggregate reports.
+	FailureReportAddresses     []URI    // Optional, for "ruf=". Destination addresses for failure reports.
+	ADKIM                      Align    // Alignment: "r" (default) for relaxed or "s" for simple. For "adkim=".
+	ASPF                       Align    // Alignment: "r" (default) for relaxed or "s" for simple. For "aspf=".
+	AggregateReportingInterval int      // In seconds, default 86400. For "ri="
+	FailureReportingOptions    []string // "0" (default), "1", "d", "s". For "fo=".
+	ReportingFormat            []string // "afrf" (default). For "rf=".
+	Percentage                 int      // Between 0 and 100, default 100. For "pct=". Policy applies randomly to this percentage of messages.
 }
 
 // DefaultRecord holds the defaults for a DMARC record.

dmarcdb/dmarcdb.go

@@ -11,7 +11,17 @@
 package dmarcdb
 
 import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/mjl-/bstore"
+
+	"github.com/mjl-/mox/mlog"
 	"github.com/mjl-/mox/mox-"
+	"github.com/mjl-/mox/moxvar"
 )
 
 // Init opens the databases.
@@ -19,11 +29,49 @@ import (
 // The incoming reports and evaluations for outgoing reports are in separate
 // databases for simpler file-based handling of the databases.
 func Init() error {
-	if _, err := reportsDB(mox.Shutdown); err != nil {
-		return err
+	if ReportsDB != nil || EvalDB != nil {
+		return fmt.Errorf("already initialized")
 	}
-	if _, err := evalDB(mox.Shutdown); err != nil {
-		return err
+
+	log := mlog.New("dmarcdb", nil)
+	var err error
+
+	ReportsDB, err = openReportsDB(mox.Shutdown, log)
+	if err != nil {
+		return fmt.Errorf("open reports db: %v", err)
 	}
+
+	EvalDB, err = openEvalDB(mox.Shutdown, log)
+	if err != nil {
+		return fmt.Errorf("open eval db: %v", err)
+	}
+
 	return nil
 }
+
+func Close() error {
+	if err := ReportsDB.Close(); err != nil {
+		return fmt.Errorf("closing reports db: %w", err)
+	}
+	ReportsDB = nil
+
+	if err := EvalDB.Close(); err != nil {
+		return fmt.Errorf("closing eval db: %w", err)
+	}
+	EvalDB = nil
+	return nil
+}
+
+func openReportsDB(ctx context.Context, log mlog.Log) (*bstore.DB, error) {
+	p := mox.DataDirPath("dmarcrpt.db")
+	os.MkdirAll(filepath.Dir(p), 0770)
+	opts := bstore.Options{Timeout: 5 * time.Second, Perm: 0660, RegisterLogger: moxvar.RegisterLogger(p, log.Logger)}
+	return bstore.Open(ctx, p, &opts, ReportsDBTypes...)
+}
+
+func openEvalDB(ctx context.Context, log mlog.Log) (*bstore.DB, error) {
+	p := mox.DataDirPath("dmarceval.db")
+	os.MkdirAll(filepath.Dir(p), 0770)
+	opts := bstore.Options{Timeout: 5 * time.Second, Perm: 0660, RegisterLogger: moxvar.RegisterLogger(p, log.Logger)}
+	return bstore.Open(ctx, p, &opts, EvalDBTypes...)
+}

dmarcdb/eval.go

@@ -9,21 +9,19 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"log/slog"
+	"maps"
 	"mime"
 	"mime/multipart"
 	"net/textproto"
 	"net/url"
 	"os"
-	"path/filepath"
 	"runtime/debug"
-	"sort"
+	"slices"
 	"strings"
 	"sync"
 	"time"
 
-	"golang.org/x/exp/maps"
-	"golang.org/x/exp/slices"
-
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
 
@@ -65,8 +63,7 @@ var (
 	// Exported for backups. For incoming deliveries the SMTP server adds evaluations
 	// to the database. Every hour, a goroutine wakes up that gathers evaluations from
 	// the last hour(s), sends a report, and removes the evaluations from the database.
-	EvalDB    *bstore.DB
-	evalMutex sync.Mutex
+	EvalDB *bstore.DB
 )
 
 // Evaluation is the result of an evaluation of a DMARC policy, to be included
@@ -161,21 +158,6 @@ func (e Evaluation) ReportRecord(count int) dmarcrpt.ReportRecord {
 	}
 }
 
-func evalDB(ctx context.Context) (rdb *bstore.DB, rerr error) {
-	evalMutex.Lock()
-	defer evalMutex.Unlock()
-	if EvalDB == nil {
-		p := mox.DataDirPath("dmarceval.db")
-		os.MkdirAll(filepath.Dir(p), 0770)
-		db, err := bstore.Open(ctx, p, &bstore.Options{Timeout: 5 * time.Second, Perm: 0660}, EvalDBTypes...)
-		if err != nil {
-			return nil, err
-		}
-		EvalDB = db
-	}
-	return EvalDB, nil
-}
-
 var intervalOpts = []int{24, 12, 8, 6, 4, 3, 2}
 
 func intervalHours(seconds int) int {
@@ -196,23 +178,13 @@ func intervalHours(seconds int) int {
 func AddEvaluation(ctx context.Context, aggregateReportingIntervalSeconds int, e *Evaluation) error {
 	e.IntervalHours = intervalHours(aggregateReportingIntervalSeconds)
 
-	db, err := evalDB(ctx)
-	if err != nil {
-		return err
-	}
-
 	e.ID = 0
-	return db.Insert(ctx, e)
+	return EvalDB.Insert(ctx, e)
 }
 
 // Evaluations returns all evaluations in the database.
 func Evaluations(ctx context.Context) ([]Evaluation, error) {
-	db, err := evalDB(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	q := bstore.QueryDB[Evaluation](ctx, db)
+	q := bstore.QueryDB[Evaluation](ctx, EvalDB)
 	q.SortAsc("Evaluated")
 	return q.List()
 }
@@ -228,14 +200,9 @@ type EvaluationStat struct {
 
 // EvaluationStats returns evaluation counts and report-sending status per domain.
 func EvaluationStats(ctx context.Context) (map[string]EvaluationStat, error) {
-	db, err := evalDB(ctx)
-	if err != nil {
-		return nil, err
-	}
-
 	r := map[string]EvaluationStat{}
 
-	err = bstore.QueryDB[Evaluation](ctx, db).ForEach(func(e Evaluation) error {
+	err := bstore.QueryDB[Evaluation](ctx, EvalDB).ForEach(func(e Evaluation) error {
 		if stat, ok := r[e.PolicyDomain]; ok {
 			if !slices.Contains(stat.Dispositions, string(e.Disposition)) {
 				stat.Dispositions = append(stat.Dispositions, string(e.Disposition))
@@ -262,12 +229,7 @@ func EvaluationStats(ctx context.Context) (map[string]EvaluationStat, error) {
 
 // EvaluationsDomain returns all evaluations for a domain.
 func EvaluationsDomain(ctx context.Context, domain dns.Domain) ([]Evaluation, error) {
-	db, err := evalDB(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	q := bstore.QueryDB[Evaluation](ctx, db)
+	q := bstore.QueryDB[Evaluation](ctx, EvalDB)
 	q.FilterNonzero(Evaluation{PolicyDomain: domain.Name()})
 	q.SortAsc("Evaluated")
 	return q.List()
@@ -276,14 +238,9 @@ func EvaluationsDomain(ctx context.Context, domain dns.Domain) ([]Evaluation, er
 // RemoveEvaluationsDomain removes evaluations for domain so they won't be sent in
 // an aggregate report.
 func RemoveEvaluationsDomain(ctx context.Context, domain dns.Domain) error {
-	db, err := evalDB(ctx)
-	if err != nil {
-		return err
-	}
-
-	q := bstore.QueryDB[Evaluation](ctx, db)
+	q := bstore.QueryDB[Evaluation](ctx, EvalDB)
 	q.FilterNonzero(Evaluation{PolicyDomain: domain.Name()})
-	_, err = q.Delete()
+	_, err := q.Delete()
 	return err
 }
 
@@ -293,20 +250,20 @@ var jitterRand = mox.NewPseudoRand()
 // Jitter so we don't cause load at exactly whole hours, other processes may
 // already be doing that.
 var jitteredTimeUntil = func(t time.Time) time.Duration {
-	return time.Until(t.Add(time.Duration(30+jitterRand.Intn(60)) * time.Second))
+	return time.Until(t.Add(time.Duration(30+jitterRand.IntN(60)) * time.Second))
 }
 
 // Start launches a goroutine that wakes up at each whole hour (plus jitter) and
 // sends DMARC reports to domains that requested them.
 func Start(resolver dns.Resolver) {
 	go func() {
-		log := mlog.New("dmarcdb")
+		log := mlog.New("dmarcdb", nil)
 
 		defer func() {
 			// In case of panic don't take the whole program down.
 			x := recover()
 			if x != nil {
-				log.Error("recover from panic", mlog.Field("panic", x))
+				log.Error("recover from panic", slog.Any("panic", x))
 				debug.PrintStack()
 				metrics.PanicInc(metrics.Dmarcdb)
 			}
@@ -317,12 +274,6 @@ func Start(resolver dns.Resolver) {
 
 		ctx := mox.Shutdown
 
-		db, err := evalDB(ctx)
-		if err != nil {
-			log.Errorx("opening dmarc evaluations database for sending dmarc aggregate reports, not sending reports", err)
-			return
-		}
-
 		for {
 			now := time.Now()
 			nextEnd := nextWholeHour(now)
@@ -354,12 +305,12 @@ func Start(resolver dns.Resolver) {
 			// 24 hour interval). They should have been processed by now. We may have kept them
 			// during temporary errors, but persistent temporary errors shouldn't fill up our
 			// database. This also cleans up evaluations that were all optional for a domain.
-			_, err := bstore.QueryDB[Evaluation](ctx, db).FilterLess("Evaluated", nextEnd.Add(-48*time.Hour)).Delete()
+			_, err := bstore.QueryDB[Evaluation](ctx, EvalDB).FilterLess("Evaluated", nextEnd.Add(-48*time.Hour)).Delete()
 			log.Check(err, "removing stale dmarc evaluations from database")
 
 			clog := log.WithCid(mox.Cid())
-			clog.Info("sending dmarc aggregate reports", mlog.Field("end", nextEnd.UTC()), mlog.Field("intervals", intervals))
-			if err := sendReports(ctx, clog, resolver, db, nextEnd, intervals); err != nil {
+			clog.Info("sending dmarc aggregate reports", slog.Time("end", nextEnd.UTC()), slog.Any("intervals", intervals))
+			if err := sendReports(ctx, clog, resolver, EvalDB, nextEnd, intervals); err != nil {
 				clog.Errorx("sending dmarc aggregate reports", err)
 				metricReportError.Inc()
 			} else {
@@ -393,7 +344,7 @@ var sleepBetween = func(ctx context.Context, between time.Duration) (ok bool) {
 
 // sendReports gathers all policy domains that have evaluations that should
 // receive a DMARC report and sends a report to each.
-func sendReports(ctx context.Context, log *mlog.Log, resolver dns.Resolver, db *bstore.DB, endTime time.Time, intervals []int) error {
+func sendReports(ctx context.Context, log mlog.Log, resolver dns.Resolver, db *bstore.DB, endTime time.Time, intervals []int) error {
 	ivals := make([]any, len(intervals))
 	for i, v := range intervals {
 		ivals[i] = v
@@ -452,14 +403,14 @@ func sendReports(ctx context.Context, log *mlog.Log, resolver dns.Resolver, db *
 				// In case of panic don't take the whole program down.
 				x := recover()
 				if x != nil {
-					log.Error("unhandled panic in dmarcdb sendReports", mlog.Field("panic", x))
+					log.Error("unhandled panic in dmarcdb sendReports", slog.Any("panic", x))
 					debug.PrintStack()
 					metrics.PanicInc(metrics.Dmarcdb)
 				}
 			}()
 			defer wg.Done()
 
-			rlog := log.WithCid(mox.Cid()).Fields(mlog.Field("domain", domain))
+			rlog := log.WithCid(mox.Cid()).With(slog.Any("domain", domain))
 			rlog.Info("sending dmarc report")
 			if _, err := sendReportDomain(ctx, rlog, resolver, db, endTime, domain); err != nil {
 				rlog.Errorx("sending dmarc aggregate report to domain", err)
@@ -478,8 +429,8 @@ type recipient struct {
 	maxSize uint64
 }
 
-func parseRecipient(log *mlog.Log, uri dmarc.URI) (r recipient, ok bool) {
-	log = log.Fields(mlog.Field("uri", uri.Address))
+func parseRecipient(log mlog.Log, uri dmarc.URI) (r recipient, ok bool) {
+	log = log.With(slog.Any("uri", uri.Address))
 
 	u, err := url.Parse(uri.Address)
 	if err != nil {
@@ -510,14 +461,14 @@ func parseRecipient(log *mlog.Log, uri dmarc.URI) (r recipient, ok bool) {
 		r.maxSize *= 1024 * 1024 * 1024 * 1024
 	case "":
 	default:
-		log.Debug("unrecognized max size unit in dmarc record rua value", mlog.Field("unit", uri.Unit))
+		log.Debug("unrecognized max size unit in dmarc record rua value", slog.String("unit", uri.Unit))
 		return r, false
 	}
 
 	return r, true
 }
 
-func removeEvaluations(ctx context.Context, log *mlog.Log, db *bstore.DB, endTime time.Time, domain string) {
+func removeEvaluations(ctx context.Context, log mlog.Log, db *bstore.DB, endTime time.Time, domain string) {
 	q := bstore.QueryDB[Evaluation](ctx, db)
 	q.FilterLess("Evaluated", endTime)
 	q.FilterNonzero(Evaluation{PolicyDomain: domain})
@@ -528,7 +479,7 @@ func removeEvaluations(ctx context.Context, log *mlog.Log, db *bstore.DB, endTim
 // replaceable for testing.
 var queueAdd = queue.Add
 
-func sendReportDomain(ctx context.Context, log *mlog.Log, resolver dns.Resolver, db *bstore.DB, endTime time.Time, domain string) (cleanup bool, rerr error) {
+func sendReportDomain(ctx context.Context, log mlog.Log, resolver dns.Resolver, db *bstore.DB, endTime time.Time, domain string) (cleanup bool, rerr error) {
 	dom, err := dns.ParseDomain(domain)
 	if err != nil {
 		return false, fmt.Errorf("parsing domain for sending reports: %v", err)
@@ -567,7 +518,7 @@ func sendReportDomain(ctx context.Context, log *mlog.Log, resolver dns.Resolver,
 	// evaluations regardless. We always use the latest DMARC record when sending, but
 	// we'll lump all policies of the last interval into one report.
 	// ../rfc/7489:1714
-	status, _, record, _, _, err := dmarc.Lookup(ctx, resolver, dom)
+	status, _, record, _, _, err := dmarc.Lookup(ctx, log.Logger, resolver, dom)
 	if err != nil {
 		// todo future: we could perhaps still send this report, assuming the values we know. in case of temporary error, we could also schedule again regardless of next interval hour (we would now only retry a 24h-interval report after 24h passed).
 		// Remove records unless it was a temporary error. We'll try again next round.
@@ -588,8 +539,8 @@ func sendReportDomain(ctx context.Context, log *mlog.Log, resolver dns.Resolver,
 
 		// Check if domain of rua recipient has the same organizational domain as for the
 		// evaluations. If not, we need to verify we are allowed to send.
-		ruaOrgDom := publicsuffix.Lookup(ctx, r.address.Domain)
-		evalOrgDom := publicsuffix.Lookup(ctx, dom)
+		ruaOrgDom := publicsuffix.Lookup(ctx, log.Logger, r.address.Domain)
+		evalOrgDom := publicsuffix.Lookup(ctx, log.Logger, dom)
 
 		if ruaOrgDom == evalOrgDom {
 			recipients = append(recipients, r)
@@ -599,12 +550,12 @@ func sendReportDomain(ctx context.Context, log *mlog.Log, resolver dns.Resolver,
 		// Verify and follow addresses in other organizational domain through
 		// <policydomain>._report._dmarc.<host> lookup.
 		// ../rfc/7489:1556
-		accepts, status, records, _, _, err := dmarc.LookupExternalReportsAccepted(ctx, resolver, evalOrgDom, r.address.Domain)
+		accepts, status, records, _, _, err := dmarc.LookupExternalReportsAccepted(ctx, log.Logger, resolver, evalOrgDom, r.address.Domain)
 		log.Debugx("checking if rua address with different organization domain has opted into receiving dmarc reports", err,
-			mlog.Field("policydomain", evalOrgDom),
-			mlog.Field("destinationdomain", r.address.Domain),
-			mlog.Field("accepts", accepts),
-			mlog.Field("status", status))
+			slog.Any("policydomain", evalOrgDom),
+			slog.Any("destinationdomain", r.address.Domain),
+			slog.Bool("accepts", accepts),
+			slog.Any("status", status))
 		if status == dmarc.StatusTemperror {
 			// With a temporary error, we'll try to get the report the delivered anyway,
 			// perhaps there are multiple recipients.
@@ -626,7 +577,7 @@ func sendReportDomain(ctx context.Context, log *mlog.Log, resolver dns.Resolver,
 		// alternative addresses and no new address specified).
 		// ../rfc/7489:1600
 		foundReplacement := false
-		rlog := log.Fields(mlog.Field("followedaddress", uri.Address))
+		rlog := log.With(slog.Any("followedaddress", uri.Address))
 		for _, record := range records {
 			for _, exturi := range record.AggregateReportAddresses {
 				extr, ok := parseRecipient(rlog, exturi)
@@ -634,10 +585,10 @@ func sendReportDomain(ctx context.Context, log *mlog.Log, resolver dns.Resolver,
 					continue
 				}
 				if extr.address.Domain != r.address.Domain {
-					rlog.Debug("rua address in external _report dmarc record has different host than initial dmarc record, ignoring new name", mlog.Field("externaladdress", extr.address))
+					rlog.Debug("rua address in external _report dmarc record has different host than initial dmarc record, ignoring new name", slog.Any("externaladdress", extr.address))
 					errors = append(errors, fmt.Sprintf("rua %s is external domain with a replacement address %s with different host", r.address, extr.address))
 				} else {
-					rlog.Debug("using replacement rua address from external _report dmarc record", mlog.Field("externaladdress", extr.address))
+					rlog.Debug("using replacement rua address from external _report dmarc record", slog.Any("externaladdress", extr.address))
 					foundReplacement = true
 					recipients = append(recipients, extr)
 				}
@@ -736,15 +687,13 @@ func sendReportDomain(ctx context.Context, log *mlog.Log, resolver dns.Resolver,
 	report.PolicyPublished = last.PolicyPublished
 
 	// Process records in-order for testable results.
-	recstrs := maps.Keys(counts)
-	sort.Strings(recstrs)
-	for _, recstr := range recstrs {
+	for _, recstr := range slices.Sorted(maps.Keys(counts)) {
 		rc := counts[recstr]
 		rc.ReportRecord.Row.Count = rc.count
 		report.Records = append(report.Records, rc.ReportRecord)
 	}
 
-	reportFile, err := store.CreateMessageTemp("dmarcreportout")
+	reportFile, err := store.CreateMessageTemp(log, "dmarcreportout")
 	if err != nil {
 		return false, fmt.Errorf("creating temporary file for outgoing dmarc aggregate report: %v", err)
 	}
@@ -767,7 +716,7 @@ func sendReportDomain(ctx context.Context, log *mlog.Log, resolver dns.Resolver,
 		return true, fmt.Errorf("writing dmarc aggregate report as xml with gzip: %v", err)
 	}
 
-	msgf, err := store.CreateMessageTemp("dmarcreportmsgout")
+	msgf, err := store.CreateMessageTemp(log, "dmarcreportmsgout")
 	if err != nil {
 		return false, fmt.Errorf("creating temporary message file with outgoing dmarc aggregate report: %v", err)
 	}
@@ -778,7 +727,7 @@ func sendReportDomain(ctx context.Context, log *mlog.Log, resolver dns.Resolver,
 	// DKIM keys, so we can DKIM-sign our reports. SPF should pass anyway.
 	// A single report can contain deliveries from a single policy domain
 	// to multiple of our configured domains.
-	from := smtp.Address{Localpart: "postmaster", Domain: mox.Conf.Static.HostnameDomain}
+	from := smtp.NewAddress("postmaster", mox.Conf.Static.HostnameDomain)
 
 	// Subject follows the form in RFC. ../rfc/7489:1871
 	subject := fmt.Sprintf("Report Domain: %s Submitter: %s Report-ID: <%s>", dom.ASCII, mox.Conf.Static.HostnameDomain.ASCII, report.ReportMetadata.ReportID)
@@ -828,7 +777,7 @@ Period: %s - %s UTC
 			return false, fmt.Errorf("querying suppress list: %v", err)
 		}
 		if exists {
-			log.Info("suppressing outgoing dmarc aggregate report", mlog.Field("reportingaddress", rcpt.address))
+			log.Info("suppressing outgoing dmarc aggregate report", slog.Any("reportingaddress", rcpt.address))
 			continue
 		}
 
@@ -841,19 +790,19 @@ Period: %s - %s UTC
 			continue
 		}
 
-		qm := queue.MakeMsg(mox.Conf.Static.Postmaster.Account, from.Path(), rcpt.address.Path(), has8bit, smtputf8, msgSize, messageID, []byte(msgPrefix), nil)
+		qm := queue.MakeMsg(from.Path(), rcpt.address.Path(), has8bit, smtputf8, msgSize, messageID, []byte(msgPrefix), nil, time.Now(), subject)
 		// Don't try as long as regular deliveries, and stop before we would send the
 		// delayed DSN. Though we also won't send that due to IsDMARCReport.
 		qm.MaxAttempts = 5
 		qm.IsDMARCReport = true
 
-		err = queueAdd(ctx, log, &qm, msgf)
+		err = queueAdd(ctx, log, mox.Conf.Static.Postmaster.Account, msgf, qm)
 		if err != nil {
 			tempError = true
 			log.Errorx("queueing message with dmarc aggregate report", err)
 			metricReportError.Inc()
 		} else {
-			log.Debug("dmarc aggregate report queued", mlog.Field("recipient", rcpt.address))
+			log.Debug("dmarc aggregate report queued", slog.Any("recipient", rcpt.address))
 			queued = true
 			metricReport.Inc()
 		}
@@ -873,8 +822,16 @@ Period: %s - %s UTC
 	return true, nil
 }
 
-func composeAggregateReport(ctx context.Context, log *mlog.Log, mf *os.File, fromAddr smtp.Address, recipients []message.NameAddress, subject, text, filename string, reportXMLGzipFile *os.File) (msgPrefix string, has8bit, smtputf8 bool, messageID string, rerr error) {
-	xc := message.NewComposer(mf, 100*1024*1024)
+func composeAggregateReport(ctx context.Context, log mlog.Log, mf *os.File, fromAddr smtp.Address, recipients []message.NameAddress, subject, text, filename string, reportXMLGzipFile *os.File) (msgPrefix string, has8bit, smtputf8 bool, messageID string, rerr error) {
+	// We only use smtputf8 if we have to, with a utf-8 localpart. For IDNA, we use ASCII domains.
+	smtputf8 = fromAddr.Localpart.IsInternational()
+	for _, r := range recipients {
+		if smtputf8 {
+			smtputf8 = r.Address.Localpart.IsInternational()
+			break
+		}
+	}
+	xc := message.NewComposer(mf, 100*1024*1024, smtputf8)
 	defer func() {
 		x := recover()
 		if x == nil {
@@ -887,14 +844,6 @@ func composeAggregateReport(ctx context.Context, log *mlog.Log, mf *os.File, fro
 		panic(x)
 	}()
 
-	// We only use smtputf8 if we have to, with a utf-8 localpart. For IDNA, we use ASCII domains.
-	for _, a := range recipients {
-		if a.Address.Localpart.IsInternational() {
-			xc.SMTPUTF8 = true
-			break
-		}
-	}
-
 	xc.HeaderAddrs("From", []message.NameAddress{{Address: fromAddr}})
 	xc.HeaderAddrs("To", recipients)
 	xc.Subject(subject)
@@ -910,7 +859,7 @@ func composeAggregateReport(ctx context.Context, log *mlog.Log, mf *os.File, fro
 	xc.Line()
 
 	// Textual part, just mentioning this is a DMARC report.
-	textBody, ct, cte := xc.TextPart(text)
+	textBody, ct, cte := xc.TextPart("plain", text)
 	textHdr := textproto.MIMEHeader{}
 	textHdr.Set("Content-Type", ct)
 	textHdr.Set("Content-Transfer-Encoding", cte)
@@ -946,10 +895,10 @@ func composeAggregateReport(ctx context.Context, log *mlog.Log, mf *os.File, fro
 // Though this functionality is quite underspecified, we'll do our best to send our
 // an error report in case our report is too large for all recipients.
 // ../rfc/7489:1918
-func sendErrorReport(ctx context.Context, log *mlog.Log, db *bstore.DB, fromAddr smtp.Address, recipients []message.NameAddress, reportDomain dns.Domain, reportID string, reportMsgSize int64) error {
+func sendErrorReport(ctx context.Context, log mlog.Log, db *bstore.DB, fromAddr smtp.Address, recipients []message.NameAddress, reportDomain dns.Domain, reportID string, reportMsgSize int64) error {
 	log.Debug("no reporting addresses willing to accept report given size, queuing short error message")
 
-	msgf, err := store.CreateMessageTemp("dmarcreportmsg-out")
+	msgf, err := store.CreateMessageTemp(log, "dmarcreportmsg-out")
 	if err != nil {
 		return fmt.Errorf("creating temporary message file for outgoing dmarc error report: %v", err)
 	}
@@ -992,29 +941,37 @@ Submitting-URI: %s
 			return fmt.Errorf("querying suppress list: %v", err)
 		}
 		if exists {
-			log.Info("suppressing outgoing dmarc error report", mlog.Field("reportingaddress", rcpt.Address))
+			log.Info("suppressing outgoing dmarc error report", slog.Any("reportingaddress", rcpt.Address))
 			continue
 		}
 
-		qm := queue.MakeMsg(mox.Conf.Static.Postmaster.Account, fromAddr.Path(), rcpt.Address.Path(), has8bit, smtputf8, msgSize, messageID, []byte(msgPrefix), nil)
+		qm := queue.MakeMsg(fromAddr.Path(), rcpt.Address.Path(), has8bit, smtputf8, msgSize, messageID, []byte(msgPrefix), nil, time.Now(), subject)
 		// Don't try as long as regular deliveries, and stop before we would send the
 		// delayed DSN. Though we also won't send that due to IsDMARCReport.
 		qm.MaxAttempts = 5
 		qm.IsDMARCReport = true
 
-		if err := queueAdd(ctx, log, &qm, msgf); err != nil {
+		if err := queueAdd(ctx, log, mox.Conf.Static.Postmaster.Account, msgf, qm); err != nil {
 			log.Errorx("queueing message with dmarc error report", err)
 			metricReportError.Inc()
 		} else {
-			log.Debug("dmarc error report queued", mlog.Field("recipient", rcpt))
+			log.Debug("dmarc error report queued", slog.Any("recipient", rcpt))
 			metricReport.Inc()
 		}
 	}
 	return nil
 }
 
-func composeErrorReport(ctx context.Context, log *mlog.Log, mf *os.File, fromAddr smtp.Address, recipients []message.NameAddress, subject, text string) (msgPrefix string, has8bit, smtputf8 bool, messageID string, rerr error) {
-	xc := message.NewComposer(mf, 100*1024*1024)
+func composeErrorReport(ctx context.Context, log mlog.Log, mf *os.File, fromAddr smtp.Address, recipients []message.NameAddress, subject, text string) (msgPrefix string, has8bit, smtputf8 bool, messageID string, rerr error) {
+	// We only use smtputf8 if we have to, with a utf-8 localpart. For IDNA, we use ASCII domains.
+	smtputf8 = fromAddr.Localpart.IsInternational()
+	for _, r := range recipients {
+		if smtputf8 {
+			smtputf8 = r.Address.Localpart.IsInternational()
+			break
+		}
+	}
+	xc := message.NewComposer(mf, 100*1024*1024, smtputf8)
 	defer func() {
 		x := recover()
 		if x == nil {
@@ -1027,14 +984,6 @@ func composeErrorReport(ctx context.Context, log *mlog.Log, mf *os.File, fromAdd
 		panic(x)
 	}()
 
-	// We only use smtputf8 if we have to, with a utf-8 localpart. For IDNA, we use ASCII domains.
-	for _, a := range recipients {
-		if a.Address.Localpart.IsInternational() {
-			xc.SMTPUTF8 = true
-			break
-		}
-	}
-
 	xc.HeaderAddrs("From", []message.NameAddress{{Address: fromAddr}})
 	xc.HeaderAddrs("To", recipients)
 	xc.Header("Subject", subject)
@@ -1044,7 +993,7 @@ func composeErrorReport(ctx context.Context, log *mlog.Log, mf *os.File, fromAdd
 	xc.Header("User-Agent", "mox/"+moxvar.Version)
 	xc.Header("MIME-Version", "1.0")
 
-	textBody, ct, cte := xc.TextPart(text)
+	textBody, ct, cte := xc.TextPart("plain", text)
 	xc.Header("Content-Type", ct)
 	xc.Header("Content-Transfer-Encoding", cte)
 	xc.Line()
@@ -1058,7 +1007,7 @@ func composeErrorReport(ctx context.Context, log *mlog.Log, mf *os.File, fromAdd
 	return msgPrefix, xc.Has8bit, xc.SMTPUTF8, messageID, nil
 }
 
-func dkimSign(ctx context.Context, log *mlog.Log, fromAddr smtp.Address, smtputf8 bool, mf *os.File) string {
+func dkimSign(ctx context.Context, log mlog.Log, fromAddr smtp.Address, smtputf8 bool, mf *os.File) string {
 	// Add DKIM-Signature headers if we have a key for (a higher) domain than the from
 	// address, which is a host name. A signature will only be useful with higher-level
 	// domains if they have a relaxed dkim check (which is the default). If the dkim
@@ -1067,8 +1016,9 @@ func dkimSign(ctx context.Context, log *mlog.Log, fromAddr smtp.Address, smtputf
 	var zerodom dns.Domain
 	for fd != zerodom {
 		confDom, ok := mox.Conf.Domain(fd)
-		if len(confDom.DKIM.Sign) > 0 {
-			dkimHeaders, err := dkim.Sign(ctx, fromAddr.Localpart, fd, confDom.DKIM, smtputf8, mf)
+		selectors := mox.DKIMSelectors(confDom.DKIM)
+		if len(selectors) > 0 && !confDom.Disabled {
+			dkimHeaders, err := dkim.Sign(ctx, log.Logger, fromAddr.Localpart, fd, selectors, smtputf8, mf)
 			if err != nil {
 				log.Errorx("dkim-signing dmarc report, continuing without signature", err)
 				metricReportError.Inc()
@@ -1089,46 +1039,26 @@ func dkimSign(ctx context.Context, log *mlog.Log, fromAddr smtp.Address, smtputf
 
 // SuppressAdd adds an address to the suppress list.
 func SuppressAdd(ctx context.Context, ba *SuppressAddress) error {
-	db, err := evalDB(ctx)
-	if err != nil {
-		return err
-	}
-
-	return db.Insert(ctx, ba)
+	return EvalDB.Insert(ctx, ba)
 }
 
 // SuppressList returns all reporting addresses on the suppress list.
 func SuppressList(ctx context.Context) ([]SuppressAddress, error) {
-	db, err := evalDB(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return bstore.QueryDB[SuppressAddress](ctx, db).SortDesc("ID").List()
+	return bstore.QueryDB[SuppressAddress](ctx, EvalDB).SortDesc("ID").List()
 }
 
 // SuppressRemove removes a reporting address record from the suppress list.
 func SuppressRemove(ctx context.Context, id int64) error {
-	db, err := evalDB(ctx)
-	if err != nil {
-		return err
-	}
-
-	return db.Delete(ctx, &SuppressAddress{ID: id})
+	return EvalDB.Delete(ctx, &SuppressAddress{ID: id})
 }
 
 // SuppressUpdate updates the until field of a reporting address record.
 func SuppressUpdate(ctx context.Context, id int64, until time.Time) error {
-	db, err := evalDB(ctx)
-	if err != nil {
-		return err
-	}
-
 	ba := SuppressAddress{ID: id}
-	err = db.Get(ctx, &ba)
+	err := EvalDB.Get(ctx, &ba)
 	if err != nil {
 		return err
 	}
 	ba.Until = until
-	return db.Update(ctx, &ba)
+	return EvalDB.Update(ctx, &ba)
 }

dmarcdb/eval_test.go

@@ -19,6 +19,7 @@ import (
 	"github.com/mjl-/mox/mox-"
 	"github.com/mjl-/mox/moxio"
 	"github.com/mjl-/mox/queue"
+	"slices"
 )
 
 func tcheckf(t *testing.T, err error, format string, args ...any) {
@@ -40,13 +41,13 @@ func TestEvaluations(t *testing.T) {
 	mox.Context = ctxbg
 	mox.ConfigStaticPath = filepath.FromSlash("../testdata/dmarcdb/mox.conf")
 	mox.MustLoadConfig(true, false)
-	EvalDB = nil
 
-	_, err := evalDB(ctxbg)
-	tcheckf(t, err, "database")
+	os.Remove(mox.DataDirPath("dmarceval.db"))
+	err := Init()
+	tcheckf(t, err, "init")
 	defer func() {
-		EvalDB.Close()
-		EvalDB = nil
+		err := Close()
+		tcheckf(t, err, "close")
 	}()
 
 	parseJSON := func(s string) (e Evaluation) {
@@ -156,19 +157,17 @@ func TestEvaluations(t *testing.T) {
 }
 
 func TestSendReports(t *testing.T) {
-	mlog.SetConfig(map[string]mlog.Level{"": mlog.LevelDebug})
-
 	os.RemoveAll("../testdata/dmarcdb/data")
 	mox.Context = ctxbg
 	mox.ConfigStaticPath = filepath.FromSlash("../testdata/dmarcdb/mox.conf")
 	mox.MustLoadConfig(true, false)
-	EvalDB = nil
 
-	db, err := evalDB(ctxbg)
-	tcheckf(t, err, "database")
+	os.Remove(mox.DataDirPath("dmarceval.db"))
+	err := Init()
+	tcheckf(t, err, "init")
 	defer func() {
-		EvalDB.Close()
-		EvalDB = nil
+		err := Close()
+		tcheckf(t, err, "close")
 	}()
 
 	resolver := dns.MockResolver{
@@ -287,18 +286,23 @@ func TestSendReports(t *testing.T) {
 		mox.Shutdown, mox.ShutdownCancel = context.WithCancel(ctxbg)
 
 		for _, e := range evals {
-			err := db.Insert(ctxbg, &e)
+			err := EvalDB.Insert(ctxbg, &e)
 			tcheckf(t, err, "inserting evaluation")
 		}
 
 		aggrAddrs := map[string]struct{}{}
 		errorAddrs := map[string]struct{}{}
 
-		queueAdd = func(ctx context.Context, log *mlog.Log, qm *queue.Msg, msgFile *os.File) error {
+		queueAdd = func(ctx context.Context, log mlog.Log, senderAccount string, msgFile *os.File, qml ...queue.Msg) error {
+			if len(qml) != 1 {
+				return fmt.Errorf("queued %d messages, expected 1", len(qml))
+			}
+			qm := qml[0]
+
 			// Read message file. Also write copy to disk for inspection.
 			buf, err := io.ReadAll(&moxio.AtReader{R: msgFile})
 			tcheckf(t, err, "read report message")
-			err = os.WriteFile("../testdata/dmarcdb/data/report.eml", append(append([]byte{}, qm.MsgPrefix...), buf...), 0600)
+			err = os.WriteFile("../testdata/dmarcdb/data/report.eml", slices.Concat(qm.MsgPrefix, buf), 0600)
 			tcheckf(t, err, "write report message")
 
 			var feedback *dmarcrpt.Feedback
@@ -309,7 +313,7 @@ func TestSendReports(t *testing.T) {
 			} else {
 				aggrAddrs[addr] = struct{}{}
 
-				feedback, err = dmarcrpt.ParseMessageReport(log, msgFile)
+				feedback, err = dmarcrpt.ParseMessageReport(log.Logger, msgFile)
 				tcheckf(t, err, "parsing generated report message")
 			}
 
@@ -353,13 +357,13 @@ func TestSendReports(t *testing.T) {
 
 	// Address is suppressed.
 	sa := SuppressAddress{ReportingAddress: "dmarcrpt@sender.example", Until: time.Now().Add(time.Minute)}
-	err = db.Insert(ctxbg, &sa)
+	err = EvalDB.Insert(ctxbg, &sa)
 	tcheckf(t, err, "insert suppress address")
 	test([]Evaluation{eval}, map[string]struct{}{}, map[string]struct{}{}, nil)
 
 	// Suppression has expired.
 	sa.Until = time.Now().Add(-time.Minute)
-	err = db.Update(ctxbg, &sa)
+	err = EvalDB.Update(ctxbg, &sa)
 	tcheckf(t, err, "update suppress address")
 	test([]Evaluation{eval}, map[string]struct{}{"dmarcrpt@sender.example": {}}, map[string]struct{}{}, expFeedback)
 

dmarcdb/main_test.go

@@ -0,0 +1,17 @@
+package dmarcdb
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/mjl-/mox/metrics"
+)
+
+func TestMain(m *testing.M) {
+	m.Run()
+	if metrics.Panics.Load() > 0 {
+		fmt.Println("unhandled panics encountered")
+		os.Exit(2)
+	}
+}

dmarcdb/reports.go

@@ -3,9 +3,6 @@ package dmarcdb
 import (
 	"context"
 	"fmt"
-	"os"
-	"path/filepath"
-	"sync"
 	"time"
 
 	"github.com/prometheus/client_golang/prometheus"
@@ -15,13 +12,11 @@ import (
 
 	"github.com/mjl-/mox/dmarcrpt"
 	"github.com/mjl-/mox/dns"
-	"github.com/mjl-/mox/mox-"
 )
 
 var (
 	ReportsDBTypes = []any{DomainFeedback{}} // Types stored in DB.
 	ReportsDB      *bstore.DB                // Exported for backups.
-	reportsMutex   sync.Mutex
 )
 
 var (
@@ -59,38 +54,18 @@ type DomainFeedback struct {
 	dmarcrpt.Feedback
 }
 
-func reportsDB(ctx context.Context) (rdb *bstore.DB, rerr error) {
-	reportsMutex.Lock()
-	defer reportsMutex.Unlock()
-	if ReportsDB == nil {
-		p := mox.DataDirPath("dmarcrpt.db")
-		os.MkdirAll(filepath.Dir(p), 0770)
-		db, err := bstore.Open(ctx, p, &bstore.Options{Timeout: 5 * time.Second, Perm: 0660}, ReportsDBTypes...)
-		if err != nil {
-			return nil, err
-		}
-		ReportsDB = db
-	}
-	return ReportsDB, nil
-}
-
 // AddReport adds a DMARC aggregate feedback report from an email to the database,
 // and updates prometheus metrics.
 //
 // fromDomain is the domain in the report message From header.
 func AddReport(ctx context.Context, f *dmarcrpt.Feedback, fromDomain dns.Domain) error {
-	db, err := reportsDB(ctx)
-	if err != nil {
-		return err
-	}
-
 	d, err := dns.ParseDomain(f.PolicyPublished.Domain)
 	if err != nil {
 		return fmt.Errorf("parsing domain in report: %v", err)
 	}
 
 	df := DomainFeedback{0, d.Name(), fromDomain.Name(), *f}
-	if err := db.Insert(ctx, &df); err != nil {
+	if err := ReportsDB.Insert(ctx, &df); err != nil {
 		return err
 	}
 
@@ -129,38 +104,23 @@ func AddReport(ctx context.Context, f *dmarcrpt.Feedback, fromDomain dns.Domain)
 
 // Records returns all reports in the database.
 func Records(ctx context.Context) ([]DomainFeedback, error) {
-	db, err := reportsDB(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return bstore.QueryDB[DomainFeedback](ctx, db).List()
+	return bstore.QueryDB[DomainFeedback](ctx, ReportsDB).List()
 }
 
 // RecordID returns the report for the ID.
 func RecordID(ctx context.Context, id int64) (DomainFeedback, error) {
-	db, err := reportsDB(ctx)
-	if err != nil {
-		return DomainFeedback{}, err
-	}
-
 	e := DomainFeedback{ID: id}
-	err = db.Get(ctx, &e)
+	err := ReportsDB.Get(ctx, &e)
 	return e, err
 }
 
 // RecordsPeriodDomain returns the reports overlapping start and end, for the given
 // domain. If domain is empty, all records match for domain.
 func RecordsPeriodDomain(ctx context.Context, start, end time.Time, domain string) ([]DomainFeedback, error) {
-	db, err := reportsDB(ctx)
-	if err != nil {
-		return nil, err
-	}
-
 	s := start.Unix()
 	e := end.Unix()
 
-	q := bstore.QueryDB[DomainFeedback](ctx, db)
+	q := bstore.QueryDB[DomainFeedback](ctx, ReportsDB)
 	if domain != "" {
 		q.FilterNonzero(DomainFeedback{Domain: domain})
 	}

dmarcdb/reports_test.go

@@ -20,16 +20,12 @@ func TestDMARCDB(t *testing.T) {
 	mox.ConfigStaticPath = filepath.FromSlash("../testdata/dmarcdb/mox.conf")
 	mox.MustLoadConfig(true, false)
 
-	dbpath := mox.DataDirPath("dmarcrpt.db")
-	os.MkdirAll(filepath.Dir(dbpath), 0770)
-
-	if err := Init(); err != nil {
-		t.Fatalf("init database: %s", err)
-	}
-	defer os.Remove(dbpath)
+	os.Remove(mox.DataDirPath("dmarcrpt.db"))
+	err := Init()
+	tcheckf(t, err, "init")
 	defer func() {
-		ReportsDB.Close()
-		ReportsDB = nil
+		err := Close()
+		tcheckf(t, err, "close")
 	}()
 
 	feedback := &dmarcrpt.Feedback{

dmarcrpt/feedback.go

@@ -47,6 +47,8 @@ type PolicyPublished struct {
 type Alignment string
 
 const (
+	AlignmentAbsent Alignment = ""
+
 	AlignmentRelaxed Alignment = "r" // Subdomains match the DMARC from-domain.
 	AlignmentStrict  Alignment = "s" // Only exact from-domain match.
 )
@@ -56,6 +58,8 @@ const (
 type Disposition string
 
 const (
+	DispositionAbsent Disposition = ""
+
 	DispositionNone       Disposition = "none"
 	DispositionQuarantine Disposition = "quarantine"
 	DispositionReject     Disposition = "reject"
@@ -87,6 +91,8 @@ type PolicyEvaluated struct {
 type DMARCResult string
 
 const (
+	DMARCAbsent DMARCResult = ""
+
 	DMARCPass DMARCResult = "pass"
 	DMARCFail DMARCResult = "fail"
 )
@@ -101,6 +107,8 @@ type PolicyOverrideReason struct {
 type PolicyOverride string
 
 const (
+	PolicyOverrideAbsent PolicyOverride = ""
+
 	PolicyOverrideForwarded        PolicyOverride = "forwarded"
 	PolicyOverrideSampledOut       PolicyOverride = "sampled_out"
 	PolicyOverrideTrustedForwarder PolicyOverride = "trusted_forwarder"
@@ -130,6 +138,8 @@ type DKIMAuthResult struct {
 type DKIMResult string
 
 const (
+	DKIMAbsent DKIMResult = ""
+
 	DKIMNone      DKIMResult = "none"
 	DKIMPass      DKIMResult = "pass"
 	DKIMFail      DKIMResult = "fail"
@@ -148,6 +158,8 @@ type SPFAuthResult struct {
 type SPFDomainScope string
 
 const (
+	SPFDomainScopeAbsent SPFDomainScope = ""
+
 	SPFDomainScopeHelo     SPFDomainScope = "helo"  // SMTP EHLO
 	SPFDomainScopeMailFrom SPFDomainScope = "mfrom" // SMTP "MAIL FROM".
 )
@@ -155,6 +167,8 @@ const (
 type SPFResult string
 
 const (
+	SPFAbsent SPFResult = ""
+
 	SPFNone      SPFResult = "none"
 	SPFNeutral   SPFResult = "neutral"
 	SPFPass      SPFResult = "pass"

dmarcrpt/parse.go

@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"log/slog"
 	"net/http"
 	"strings"
 
@@ -34,9 +35,10 @@ func ParseReport(r io.Reader) (*Feedback, error) {
 // ParseMessageReport parses an aggregate feedback report from a mail message. The
 // maximum message size is 15MB, the maximum report size after decompression is
 // 20MB.
-func ParseMessageReport(log *mlog.Log, r io.ReaderAt) (*Feedback, error) {
+func ParseMessageReport(elog *slog.Logger, r io.ReaderAt) (*Feedback, error) {
+	log := mlog.New("dmarcrpt", elog)
 	// ../rfc/7489:1801
-	p, err := message.Parse(log, true, &moxio.LimitAtReader{R: r, Limit: 15 * 1024 * 1024})
+	p, err := message.Parse(log.Logger, true, &moxio.LimitAtReader{R: r, Limit: 15 * 1024 * 1024})
 	if err != nil {
 		return nil, fmt.Errorf("parsing mail message: %s", err)
 	}
@@ -44,17 +46,17 @@ func ParseMessageReport(log *mlog.Log, r io.ReaderAt) (*Feedback, error) {
 	return parseMessageReport(log, p)
 }
 
-func parseMessageReport(log *mlog.Log, p message.Part) (*Feedback, error) {
+func parseMessageReport(log mlog.Log, p message.Part) (*Feedback, error) {
 	// Pretty much any mime structure is allowed. ../rfc/7489:1861
 	// In practice, some parties will send the report as the only (non-multipart)
 	// content of the message.
 
 	if p.MediaType != "MULTIPART" {
-		return parseReport(p)
+		return parseReport(log, p)
 	}
 
 	for {
-		sp, err := p.ParseNextPart(log)
+		sp, err := p.ParseNextPart(log.Logger)
 		if err == io.EOF {
 			return nil, ErrNoReport
 		}
@@ -70,7 +72,7 @@ func parseMessageReport(log *mlog.Log, p message.Part) (*Feedback, error) {
 	}
 }
 
-func parseReport(p message.Part) (*Feedback, error) {
+func parseReport(log mlog.Log, p message.Part) (*Feedback, error) {
 	ct := strings.ToLower(p.MediaType + "/" + p.MediaSubType)
 	r := p.Reader()
 
@@ -91,7 +93,7 @@ func parseReport(p message.Part) (*Feedback, error) {
 	switch ct {
 	case "application/zip":
 		// Google sends messages with direct application/zip content-type.
-		return parseZip(r)
+		return parseZip(log, r)
 	case "application/gzip", "application/x-gzip":
 		gzr, err := gzip.NewReader(r)
 		if err != nil {
@@ -104,7 +106,7 @@ func parseReport(p message.Part) (*Feedback, error) {
 	return nil, ErrNoReport
 }
 
-func parseZip(r io.Reader) (*Feedback, error) {
+func parseZip(log mlog.Log, r io.Reader) (*Feedback, error) {
 	buf, err := io.ReadAll(r)
 	if err != nil {
 		return nil, fmt.Errorf("reading feedback: %s", err)
@@ -120,6 +122,9 @@ func parseZip(r io.Reader) (*Feedback, error) {
 	if err != nil {
 		return nil, fmt.Errorf("opening file in zip: %s", err)
 	}
-	defer f.Close()
+	defer func() {
+		err := f.Close()
+		log.Check(err, "closing report file in zip file")
+	}()
 	return ParseReport(f)
 }

dmarcrpt/parse_test.go

@@ -11,7 +11,7 @@ import (
 	"github.com/mjl-/mox/mlog"
 )
 
-var xlog = mlog.New("dmarcrpt")
+var pkglog = mlog.New("dmarcrpt", nil)
 
 const reportExample = `<?xml version="1.0" encoding="UTF-8" ?>
 <feedback>
@@ -137,7 +137,7 @@ func TestParseMessageReport(t *testing.T) {
 		if err != nil {
 			t.Fatalf("open %q: %s", p, err)
 		}
-		_, err = ParseMessageReport(xlog, f)
+		_, err = ParseMessageReport(pkglog.Logger, f)
 		if err != nil {
 			t.Fatalf("ParseMessageReport: %q: %s", p, err)
 		}
@@ -145,7 +145,7 @@ func TestParseMessageReport(t *testing.T) {
 	}
 
 	// No report in a non-multipart message.
-	_, err = ParseMessageReport(xlog, strings.NewReader("From: <mjl@mox.example>\r\n\r\nNo report.\r\n"))
+	_, err = ParseMessageReport(pkglog.Logger, strings.NewReader("From: <mjl@mox.example>\r\n\r\nNo report.\r\n"))
 	if err != ErrNoReport {
 		t.Fatalf("message without report, got err %#v, expected ErrNoreport", err)
 	}
@@ -171,7 +171,7 @@ MIME-Version: 1.0
 
 --===============5735553800636657282==--
 `, "\n", "\r\n")
-	_, err = ParseMessageReport(xlog, strings.NewReader(multipartNoreport))
+	_, err = ParseMessageReport(pkglog.Logger, strings.NewReader(multipartNoreport))
 	if err != ErrNoReport {
 		t.Fatalf("message without report, got err %#v, expected ErrNoreport", err)
 	}

dns/dns.go

@@ -5,30 +5,35 @@ package dns
 import (
 	"errors"
 	"fmt"
+	"net"
 	"strings"
 
 	"golang.org/x/net/idna"
 
 	"github.com/mjl-/adns"
-
-	"github.com/mjl-/mox/moxvar"
 )
 
+// Pedantic enables stricter parsing.
+var Pedantic bool
+
 var (
 	errTrailingDot = errors.New("dns name has trailing dot")
 	errUnderscore  = errors.New("domain name with underscore")
 	errIDNA        = errors.New("idna")
+	errIPNotName   = errors.New("ip address while name required")
 )
 
 // Domain is a domain name, with one or more labels, with at least an ASCII
 // representation, and for IDNA non-ASCII domains a unicode representation.
-// The ASCII string must be used for DNS lookups.
+// The ASCII string must be used for DNS lookups. The strings do not have a
+// trailing dot. When using with StrictResolver, add the trailing dot.
 type Domain struct {
 	// A non-unicode domain, e.g. with A-labels (xn--...) or NR-LDH (non-reserved
-	// letters/digits/hyphens) labels. Always in lower case.
+	// letters/digits/hyphens) labels. Always in lower case. No trailing dot.
 	ASCII string
 
-	// Name as U-labels. Empty if this is an ASCII-only domain.
+	// Name as U-labels, in Unicode NFC. Empty if this is an ASCII-only domain. No
+	// trailing dot.
 	Unicode string
 }
 
@@ -67,7 +72,8 @@ func (d Domain) String() string {
 }
 
 // LogString returns a domain for logging.
-// For IDNA names, the string contains both the unicode and ASCII name.
+// For IDNA names, the string is the slash-separated Unicode and ASCII name.
+// For ASCII-only domain names, just the ASCII string is returned.
 func (d Domain) LogString() string {
 	if d.Unicode == "" {
 		return d.ASCII
@@ -84,12 +90,19 @@ func (d Domain) IsZero() bool {
 // labels (unicode).
 // Names are IDN-canonicalized and lower-cased.
 // Characters in unicode can be replaced by equivalents. E.g. "Ⓡ" to "r". This
-// means you should only compare parsed domain names, never strings directly.
+// means you should only compare parsed domain names, never unparsed strings
+// directly.
 func ParseDomain(s string) (Domain, error) {
 	if strings.HasSuffix(s, ".") {
 		return Domain{}, errTrailingDot
 	}
 
+	// IPv4 addresses would be accepted by idna lookups. TLDs cannot be all numerical,
+	// so IP addresses are not valid DNS names.
+	if net.ParseIP(s) != nil {
+		return Domain{}, errIPNotName
+	}
+
 	ascii, err := idna.Lookup.ToASCII(s)
 	if err != nil {
 		return Domain{}, fmt.Errorf("%w: to ascii: %v", errIDNA, err)
@@ -113,7 +126,7 @@ func ParseDomain(s string) (Domain, error) {
 // is not enabled. Used for interoperability, e.g. domains may specify MX
 // targets with underscores.
 func ParseDomainLax(s string) (Domain, error) {
-	if moxvar.Pedantic || !strings.Contains(s, "_") {
+	if Pedantic || !strings.Contains(s, "_") {
 		return ParseDomain(s)
 	}
 
@@ -143,16 +156,19 @@ func ParseDomainLax(s string) (Domain, error) {
 	return Domain{ASCII: s}, nil
 }
 
-// IsNotFound returns whether an error is an adns.DNSError with IsNotFound set.
+// IsNotFound returns whether an error is an adns.DNSError or net.DNSError with
+// IsNotFound set.
+//
 // IsNotFound means the requested type does not exist for the given domain (a
 // nodata or nxdomain response). It doesn't not necessarily mean no other types for
 // that name exist.
 //
 // A DNS server can respond to a lookup with an error "nxdomain" to indicate a
 // name does not exist (at all), or with a success status with an empty list.
-// The Go resolver returns an IsNotFound error for both cases, there is no need
-// to explicitly check for zero entries.
+// The adns resolver (just like the Go resolver) returns an IsNotFound error for
+// both cases, there is no need to explicitly check for zero entries.
 func IsNotFound(err error) bool {
-	var dnsErr *adns.DNSError
-	return err != nil && errors.As(err, &dnsErr) && dnsErr.IsNotFound
+	var adnsErr *adns.DNSError
+	var dnsErr *net.DNSError
+	return err != nil && (errors.As(err, &adnsErr) && adnsErr.IsNotFound || errors.As(err, &dnsErr) && dnsErr.IsNotFound)
 }

dns/examples_test.go

@@ -0,0 +1,36 @@
+package dns_test
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/mjl-/mox/dns"
+)
+
+func ExampleParseDomain() {
+	// ASCII-only domain.
+	basic, err := dns.ParseDomain("example.com")
+	if err != nil {
+		log.Fatalf("parse domain: %v", err)
+	}
+	fmt.Printf("%s\n", basic)
+
+	// IDNA domain xn--74h.example.
+	smile, err := dns.ParseDomain("☺.example")
+	if err != nil {
+		log.Fatalf("parse domain: %v", err)
+	}
+	fmt.Printf("%s\n", smile)
+
+	// ASCII only domain curl.se in surprisingly allowed spelling.
+	surprising, err := dns.ParseDomain("ℂᵤⓇℒ。𝐒🄴")
+	if err != nil {
+		log.Fatalf("parse domain: %v", err)
+	}
+	fmt.Printf("%s\n", surprising)
+
+	// Output:
+	// example.com
+	// ☺.example/xn--74h.example
+	// curl.se
+}

dns/mock.go

@@ -4,8 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
-
-	"golang.org/x/exp/slices"
+	"slices"
 
 	"github.com/mjl-/adns"
 )

dns/resolver.go

@@ -4,43 +4,29 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"log/slog"
 	"net"
 	"os"
 	"runtime"
 	"strings"
 	"time"
 
-	"github.com/prometheus/client_golang/prometheus"
-	"github.com/prometheus/client_golang/prometheus/promauto"
-
 	"github.com/mjl-/adns"
 
 	"github.com/mjl-/mox/mlog"
+	"github.com/mjl-/mox/stub"
 )
 
 // todo future: replace with a dnssec capable resolver
 // todo future: change to interface that is closer to DNS. 1. expose nxdomain vs success with zero entries: nxdomain means the name does not exist for any dns resource record type, success with zero records means the name exists for other types than the requested type; 2. add ability to not follow cname records when resolving. the net resolver automatically follows cnames for LookupHost, LookupIP, LookupIPAddr. when resolving names found in mx records, we explicitly must not follow cnames. that seems impossible at the moment. 3. when looking up a cname, actually lookup the record? "net" LookupCNAME will return the requested name with no error if there is no CNAME record. because it returns the canonical name.
 // todo future: add option to not use anything in the cache, for the admin pages where you check the latest DNS settings, ignoring old cached info.
 
-var xlog = mlog.New("dns")
-
 func init() {
 	net.DefaultResolver.StrictErrors = true
 }
 
 var (
-	metricLookup = promauto.NewHistogramVec(
-		prometheus.HistogramOpts{
-			Name:    "mox_dns_lookup_duration_seconds",
-			Help:    "DNS lookups.",
-			Buckets: []float64{0.001, 0.005, 0.01, 0.05, 0.100, 0.5, 1, 5, 10, 20, 30},
-		},
-		[]string{
-			"pkg",
-			"type",   // Lower-case Resolver method name without leading Lookup.
-			"result", // ok, nxdomain, temporary, timeout, canceled, error
-		},
-	)
+	MetricLookup stub.HistogramVec = stub.HistogramVecIgnore{}
 )
 
 // Resolver is the interface strict resolver implements.
@@ -74,6 +60,15 @@ func WithPackage(resolver Resolver, name string) Resolver {
 type StrictResolver struct {
 	Pkg      string         // Name of subsystem that is making DNS requests, for metrics.
 	Resolver *adns.Resolver // Where the actual lookups are done. If nil, adns.DefaultResolver is used for lookups.
+	Log      *slog.Logger
+}
+
+func (r StrictResolver) log() mlog.Log {
+	pkg := r.Pkg
+	if pkg == "" {
+		pkg = "dns"
+	}
+	return mlog.New(pkg, r.Log)
 }
 
 var _ Resolver = StrictResolver{}
@@ -97,7 +92,7 @@ func metricLookupObserve(pkg, typ string, err error, start time.Time) {
 	default:
 		result = "error"
 	}
-	metricLookup.WithLabelValues(pkg, typ, result).Observe(float64(time.Since(start)) / float64(time.Second))
+	MetricLookup.ObserveLabels(float64(time.Since(start))/float64(time.Second), pkg, typ, result)
 }
 
 func (r StrictResolver) WithPackage(name string) Resolver {
@@ -133,13 +128,12 @@ func (r StrictResolver) LookupPort(ctx context.Context, network, service string)
 	start := time.Now()
 	defer func() {
 		metricLookupObserve(r.Pkg, "port", err, start)
-		xlog.WithContext(ctx).Debugx("dns lookup result", err,
-			mlog.Field("pkg", r.Pkg),
-			mlog.Field("type", "port"),
-			mlog.Field("network", network),
-			mlog.Field("service", service),
-			mlog.Field("resp", resp),
-			mlog.Field("duration", time.Since(start)),
+		r.log().WithContext(ctx).Debugx("dns lookup result", err,
+			slog.String("type", "port"),
+			slog.String("network", network),
+			slog.String("service", service),
+			slog.Int("resp", resp),
+			slog.Duration("duration", time.Since(start)),
 		)
 	}()
 	defer resolveErrorHint(&err)
@@ -152,13 +146,12 @@ func (r StrictResolver) LookupAddr(ctx context.Context, addr string) (resp []str
 	start := time.Now()
 	defer func() {
 		metricLookupObserve(r.Pkg, "addr", err, start)
-		xlog.WithContext(ctx).Debugx("dns lookup result", err,
-			mlog.Field("pkg", r.Pkg),
-			mlog.Field("type", "addr"),
-			mlog.Field("addr", addr),
-			mlog.Field("resp", resp),
-			mlog.Field("authentic", result.Authentic),
-			mlog.Field("duration", time.Since(start)),
+		r.log().WithContext(ctx).Debugx("dns lookup result", err,
+			slog.String("type", "addr"),
+			slog.String("addr", addr),
+			slog.Any("resp", resp),
+			slog.Bool("authentic", result.Authentic),
+			slog.Duration("duration", time.Since(start)),
 		)
 	}()
 	defer resolveErrorHint(&err)
@@ -179,13 +172,12 @@ func (r StrictResolver) LookupCNAME(ctx context.Context, host string) (resp stri
 	start := time.Now()
 	defer func() {
 		metricLookupObserve(r.Pkg, "cname", err, start)
-		xlog.WithContext(ctx).Debugx("dns lookup result", err,
-			mlog.Field("pkg", r.Pkg),
-			mlog.Field("type", "cname"),
-			mlog.Field("host", host),
-			mlog.Field("resp", resp),
-			mlog.Field("authentic", result.Authentic),
-			mlog.Field("duration", time.Since(start)),
+		r.log().WithContext(ctx).Debugx("dns lookup result", err,
+			slog.String("type", "cname"),
+			slog.String("host", host),
+			slog.String("resp", resp),
+			slog.Bool("authentic", result.Authentic),
+			slog.Duration("duration", time.Since(start)),
 		)
 	}()
 	defer resolveErrorHint(&err)
@@ -209,13 +201,12 @@ func (r StrictResolver) LookupHost(ctx context.Context, host string) (resp []str
 	start := time.Now()
 	defer func() {
 		metricLookupObserve(r.Pkg, "host", err, start)
-		xlog.WithContext(ctx).Debugx("dns lookup result", err,
-			mlog.Field("pkg", r.Pkg),
-			mlog.Field("type", "host"),
-			mlog.Field("host", host),
-			mlog.Field("resp", resp),
-			mlog.Field("authentic", result.Authentic),
-			mlog.Field("duration", time.Since(start)),
+		r.log().WithContext(ctx).Debugx("dns lookup result", err,
+			slog.String("type", "host"),
+			slog.String("host", host),
+			slog.Any("resp", resp),
+			slog.Bool("authentic", result.Authentic),
+			slog.Duration("duration", time.Since(start)),
 		)
 	}()
 	defer resolveErrorHint(&err)
@@ -231,14 +222,13 @@ func (r StrictResolver) LookupIP(ctx context.Context, network, host string) (res
 	start := time.Now()
 	defer func() {
 		metricLookupObserve(r.Pkg, "ip", err, start)
-		xlog.WithContext(ctx).Debugx("dns lookup result", err,
-			mlog.Field("pkg", r.Pkg),
-			mlog.Field("type", "ip"),
-			mlog.Field("network", network),
-			mlog.Field("host", host),
-			mlog.Field("resp", resp),
-			mlog.Field("authentic", result.Authentic),
-			mlog.Field("duration", time.Since(start)),
+		r.log().WithContext(ctx).Debugx("dns lookup result", err,
+			slog.String("type", "ip"),
+			slog.String("network", network),
+			slog.String("host", host),
+			slog.Any("resp", resp),
+			slog.Bool("authentic", result.Authentic),
+			slog.Duration("duration", time.Since(start)),
 		)
 	}()
 	defer resolveErrorHint(&err)
@@ -254,13 +244,12 @@ func (r StrictResolver) LookupIPAddr(ctx context.Context, host string) (resp []n
 	start := time.Now()
 	defer func() {
 		metricLookupObserve(r.Pkg, "ipaddr", err, start)
-		xlog.WithContext(ctx).Debugx("dns lookup result", err,
-			mlog.Field("pkg", r.Pkg),
-			mlog.Field("type", "ipaddr"),
-			mlog.Field("host", host),
-			mlog.Field("resp", resp),
-			mlog.Field("authentic", result.Authentic),
-			mlog.Field("duration", time.Since(start)),
+		r.log().WithContext(ctx).Debugx("dns lookup result", err,
+			slog.String("type", "ipaddr"),
+			slog.String("host", host),
+			slog.Any("resp", resp),
+			slog.Bool("authentic", result.Authentic),
+			slog.Duration("duration", time.Since(start)),
 		)
 	}()
 	defer resolveErrorHint(&err)
@@ -276,13 +265,12 @@ func (r StrictResolver) LookupMX(ctx context.Context, name string) (resp []*net.
 	start := time.Now()
 	defer func() {
 		metricLookupObserve(r.Pkg, "mx", err, start)
-		xlog.WithContext(ctx).Debugx("dns lookup result", err,
-			mlog.Field("pkg", r.Pkg),
-			mlog.Field("type", "mx"),
-			mlog.Field("name", name),
-			mlog.Field("resp", resp),
-			mlog.Field("authentic", result.Authentic),
-			mlog.Field("duration", time.Since(start)),
+		r.log().WithContext(ctx).Debugx("dns lookup result", err,
+			slog.String("type", "mx"),
+			slog.String("name", name),
+			slog.Any("resp", resp),
+			slog.Bool("authentic", result.Authentic),
+			slog.Duration("duration", time.Since(start)),
 		)
 	}()
 	defer resolveErrorHint(&err)
@@ -298,13 +286,12 @@ func (r StrictResolver) LookupNS(ctx context.Context, name string) (resp []*net.
 	start := time.Now()
 	defer func() {
 		metricLookupObserve(r.Pkg, "ns", err, start)
-		xlog.WithContext(ctx).Debugx("dns lookup result", err,
-			mlog.Field("pkg", r.Pkg),
-			mlog.Field("type", "ns"),
-			mlog.Field("name", name),
-			mlog.Field("resp", resp),
-			mlog.Field("authentic", result.Authentic),
-			mlog.Field("duration", time.Since(start)),
+		r.log().WithContext(ctx).Debugx("dns lookup result", err,
+			slog.String("type", "ns"),
+			slog.String("name", name),
+			slog.Any("resp", resp),
+			slog.Bool("authentic", result.Authentic),
+			slog.Duration("duration", time.Since(start)),
 		)
 	}()
 	defer resolveErrorHint(&err)
@@ -320,16 +307,15 @@ func (r StrictResolver) LookupSRV(ctx context.Context, service, proto, name stri
 	start := time.Now()
 	defer func() {
 		metricLookupObserve(r.Pkg, "srv", err, start)
-		xlog.WithContext(ctx).Debugx("dns lookup result", err,
-			mlog.Field("pkg", r.Pkg),
-			mlog.Field("type", "srv"),
-			mlog.Field("service", service),
-			mlog.Field("proto", proto),
-			mlog.Field("name", name),
-			mlog.Field("resp0", resp0),
-			mlog.Field("resp1", resp1),
-			mlog.Field("authentic", result.Authentic),
-			mlog.Field("duration", time.Since(start)),
+		r.log().WithContext(ctx).Debugx("dns lookup result", err,
+			slog.String("type", "srv"),
+			slog.String("service", service),
+			slog.String("proto", proto),
+			slog.String("name", name),
+			slog.String("resp0", resp0),
+			slog.Any("resp1", resp1),
+			slog.Bool("authentic", result.Authentic),
+			slog.Duration("duration", time.Since(start)),
 		)
 	}()
 	defer resolveErrorHint(&err)
@@ -345,13 +331,12 @@ func (r StrictResolver) LookupTXT(ctx context.Context, name string) (resp []stri
 	start := time.Now()
 	defer func() {
 		metricLookupObserve(r.Pkg, "txt", err, start)
-		xlog.WithContext(ctx).Debugx("dns lookup result", err,
-			mlog.Field("pkg", r.Pkg),
-			mlog.Field("type", "txt"),
-			mlog.Field("name", name),
-			mlog.Field("resp", resp),
-			mlog.Field("authentic", result.Authentic),
-			mlog.Field("duration", time.Since(start)),
+		r.log().WithContext(ctx).Debugx("dns lookup result", err,
+			slog.String("type", "txt"),
+			slog.String("name", name),
+			slog.Any("resp", resp),
+			slog.Bool("authentic", result.Authentic),
+			slog.Duration("duration", time.Since(start)),
 		)
 	}()
 	defer resolveErrorHint(&err)
@@ -367,15 +352,14 @@ func (r StrictResolver) LookupTLSA(ctx context.Context, port int, protocol, host
 	start := time.Now()
 	defer func() {
 		metricLookupObserve(r.Pkg, "tlsa", err, start)
-		xlog.WithContext(ctx).Debugx("dns lookup result", err,
-			mlog.Field("pkg", r.Pkg),
-			mlog.Field("type", "tlsa"),
-			mlog.Field("port", port),
-			mlog.Field("protocol", protocol),
-			mlog.Field("host", host),
-			mlog.Field("resp", resp),
-			mlog.Field("authentic", result.Authentic),
-			mlog.Field("duration", time.Since(start)),
+		r.log().WithContext(ctx).Debugx("dns lookup result", err,
+			slog.String("type", "tlsa"),
+			slog.Int("port", port),
+			slog.String("protocol", protocol),
+			slog.String("host", host),
+			slog.Any("resp", resp),
+			slog.Bool("authentic", result.Authentic),
+			slog.Duration("duration", time.Since(start)),
 		)
 	}()
 	defer resolveErrorHint(&err)

dnsbl/dnsbl.go

@@ -1,39 +1,39 @@
 // Package dnsbl implements DNS block lists (RFC 5782), for checking incoming messages from sources without reputation.
+//
+// A DNS block list contains IP addresses that should be blocked. The DNSBL is
+// queried using DNS "A" lookups. The DNSBL starts at a "zone", e.g.
+// "dnsbl.example". To look up whether an IP address is listed, a DNS name is
+// composed: For 10.11.12.13, that name would be "13.12.11.10.dnsbl.example". If
+// the lookup returns "record does not exist", the IP is not listed. If an IP
+// address is returned, the IP is listed. If an IP is listed, an additional TXT
+// lookup is done for more information about the block. IPv6 addresses are also
+// looked up with an DNS "A" lookup of a name similar to an IPv4 address, but with
+// 4-bit hexadecimal dot-separated characters, in reverse.
+//
+// The health of a DNSBL "zone" can be checked through a lookup of 127.0.0.1
+// (must not be present) and 127.0.0.2 (must be present).
 package dnsbl
 
 import (
 	"context"
 	"errors"
 	"fmt"
+	"log/slog"
 	"net"
 	"strconv"
 	"strings"
 	"time"
 
-	"github.com/prometheus/client_golang/prometheus"
-	"github.com/prometheus/client_golang/prometheus/promauto"
-
 	"github.com/mjl-/mox/dns"
 	"github.com/mjl-/mox/mlog"
+	"github.com/mjl-/mox/stub"
 )
 
-var xlog = mlog.New("dnsbl")
-
 var (
-	metricLookup = promauto.NewHistogramVec(
-		prometheus.HistogramOpts{
-			Name:    "mox_dnsbl_lookup_duration_seconds",
-			Help:    "DNSBL lookup",
-			Buckets: []float64{0.001, 0.005, 0.01, 0.05, 0.100, 0.5, 1, 5, 10, 20},
-		},
-		[]string{
-			"zone",
-			"status",
-		},
-	)
+	MetricLookup stub.HistogramVec = stub.HistogramVecIgnore{}
 )
 
-var ErrDNS = errors.New("dnsbl: dns error")
+var ErrDNS = errors.New("dnsbl: dns error") // Temporary error.
 
 // Status is the result of a DNSBL lookup.
 type Status string
@@ -45,12 +45,17 @@ var (
 )
 
 // Lookup checks if "ip" occurs in the DNS block list "zone" (e.g. dnsbl.example.org).
-func Lookup(ctx context.Context, resolver dns.Resolver, zone dns.Domain, ip net.IP) (rstatus Status, rexplanation string, rerr error) {
-	log := xlog.WithContext(ctx)
+func Lookup(ctx context.Context, elog *slog.Logger, resolver dns.Resolver, zone dns.Domain, ip net.IP) (rstatus Status, rexplanation string, rerr error) {
+	log := mlog.New("dnsbl", elog)
 	start := time.Now()
 	defer func() {
-		metricLookup.WithLabelValues(zone.Name(), string(rstatus)).Observe(float64(time.Since(start)) / float64(time.Second))
-		log.Debugx("dnsbl lookup result", rerr, mlog.Field("zone", zone), mlog.Field("ip", ip), mlog.Field("status", rstatus), mlog.Field("explanation", rexplanation), mlog.Field("duration", time.Since(start)))
+		MetricLookup.ObserveLabels(float64(time.Since(start))/float64(time.Second), zone.Name(), string(rstatus))
+		log.Debugx("dnsbl lookup result", rerr,
+			slog.Any("zone", zone),
+			slog.Any("ip", ip),
+			slog.Any("status", rstatus),
+			slog.String("explanation", rexplanation),
+			slog.Duration("duration", time.Since(start)))
 	}()
 
 	b := &strings.Builder{}
@@ -93,7 +98,7 @@ func Lookup(ctx context.Context, resolver dns.Resolver, zone dns.Domain, ip net.
 	if dns.IsNotFound(err) {
 		return StatusFail, "", nil
 	} else if err != nil {
-		log.Debugx("looking up txt record from dnsbl", err, mlog.Field("addr", addr))
+		log.Debugx("looking up txt record from dnsbl", err, slog.String("addr", addr))
 		return StatusFail, "", nil
 	}
 	return StatusFail, strings.Join(txts, "; "), nil
@@ -104,16 +109,16 @@ func Lookup(ctx context.Context, resolver dns.Resolver, zone dns.Domain, ip net.
 // Users of a DNSBL should periodically check if the DNSBL is still operating
 // properly.
 // For temporary errors, ErrDNS is returned.
-func CheckHealth(ctx context.Context, resolver dns.Resolver, zone dns.Domain) (rerr error) {
-	log := xlog.WithContext(ctx)
+func CheckHealth(ctx context.Context, elog *slog.Logger, resolver dns.Resolver, zone dns.Domain) (rerr error) {
+	log := mlog.New("dnsbl", elog)
 	start := time.Now()
 	defer func() {
-		log.Debugx("dnsbl healthcheck result", rerr, mlog.Field("zone", zone), mlog.Field("duration", time.Since(start)))
+		log.Debugx("dnsbl healthcheck result", rerr, slog.Any("zone", zone), slog.Duration("duration", time.Since(start)))
 	}()
 
 	// ../rfc/5782:355
-	status1, _, err1 := Lookup(ctx, resolver, zone, net.IPv4(127, 0, 0, 1))
-	status2, _, err2 := Lookup(ctx, resolver, zone, net.IPv4(127, 0, 0, 2))
+	status1, _, err1 := Lookup(ctx, log.Logger, resolver, zone, net.IPv4(127, 0, 0, 1))
+	status2, _, err2 := Lookup(ctx, log.Logger, resolver, zone, net.IPv4(127, 0, 0, 2))
 	if status1 == StatusPass && status2 == StatusFail {
 		return nil
 	} else if status1 == StatusFail {

dnsbl/dnsbl_test.go

@@ -6,10 +6,12 @@ import (
 	"testing"
 
 	"github.com/mjl-/mox/dns"
+	"github.com/mjl-/mox/mlog"
 )
 
 func TestDNSBL(t *testing.T) {
 	ctx := context.Background()
+	log := mlog.New("dnsbl", nil)
 
 	resolver := dns.MockResolver{
 		A: map[string][]string{
@@ -23,7 +25,7 @@ func TestDNSBL(t *testing.T) {
 		},
 	}
 
-	if status, expl, err := Lookup(ctx, resolver, dns.Domain{ASCII: "example.com"}, net.ParseIP("10.0.0.1")); err != nil {
+	if status, expl, err := Lookup(ctx, log.Logger, resolver, dns.Domain{ASCII: "example.com"}, net.ParseIP("10.0.0.1")); err != nil {
 		t.Fatalf("lookup: %v", err)
 	} else if status != StatusFail {
 		t.Fatalf("lookup, got status %v, expected fail", status)
@@ -31,7 +33,7 @@ func TestDNSBL(t *testing.T) {
 		t.Fatalf("lookup, got explanation %q", expl)
 	}
 
-	if status, expl, err := Lookup(ctx, resolver, dns.Domain{ASCII: "example.com"}, net.ParseIP("2001:db8:1:2:3:4:567:89ab")); err != nil {
+	if status, expl, err := Lookup(ctx, log.Logger, resolver, dns.Domain{ASCII: "example.com"}, net.ParseIP("2001:db8:1:2:3:4:567:89ab")); err != nil {
 		t.Fatalf("lookup: %v", err)
 	} else if status != StatusFail {
 		t.Fatalf("lookup, got status %v, expected fail", status)
@@ -39,17 +41,17 @@ func TestDNSBL(t *testing.T) {
 		t.Fatalf("lookup, got explanation %q", expl)
 	}
 
-	if status, _, err := Lookup(ctx, resolver, dns.Domain{ASCII: "example.com"}, net.ParseIP("10.0.0.2")); err != nil {
+	if status, _, err := Lookup(ctx, log.Logger, resolver, dns.Domain{ASCII: "example.com"}, net.ParseIP("10.0.0.2")); err != nil {
 		t.Fatalf("lookup: %v", err)
 	} else if status != StatusPass {
 		t.Fatalf("lookup, got status %v, expected pass", status)
 	}
 
 	// ../rfc/5782:357
-	if err := CheckHealth(ctx, resolver, dns.Domain{ASCII: "example.com"}); err != nil {
+	if err := CheckHealth(ctx, log.Logger, resolver, dns.Domain{ASCII: "example.com"}); err != nil {
 		t.Fatalf("dnsbl not healthy: %v", err)
 	}
-	if err := CheckHealth(ctx, resolver, dns.Domain{ASCII: "example.org"}); err == nil {
+	if err := CheckHealth(ctx, log.Logger, resolver, dns.Domain{ASCII: "example.org"}); err == nil {
 		t.Fatalf("bad dnsbl is healthy")
 	}
 
@@ -58,7 +60,7 @@ func TestDNSBL(t *testing.T) {
 			"1.0.0.127.example.com.": {"127.0.0.2"}, // Should not be present in healthy dnsbl.
 		},
 	}
-	if err := CheckHealth(ctx, unhealthyResolver, dns.Domain{ASCII: "example.com"}); err == nil {
+	if err := CheckHealth(ctx, log.Logger, unhealthyResolver, dns.Domain{ASCII: "example.com"}); err == nil {
 		t.Fatalf("bad dnsbl is healthy")
 	}
 }

dnsbl/examples_test.go

@@ -0,0 +1,30 @@
+package dnsbl_test
+
+import (
+	"context"
+	"log"
+	"log/slog"
+	"net"
+
+	"github.com/mjl-/mox/dns"
+	"github.com/mjl-/mox/dnsbl"
+)
+
+func ExampleLookup() {
+	ctx := context.Background()
+	resolver := dns.StrictResolver{}
+
+	// Lookup if ip 127.0.0.2 is in spamhaus blocklist at zone sbl.spamhaus.org.
+	status, explanation, err := dnsbl.Lookup(ctx, slog.Default(), resolver, dns.Domain{ASCII: "sbl.spamhaus.org"}, net.ParseIP("127.0.0.2"))
+	if err != nil {
+		log.Fatalf("dnsbl lookup: %v", err)
+	}
+	switch status {
+	case dnsbl.StatusTemperr:
+		log.Printf("dnsbl lookup, temporary dns error: %v", err)
+	case dnsbl.StatusPass:
+		log.Printf("dnsbl lookup, ip not listed")
+	case dnsbl.StatusFail:
+		log.Printf("dnsbl lookup, ip listed: %s", explanation)
+	}
+}

docker-compose-imaptest.yml

@@ -1,13 +1,12 @@
-version: '3.7'
 services:
   mox:
     build:
       context: .
       dockerfile: Dockerfile.moximaptest
     volumes:
-      - ./testdata/imaptest/config:/mox/config
-      - ./testdata/imaptest/data:/mox/data
-      - ./testdata/imaptest/imaptest.mbox:/mox/imaptest.mbox
+      - ./testdata/imaptest/config:/mox/config:z
+      - ./testdata/imaptest/data:/mox/data:z
+      - ./testdata/imaptest/imaptest.mbox:/mox/imaptest.mbox:z
     working_dir: /mox
     tty: true # For job control with set -m.
     command: sh -c 'set -m; mox serve & sleep 1; echo testtest | mox setaccountpassword mjl; fg'
@@ -24,7 +23,7 @@ services:
     command: host=mox port=1143 'user=mjl@mox.example' pass=testtest mbox=/imaptest/imaptest.mbox
     working_dir: /imaptest
     volumes:
-      - ./testdata/imaptest:/imaptest
+      - ./testdata/imaptest:/imaptest:z
     depends_on:
       mox:
         condition: service_healthy

docker-compose-integration.yml

@@ -1,4 +1,3 @@
-version: '3.7'
 services:
   # We run integration_test.go from this container, it connects to the other mox instances.
   test:
@@ -9,11 +8,11 @@ services:
     # dials in integration_test.go succeed.
     command: ["sh", "-c", "set -ex; cat /integration/tmp-pebble-ca.pem /integration/tls/ca.pem >>/etc/ssl/certs/ca-certificates.crt; go test -tags integration"]
     volumes:
-      - ./.go:/.go
-      - ./testdata/integration/resolv.conf:/etc/resolv.conf
-      - ./testdata/integration:/integration
-      - ./testdata/integration/moxsubmit.conf:/etc/moxsubmit.conf
-      - .:/mox
+      - ./.go:/.go:z
+      - ./testdata/integration/resolv.conf:/etc/resolv.conf:z
+      - ./testdata/integration:/integration:z
+      - ./testdata/integration/moxsubmit.conf:/etc/moxsubmit.conf:z
+      - .:/mox:z
     environment:
       GOCACHE: /.go/.cache/go-build
     depends_on:
@@ -26,6 +25,8 @@ services:
         condition: service_healthy
       localserve:
         condition: service_healthy
+      moxacmepebblealpn:
+        condition: service_healthy
     networks:
       mailnet1:
         ipv4_address: 172.28.1.50
@@ -39,8 +40,8 @@ services:
       MOX_UID: "${MOX_UID}"
     command: ["sh", "-c", "/integration/moxacmepebble.sh"]
     volumes:
-      - ./testdata/integration/resolv.conf:/etc/resolv.conf
-      - ./testdata/integration:/integration
+      - ./testdata/integration/resolv.conf:/etc/resolv.conf:z
+      - ./testdata/integration:/integration:z
     healthcheck:
       test: netstat -nlt | grep ':25 '
       interval: 1s
@@ -64,8 +65,8 @@ services:
       MOX_UID: "${MOX_UID}"
     command: ["sh", "-c", "/integration/moxmail2.sh"]
     volumes:
-      - ./testdata/integration/resolv.conf:/etc/resolv.conf
-      - ./testdata/integration:/integration
+      - ./testdata/integration/resolv.conf:/etc/resolv.conf:z
+      - ./testdata/integration:/integration:z
     healthcheck:
       test: netstat -nlt | grep ':25 '
       interval: 1s
@@ -83,15 +84,40 @@ services:
       mailnet1:
         ipv4_address: 172.28.1.20
 
+  # Third mox instance that uses ACME with pebble and has ALPN enabled.
+  moxacmepebblealpn:
+    hostname: moxacmepebblealpn.mox1.example
+    domainname: mox1.example
+    image: mox_integration_moxmail
+    environment:
+      MOX_UID: "${MOX_UID}"
+    command: ["sh", "-c", "/integration/moxacmepebblealpn.sh"]
+    volumes:
+      - ./testdata/integration/resolv.conf:/etc/resolv.conf:z
+      - ./testdata/integration:/integration:z
+    healthcheck:
+      test: netstat -nlt | grep ':25 '
+      interval: 1s
+      timeout: 1s
+      retries: 10
+    depends_on:
+      dns:
+        condition: service_healthy
+      acmepebble:
+        condition: service_healthy
+    networks:
+      mailnet1:
+        ipv4_address: 172.28.1.80
+
   localserve:
     hostname: localserve.mox1.example
     domainname: mox1.example
     image: mox_integration_moxmail
     command: ["sh", "-c", "set -e; chmod o+r /etc/resolv.conf; mox -checkconsistency localserve -ip 172.28.1.60"]
     volumes:
-      - ./.go:/.go
-      - ./testdata/integration/resolv.conf:/etc/resolv.conf
-      - .:/mox
+      - ./.go:/.go:z
+      - ./testdata/integration/resolv.conf:/etc/resolv.conf:z
+      - .:/mox:z
     environment:
       GOCACHE: /.go/.cache/go-build
     healthcheck:
@@ -114,8 +140,8 @@ services:
       context: testdata/integration
     volumes:
       # todo: figure out how to mount files with a uid that the process in the container can read...
-      - ./testdata/integration/resolv.conf:/etc/resolv.conf
-    command: ["sh", "-c", "set -e; chmod o+r /etc/resolv.conf; (echo 'maillog_file = /dev/stdout'; echo 'mydestination = $$myhostname, localhost.$$mydomain, localhost, $$mydomain') >>/etc/postfix/main.cf; echo 'root: moxtest1@mox1.example' >>/etc/postfix/aliases; newaliases; postfix start-fg"]
+      - ./testdata/integration/resolv.conf:/etc/resolv.conf:z
+    command: ["sh", "-c", "set -e; chmod o+r /etc/resolv.conf; (echo 'maillog_file = /dev/stdout'; echo 'mydestination = $$myhostname, localhost.$$mydomain, localhost, $$mydomain'; echo 'smtp_tls_security_level = may') >>/etc/postfix/main.cf; echo 'root: postfix@mox1.example' >>/etc/postfix/aliases; newaliases; postfix start-fg"]
     healthcheck:
       test: netstat -nlt | grep ':25 '
       interval: 1s
@@ -135,8 +161,8 @@ services:
       # todo: figure out how to build from dockerfile with empty context without creating empty dirs in file system.
       context: testdata/integration
     volumes:
-      - ./testdata/integration/resolv.conf:/etc/resolv.conf
-      - ./testdata/integration:/integration
+      - ./testdata/integration/resolv.conf:/etc/resolv.conf:z
+      - ./testdata/integration:/integration:z
     # We start with a base example.zone, but moxacmepebble appends its records,
     # followed by moxmail2. They restart unbound after appending records.
     command: ["sh", "-c", "set -ex; ls -l /etc/resolv.conf; chmod o+r /etc/resolv.conf; install -m 640 -o unbound /integration/unbound.conf /etc/unbound/; chmod 755 /integration; chmod 644 /integration/*.zone; cp /integration/example.zone /integration/example-integration.zone; ls -ld /integration /integration/reverse.zone; unbound -d -p -v"]
@@ -156,8 +182,8 @@ services:
     hostname: acmepebble.example
     image: docker.io/letsencrypt/pebble:v2.3.1@sha256:fc5a537bf8fbc7cc63aa24ec3142283aa9b6ba54529f86eb8ff31fbde7c5b258
     volumes:
-      - ./testdata/integration/resolv.conf:/etc/resolv.conf
-      - ./testdata/integration:/integration
+      - ./testdata/integration/resolv.conf:/etc/resolv.conf:z
+      - ./testdata/integration:/integration:z
     command: ["sh", "-c", "set -ex; mount; ls -l /etc/resolv.conf; chmod o+r /etc/resolv.conf; pebble -config /integration/pebble-config.json"]
     ports:
       - 14000:14000  # ACME port

docker-compose.yml

@@ -10,8 +10,23 @@
 # After following the quickstart instructions you can start mox:
 #
 # 	docker-compose up
+#
+#
+# If you want to run "mox localserve", you could start it like this:
+#
+#	docker run \
+#		-p 127.0.0.1:25:1025 \
+#		-p 127.0.0.1:465:1465 \
+#		-p 127.0.0.1:587:1587 \
+#		-p 127.0.0.1:993:1993 \
+#		-p 127.0.0.1:143:1143 \
+#		-p 127.0.0.1:443:1443 \
+#		-p 127.0.0.1:80:1080 \
+#		r.xmox.nl/mox:latest mox localserve -ip 0.0.0.0
+#
+# The -ip flag ensures connections to the published ports make it to mox, and it
+# prevents listening on ::1 (IPv6 is not enabled in docker by default).
 
-version: '3.7'
 services:
   mox:
     # Replace "latest" with the version you want to run, see https://r.xmox.nl/r/mox/.
@@ -23,11 +38,11 @@ services:
     # machine, and the IPs of incoming connections for spam filtering.
     network_mode: 'host'
     volumes:
-      - ./config:/mox/config
-      - ./data:/mox/data
+      - ./config:/mox/config:z
+      - ./data:/mox/data:z
       # web is optional but recommended to bind in, useful for serving static files with
       # the webserver.
-      - ./web:/mox/web
+      - ./web:/mox/web:z
     working_dir: /mox
     restart: on-failure
     healthcheck:

dsn/dsn.go

@@ -5,22 +5,17 @@ package dsn
 import (
 	"bufio"
 	"bytes"
-	"context"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
 	"mime/multipart"
 	"net/textproto"
-	"strconv"
 	"strings"
 	"time"
 
-	"github.com/mjl-/mox/dkim"
-	"github.com/mjl-/mox/dns"
 	"github.com/mjl-/mox/message"
 	"github.com/mjl-/mox/mlog"
-	"github.com/mjl-/mox/mox-"
 	"github.com/mjl-/mox/smtp"
 )
 
@@ -46,13 +41,18 @@ type Message struct {
 	// Message subject header, e.g. describing mail delivery failure.
 	Subject string
 
-	// Set when message is composed.
 	MessageID string
 
 	// References header, with Message-ID of original message this DSN is about. So
 	// mail user-agents will thread the DSN with the original message.
 	References string
 
+	// For message submitted with FUTURERELEASE SMTP extension. Value is either "for;"
+	// plus original interval in seconds or "until;" plus original UTC RFC3339
+	// date-time.
+	FutureReleaseRequest string
+	// ../rfc/4865:315
+
 	// Human-readable text explaining the failure. Line endings should be
 	// bare newlines, not \r\n. They are converted to \r\n when composing.
 	TextBody string
@@ -99,9 +99,10 @@ type Recipient struct {
 	Action         Action
 
 	// Enhanced status code. First digit indicates permanent or temporary
-	// error. If the string contains more than just a status, that
-	// additional text is added as comment when composing a DSN.
+	// error.
 	Status string
+	// For additional details, included in comment.
+	StatusComment string
 
 	// Optional fields.
 	// Original intended recipient of message. Used with the DSN extensions ORCPT
@@ -113,10 +114,10 @@ type Recipient struct {
 	// deliveries.
 	RemoteMTA NameIP
 
-	// If RemoteMTA is present, DiagnosticCode is from remote. When
-	// creating a DSN, additional text in the string will be added to the
-	// DSN as comment.
-	DiagnosticCode  string
+	// DiagnosticCodeSMTP are the full SMTP response lines, space separated. The marshaled
+	// form starts with "smtp; ", this value does not.
+	DiagnosticCodeSMTP string
+
 	LastAttemptDate time.Time
 	FinalLogID      string
 
@@ -134,8 +135,8 @@ type Recipient struct {
 // supports smtputf8. This influences the message media (sub)types used for the
 // DSN.
 //
-// DKIM signatures are added if DKIM signing is configured for the "from" domain.
-func (m *Message) Compose(log *mlog.Log, smtputf8 bool) ([]byte, error) {
+// Called may want to add DKIM-Signature headers.
+func (m *Message) Compose(log mlog.Log, smtputf8 bool) ([]byte, error) {
 	// ../rfc/3462:119
 	// ../rfc/3464:377
 	// We'll make a multipart/report with 2 or 3 parts:
@@ -166,7 +167,9 @@ func (m *Message) Compose(log *mlog.Log, smtputf8 bool) ([]byte, error) {
 	header("From", fmt.Sprintf("<%s>", m.From.XString(smtputf8))) // todo: would be good to have a local ascii-only name for this address.
 	header("To", fmt.Sprintf("<%s>", m.To.XString(smtputf8)))     // todo: we could just leave this out if it has utf-8 and remote does not support utf-8.
 	header("Subject", m.Subject)
-	m.MessageID = mox.MessageIDGen(smtputf8)
+	if m.MessageID == "" {
+		return nil, fmt.Errorf("missing message-id")
+	}
 	header("Message-Id", fmt.Sprintf("<%s>", m.MessageID))
 	if m.References != "" {
 		header("References", m.References)
@@ -233,6 +236,10 @@ func (m *Message) Compose(log *mlog.Log, smtputf8 bool) ([]byte, error) {
 		status("Received-From-MTA", fmt.Sprintf("dns;%s (%s)", m.ReceivedFromMTA.Name, smtp.AddressLiteral(m.ReceivedFromMTA.ConnIP)))
 	}
 	status("Arrival-Date", m.ArrivalDate.Format(message.RFC5322Z)) // ../rfc/3464:758
+	if m.FutureReleaseRequest != "" {
+		// ../rfc/4865:320
+		status("Future-Release-Request", m.FutureReleaseRequest)
+	}
 
 	// Then per-recipient fields. ../rfc/3464:769
 	// todo: should also handle other address types. at least recognize "unknown". Probably just store this field. ../rfc/3464:819
@@ -265,11 +272,9 @@ func (m *Message) Compose(log *mlog.Log, smtputf8 bool) ([]byte, error) {
 				st = "2.0.0"
 			}
 		}
-		var rest string
-		st, rest = codeLine(st)
 		statusLine := st
-		if rest != "" {
-			statusLine += " (" + rest + ")"
+		if r.StatusComment != "" {
+			statusLine += " (" + r.StatusComment + ")"
 		}
 		status("Status", statusLine) // ../rfc/3464:975
 		if !r.RemoteMTA.IsZero() {
@@ -281,14 +286,9 @@ func (m *Message) Compose(log *mlog.Log, smtputf8 bool) ([]byte, error) {
 			status("Remote-MTA", s)
 		}
 		// Presence of Diagnostic-Code indicates the code is from Remote-MTA. ../rfc/3464:1053
-		if r.DiagnosticCode != "" {
-			diagCode, rest := codeLine(r.DiagnosticCode)
-			diagLine := diagCode
-			if rest != "" {
-				diagLine += " (" + rest + ")"
-			}
-			// ../rfc/6533:589
-			status("Diagnostic-Code", "smtp; "+diagLine)
+		if r.DiagnosticCodeSMTP != "" {
+			// ../rfc/3461:1342 ../rfc/6533:589
+			status("Diagnostic-Code", "smtp; "+r.DiagnosticCodeSMTP)
 		}
 		if !r.LastAttemptDate.IsZero() {
 			status("Last-Attempt-Date", r.LastAttemptDate.Format(message.RFC5322Z)) // ../rfc/3464:1076
@@ -340,10 +340,7 @@ func (m *Message) Compose(log *mlog.Log, smtputf8 bool) ([]byte, error) {
 			data := base64.StdEncoding.EncodeToString(headers)
 			for len(data) > 0 {
 				line := data
-				n := len(line)
-				if n > 78 {
-					n = 78
-				}
+				n := min(len(line), 76) // ../rfc/2045:1372
 				line, data = data[:n], data[n:]
 				if _, err := origp.Write([]byte(line + "\r\n")); err != nil {
 					return nil, err
@@ -365,31 +362,6 @@ func (m *Message) Compose(log *mlog.Log, smtputf8 bool) ([]byte, error) {
 	}
 
 	data := msgw.w.Bytes()
-
-	// Add DKIM signature for domain, even if higher up than the full mail hostname.
-	// This helps with an assumed (because default) relaxed DKIM policy. If the DMARC
-	// policy happens to be strict, the signature won't help, but won't hurt either.
-	fd := m.From.IPDomain.Domain
-	var zerodom dns.Domain
-	for fd != zerodom {
-		confDom, ok := mox.Conf.Domain(fd)
-		if !ok {
-			var nfd dns.Domain
-			_, nfd.ASCII, _ = strings.Cut(fd.ASCII, ".")
-			_, nfd.Unicode, _ = strings.Cut(fd.Unicode, ".")
-			fd = nfd
-			continue
-		}
-
-		dkimHeaders, err := dkim.Sign(context.Background(), m.From.Localpart, fd, confDom.DKIM, smtputf8, bytes.NewReader(data))
-		if err != nil {
-			log.Errorx("dsn: dkim sign for domain, returning unsigned dsn", err, mlog.Field("domain", fd))
-		} else {
-			data = append([]byte(dkimHeaders), data...)
-		}
-		break
-	}
-
 	return data, nil
 }
 
@@ -406,34 +378,3 @@ func (w *errWriter) Write(buf []byte) (int, error) {
 	w.err = err
 	return n, err
 }
-
-// split a line into enhanced status code and rest.
-func codeLine(s string) (string, string) {
-	t := strings.SplitN(s, " ", 2)
-	l := strings.Split(t[0], ".")
-	if len(l) != 3 {
-		return "", s
-	}
-	for i, e := range l {
-		_, err := strconv.ParseInt(e, 10, 32)
-		if err != nil {
-			return "", s
-		}
-		if i == 0 && len(e) != 1 {
-			return "", s
-		}
-	}
-
-	var rest string
-	if len(t) == 2 {
-		rest = t[1]
-	}
-	return t[0], rest
-}
-
-// HasCode returns whether line starts with an enhanced SMTP status code.
-func HasCode(line string) bool {
-	// ../rfc/3464:986
-	ecode, _ := codeLine(line)
-	return ecode != ""
-}

dsn/dsn_test.go

@@ -2,25 +2,21 @@ package dsn
 
 import (
 	"bytes"
-	"context"
 	"fmt"
 	"io"
 	"net"
-	"path/filepath"
 	"reflect"
 	"strings"
 	"testing"
 	"time"
 
-	"github.com/mjl-/mox/dkim"
 	"github.com/mjl-/mox/dns"
 	"github.com/mjl-/mox/message"
 	"github.com/mjl-/mox/mlog"
-	"github.com/mjl-/mox/mox-"
 	"github.com/mjl-/mox/smtp"
 )
 
-var xlog = mlog.New("dsn")
+var pkglog = mlog.New("dsn", nil)
 
 func xparseDomain(s string) dns.Domain {
 	d, err := dns.ParseDomain(s)
@@ -36,7 +32,7 @@ func xparseIPDomain(s string) dns.IPDomain {
 
 func tparseMessage(t *testing.T, data []byte, nparts int) (*Message, *message.Part) {
 	t.Helper()
-	m, p, err := Parse(xlog, bytes.NewReader(data))
+	m, p, err := Parse(pkglog.Logger, bytes.NewReader(data))
 	if err != nil {
 		t.Fatalf("parsing dsn: %v", err)
 	}
@@ -54,8 +50,8 @@ func tcheckType(t *testing.T, p *message.Part, mt, mst, cte string) {
 	if !strings.EqualFold(p.MediaSubType, mst) {
 		t.Fatalf("got mediasubtype %q, expected %q", p.MediaSubType, mst)
 	}
-	if !strings.EqualFold(p.ContentTransferEncoding, cte) {
-		t.Fatalf("got content-transfer-encoding %q, expected %q", p.ContentTransferEncoding, cte)
+	if !(cte == "" && p.ContentTransferEncoding == nil || cte != "" && p.ContentTransferEncoding != nil && strings.EqualFold(cte, *p.ContentTransferEncoding)) {
+		t.Fatalf("got content-transfer-encoding %v, expected %v", p.ContentTransferEncoding, cte)
 	}
 }
 
@@ -75,7 +71,7 @@ func tcompareReader(t *testing.T, r io.Reader, exp []byte) {
 }
 
 func TestDSN(t *testing.T) {
-	log := mlog.New("dsn")
+	log := mlog.New("dsn", nil)
 
 	now := time.Now()
 
@@ -83,14 +79,16 @@ func TestDSN(t *testing.T) {
 	m := Message{
 		SMTPUTF8: false,
 
-		From:     smtp.Path{Localpart: "postmaster", IPDomain: xparseIPDomain("mox.example")},
-		To:       smtp.Path{Localpart: "mjl", IPDomain: xparseIPDomain("remote.example")},
-		Subject:  "dsn",
-		TextBody: "delivery failure\n",
+		From:      smtp.Path{Localpart: "postmaster", IPDomain: xparseIPDomain("mox.example")},
+		To:        smtp.Path{Localpart: "mjl", IPDomain: xparseIPDomain("remote.example")},
+		Subject:   "dsn",
+		MessageID: "test@localhost",
+		TextBody:  "delivery failure\n",
 
-		ReportingMTA:    "mox.example",
-		ReceivedFromMTA: smtp.Ehlo{Name: xparseIPDomain("relay.example"), ConnIP: net.ParseIP("10.10.10.10")},
-		ArrivalDate:     now,
+		ReportingMTA:         "mox.example",
+		ReceivedFromMTA:      smtp.Ehlo{Name: xparseIPDomain("relay.example"), ConnIP: net.ParseIP("10.10.10.10")},
+		ArrivalDate:          now,
+		FutureReleaseRequest: "for;123",
 
 		Recipients: []Recipient{
 			{
@@ -107,6 +105,7 @@ func TestDSN(t *testing.T) {
 	if err != nil {
 		t.Fatalf("composing dsn: %v", err)
 	}
+
 	pmsg, part := tparseMessage(t, msgbuf, 3)
 	tcheckType(t, part, "multipart", "report", "")
 	tcheckType(t, &part.Parts[0], "text", "plain", "7bit")
@@ -130,35 +129,15 @@ func TestDSN(t *testing.T) {
 	tcompareReader(t, part.Parts[2].Reader(), m.Original)
 	tcompare(t, pmsg.Recipients[0].FinalRecipient, m.Recipients[0].FinalRecipient)
 
-	// Test for valid DKIM signature.
-	mox.Context = context.Background()
-	mox.ConfigStaticPath = filepath.FromSlash("../testdata/dsn/mox.conf")
-	mox.MustLoadConfig(true, false)
-	msgbuf, err = m.Compose(log, false)
-	if err != nil {
-		t.Fatalf("composing utf-8 dsn with utf-8 support: %v", err)
-	}
-	resolver := &dns.MockResolver{
-		TXT: map[string][]string{
-			"testsel._domainkey.mox.example.": {"v=DKIM1;h=sha256;t=s;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3ZId3ys70VFspp/VMFaxMOrNjHNPg04NOE1iShih16b3Ex7hHBOgC1UvTGSmrMlbCB1OxTXkvf6jW6S4oYRnZYVNygH6zKUwYYhaSaGIg1xA/fDn+IgcTRyLoXizMUgUgpTGyxhNrwIIWv+i7jjbs3TKpP3NU4owQ/rxowmSNqg+fHIF1likSvXvljYS" + "jaFXXnWfYibW7TdDCFFpN4sB5o13+as0u4vLw6MvOi59B1tLype1LcHpi1b9PfxNtznTTdet3kL0paxIcWtKHT0LDPUos8YYmiPa5nGbUqlC7d+4YT2jQPvwGxCws1oo2Tw6nj1UaihneYGAyvEky49FBwIDAQAB"},
-		},
-	}
-	results, err := dkim.Verify(context.Background(), resolver, false, func(*dkim.Sig) error { return nil }, bytes.NewReader(msgbuf), false)
-	if err != nil {
-		t.Fatalf("dkim verify: %v", err)
-	}
-	if len(results) != 1 || results[0].Status != dkim.StatusPass {
-		t.Fatalf("dkim result not pass, %#v", results)
-	}
-
 	// An utf-8 message.
 	m = Message{
 		SMTPUTF8: true,
 
-		From:     smtp.Path{Localpart: "postmæster", IPDomain: xparseIPDomain("møx.example")},
-		To:       smtp.Path{Localpart: "møx", IPDomain: xparseIPDomain("remøte.example")},
-		Subject:  "dsn¡",
-		TextBody: "delivery failure¿\n",
+		From:      smtp.Path{Localpart: "postmæster", IPDomain: xparseIPDomain("møx.example")},
+		To:        smtp.Path{Localpart: "møx", IPDomain: xparseIPDomain("remøte.example")},
+		Subject:   "dsn¡",
+		MessageID: "test@localhost",
+		TextBody:  "delivery failure¿\n",
 
 		ReportingMTA:    "mox.example",
 		ReceivedFromMTA: smtp.Ehlo{Name: xparseIPDomain("reläy.example"), ConnIP: net.ParseIP("10.10.10.10")},
@@ -213,34 +192,3 @@ func TestDSN(t *testing.T) {
 	tcheckType(t, &part.Parts[1], "message", "global-delivery-status", "8bit")
 	tcompare(t, pmsg.Recipients[0].FinalRecipient, m.Recipients[0].FinalRecipient)
 }
-
-func TestCode(t *testing.T) {
-	testCodeLine := func(line, ecode, rest string) {
-		t.Helper()
-		e, r := codeLine(line)
-		if e != ecode || r != rest {
-			t.Fatalf("codeLine %q: got %q %q, expected %q %q", line, e, r, ecode, rest)
-		}
-	}
-	testCodeLine("4.0.0", "4.0.0", "")
-	testCodeLine("4.0.0 more", "4.0.0", "more")
-	testCodeLine("other", "", "other")
-	testCodeLine("other more", "", "other more")
-
-	testHasCode := func(line string, exp bool) {
-		t.Helper()
-		got := HasCode(line)
-		if got != exp {
-			t.Fatalf("HasCode %q: got %v, expected %v", line, got, exp)
-		}
-	}
-	testHasCode("4.0.0", true)
-	testHasCode("5.7.28", true)
-	testHasCode("10.0.0", false) // first number must be single digit.
-	testHasCode("4.1.1 more", true)
-	testHasCode("other ", false)
-	testHasCode("4.2.", false)
-	testHasCode("4.2. ", false)
-	testHasCode(" 4.2.4", false)
-	testHasCode(" 4.2.4 ", false)
-}

dsn/parse.go

@@ -4,6 +4,7 @@ import (
 	"bufio"
 	"fmt"
 	"io"
+	"log/slog"
 	"net/textproto"
 	"strconv"
 	"strings"
@@ -13,6 +14,7 @@ import (
 	"github.com/mjl-/mox/message"
 	"github.com/mjl-/mox/mlog"
 	"github.com/mjl-/mox/smtp"
+	"slices"
 )
 
 // Parse reads a DSN message.
@@ -23,17 +25,19 @@ import (
 // The first return value is the machine-parsed DSN message. The second value is
 // the entire MIME multipart message. Use its Parts field to access the
 // human-readable text and optional original message/headers.
-func Parse(log *mlog.Log, r io.ReaderAt) (*Message, *message.Part, error) {
+func Parse(elog *slog.Logger, r io.ReaderAt) (*Message, *message.Part, error) {
+	log := mlog.New("dsn", elog)
+
 	// DSNs can mix and match subtypes with and without utf-8. ../rfc/6533:441
 
-	part, err := message.Parse(log, false, r)
+	part, err := message.Parse(log.Logger, false, r)
 	if err != nil {
 		return nil, nil, fmt.Errorf("parsing message: %v", err)
 	}
 	if part.MediaType != "MULTIPART" || part.MediaSubType != "REPORT" {
 		return nil, nil, fmt.Errorf(`message has content-type %q, must have "message/report"`, strings.ToLower(part.MediaType+"/"+part.MediaSubType))
 	}
-	err = part.Walk(log, nil)
+	err = part.Walk(log.Logger, nil)
 	if err != nil {
 		return nil, nil, fmt.Errorf("parsing message parts: %v", err)
 	}
@@ -62,7 +66,11 @@ func Parse(log *mlog.Log, r io.ReaderAt) (*Message, *message.Part, error) {
 		if err != nil {
 			return smtp.Path{}, fmt.Errorf("parsing domain: %v", err)
 		}
-		return smtp.Path{Localpart: smtp.Localpart(a.User), IPDomain: dns.IPDomain{Domain: d}}, nil
+		lp, err := smtp.ParseLocalpart(a.User)
+		if err != nil {
+			return smtp.Path{}, fmt.Errorf("parsing localpart: %v", err)
+		}
+		return smtp.Path{Localpart: lp, IPDomain: dns.IPDomain{Domain: d}}, nil
 	}
 	if len(part.Envelope.From) == 1 {
 		m.From, err = addressPath(part.Envelope.From[0])
@@ -210,19 +218,21 @@ func parseRecipientHeader(mr *textproto.Reader, utf8 bool) (Recipient, error) {
 		case "Action":
 			a := Action(strings.ToLower(v))
 			actions := []Action{Failed, Delayed, Delivered, Relayed, Expanded}
-			var ok bool
-			for _, x := range actions {
-				if a == x {
-					ok = true
-					break
-				}
-			}
-			if !ok {
+			if slices.Contains(actions, a) {
+				r.Action = a
+			} else {
 				err = fmt.Errorf("unrecognized action %q", v)
 			}
 		case "Status":
 			// todo: parse the enhanced status code?
 			r.Status = v
+			t := strings.SplitN(v, "(", 2)
+			v = strings.TrimSpace(v)
+			if len(t) == 2 && strings.HasSuffix(v, ")") {
+				r.Status = strings.TrimSpace(t[0])
+				r.StatusComment = strings.TrimSpace(strings.TrimSuffix(t[1], ")"))
+			}
+
 		case "Remote-Mta":
 			r.RemoteMTA = NameIP{Name: v}
 		case "Diagnostic-Code":
@@ -234,7 +244,7 @@ func parseRecipientHeader(mr *textproto.Reader, utf8 bool) (Recipient, error) {
 			} else if len(t) != 2 {
 				err = fmt.Errorf("missing semicolon to separate diagnostic-type from code")
 			} else {
-				r.DiagnosticCode = strings.TrimSpace(t[1])
+				r.DiagnosticCodeSMTP = strings.TrimSpace(t[1])
 			}
 		case "Last-Attempt-Date":
 			r.LastAttemptDate, err = parseDateTime(v)
@@ -307,17 +317,18 @@ func parseAddress(s string, utf8 bool) (smtp.Path, error) {
 		}
 	}
 	// todo: more proper parser
-	t = strings.SplitN(s, "@", 2)
-	if len(t) != 2 || t[0] == "" || t[1] == "" {
+	t = strings.Split(s, "@")
+	if len(t) == 1 {
 		return smtp.Path{}, fmt.Errorf("invalid email address")
 	}
-	d, err := dns.ParseDomain(t[1])
+	d, err := dns.ParseDomain(t[len(t)-1])
 	if err != nil {
 		return smtp.Path{}, fmt.Errorf("parsing domain: %v", err)
 	}
 	var lp string
 	var esc string
-	for _, c := range t[0] {
+	lead := strings.Join(t[:len(t)-1], "@")
+	for _, c := range lead {
 		if esc == "" && c == '\\' || esc == `\` && (c == 'x' || c == 'X') || esc == `\x` && c == '{' {
 			if c == 'X' {
 				c = 'x'
@@ -341,7 +352,11 @@ func parseAddress(s string, utf8 bool) (smtp.Path, error) {
 	if esc != "" {
 		return smtp.Path{}, fmt.Errorf("parsing localpart: unfinished embedded unicode char")
 	}
-	p := smtp.Path{Localpart: smtp.Localpart(lp), IPDomain: dns.IPDomain{Domain: d}}
+	localpart, err := smtp.ParseLocalpart(lp)
+	if err != nil {
+		return smtp.Path{}, fmt.Errorf("parsing localpart: %v", err)
+	}
+	p := smtp.Path{Localpart: localpart, IPDomain: dns.IPDomain{Domain: d}}
 	return p, nil
 }
 

examples.go

@@ -0,0 +1,325 @@
+package main
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"log"
+	"reflect"
+	"strings"
+	"time"
+
+	"github.com/mjl-/sconf"
+
+	"github.com/mjl-/mox/config"
+	"github.com/mjl-/mox/mox-"
+	"github.com/mjl-/mox/smtp"
+	"github.com/mjl-/mox/webhook"
+)
+
+func cmdExample(c *cmd) {
+	c.params = "[name]"
+	c.help = `List available examples, or print a specific example.`
+
+	args := c.Parse()
+	if len(args) > 1 {
+		c.Usage()
+	}
+
+	var match func() string
+	for _, ex := range examples {
+		if len(args) == 0 {
+			fmt.Println(ex.Name)
+		} else if args[0] == ex.Name {
+			match = ex.Get
+		}
+	}
+	if len(args) == 0 {
+		return
+	}
+	if match == nil {
+		log.Fatalln("not found")
+	}
+	fmt.Print(match())
+}
+
+func cmdConfigExample(c *cmd) {
+	c.params = "[name]"
+	c.help = `List available config examples, or print a specific example.`
+
+	args := c.Parse()
+	if len(args) > 1 {
+		c.Usage()
+	}
+
+	var match func() string
+	for _, ex := range configExamples {
+		if len(args) == 0 {
+			fmt.Println(ex.Name)
+		} else if args[0] == ex.Name {
+			match = ex.Get
+		}
+	}
+	if len(args) == 0 {
+		return
+	}
+	if match == nil {
+		log.Fatalln("not found")
+	}
+	fmt.Print(match())
+}
+
+var configExamples = []struct {
+	Name string
+	Get  func() string
+}{
+	{
+		"webhandlers",
+		func() string {
+			const webhandlers = `# Snippet of domains.conf to configure WebDomainRedirects and WebHandlers.
+
+# Redirect all requests for mox.example to https://www.mox.example.
+WebDomainRedirects:
+	mox.example: www.mox.example
+
+# Each request is matched against these handlers until one matches and serves it.
+WebHandlers:
+	-
+		# Redirect all plain http requests to https, leaving path, query strings, etc
+		# intact. When the request is already to https, the destination URL would have the
+		# same scheme, host and path, causing this redirect handler to not match the
+		# request (and not cause a redirect loop) and the webserver to serve the request
+		# with a later handler.
+		LogName: redirhttps
+		Domain: www.mox.example
+		PathRegexp: ^/
+		# Could leave DontRedirectPlainHTTP at false if it wasn't for this being an
+		# example for doing this redirect.
+		DontRedirectPlainHTTP: true
+		WebRedirect:
+			BaseURL: https://www.mox.example
+	-
+		# The name of the handler, used in logging and metrics.
+		LogName: staticmjl
+		# With ACME configured, each configured domain will automatically get a TLS
+		# certificate on first request.
+		Domain: www.mox.example
+		PathRegexp: ^/who/mjl/
+		WebStatic:
+			StripPrefix: /who/mjl
+			# Requested path /who/mjl/inferno/ resolves to local web/mjl/inferno.
+			# If a directory contains an index.html, it is served when a directory is requested.
+			Root: web/mjl
+			# With ListFiles true, if a directory does not contain an index.html, the contents are listed.
+			ListFiles: true
+			ResponseHeaders:
+				X-Mox: hi
+	-
+		LogName: redir
+		Domain: www.mox.example
+		PathRegexp: ^/redir/a/b/c
+		# Don't redirect from plain HTTP to HTTPS.
+		DontRedirectPlainHTTP: true
+		WebRedirect:
+			# Just change the domain and add query string set fragment. No change to scheme.
+			# Path will start with /redir/a/b/c (and whathever came after) because no
+			# OrigPathRegexp+ReplacePath is set.
+			BaseURL: //moxest.example?q=1#frag
+			# Default redirection is 308 - Permanent Redirect.
+			StatusCode: 307
+	-
+		LogName: oldnew
+		Domain: www.mox.example
+		PathRegexp: ^/old/
+		WebRedirect:
+			# Replace path, leaving rest of URL intact.
+			OrigPathRegexp: ^/old/(.*)
+			ReplacePath: /new/$1
+	-
+		LogName: app
+		Domain: www.mox.example
+		PathRegexp: ^/app/
+		WebForward:
+			# Strip the path matched by PathRegexp before forwarding the request. So original
+			# request /app/api become just /api.
+			StripPath: true
+			# URL of backend, where requests are forwarded to. The path in the URL is kept,
+			# so for incoming request URL /app/api, the outgoing request URL has path /app-v2/api.
+			# Requests are made with Go's net/http DefaultTransporter, including using
+			# HTTP_PROXY and HTTPS_PROXY environment variables.
+			URL: http://127.0.0.1:8900/app-v2/
+			# Add headers to response.
+			ResponseHeaders:
+				X-Frame-Options: deny
+				X-Content-Type-Options: nosniff
+`
+			// Parse just so we know we have the syntax right.
+			// todo: ideally we would have a complete config file and parse it fully.
+			var conf struct {
+				WebDomainRedirects map[string]string
+				WebHandlers        []config.WebHandler
+			}
+			err := sconf.Parse(strings.NewReader(webhandlers), &conf)
+			xcheckf(err, "parsing webhandlers example")
+			return webhandlers
+		},
+	},
+	{
+		"transport",
+		func() string {
+			const moxconf = `# Snippet for mox.conf, defining a transport called Example that connects on the
+# SMTP submission with TLS port 465 ("submissions"), authenticating with
+# SCRAM-SHA-256-PLUS (other providers may not support SCRAM-SHA-256-PLUS, but they
+# typically do support the older CRAM-MD5).:
+
+# Transport are mechanisms for delivering messages. Transports can be referenced
+# from Routes in accounts, domains and the global configuration. There is always
+# an implicit/fallback delivery transport doing direct delivery with SMTP from the
+# outgoing message queue. Transports are typically only configured when using
+# smarthosts, i.e. when delivering through another SMTP server. Zero or one
+# transport methods must be set in a transport, never multiple. When using an
+# external party to send email for a domain, keep in mind you may have to add
+# their IP address to your domain's SPF record, and possibly additional DKIM
+# records. (optional)
+Transports:
+	Example:
+		# Submission SMTP over a TLS connection to submit email to a remote queue.
+		# (optional)
+		Submissions:
+			# Host name to connect to and for verifying its TLS certificate.
+			Host: smtp.example.com
+
+			# If set, authentication credentials for the remote server. (optional)
+			Auth:
+				Username: user@example.com
+				Password: test1234
+				Mechanisms:
+					# Allowed authentication mechanisms. Defaults to SCRAM-SHA-256-PLUS,
+					# SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-1, CRAM-MD5. Not included by default:
+					# PLAIN. Specify the strongest mechanism known to be implemented by the server to
+					# prevent mechanism downgrade attacks. (optional)
+
+					- SCRAM-SHA-256-PLUS
+`
+
+			const domainsconf = `# Snippet for domains.conf, specifying a route that sends through the transport:
+
+# Routes for delivering outgoing messages through the queue. Each delivery attempt
+# evaluates account routes, domain routes and finally these global routes. The
+# transport of the first matching route is used in the delivery attempt. If no
+# routes match, which is the default with no configured routes, messages are
+# delivered directly from the queue. (optional)
+Routes:
+	-
+		Transport: Example
+`
+
+			var static struct {
+				Transports map[string]config.Transport
+			}
+			var dynamic struct {
+				Routes []config.Route
+			}
+			err := sconf.Parse(strings.NewReader(moxconf), &static)
+			xcheckf(err, "parsing moxconf example")
+			err = sconf.Parse(strings.NewReader(domainsconf), &dynamic)
+			xcheckf(err, "parsing domainsconf example")
+			return moxconf + "\n\n" + domainsconf
+		},
+	},
+}
+
+var exampleTime = time.Date(2024, time.March, 27, 0, 0, 0, 0, time.UTC)
+
+var examples = []struct {
+	Name string
+	Get  func() string
+}{
+	{
+		"webhook-outgoing-delivered",
+		func() string {
+			v := webhook.Outgoing{
+				Version:       0,
+				Event:         webhook.EventDelivered,
+				QueueMsgID:    101,
+				FromID:        base64.RawURLEncoding.EncodeToString([]byte("0123456789abcdef")),
+				MessageID:     "<QnxzgulZK51utga6agH_rg@mox.example>",
+				Subject:       "subject of original message",
+				WebhookQueued: exampleTime,
+				Extra:         map[string]string{},
+				SMTPCode:      smtp.C250Completed,
+			}
+			return "Example webhook HTTP POST JSON body for successful outgoing delivery:\n\n\t" + formatJSON(v)
+		},
+	},
+	{
+		"webhook-outgoing-dsn-failed",
+		func() string {
+			v := webhook.Outgoing{
+				Version:          0,
+				Event:            webhook.EventFailed,
+				DSN:              true,
+				Suppressing:      true,
+				QueueMsgID:       102,
+				FromID:           base64.RawURLEncoding.EncodeToString([]byte("0123456789abcdef")),
+				MessageID:        "<QnxzgulZK51utga6agH_rg@mox.example>",
+				Subject:          "subject of original message",
+				WebhookQueued:    exampleTime,
+				Extra:            map[string]string{"userid": "456"},
+				Error:            "timeout connecting to host",
+				SMTPCode:         smtp.C554TransactionFailed,
+				SMTPEnhancedCode: "5." + smtp.SeNet4Other0,
+			}
+			return `Example webhook HTTP POST JSON body for failed delivery based on incoming DSN
+message, with custom extra data fields (from original submission), and adding address to the suppression list:
+
+	` + formatJSON(v)
+		},
+	},
+	{
+		"webhook-incoming-basic",
+		func() string {
+			v := webhook.Incoming{
+				Version:   0,
+				From:      []webhook.NameAddress{{Address: "mox@localhost"}},
+				To:        []webhook.NameAddress{{Address: "mjl@localhost"}},
+				Subject:   "hi",
+				MessageID: "<QnxzgulZK51utga6agH_rg@mox.example>",
+				Date:      &exampleTime,
+				Text:      "hello world ☺\n",
+				Structure: webhook.Structure{
+					ContentType:       "text/plain",
+					ContentTypeParams: map[string]string{"charset": "utf-8"},
+					DecodedSize:       int64(len("hello world ☺\r\n")),
+					Parts:             []webhook.Structure{},
+				},
+				Meta: webhook.IncomingMeta{
+					MsgID:               201,
+					MailFrom:            "mox@localhost",
+					MailFromValidated:   false,
+					MsgFromValidated:    true,
+					RcptTo:              "mjl@localhost",
+					DKIMVerifiedDomains: []string{"localhost"},
+					RemoteIP:            "127.0.0.1",
+					Received:            exampleTime.Add(3 * time.Second),
+					MailboxName:         "Inbox",
+					Automated:           false,
+				},
+			}
+			return "Example JSON body for webhooks for incoming delivery of basic message:\n\n\t" + formatJSON(v)
+		},
+	},
+}
+
+func formatJSON(v any) string {
+	nv, _ := mox.FillNil(reflect.ValueOf(v))
+	v = nv.Interface()
+	var b bytes.Buffer
+	enc := json.NewEncoder(&b)
+	enc.SetIndent("\t", "\t")
+	enc.SetEscapeHTML(false)
+	err := enc.Encode(v)
+	xcheckf(err, "encoding to json")
+	return b.String()
+}

export.go

@@ -8,25 +8,26 @@ import (
 
 	"github.com/mjl-/bstore"
 
-	"github.com/mjl-/mox/mlog"
 	"github.com/mjl-/mox/store"
 )
 
 func cmdExportMaildir(c *cmd) {
-	c.params = "dst-dir account-path [mailbox]"
+	c.params = "[-single] dst-dir account-path [mailbox]"
 	c.help = `Export one or all mailboxes from an account in maildir format.
 
 Export bypasses a running mox instance. It opens the account mailbox/message
 database file directly. This may block if a running mox instance also has the
 database open, e.g. for IMAP connections. To export from a running instance, use
-the accounts web page.
+the accounts web page or webmail.
 `
+	var single bool
+	c.flag.BoolVar(&single, "single", false, "export single mailbox, without any children. disabled if mailbox isn't specified.")
 	args := c.Parse()
-	xcmdExport(false, args, c)
+	xcmdExport(false, single, args, c)
 }
 
 func cmdExportMbox(c *cmd) {
-	c.params = "dst-dir account-path [mailbox]"
+	c.params = "[-single] dst-dir account-path [mailbox]"
 	c.help = `Export messages from one or all mailboxes in an account in mbox format.
 
 Using mbox is not recommended. Maildir is a better format.
@@ -34,17 +35,19 @@ Using mbox is not recommended. Maildir is a better format.
 Export bypasses a running mox instance. It opens the account mailbox/message
 database file directly. This may block if a running mox instance also has the
 database open, e.g. for IMAP connections. To export from a running instance, use
-the accounts web page.
+the accounts web page or webmail.
 
 For mbox export, "mboxrd" is used where message lines starting with the magic
 "From " string are escaped by prepending a >. All ">*From " are escaped,
 otherwise reconstructing the original could lose a ">".
 `
+	var single bool
+	c.flag.BoolVar(&single, "single", false, "export single mailbox, without any children. disabled if mailbox isn't specified.")
 	args := c.Parse()
-	xcmdExport(true, args, c)
+	xcmdExport(true, single, args, c)
 }
 
-func xcmdExport(mbox bool, args []string, c *cmd) {
+func xcmdExport(mbox, single bool, args []string, c *cmd) {
 	if len(args) != 2 && len(args) != 3 {
 		c.Usage()
 	}
@@ -54,10 +57,13 @@ func xcmdExport(mbox bool, args []string, c *cmd) {
 	var mailbox string
 	if len(args) == 3 {
 		mailbox = args[2]
+	} else {
+		single = false
 	}
 
 	dbpath := filepath.Join(accountDir, "index.db")
-	db, err := bstore.Open(context.Background(), dbpath, &bstore.Options{Timeout: 5 * time.Second, Perm: 0660}, store.DBTypes...)
+	opts := bstore.Options{Timeout: 5 * time.Second, Perm: 0660, RegisterLogger: c.log.Logger}
+	db, err := bstore.Open(context.Background(), dbpath, &opts, store.DBTypes...)
 	xcheckf(err, "open database %q", dbpath)
 	defer func() {
 		if err := db.Close(); err != nil {
@@ -66,7 +72,7 @@ func xcmdExport(mbox bool, args []string, c *cmd) {
 	}()
 
 	a := store.DirArchiver{Dir: dst}
-	err = store.ExportMessages(context.Background(), mlog.New("export"), db, accountDir, a, !mbox, mailbox)
+	err = store.ExportMessages(context.Background(), c.log, db, accountDir, a, !mbox, mailbox, nil, !single)
 	xcheckf(err, "exporting messages")
 	err = a.Close()
 	xcheckf(err, "closing archiver")

fixjshintlines.sh

@@ -1,4 +0,0 @@
-#!/bin/sh
-# change output to regular filename:linenumber format for easier opening.
-arg=$(echo $1 | sed 's,/,\\/,')
-exec sed "s/^\([^:]*\): line \([0-9][0-9]*\), \(.*\)\$/${arg}\1:\2: \3/"

genapidoc.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+set -eu
+
+# we rewrite some dmarcprt and tlsrpt enums into untyped strings: real-world
+# reports have invalid values, and our loose Go typed strings accept all values,
+# but we don't want the typescript runtime checker to fail on those unrecognized
+# values.
+(cd webadmin && CGO_ENABLED=0 go run ../vendor/github.com/mjl-/sherpadoc/cmd/sherpadoc/*.go -adjust-function-names none -rename 'config Domain ConfigDomain,dmarc Policy DMARCPolicy,mtasts MX STSMX,tlsrptdb Record TLSReportRecord,tlsrptdb SuppressAddress TLSRPTSuppressAddress,dmarcrpt DKIMResult string,dmarcrpt SPFResult string,dmarcrpt SPFDomainScope string,dmarcrpt DMARCResult string,dmarcrpt PolicyOverride string,dmarcrpt Alignment string,dmarcrpt Disposition string,tlsrpt PolicyType string,tlsrpt ResultType string' Admin) >webadmin/api.json
+(cd webaccount && CGO_ENABLED=0 go run ../vendor/github.com/mjl-/sherpadoc/cmd/sherpadoc/*.go -adjust-function-names none Account) >webaccount/api.json
+(cd webmail && CGO_ENABLED=0 go run ../vendor/github.com/mjl-/sherpadoc/cmd/sherpadoc/*.go -adjust-function-names none Webmail) >webmail/api.json

gendoc.sh

@@ -1,28 +1,34 @@
-#!/bin/sh
+#!/usr/bin/env sh
 
+# ./doc.go
 (
 cat <<EOF
 /*
 Command mox is a modern, secure, full-featured, open source mail server for
 low-maintenance self-hosted email.
 
-# Commands
+Mox is started with the "serve" subcommand, but mox also has many other
+subcommands.
+
+Many of those commands talk to a running mox instance, through the ctl file in
+the data directory. Specify the configuration file (that holds the path to the
+data directory) through the -config flag or MOXCONF environment variable.
+
+Commands that don't talk to a running mox instance are often for
+testing/debugging email functionality. For example for parsing an email message,
+or looking up SPF/DKIM/DMARC records.
+
+Below is the usage information as printed by the command when started without
+any parameters. Followed by the help and usage information for each command.
+
+
+# Usage
 
 EOF
 
-./mox 2>&1 | sed 's/^\( *\|usage: \)/\t/'
-
-cat <<EOF
-
-Many commands talk to a running mox instance, through the ctl file in the data
-directory. Specify the configuration file (that holds the path to the data
-directory) through the -config flag or MOXCONF environment variable.
-
-EOF
-
-# setting XDG_CONFIG_HOME ensures "mox localserve" has reasonable default
-# values in its help output.
-XDG_CONFIG_HOME='$userconfigdir' ./mox helpall 2>&1
+./mox 2>&1 | sed -e 's/^usage: */	/' -e 's/^  */	/'
+echo
+./mox helpall 2>&1
 
 cat <<EOF
 */
@@ -33,47 +39,70 @@ EOF
 )>doc.go
 gofmt -w doc.go
 
+# ./config/doc.go
 (
 cat <<EOF
 /*
-Package config holds the configuration file definitions for mox.conf (Static)
-and domains.conf (Dynamic).
+Package config holds the configuration file definitions.
 
-These config files are in "sconf" format.  Summarized: Indent with tabs, "#" as
-first non-whitespace character makes the line a comment (you cannot have a line
-with both a value and a comment), strings are not quoted/escaped and can never
-span multiple lines. See https://pkg.go.dev/github.com/mjl-/sconf for details.
+Mox uses two config files:
+
+1. mox.conf, also called the static configuration file.
+2. domains.conf, also called the dynamic configuration file.
+
+The static configuration file is never reloaded during the lifetime of a
+running mox instance. After changes to mox.conf, mox must be restarted for the
+changes to take effect.
+
+The dynamic configuration file is reloaded automatically when it changes.
+If the file contains an error after the change, the reload is aborted and the
+previous version remains active.
+
+Below are "empty" config files, generated from the config file definitions in
+the source code, along with comments explaining the fields. Fields named "x" are
+placeholders for user-chosen map keys.
+
+# sconf
+
+The config files are in "sconf" format. Properties of sconf files:
+
+- Indentation with tabs only.
+- "#" as first non-whitespace character makes the line a comment. Lines with a
+  value cannot also have a comment.
+- Values don't have syntax indicating their type. For example, strings are
+  not quoted/escaped and can never span multiple lines.
+- Fields that are optional can be left out completely. But the value of an
+  optional field may itself have required fields.
+
+See https://pkg.go.dev/github.com/mjl-/sconf for details.
 
-Annotated empty/default configuration files you could use as a starting point
-for your mox.conf and domains.conf, as generated by "mox config
-describe-static" and "mox config describe-domains":
 
 # mox.conf
 
 EOF
-./mox config describe-static | sed 's/^/\t/'
+./mox config describe-static | sed 's/^/	/'
 
 cat <<EOF
 
 # domains.conf
 
 EOF
-./mox config describe-domains | sed 's/^/\t/'
+./mox config describe-domains | sed 's/^/	/'
 
 cat <<EOF
 
 # Examples
 
 Mox includes configuration files to illustrate common setups. You can see these
-examples with "mox example", and print a specific example with "mox example
-<name>". Below are all examples included in mox.
+examples with "mox config example", and print a specific example with "mox
+config example <name>". Below are all examples included in mox.
 
 EOF
 
-for ex in $(./mox example); do
+for ex in $(./mox config example); do
 	echo '# Example '$ex
 	echo
-	./mox example $ex | sed 's/^/\t/'
+	./mox config example $ex | sed 's/^/	/'
 	echo
 done
 
@@ -85,3 +114,7 @@ package config
 EOF
 )>config/doc.go
 gofmt -w config/doc.go
+
+# ./webapi/doc.go
+./webapi/gendoc.sh >webapi/doc.go
+gofmt -w webapi/doc.go

genlicenses.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+rm -r licenses
+set -e
+for p in $(cd vendor && find . -iname '*license*' -or -iname '*licence*' -or -iname '*notice*' -or -iname '*patent*'); do
+	(set +e; mkdir -p $(dirname licenses/$p))
+	cp vendor/$p licenses/$p
+done

gentestdata.go

@@ -30,7 +30,7 @@ import (
 
 func cmdGentestdata(c *cmd) {
 	c.unlisted = true
-	c.params = "dest-dir"
+	c.params = "destdir"
 	c.help = `Generate a data directory populated, for testing upgrades.`
 	args := c.Parse()
 	if len(args) != 1 {
@@ -54,7 +54,6 @@ func cmdGentestdata(c *cmd) {
 		return f
 	}
 
-	log := mlog.New("gentestdata")
 	ctxbg := context.Background()
 	mox.Conf.Log[""] = mlog.LevelInfo
 	mlog.SetConfig(mox.Conf.Log)
@@ -188,6 +187,12 @@ Accounts:
 	err = os.WriteFile(filepath.Join(destDataDir, "moxversion"), []byte(moxvar.Version), 0660)
 	xcheckf(err, "writing moxversion")
 
+	// Populate auth.db
+	err = store.Init(ctxbg)
+	xcheckf(err, "store init")
+	err = store.TLSPublicKeyAdd(ctxbg, &store.TLSPublicKey{Name: "testkey", Fingerprint: "...", Type: "ecdsa-p256", CertDER: []byte("..."), Account: "test0", LoginAddress: "test0@mox.example"})
+	xcheckf(err, "adding tlspubkey")
+
 	// Populate dmarc.db.
 	err = dmarcdb.Init()
 	xcheckf(err, "dmarcdb init")
@@ -202,7 +207,7 @@ Accounts:
 	mtastsPolicy := mtasts.Policy{
 		Version: "STSv1",
 		Mode:    mtasts.ModeTesting,
-		MX: []mtasts.STSMX{
+		MX: []mtasts.MX{
 			{Domain: dns.Domain{ASCII: "mx1.example.com"}},
 			{Domain: dns.Domain{ASCII: "mx2.example.com"}},
 			{Domain: dns.Domain{ASCII: "backup-example.com"}, Wildcard: true},
@@ -215,9 +220,10 @@ Accounts:
 	// Populate tlsrpt.db.
 	err = tlsrptdb.Init()
 	xcheckf(err, "tlsrptdb init")
-	tlsr, err := tlsrpt.Parse(strings.NewReader(tlsReport))
+	tlsreportJSON, err := tlsrpt.Parse(strings.NewReader(tlsReport))
 	xcheckf(err, "parsing tls report")
-	err = tlsrptdb.AddReport(ctxbg, dns.Domain{ASCII: "mox.example"}, "tlsrpt@mox.example", false, tlsr)
+	tlsr := tlsreportJSON.Convert()
+	err = tlsrptdb.AddReport(ctxbg, c.log, dns.Domain{ASCII: "mox.example"}, "tlsrpt@mox.example", false, &tlsr)
 	xcheckf(err, "adding tls report")
 
 	// Populate queue, with a message.
@@ -228,28 +234,27 @@ Accounts:
 	prefix := []byte{}
 	mf := tempfile()
 	xcheckf(err, "temp file for queue message")
-	defer os.Remove(mf.Name())
-	defer mf.Close()
+	defer store.CloseRemoveTempFile(c.log, mf, "test message")
 	const qmsg = "From: <test0@mox.example>\r\nTo: <other@remote.example>\r\nSubject: test\r\n\r\nthe message...\r\n"
 	_, err = fmt.Fprint(mf, qmsg)
 	xcheckf(err, "writing message")
-	qm := queue.MakeMsg("test0", mailfrom, rcptto, false, false, int64(len(qmsg)), "<test@localhost>", prefix, nil)
-	err = queue.Add(ctxbg, log, &qm, mf)
+	qm := queue.MakeMsg(mailfrom, rcptto, false, false, int64(len(qmsg)), "<test@localhost>", prefix, nil, time.Now(), "test")
+	err = queue.Add(ctxbg, c.log, "test0", mf, qm)
 	xcheckf(err, "enqueue message")
 
 	// Create three accounts.
 	// First account without messages.
-	accTest0, err := store.OpenAccount("test0")
+	accTest0, err := store.OpenAccount(c.log, "test0", false)
 	xcheckf(err, "open account test0")
-	err = accTest0.ThreadingWait(log)
+	err = accTest0.ThreadingWait(c.log)
 	xcheckf(err, "wait for threading to finish")
 	err = accTest0.Close()
 	xcheckf(err, "close account")
 
 	// Second account with one message.
-	accTest1, err := store.OpenAccount("test1")
+	accTest1, err := store.OpenAccount(c.log, "test1", false)
 	xcheckf(err, "open account test1")
-	err = accTest1.ThreadingWait(log)
+	err = accTest1.ThreadingWait(c.log)
 	xcheckf(err, "wait for threading to finish")
 	err = accTest1.DB.Write(ctxbg, func(tx *bstore.Tx) error {
 		inbox, err := bstore.QueryTx[store.Mailbox](tx).FilterNonzero(store.Mailbox{Name: "Inbox"}).Get()
@@ -258,7 +263,6 @@ Accounts:
 		m := store.Message{
 			MailboxID:          inbox.ID,
 			MailboxOrigID:      inbox.ID,
-			MailboxDestinedID:  inbox.ID,
 			RemoteIP:           "1.2.3.4",
 			RemoteIPMasked1:    "1.2.3.4",
 			RemoteIPMasked2:    "1.2.3.0",
@@ -283,20 +287,13 @@ Accounts:
 		}
 		mf := tempfile()
 		xcheckf(err, "creating temp file for delivery")
+		defer store.CloseRemoveTempFile(c.log, mf, "test message")
 		_, err = fmt.Fprint(mf, msg)
 		xcheckf(err, "writing deliver message to file")
-		err = accTest1.DeliverMessage(log, tx, &m, mf, false, true, false)
 
-		mfname := mf.Name()
-		xcheckf(err, "add message to account test1")
-		err = mf.Close()
-		xcheckf(err, "closing file")
-		err = os.Remove(mfname)
-		xcheckf(err, "removing temp message file")
+		err = accTest1.MessageAdd(c.log, tx, &inbox, &m, mf, store.AddOpts{})
+		xcheckf(err, "deliver message")
 
-		err = tx.Get(&inbox)
-		xcheckf(err, "get inbox")
-		inbox.Add(m.MailboxCounts())
 		err = tx.Update(&inbox)
 		xcheckf(err, "update inbox")
 
@@ -307,9 +304,9 @@ Accounts:
 	xcheckf(err, "close account")
 
 	// Third account with two messages and junkfilter.
-	accTest2, err := store.OpenAccount("test2")
+	accTest2, err := store.OpenAccount(c.log, "test2", false)
 	xcheckf(err, "open account test2")
-	err = accTest2.ThreadingWait(log)
+	err = accTest2.ThreadingWait(c.log)
 	xcheckf(err, "wait for threading to finish")
 	err = accTest2.DB.Write(ctxbg, func(tx *bstore.Tx) error {
 		inbox, err := bstore.QueryTx[store.Mailbox](tx).FilterNonzero(store.Mailbox{Name: "Inbox"}).Get()
@@ -318,7 +315,6 @@ Accounts:
 		m0 := store.Message{
 			MailboxID:          inbox.ID,
 			MailboxOrigID:      inbox.ID,
-			MailboxDestinedID:  inbox.ID,
 			RemoteIP:           "::1",
 			RemoteIPMasked1:    "::",
 			RemoteIPMasked2:    "::",
@@ -343,20 +339,11 @@ Accounts:
 		}
 		mf0 := tempfile()
 		xcheckf(err, "creating temp file for delivery")
+		defer store.CloseRemoveTempFile(c.log, mf0, "test message")
 		_, err = fmt.Fprint(mf0, msg0)
 		xcheckf(err, "writing deliver message to file")
-		err = accTest2.DeliverMessage(log, tx, &m0, mf0, false, false, false)
+		err = accTest2.MessageAdd(c.log, tx, &inbox, &m0, mf0, store.AddOpts{})
 		xcheckf(err, "add message to account test2")
-
-		mf0name := mf0.Name()
-		err = mf0.Close()
-		xcheckf(err, "closing file")
-		err = os.Remove(mf0name)
-		xcheckf(err, "removing temp message file")
-
-		err = tx.Get(&inbox)
-		xcheckf(err, "get inbox")
-		inbox.Add(m0.MailboxCounts())
 		err = tx.Update(&inbox)
 		xcheckf(err, "update inbox")
 
@@ -365,29 +352,19 @@ Accounts:
 		const prefix1 = "Extra: test\r\n"
 		const msg1 = "From: <other@remote.example>\r\nTo: <☹@xn--74h.example>\r\nSubject: test\r\n\r\nthe message...\r\n"
 		m1 := store.Message{
-			MailboxID:         sent.ID,
-			MailboxOrigID:     sent.ID,
-			MailboxDestinedID: sent.ID,
-			Flags:             store.Flags{Seen: true, Junk: true},
-			Size:              int64(len(prefix1) + len(msg1)),
-			MsgPrefix:         []byte(prefix1),
+			MailboxID:     sent.ID,
+			MailboxOrigID: sent.ID,
+			Flags:         store.Flags{Seen: true, Junk: true},
+			Size:          int64(len(prefix1) + len(msg1)),
+			MsgPrefix:     []byte(prefix1),
 		}
 		mf1 := tempfile()
 		xcheckf(err, "creating temp file for delivery")
+		defer store.CloseRemoveTempFile(c.log, mf1, "test message")
 		_, err = fmt.Fprint(mf1, msg1)
 		xcheckf(err, "writing deliver message to file")
-		err = accTest2.DeliverMessage(log, tx, &m1, mf1, false, false, false)
+		err = accTest2.MessageAdd(c.log, tx, &sent, &m1, mf1, store.AddOpts{})
 		xcheckf(err, "add message to account test2")
-
-		mf1name := mf1.Name()
-		err = mf1.Close()
-		xcheckf(err, "closing file")
-		err = os.Remove(mf1name)
-		xcheckf(err, "removing temp message file")
-
-		err = tx.Get(&sent)
-		xcheckf(err, "get sent")
-		sent.Add(m1.MailboxCounts())
 		err = tx.Update(&sent)
 		xcheckf(err, "update sent")
 

gents.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+set -eu
+
+# generate new typescript client, only install it when it is different, so we
+# don't trigger frontend builds needlessly.
+go run vendor/github.com/mjl-/sherpats/cmd/sherpats/main.go -bytes-to-string -slices-nullable -maps-nullable -nullable-optional -namespace api api <$1 >$2.tmp
+if cmp -s $2 $2.tmp; then
+	rm $2.tmp
+else
+	mv $2.tmp $2
+fi

genwebsite.sh

@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+
+mkdir website/html 2>/dev/null
+rm -r website/html/* 2>/dev/null
+
+set -euo pipefail
+
+commithash=$(git rev-parse --short HEAD)
+commitdate=$(git log -1 --date=format:"%Y-%m-%d" --format="%ad")
+export commithash
+export commitdate
+
+# Link to static files and cross-references.
+ln -sf ../../../mox-website-files/files website/html/files
+ln -sf ../../rfc/xr website/html/xr
+
+
+# All commands below are executed relative to ./website/
+cd website
+
+go run website.go -root -title 'Mox: modern, secure, all-in-one mail server' 'Mox' < index.md >html/index.html
+
+mkdir html/features
+(
+	cat features/index.md
+	echo
+	sed -n -e 's/^# Roadmap/## Roadmap/' -e '/# FAQ/q' -e '/# Roadmap/,/# FAQ/p' < ../README.md
+	echo
+	echo 'Also see the [Protocols](../protocols/) page for implementation status, and (non)-plans.'
+) | go run website.go 'Features' >html/features/index.html
+
+mkdir html/screenshots
+go run website.go 'Screenshots' < screenshots/index.md >html/screenshots/index.html
+
+mkdir html/install
+go run website.go 'Install' < install/index.md >html/install/index.html
+
+mkdir html/faq
+sed -n '/# FAQ/,//p' < ../README.md | go run website.go 'FAQ' >html/faq/index.html
+
+mkdir html/config
+(
+	echo '# Config reference'
+	echo
+	sed -n '/^Package config holds /,/\*\//p' < ../config/doc.go | grep -v -E '^(Package config holds |\*/)' | sed 's/^# /## /'
+) | go run website.go 'Config reference' >html/config/index.html
+
+mkdir html/commands
+(
+	echo '# Command reference'
+	echo
+	sed -n '/^Mox is started /,/\*\//p' < ../doc.go | grep -v '\*/' | sed 's/^# /## /'
+) | go run website.go 'Command reference' >html/commands/index.html
+
+mkdir html/protocols
+go run website.go -protocols 'Protocols' <../rfc/index.txt >html/protocols/index.html
+
+mkdir html/b
+cat <<'EOF' >html/b/index.html
+<!doctype html>
+<html>
+	<head>
+		<meta charset="utf-8" />
+		<title>mox build</title>
+		<meta name="viewport" content="width=device-width, initial-scale=1" />
+		<link rel="icon" href="noNeedlessFaviconRequestsPlease:" />
+		<style>
+body { padding: 1em; }
+* { font-size: 18px; font-family: ubuntu, lato, sans-serif; margin: 0; padding: 0; box-sizing: border-box; }
+p { max-width: 50em; margin-bottom: 2ex; }
+pre { font-family: 'ubuntu mono', monospace; }
+pre, blockquote { padding: 1em; background-color: #eee; border-radius: .25em; display: inline-block; margin-bottom: 1em; }
+h1 { margin: 1em 0 .5em 0; }
+		</style>
+	</head>
+	<body>
+<script>
+const elem = (name, ...s) => {
+	const e = document.createElement(name)
+	e.append(...s)
+	return e
+}
+const link = (url, anchor) => {
+	const e = document.createElement('a')
+	e.setAttribute('href', url)
+	e.setAttribute('rel', 'noopener')
+	e.append(anchor || url)
+	return e
+}
+let h = location.hash.substring(1)
+const ok = /^[a-zA-Z0-9_\.]+$/.test(h)
+if (!ok) {
+	h = '<tag-or-branch-or-commithash>'
+}
+const init = () => {
+	document.body.append(
+		elem('p', 'Compile or download any version of mox, by tag (release), branch or commit hash.'),
+		elem('h1', 'Compile'),
+		elem('p', 'Run:'),
+		elem('pre', 'CGO_ENABLED=0 GOBIN=$PWD go install github.com/mjl-/mox@'+h),
+		elem('p', 'Mox is tested with the Go toolchain versions that are still have support: The most recent version, and the version before.'),
+		elem('h1', 'Download'),
+		elem('p', 'Download a binary for your platform:'),
+		elem('blockquote', ok ?
+			link('https://beta.gobuilds.org/github.com/mjl-/mox@'+h) :
+			'https://beta.gobuilds.org/github.com/mjl-/mox@'+h
+		),
+		elem('p', 'Because mox is written in Go, builds are reproducible, also when cross-compiling. Gobuilds.org is a service that builds Go applications on-demand with the latest Go toolchain/runtime.'),
+		elem('h1', 'Localserve'),
+		elem('p', 'Changes to mox can often be most easily tested locally with ', link('../features/#hdr-localserve', '"mox localserve"'), ', without having to update your running mail server.'),
+	)
+}
+window.addEventListener('load', init)
+</script>
+	</body>
+</html>
+EOF

go.mod

@@ -1,36 +1,37 @@
 module github.com/mjl-/mox
 
-go 1.20
+go 1.23.0
 
 require (
-	github.com/mjl-/adns v0.0.0-20231109160910-82839fe3e6ae
-	github.com/mjl-/autocert v0.0.0-20231013072455-c361ae2e20a6
-	github.com/mjl-/bstore v0.0.3
-	github.com/mjl-/sconf v0.0.5
-	github.com/mjl-/sherpa v0.6.6
-	github.com/mjl-/sherpadoc v0.0.12
+	github.com/mjl-/adns v0.0.0-20250321173553-ab04b05bdfea
+	github.com/mjl-/autocert v0.0.0-20250321204043-abab2b936e31
+	github.com/mjl-/bstore v0.0.9
+	github.com/mjl-/flate v0.0.0-20250221133712-6372d09eb978
+	github.com/mjl-/sconf v0.0.7
+	github.com/mjl-/sherpa v0.6.7
+	github.com/mjl-/sherpadoc v0.0.16
 	github.com/mjl-/sherpaprom v0.0.2
-	github.com/mjl-/sherpats v0.0.4
-	github.com/prometheus/client_golang v1.17.0
-	go.etcd.io/bbolt v1.3.8
-	golang.org/x/crypto v0.15.0
-	golang.org/x/exp v0.0.0-20231108232855-2478ac86f678
-	golang.org/x/net v0.18.0
-	golang.org/x/text v0.14.0
+	github.com/mjl-/sherpats v0.0.6
+	github.com/prometheus/client_golang v1.18.0
+	github.com/russross/blackfriday/v2 v2.1.0
+	go.etcd.io/bbolt v1.3.11
+	golang.org/x/crypto v0.37.0
+	golang.org/x/net v0.39.0
+	golang.org/x/sys v0.32.0
+	golang.org/x/text v0.24.0
 	rsc.io/qr v0.2.0
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 	github.com/mjl-/xfmt v0.0.2 // indirect
-	github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 // indirect
-	github.com/prometheus/common v0.44.0 // indirect
-	github.com/prometheus/procfs v0.11.1 // indirect
-	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/sys v0.14.0 // indirect
-	golang.org/x/tools v0.15.0 // indirect
+	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/common v0.45.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/sync v0.13.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 )

go.sum

@@ -15,33 +15,34 @@ github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
-github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/mjl-/adns v0.0.0-20231109160910-82839fe3e6ae h1:P/kTaQbDFSbmDK+RVjwu7mPyr6a6XyHqHu1PlRMEbAU=
-github.com/mjl-/adns v0.0.0-20231109160910-82839fe3e6ae/go.mod h1:v47qUMJnipnmDTRGaHwpCwzE6oypa5K33mUvBfzZBn8=
-github.com/mjl-/autocert v0.0.0-20231013072455-c361ae2e20a6 h1:TEXyTghAN9pmV2ffzdnhmzkML08e1Z/oGywJ9eunbRI=
-github.com/mjl-/autocert v0.0.0-20231013072455-c361ae2e20a6/go.mod h1:taMFU86abMxKLPV4Bynhv8enbYmS67b8LG80qZv2Qus=
-github.com/mjl-/bstore v0.0.3 h1:7lpZfzADXYbodan3s8Tb5aXXK90oKB9vdDvz0MC5jrw=
-github.com/mjl-/bstore v0.0.3/go.mod h1:/cD25FNBaDfvL/plFRxI3Ba3E+wcB0XVOS8nJDqndg0=
-github.com/mjl-/sconf v0.0.5 h1:4CMUTENpSnaeP2g6RKtrs8udTxnJgjX2MCCovxGId6s=
-github.com/mjl-/sconf v0.0.5/go.mod h1:uF8OdWtLT8La3i4ln176i1pB0ps9pXGCaABEU55ZkE0=
-github.com/mjl-/sherpa v0.6.6 h1:4Xc4/s12W2I/C1genIL8l4ZCLMsTo8498cPSjQcIHGc=
-github.com/mjl-/sherpa v0.6.6/go.mod h1:dSpAOdgpwdqQZ72O4n3EHo/tR68eKyan8tYYraUMPNc=
+github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
+github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
+github.com/mjl-/adns v0.0.0-20250321173553-ab04b05bdfea h1:8dftsVL1tHhRksXzFZRhSJ7gSlcy/t87Nvucs3JnTGE=
+github.com/mjl-/adns v0.0.0-20250321173553-ab04b05bdfea/go.mod h1:rWZMqGA2HoBm5b5q/A5J8u1sSVuEYh6zBz9tMoVs+RU=
+github.com/mjl-/autocert v0.0.0-20250321204043-abab2b936e31 h1:6MFGOLPGf6VzHWkKv8waSzJMMS98EFY2LVKPRHffCyo=
+github.com/mjl-/autocert v0.0.0-20250321204043-abab2b936e31/go.mod h1:taMFU86abMxKLPV4Bynhv8enbYmS67b8LG80qZv2Qus=
+github.com/mjl-/bstore v0.0.9 h1:j8HVXL10Arbk4ujeRGwns8gipH1N1TZn853inQ42FgY=
+github.com/mjl-/bstore v0.0.9/go.mod h1:xzIpSfcFosgPJ6h+vsdIt0pzCq4i8hhMuHPQJ0aHQhM=
+github.com/mjl-/flate v0.0.0-20250221133712-6372d09eb978 h1:Eg5DfI3/00URzGErujKus6a3O0kyXzF8vjoDZzH/gig=
+github.com/mjl-/flate v0.0.0-20250221133712-6372d09eb978/go.mod h1:QBkFtjai3AiQQuUu7pVh6PA06Vd3oa68E+vddf/UBOs=
+github.com/mjl-/sconf v0.0.7 h1:bdBcSFZCDFMm/UdBsgNCsjkYmKrSgYwp7rAOoufwHe4=
+github.com/mjl-/sconf v0.0.7/go.mod h1:uF8OdWtLT8La3i4ln176i1pB0ps9pXGCaABEU55ZkE0=
+github.com/mjl-/sherpa v0.6.7 h1:C5F8XQdV5nCuS4fvB+ye/ziUQrajEhOoj/t2w5T14BY=
+github.com/mjl-/sherpa v0.6.7/go.mod h1:dSpAOdgpwdqQZ72O4n3EHo/tR68eKyan8tYYraUMPNc=
 github.com/mjl-/sherpadoc v0.0.0-20190505200843-c0a7f43f5f1d/go.mod h1:5khTKxoKKNXcB8bkVUO6GlzC7PFtMmkHq578lPbmnok=
-github.com/mjl-/sherpadoc v0.0.12 h1:6hVe2Z0DnwjC0bfuOwfz8ov7JTCUU49cEaj7h22NiPk=
-github.com/mjl-/sherpadoc v0.0.12/go.mod h1:vh5zcsk3j/Tvm725EY+unTZb3EZcZcpiEQzrODSa6+I=
+github.com/mjl-/sherpadoc v0.0.16 h1:BdlFNXfnTaA7qO54kof4xpNFJxYBTY0cIObRk7QAP6M=
+github.com/mjl-/sherpadoc v0.0.16/go.mod h1:vh5zcsk3j/Tvm725EY+unTZb3EZcZcpiEQzrODSa6+I=
 github.com/mjl-/sherpaprom v0.0.2 h1:1dlbkScsNafM5jURI44uiWrZMSwfZtcOFEEq7vx2C1Y=
 github.com/mjl-/sherpaprom v0.0.2/go.mod h1:cl5nMNOvqhzMiQJ2FzccQ9ReivjHXe53JhOVkPfSvw4=
-github.com/mjl-/sherpats v0.0.4 h1:rZkJO4YV4MfuCi3E4ifzbhpY6VgZgsQoOcL04ABEib4=
-github.com/mjl-/sherpats v0.0.4/go.mod h1:MoNZJtLmu8oCZ4Ocv5vZksENN4pp6/SJMlg9uTII4KA=
+github.com/mjl-/sherpats v0.0.6 h1:2lSoJbb+jkjLOdlvoMxItq0QQrrnkH+rnm3PMRfpbmA=
+github.com/mjl-/sherpats v0.0.6/go.mod h1:MoNZJtLmu8oCZ4Ocv5vZksENN4pp6/SJMlg9uTII4KA=
 github.com/mjl-/xfmt v0.0.2 h1:6dLgd6U3bmDJKtTxsaSYYyMaORoO4hKBAJo4XKkPRko=
 github.com/mjl-/xfmt v0.0.2/go.mod h1:DIEOLmETMQHHr4OgwPG7iC37rDiN9MaZIZxNm5hBtL8=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
@@ -49,66 +50,68 @@ github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
-github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q=
-github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY=
+github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
+github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 h1:v7DLqVdK4VrYkVD5diGdl4sxJurKJEMnODWRJlxV9oM=
-github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
+github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
+github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
 github.com/prometheus/common v0.3.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
-github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
+github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
+github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190503130316-740c07785007/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.11.1 h1:xRC8Iq1yyca5ypa9n1EZnWZkt7dwcoRPQwX/5gwaUuI=
-github.com/prometheus/procfs v0.11.1/go.mod h1:eesXgaPo1q7lBpVMoMy0ZOFTth9hBn4W/y0/p/ScXhY=
+github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
+github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
+github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
-go.etcd.io/bbolt v1.3.8 h1:xs88BrvEv273UsB79e0hcVrlUWmS0a8upikMFhSyAtA=
-go.etcd.io/bbolt v1.3.8/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0=
+go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA=
-golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
-golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 h1:mchzmB1XO2pMaKFRqk/+MV3mgGG96aqaPXaMifQU47w=
-golang.org/x/exp v0.0.0-20231108232855-2478ac86f678/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE=
+golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
 golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
-golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
+golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
+golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.15.0 h1:zdAyfUGbYmuVokhzVmghFl2ZJh5QhcfebBgmVPFYA+8=
-golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk=
+golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
+golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 rsc.io/qr v0.2.0 h1:6vBLea5/NRMVTz8V66gipeLycZMl/+UlFmk8DvqQ6WY=
 rsc.io/qr v0.2.0/go.mod h1:IF+uZjkb9fqyeF/4tlBoynqmQxUoPfWEKh921coOuXs=

http/autoconf.go

@@ -3,6 +3,7 @@ package http
 import (
 	"encoding/xml"
 	"fmt"
+	"log/slog"
 	"net/http"
 	"strings"
 
@@ -10,8 +11,8 @@ import (
 	"github.com/prometheus/client_golang/prometheus/promauto"
 	"rsc.io/qr"
 
-	"github.com/mjl-/mox/mlog"
-	"github.com/mjl-/mox/mox-"
+	"github.com/mjl-/mox/admin"
+	"github.com/mjl-/mox/dns"
 	"github.com/mjl-/mox/smtp"
 )
 
@@ -55,7 +56,7 @@ var (
 // User should create a DNS record: autoconfig.<domain> (CNAME or A).
 // See https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat
 func autoconfHandle(w http.ResponseWriter, r *http.Request) {
-	log := xlog.WithContext(r.Context())
+	log := pkglog.WithContext(r.Context())
 
 	var addrDom string
 	defer func() {
@@ -63,20 +64,36 @@ func autoconfHandle(w http.ResponseWriter, r *http.Request) {
 	}()
 
 	email := r.FormValue("emailaddress")
-	log.Debug("autoconfig request", mlog.Field("email", email))
-	addr, err := smtp.ParseAddress(email)
-	if err != nil {
-		http.Error(w, "400 - bad request - invalid parameter emailaddress", http.StatusBadRequest)
-		return
+	log.Debug("autoconfig request", slog.String("email", email))
+	var domain dns.Domain
+	if email == "" {
+		email = "%EMAILADDRESS%"
+		// Declare this here rather than using := to avoid shadowing domain from
+		// the outer scope.
+		var err error
+		domain, err = dns.ParseDomain(r.Host)
+		if err != nil {
+			http.Error(w, fmt.Sprintf("400 - bad request - invalid domain: %s", r.Host), http.StatusBadRequest)
+			return
+		}
+		domain.ASCII = strings.TrimPrefix(domain.ASCII, "autoconfig.")
+		domain.Unicode = strings.TrimPrefix(domain.Unicode, "autoconfig.")
+	} else {
+		addr, err := smtp.ParseAddress(email)
+		if err != nil {
+			http.Error(w, "400 - bad request - invalid parameter emailaddress", http.StatusBadRequest)
+			return
+		}
+		domain = addr.Domain
 	}
 
-	socketType := func(tlsMode mox.TLSMode) (string, error) {
+	socketType := func(tlsMode admin.TLSMode) (string, error) {
 		switch tlsMode {
-		case mox.TLSModeImmediate:
+		case admin.TLSModeImmediate:
 			return "SSL", nil
-		case mox.TLSModeSTARTTLS:
+		case admin.TLSModeSTARTTLS:
 			return "STARTTLS", nil
-		case mox.TLSModeNone:
+		case admin.TLSModeNone:
 			return "plain", nil
 		default:
 			return "", fmt.Errorf("unknown tls mode %v", tlsMode)
@@ -84,7 +101,7 @@ func autoconfHandle(w http.ResponseWriter, r *http.Request) {
 	}
 
 	var imapTLS, submissionTLS string
-	config, err := mox.ClientConfigDomain(addr.Domain)
+	config, err := admin.ClientConfigDomain(domain)
 	if err == nil {
 		imapTLS, err = socketType(config.IMAP.TLSMode)
 	}
@@ -99,37 +116,67 @@ func autoconfHandle(w http.ResponseWriter, r *http.Request) {
 	// Thunderbird doesn't seem to allow U-labels, always return ASCII names.
 	var resp autoconfigResponse
 	resp.Version = "1.1"
-	resp.EmailProvider.ID = addr.Domain.ASCII
-	resp.EmailProvider.Domain = addr.Domain.ASCII
+	resp.EmailProvider.ID = domain.ASCII
+	resp.EmailProvider.Domain = domain.ASCII
 	resp.EmailProvider.DisplayName = email
-	resp.EmailProvider.DisplayShortName = addr.Domain.ASCII
+	resp.EmailProvider.DisplayShortName = domain.ASCII
 
 	// todo: specify SCRAM-SHA-256 once thunderbird and autoconfig supports it. or perhaps that will fall under "password-encrypted" by then.
+	// todo: let user configure they prefer or require tls client auth and specify "TLS-client-cert"
 
-	resp.EmailProvider.IncomingServer.Type = "imap"
-	resp.EmailProvider.IncomingServer.Hostname = config.IMAP.Host.ASCII
-	resp.EmailProvider.IncomingServer.Port = config.IMAP.Port
-	resp.EmailProvider.IncomingServer.SocketType = imapTLS
-	resp.EmailProvider.IncomingServer.Username = email
-	resp.EmailProvider.IncomingServer.Authentication = "password-encrypted"
+	incoming := incomingServer{
+		"imap",
+		config.IMAP.Host.ASCII,
+		config.IMAP.Port,
+		imapTLS,
+		email,
+		"password-encrypted",
+	}
+	resp.EmailProvider.IncomingServers = append(resp.EmailProvider.IncomingServers, incoming)
+	if config.IMAP.EnabledOnHTTPS {
+		tlsMode, _ := socketType(admin.TLSModeImmediate)
+		incomingALPN := incomingServer{
+			"imap",
+			config.IMAP.Host.ASCII,
+			443,
+			tlsMode,
+			email,
+			"password-encrypted",
+		}
+		resp.EmailProvider.IncomingServers = append(resp.EmailProvider.IncomingServers, incomingALPN)
+	}
 
-	resp.EmailProvider.OutgoingServer.Type = "smtp"
-	resp.EmailProvider.OutgoingServer.Hostname = config.Submission.Host.ASCII
-	resp.EmailProvider.OutgoingServer.Port = config.Submission.Port
-	resp.EmailProvider.OutgoingServer.SocketType = submissionTLS
-	resp.EmailProvider.OutgoingServer.Username = email
-	resp.EmailProvider.OutgoingServer.Authentication = "password-encrypted"
+	outgoing := outgoingServer{
+		"smtp",
+		config.Submission.Host.ASCII,
+		config.Submission.Port,
+		submissionTLS,
+		email,
+		"password-encrypted",
+	}
+	resp.EmailProvider.OutgoingServers = append(resp.EmailProvider.OutgoingServers, outgoing)
+	if config.Submission.EnabledOnHTTPS {
+		tlsMode, _ := socketType(admin.TLSModeImmediate)
+		outgoingALPN := outgoingServer{
+			"smtp",
+			config.Submission.Host.ASCII,
+			443,
+			tlsMode,
+			email,
+			"password-encrypted",
+		}
+		resp.EmailProvider.OutgoingServers = append(resp.EmailProvider.OutgoingServers, outgoingALPN)
+	}
 
 	// todo: should we put the email address in the URL?
-	resp.ClientConfigUpdate.URL = fmt.Sprintf("https://autoconfig.%s/mail/config-v1.1.xml", addr.Domain.ASCII)
+	resp.ClientConfigUpdate.URL = fmt.Sprintf("https://autoconfig.%s/mail/config-v1.1.xml", domain.ASCII)
 
 	w.Header().Set("Content-Type", "application/xml; charset=utf-8")
 	enc := xml.NewEncoder(w)
 	enc.Indent("", "\t")
 	fmt.Fprint(w, xml.Header)
-	if err := enc.Encode(resp); err != nil {
-		log.Errorx("marshal autoconfig response", err)
-	}
+	err = enc.Encode(resp)
+	log.Check(err, "write autoconfig xml response")
 }
 
 // Autodiscover from Microsoft, also used by Thunderbird.
@@ -143,7 +190,7 @@ func autoconfHandle(w http.ResponseWriter, r *http.Request) {
 //
 // Thunderbird does understand autodiscover.
 func autodiscoverHandle(w http.ResponseWriter, r *http.Request) {
-	log := xlog.WithContext(r.Context())
+	log := pkglog.WithContext(r.Context())
 
 	var addrDom string
 	defer func() {
@@ -161,7 +208,7 @@ func autodiscoverHandle(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	log.Debug("autodiscover request", mlog.Field("email", req.Request.EmailAddress))
+	log.Debug("autodiscover request", slog.String("email", req.Request.EmailAddress))
 
 	addr, err := smtp.ParseAddress(req.Request.EmailAddress)
 	if err != nil {
@@ -170,13 +217,13 @@ func autodiscoverHandle(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// tlsmode returns the "ssl" and "encryption" fields.
-	tlsmode := func(tlsMode mox.TLSMode) (string, string, error) {
+	tlsmode := func(tlsMode admin.TLSMode) (string, string, error) {
 		switch tlsMode {
-		case mox.TLSModeImmediate:
+		case admin.TLSModeImmediate:
 			return "on", "TLS", nil
-		case mox.TLSModeSTARTTLS:
+		case admin.TLSModeSTARTTLS:
 			return "on", "", nil
-		case mox.TLSModeNone:
+		case admin.TLSModeNone:
 			return "off", "", nil
 		default:
 			return "", "", fmt.Errorf("unknown tls mode %v", tlsMode)
@@ -185,7 +232,7 @@ func autodiscoverHandle(w http.ResponseWriter, r *http.Request) {
 
 	var imapSSL, imapEncryption string
 	var submissionSSL, submissionEncryption string
-	config, err := mox.ClientConfigDomain(addr.Domain)
+	config, err := admin.ClientConfigDomain(addr.Domain)
 	if err == nil {
 		imapSSL, imapEncryption, err = tlsmode(config.IMAP.TLSMode)
 	}
@@ -208,6 +255,8 @@ func autodiscoverHandle(w http.ResponseWriter, r *http.Request) {
 
 	w.Header().Set("Content-Type", "application/xml; charset=utf-8")
 
+	// todo: let user configure they prefer or require tls client auth and add "AuthPackage" with value "certificate" to Protocol? see https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxdscli/21fd2dd5-c4ee-485b-94fb-e7db5da93726
+
 	resp := autodiscoverResponse{}
 	resp.XMLName.Local = "Autodiscover"
 	resp.XMLName.Space = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"
@@ -242,9 +291,8 @@ func autodiscoverHandle(w http.ResponseWriter, r *http.Request) {
 	enc := xml.NewEncoder(w)
 	enc.Indent("", "\t")
 	fmt.Fprint(w, xml.Header)
-	if err := enc.Encode(resp); err != nil {
-		log.Errorx("marshal autodiscover response", err)
-	}
+	err = enc.Encode(resp)
+	log.Check(err, "marshal autodiscover xml response")
 }
 
 // Thunderbird requests these URLs for autoconfig/autodiscover:
@@ -252,6 +300,22 @@ func autodiscoverHandle(w http.ResponseWriter, r *http.Request) {
 // https://autodiscover.example.org/autodiscover/autodiscover.xml
 // https://example.org/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=user%40example.org
 // https://example.org/autodiscover/autodiscover.xml
+type incomingServer struct {
+	Type           string `xml:"type,attr"`
+	Hostname       string `xml:"hostname"`
+	Port           int    `xml:"port"`
+	SocketType     string `xml:"socketType"`
+	Username       string `xml:"username"`
+	Authentication string `xml:"authentication"`
+}
+type outgoingServer struct {
+	Type           string `xml:"type,attr"`
+	Hostname       string `xml:"hostname"`
+	Port           int    `xml:"port"`
+	SocketType     string `xml:"socketType"`
+	Username       string `xml:"username"`
+	Authentication string `xml:"authentication"`
+}
 type autoconfigResponse struct {
 	XMLName xml.Name `xml:"clientConfig"`
 	Version string   `xml:"version,attr"`
@@ -262,23 +326,8 @@ type autoconfigResponse struct {
 		DisplayName      string `xml:"displayName"`
 		DisplayShortName string `xml:"displayShortName"`
 
-		IncomingServer struct {
-			Type           string `xml:"type,attr"`
-			Hostname       string `xml:"hostname"`
-			Port           int    `xml:"port"`
-			SocketType     string `xml:"socketType"`
-			Username       string `xml:"username"`
-			Authentication string `xml:"authentication"`
-		} `xml:"incomingServer"`
-
-		OutgoingServer struct {
-			Type           string `xml:"type,attr"`
-			Hostname       string `xml:"hostname"`
-			Port           int    `xml:"port"`
-			SocketType     string `xml:"socketType"`
-			Username       string `xml:"username"`
-			Authentication string `xml:"authentication"`
-		} `xml:"outgoingServer"`
+		IncomingServers []incomingServer `xml:"incomingServer"`
+		OutgoingServers []outgoingServer `xml:"outgoingServer"`
 	} `xml:"emailProvider"`
 
 	ClientConfigUpdate struct {
@@ -324,6 +373,8 @@ type autodiscoverProtocol struct {
 // Serve a .mobileconfig file. This endpoint is not a standard place where Apple
 // devices look. We point to it from the account page.
 func mobileconfigHandle(w http.ResponseWriter, r *http.Request) {
+	log := pkglog.WithContext(r.Context())
+
 	if r.Method != "GET" {
 		http.Error(w, "405 - method not allowed - get required", http.StatusMethodNotAllowed)
 		return
@@ -349,12 +400,15 @@ func mobileconfigHandle(w http.ResponseWriter, r *http.Request) {
 	filename = strings.ReplaceAll(filename, "@", "-at-")
 	filename = "email-account-" + filename + ".mobileconfig"
 	h.Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, filename))
-	w.Write(buf)
+	_, err = w.Write(buf)
+	log.Check(err, "writing mobileconfig response")
 }
 
 // Serve a png file with qrcode with the link to the .mobileconfig file, should be
 // helpful for mobile devices.
 func mobileconfigQRCodeHandle(w http.ResponseWriter, r *http.Request) {
+	log := pkglog.WithContext(r.Context())
+
 	if r.Method != "GET" {
 		http.Error(w, "405 - method not allowed - get required", http.StatusMethodNotAllowed)
 		return
@@ -381,5 +435,6 @@ func mobileconfigQRCodeHandle(w http.ResponseWriter, r *http.Request) {
 	}
 	h := w.Header()
 	h.Set("Content-Type", "image/png")
-	w.Write(code.PNG())
+	_, err = w.Write(code.PNG())
+	log.Check(err, "writing mobileconfig qr code")
 }

http/gzcache.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"log/slog"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -75,7 +76,7 @@ func loadStaticGzipCache(dir string, maxSize int64) {
 	os.MkdirAll(dir, 0700)
 	entries, err := os.ReadDir(dir)
 	if err != nil && !os.IsNotExist(err) {
-		xlog.Errorx("listing static gzip cache files", err, mlog.Field("dir", dir))
+		pkglog.Errorx("listing static gzip cache files", err, slog.String("dir", dir))
 	}
 	for _, e := range entries {
 		name := e.Name()
@@ -111,9 +112,12 @@ func loadStaticGzipCache(dir string, maxSize int64) {
 			atime, err = statAtime(fi.Sys())
 		}
 		if err != nil {
-			xlog.Infox("removing unusable/unrecognized file in static gzip cache dir", err)
+			pkglog.Infox("removing unusable/unrecognized file in static gzip cache dir", err)
 			xerr := os.Remove(filepath.Join(dir, name))
-			xlog.Check(xerr, "removing unusable file in static gzip cache dir", mlog.Field("error", err), mlog.Field("dir", dir), mlog.Field("filename", name))
+			pkglog.Check(xerr, "removing unusable file in static gzip cache dir",
+				slog.Any("error", err),
+				slog.String("dir", dir),
+				slog.String("filename", name))
 			continue
 		}
 		staticgzcache.paths[path] = gzfile{
@@ -163,7 +167,7 @@ func (c *gzcache) evictPath(path string) {
 	c.unlink(gf.use)
 	c.size -= gf.gzsize
 	err := os.Remove(staticCachePath(c.dir, path, gf.mtime))
-	xlog.Check(err, "removing cached gzipped static file", mlog.Field("path", path))
+	pkglog.Check(err, "removing cached gzipped static file", slog.String("path", path))
 }
 
 // Open cached file for path, requiring it has mtime. If there is no usable cached
@@ -189,7 +193,7 @@ func (c *gzcache) openPath(path string, mtime int64) (*os.File, int64) {
 	p := staticCachePath(c.dir, path, gf.mtime)
 	f, err := os.Open(p)
 	if err != nil {
-		xlog.Errorx("open static cached gzip file, removing from cache", err, mlog.Field("path", path))
+		pkglog.Errorx("open static cached gzip file, removing from cache", err, slog.String("path", path))
 		// Perhaps someone removed the file? Remove from cache, it will be recreated.
 		c.evictPath(path)
 		return nil, 0
@@ -303,8 +307,8 @@ type staticgzcacheReplacer struct {
 	handled bool
 }
 
-func (w *staticgzcacheReplacer) logger() *mlog.Log {
-	return xlog.WithContext(w.r.Context())
+func (w *staticgzcacheReplacer) logger() mlog.Log {
+	return pkglog.WithContext(w.r.Context())
 }
 
 // Header returns the header of the underlying ResponseWriter.
@@ -353,7 +357,7 @@ func (w *staticgzcacheReplacer) WriteHeader(statusCode int) {
 		p := staticCachePath(staticgzcache.dir, w.uncomprPath, w.uncomprMtime.UnixNano())
 		ngzf, err := os.OpenFile(p, os.O_CREATE|os.O_EXCL|os.O_RDWR, 0600)
 		if err != nil {
-			w.logger().Errorx("create new static gzip cache file", err, mlog.Field("requestpath", w.uncomprPath), mlog.Field("fspath", p))
+			w.logger().Errorx("create new static gzip cache file", err, slog.String("requestpath", w.uncomprPath), slog.String("fspath", p))
 			staticgzcache.abortPath(w.uncomprPath)
 			return
 		}
@@ -361,9 +365,9 @@ func (w *staticgzcacheReplacer) WriteHeader(statusCode int) {
 			if ngzf != nil {
 				staticgzcache.abortPath(w.uncomprPath)
 				err := ngzf.Close()
-				w.logger().Check(err, "closing failed static gzip cache file", mlog.Field("requestpath", w.uncomprPath), mlog.Field("fspath", p))
+				w.logger().Check(err, "closing failed static gzip cache file", slog.String("requestpath", w.uncomprPath), slog.String("fspath", p))
 				err = os.Remove(p)
-				w.logger().Check(err, "removing failed static gzip cache file", mlog.Field("requestpath", w.uncomprPath), mlog.Field("fspath", p))
+				w.logger().Check(err, "removing failed static gzip cache file", slog.String("requestpath", w.uncomprPath), slog.String("fspath", p))
 			}
 		}()
 

http/main_test.go

@@ -0,0 +1,17 @@
+package http
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/mjl-/mox/metrics"
+)
+
+func TestMain(m *testing.M) {
+	m.Run()
+	if metrics.Panics.Load() > 0 {
+		fmt.Println("unhandled panics encountered")
+		os.Exit(2)
+	}
+}

http/mobileconfig.go

@@ -6,13 +6,11 @@ import (
 	"crypto/sha256"
 	"encoding/xml"
 	"fmt"
-	"sort"
+	"maps"
+	"slices"
 	"strings"
 
-	"golang.org/x/exp/maps"
-	"golang.org/x/exp/slices"
-
-	"github.com/mjl-/mox/mox-"
+	"github.com/mjl-/mox/admin"
 	"github.com/mjl-/mox/smtp"
 )
 
@@ -39,8 +37,7 @@ func (m dict) MarshalXML(e *xml.Encoder, start xml.StartElement) error {
 	if err := e.EncodeToken(xml.StartElement{Name: xml.Name{Local: "dict"}}); err != nil {
 		return err
 	}
-	l := maps.Keys(m)
-	sort.Strings(l)
+	l := slices.Sorted(maps.Keys(m))
 	for _, k := range l {
 		tokens := []xml.Token{
 			xml.StartElement{Name: xml.Name{Local: "key"}},
@@ -64,7 +61,7 @@ func (m dict) MarshalXML(e *xml.Encoder, start xml.StartElement) error {
 		case int:
 			tokens = []xml.Token{
 				xml.StartElement{Name: xml.Name{Local: "integer"}},
-				xml.CharData([]byte(fmt.Sprintf("%d", v))),
+				xml.CharData(fmt.Appendf(nil, "%d", v)),
 				xml.EndElement{Name: xml.Name{Local: "integer"}},
 			}
 		case bool:
@@ -122,7 +119,7 @@ func MobileConfig(addresses []string, fullName string) ([]byte, error) {
 		return nil, fmt.Errorf("parsing address: %v", err)
 	}
 
-	config, err := mox.ClientConfigDomain(addr.Domain)
+	config, err := admin.ClientConfigDomain(addr.Domain)
 	if err != nil {
 		return nil, fmt.Errorf("getting config for domain: %v", err)
 	}
@@ -175,12 +172,12 @@ func MobileConfig(addresses []string, fullName string) ([]byte, error) {
 					"IncomingMailServerUsername":             addresses[0],
 					"IncomingMailServerHostName":             config.IMAP.Host.ASCII,
 					"IncomingMailServerPortNumber":           config.IMAP.Port,
-					"IncomingMailServerUseSSL":               config.IMAP.TLSMode == mox.TLSModeImmediate,
+					"IncomingMailServerUseSSL":               config.IMAP.TLSMode == admin.TLSModeImmediate,
 					"OutgoingMailServerAuthentication":       "EmailAuthCRAMMD5", // SCRAM not an option at time of writing...
 					"OutgoingMailServerHostName":             config.Submission.Host.ASCII,
 					"OutgoingMailServerPortNumber":           config.Submission.Port,
 					"OutgoingMailServerUsername":             addresses[0],
-					"OutgoingMailServerUseSSL":               config.Submission.TLSMode == mox.TLSModeImmediate,
+					"OutgoingMailServerUseSSL":               config.Submission.TLSMode == admin.TLSModeImmediate,
 					"OutgoingPasswordSameAsIncomingPassword": true,
 					"PayloadIdentifier":                      reverseAddr + ".email.account",
 					"PayloadType":                            "com.apple.mail.managed",

http/mtasts.go

@@ -1,6 +1,7 @@
 package http
 
 import (
+	"log/slog"
 	"net"
 	"net/http"
 	"strings"
@@ -13,8 +14,8 @@ import (
 )
 
 func mtastsPolicyHandle(w http.ResponseWriter, r *http.Request) {
-	log := func() *mlog.Log {
-		return xlog.WithContext(r.Context())
+	log := func() mlog.Log {
+		return pkglog.WithContext(r.Context())
 	}
 
 	host := strings.ToLower(r.Host)
@@ -30,7 +31,7 @@ func mtastsPolicyHandle(w http.ResponseWriter, r *http.Request) {
 	}
 	domain, err := dns.ParseDomain(host)
 	if err != nil {
-		log().Errorx("mtasts policy request: bad domain", err, mlog.Field("host", host))
+		log().Errorx("mtasts policy request: bad domain", err, slog.String("host", host))
 		http.NotFound(w, r)
 		return
 	}
@@ -42,16 +43,16 @@ func mtastsPolicyHandle(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	var mxs []mtasts.STSMX
+	var mxs []mtasts.MX
 	for _, s := range sts.MX {
-		var mx mtasts.STSMX
+		var mx mtasts.MX
 		if strings.HasPrefix(s, "*.") {
 			mx.Wildcard = true
 			s = s[2:]
 		}
 		d, err := dns.ParseDomain(s)
 		if err != nil {
-			log().Errorx("bad domain in mtasts config", err, mlog.Field("domain", s))
+			log().Errorx("bad domain in mtasts config", err, slog.String("domain", s))
 			http.Error(w, "500 - internal server error - invalid domain in configuration", http.StatusInternalServerError)
 			return
 		}
@@ -59,7 +60,7 @@ func mtastsPolicyHandle(w http.ResponseWriter, r *http.Request) {
 		mxs = append(mxs, mx)
 	}
 	if len(mxs) == 0 {
-		mxs = []mtasts.STSMX{{Domain: mox.Conf.Static.HostnameDomain}}
+		mxs = []mtasts.MX{{Domain: mox.Conf.Static.HostnameDomain}}
 	}
 
 	policy := mtasts.Policy{

http/web_test.go

@@ -6,10 +6,8 @@ import (
 	"net/http/httptest"
 	"os"
 	"path/filepath"
-	"strings"
 	"testing"
 
-	"github.com/mjl-/mox/dns"
 	"github.com/mjl-/mox/mox-"
 )
 
@@ -19,20 +17,8 @@ func TestServeHTTP(t *testing.T) {
 	mox.ConfigDynamicPath = filepath.Join(filepath.Dir(mox.ConfigStaticPath), "domains.conf")
 	mox.MustLoadConfig(true, false)
 
-	srv := &serve{
-		PathHandlers: []pathHandler{
-			{
-				HostMatch: func(dom dns.Domain) bool {
-					return strings.HasPrefix(dom.ASCII, "mta-sts.")
-				},
-				Path: "/.well-known/mta-sts.txt",
-				Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-					w.Write([]byte("mta-sts!"))
-				}),
-			},
-		},
-		Webserver: true,
-	}
+	portSrvs := portServes("local", mox.Conf.Static.Listeners["local"])
+	srv := portSrvs[80]
 
 	test := func(method, target string, expCode int, expContent string, expHeaders map[string]string) {
 		t.Helper()
@@ -43,22 +29,22 @@ func TestServeHTTP(t *testing.T) {
 		srv.ServeHTTP(rw, req)
 		resp := rw.Result()
 		if resp.StatusCode != expCode {
-			t.Fatalf("got statuscode %d, expected %d", resp.StatusCode, expCode)
+			t.Errorf("got statuscode %d, expected %d", resp.StatusCode, expCode)
 		}
 		if expContent != "" {
 			s := rw.Body.String()
 			if s != expContent {
-				t.Fatalf("got response data %q, expected %q", s, expContent)
+				t.Errorf("got response data %q, expected %q", s, expContent)
 			}
 		}
 		for k, v := range expHeaders {
 			if xv := resp.Header.Get(k); xv != v {
-				t.Fatalf("got %q for header %q, expected %q", xv, k, v)
+				t.Errorf("got %q for header %q, expected %q", xv, k, v)
 			}
 		}
 	}
 
-	test("GET", "http://mta-sts.mox.example/.well-known/mta-sts.txt", http.StatusOK, "mta-sts!", nil)
+	test("GET", "http://mta-sts.mox.example/.well-known/mta-sts.txt", http.StatusOK, "version: STSv1\nmode: enforce\nmax_age: 86400\nmx: mox.example\n", nil)
 	test("GET", "http://mox.example/.well-known/mta-sts.txt", http.StatusNotFound, "", nil) // mta-sts endpoint not in this domain.
 	test("GET", "http://mta-sts.mox.example/static/", http.StatusNotFound, "", nil)         // static not served on this domain.
 	test("GET", "http://mta-sts.mox.example/other", http.StatusNotFound, "", nil)
@@ -66,4 +52,24 @@ func TestServeHTTP(t *testing.T) {
 	test("GET", "http://mox.example/static/index.html", http.StatusOK, "html\n", map[string]string{"X-Test": "mox"})
 	test("GET", "http://mox.example/static/dir/", http.StatusOK, "", map[string]string{"X-Test": "mox"}) // Dir listing.
 	test("GET", "http://mox.example/other", http.StatusNotFound, "", nil)
+
+	// Webmail on IP, localhost, mail host, clientsettingsdomain, not others.
+	test("GET", "http://127.0.0.1/webmail/", http.StatusOK, "", nil)
+	test("GET", "http://localhost/webmail/", http.StatusOK, "", nil)
+	test("GET", "http://mox.example/webmail/", http.StatusOK, "", nil)
+	test("GET", "http://mail.mox.example/webmail/", http.StatusOK, "", nil)
+	test("GET", "http://mail.other.example/webmail/", http.StatusNotFound, "", nil)
+	test("GET", "http://remotehost/webmail/", http.StatusNotFound, "", nil)
+
+	// admin on IP, localhost, mail host, not clientsettingsdomain.
+	test("GET", "http://127.0.0.1/admin/", http.StatusOK, "", nil)
+	test("GET", "http://localhost/admin/", http.StatusOK, "", nil)
+	test("GET", "http://mox.example/admin/", http.StatusPermanentRedirect, "", nil) // Override by WebHandler.
+	test("GET", "http://mail.mox.example/admin/", http.StatusNotFound, "", nil)
+
+	// account is off.
+	test("GET", "http://127.0.0.1/", http.StatusNotFound, "", nil)
+	test("GET", "http://localhost/", http.StatusNotFound, "", nil)
+	test("GET", "http://mox.example/", http.StatusNotFound, "", nil)
+	test("GET", "http://mail.mox.example/", http.StatusNotFound, "", nil)
 }

http/webserver.go

@@ -13,6 +13,7 @@ import (
 	"io"
 	"io/fs"
 	golog "log"
+	"log/slog"
 	"net"
 	"net/http"
 	"net/http/httputil"
@@ -29,7 +30,6 @@ import (
 	"github.com/mjl-/mox/dns"
 	"github.com/mjl-/mox/mlog"
 	"github.com/mjl-/mox/mox-"
-	"github.com/mjl-/mox/moxio"
 )
 
 func recvid(r *http.Request) string {
@@ -45,11 +45,13 @@ func recvid(r *http.Request) string {
 // WebHandle runs after the built-in handlers for mta-sts, autoconfig, etc.
 // If no handler matched, false is returned.
 // WebHandle sets w.Name to that of the matching handler.
-func WebHandle(w *loggingWriter, r *http.Request, host dns.Domain) (handled bool) {
-	redirects, handlers := mox.Conf.WebServer()
+func WebHandle(w *loggingWriter, r *http.Request, host dns.IPDomain) (handled bool) {
+	conf := mox.Conf.DynamicConfig()
+	redirects := conf.WebDNSDomainRedirects
+	handlers := conf.WebHandlers
 
 	for from, to := range redirects {
-		if host != from {
+		if host.Domain != from {
 			continue
 		}
 		u := r.URL
@@ -61,7 +63,7 @@ func WebHandle(w *loggingWriter, r *http.Request, host dns.Domain) (handled bool
 	}
 
 	for _, h := range handlers {
-		if host != h.DNSDomain {
+		if host.Domain != h.DNSDomain {
 			continue
 		}
 		loc := h.Path.FindStringIndex(r.URL.Path)
@@ -96,6 +98,10 @@ func WebHandle(w *loggingWriter, r *http.Request, host dns.Domain) (handled bool
 			w.Handler = h.Name
 			return true
 		}
+		if h.WebInternal != nil && HandleInternal(h.WebInternal, w, r) {
+			w.Handler = h.Name
+			return true
+		}
 	}
 	w.Compress = false
 	return false
@@ -149,8 +155,8 @@ table > tbody > tr:nth-child(odd) { background-color: #f8f8f8; }
 // file is returned. Otherwise, for directories with ListFiles configured, a
 // directory listing is returned.
 func HandleStatic(h *config.WebStatic, compress bool, w http.ResponseWriter, r *http.Request) (handled bool) {
-	log := func() *mlog.Log {
-		return xlog.WithContext(r.Context())
+	log := func() mlog.Log {
+		return pkglog.WithContext(r.Context())
 	}
 	if r.Method != "GET" && r.Method != "HEAD" {
 		if h.ContinueNotFound {
@@ -208,35 +214,45 @@ func HandleStatic(h *config.WebStatic, compress bool, w http.ResponseWriter, r *
 			}
 			http.NotFound(w, r)
 			return true
+		} else if errors.Is(err, syscall.ENAMETOOLONG) {
+			http.NotFound(w, r)
+			return true
 		} else if os.IsPermission(err) {
 			// If we tried opening a directory, we may not have permission to read it, but
 			// still access files inside it (execute bit), such as index.html. So try to serve it.
 			index, err := os.Open(filepath.Join(fspath, "index.html"))
-			if err == nil {
-				defer index.Close()
-				var ifi os.FileInfo
-				ifi, err = index.Stat()
-				if err != nil {
-					log().Errorx("stat index.html in directory we cannot list", err, mlog.Field("url", r.URL), mlog.Field("fspath", fspath))
-					http.Error(w, "500 - internal server error"+recvid(r), http.StatusInternalServerError)
-					return true
-				}
-				w.Header().Set("Content-Type", "text/html; charset=utf-8")
-				serveFile("index.html", ifi, index)
+			if err != nil {
+				http.Error(w, "403 - permission denied", http.StatusForbidden)
 				return true
 			}
-			http.Error(w, "403 - permission denied", http.StatusForbidden)
+			defer func() {
+				err := index.Close()
+				log().Check(err, "closing index file for serving")
+			}()
+			var ifi os.FileInfo
+			ifi, err = index.Stat()
+			if err != nil {
+				log().Errorx("stat index.html in directory we cannot list", err, slog.Any("url", r.URL), slog.String("fspath", fspath))
+				http.Error(w, "500 - internal server error"+recvid(r), http.StatusInternalServerError)
+				return true
+			}
+			w.Header().Set("Content-Type", "text/html; charset=utf-8")
+			serveFile("index.html", ifi, index)
 			return true
 		}
-		log().Errorx("open file for static file serving", err, mlog.Field("url", r.URL), mlog.Field("fspath", fspath))
+		log().Errorx("open file for static file serving", err, slog.Any("url", r.URL), slog.String("fspath", fspath))
 		http.Error(w, "500 - internal server error"+recvid(r), http.StatusInternalServerError)
 		return true
 	}
-	defer f.Close()
+	defer func() {
+		if err := f.Close(); err != nil {
+			log().Check(err, "closing file for static file serving")
+		}
+	}()
 
 	fi, err := f.Stat()
 	if err != nil {
-		log().Errorx("stat file for static file serving", err, mlog.Field("url", r.URL), mlog.Field("fspath", fspath))
+		log().Errorx("stat file for static file serving", err, slog.Any("url", r.URL), slog.String("fspath", fspath))
 		http.Error(w, "500 - internal server error"+recvid(r), http.StatusInternalServerError)
 		return true
 	}
@@ -264,7 +280,12 @@ func HandleStatic(h *config.WebStatic, compress bool, w http.ResponseWriter, r *
 			http.Error(w, "403 - permission denied", http.StatusForbidden)
 			return true
 		} else if err == nil {
-			defer index.Close()
+			defer func() {
+				if err := index.Close(); err != nil {
+					log().Check(err, "closing index file for serving")
+				}
+			}()
+
 			var ifi os.FileInfo
 			ifi, err = index.Stat()
 			if err == nil {
@@ -274,7 +295,7 @@ func HandleStatic(h *config.WebStatic, compress bool, w http.ResponseWriter, r *
 			}
 		}
 		if !os.IsNotExist(err) {
-			log().Errorx("stat for static file serving", err, mlog.Field("url", r.URL), mlog.Field("fspath", fspath))
+			log().Errorx("stat for static file serving", err, slog.Any("url", r.URL), slog.String("fspath", fspath))
 			http.Error(w, "500 - internal server error"+recvid(r), http.StatusInternalServerError)
 			return true
 		}
@@ -315,7 +336,7 @@ func HandleStatic(h *config.WebStatic, compress bool, w http.ResponseWriter, r *
 			if err == io.EOF {
 				break
 			} else if err != nil {
-				log().Errorx("reading directory for file listing", err, mlog.Field("url", r.URL), mlog.Field("fspath", fspath))
+				log().Errorx("reading directory for file listing", err, slog.Any("url", r.URL), slog.String("fspath", fspath))
 				http.Error(w, "500 - internal server error"+recvid(r), http.StatusInternalServerError)
 				return true
 			}
@@ -331,8 +352,8 @@ func HandleStatic(h *config.WebStatic, compress bool, w http.ResponseWriter, r *
 			}
 		}
 		err = lsTemplate.Execute(w, map[string]any{"Files": files})
-		if err != nil && !moxio.IsClosed(err) {
-			log().Errorx("executing directory listing template", err)
+		if err != nil {
+			log().Check(err, "executing directory listing template")
 		}
 		return true
 	}
@@ -393,13 +414,19 @@ func HandleRedirect(h *config.WebRedirect, w http.ResponseWriter, r *http.Reques
 	return true
 }
 
+// HandleInternal passes the request to an internal service.
+func HandleInternal(h *config.WebInternal, w http.ResponseWriter, r *http.Request) (handled bool) {
+	h.Handler.ServeHTTP(w, r)
+	return true
+}
+
 // HandleForward handles a request by forwarding it to another webserver and
 // passing the response on. I.e. a reverse proxy. It handles websocket
 // connections by monitoring the websocket handshake and then just passing along the
 // websocket frames.
 func HandleForward(h *config.WebForward, w http.ResponseWriter, r *http.Request, path string) (handled bool) {
-	log := func() *mlog.Log {
-		return xlog.WithContext(r.Context())
+	log := func() mlog.Log {
+		return pkglog.WithContext(r.Context())
 	}
 
 	xr := *r
@@ -459,13 +486,13 @@ func HandleForward(h *config.WebForward, w http.ResponseWriter, r *http.Request,
 	// ReverseProxy will append any remaining path to the configured target URL.
 	proxy := httputil.NewSingleHostReverseProxy(h.TargetURL)
 	proxy.FlushInterval = time.Duration(-1) // Flush after each write.
-	proxy.ErrorLog = golog.New(mlog.ErrWriter(mlog.New("net/http/httputil").WithContext(r.Context()), mlog.LevelDebug, "reverseproxy error"), "", 0)
+	proxy.ErrorLog = golog.New(mlog.LogWriter(mlog.New("net/http/httputil", nil).WithContext(r.Context()), mlog.LevelDebug, "reverseproxy error"), "", 0)
 	proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
 		if errors.Is(err, context.Canceled) {
-			log().Debugx("forwarding request to backend webserver", err, mlog.Field("url", r.URL))
+			log().Debugx("forwarding request to backend webserver", err, slog.Any("url", r.URL))
 			return
 		}
-		log().Errorx("forwarding request to backend webserver", err, mlog.Field("url", r.URL))
+		log().Errorx("forwarding request to backend webserver", err, slog.Any("url", r.URL))
 		if os.IsTimeout(err) {
 			http.Error(w, "504 - gateway timeout"+recvid(r), http.StatusGatewayTimeout)
 		} else {
@@ -493,8 +520,8 @@ var errNotImplemented = errors.New("functionality not yet implemented")
 // work for little benefit. Besides, the whole point of websockets is to exchange
 // bytes without HTTP being in the way, so let's do that.
 func forwardWebsocket(h *config.WebForward, w http.ResponseWriter, r *http.Request, path string) (handled bool) {
-	log := func() *mlog.Log {
-		return xlog.WithContext(r.Context())
+	log := func() mlog.Log {
+		return pkglog.WithContext(r.Context())
 	}
 
 	lw := w.(*loggingWriter)
@@ -579,7 +606,9 @@ func forwardWebsocket(h *config.WebForward, w http.ResponseWriter, r *http.Reque
 	}
 	defer func() {
 		if beconn != nil {
-			beconn.Close()
+			if err := beconn.Close(); err != nil {
+				log().Check(err, "closing backend websocket connection")
+			}
 		}
 	}()
 
@@ -595,7 +624,9 @@ func forwardWebsocket(h *config.WebForward, w http.ResponseWriter, r *http.Reque
 	}
 	defer func() {
 		if cconn != nil {
-			cconn.Close()
+			if err := cconn.Close(); err != nil {
+				log().Check(err, "closing client websocket connection")
+			}
 		}
 	}()
 
@@ -648,8 +679,12 @@ func forwardWebsocket(h *config.WebForward, w http.ResponseWriter, r *http.Reque
 	// connection whose closing was already announced with a websocket frame.
 	lw.error(<-errc)
 	// Close connections so other goroutine stops as well.
-	cconn.Close()
-	beconn.Close()
+	if err := cconn.Close(); err != nil {
+		log().Check(err, "closing client websocket connection")
+	}
+	if err := beconn.Close(); err != nil {
+		log().Check(err, "closing backend websocket connection")
+	}
 	// Wait for goroutine so it has updated the logWriter.Size*Client fields before we
 	// continue with logging.
 	<-errc
@@ -658,8 +693,8 @@ func forwardWebsocket(h *config.WebForward, w http.ResponseWriter, r *http.Reque
 }
 
 func websocketTransact(ctx context.Context, targetURL *url.URL, r *http.Request) (rresp *http.Response, rconn net.Conn, rerr error) {
-	log := func() *mlog.Log {
-		return xlog.WithContext(r.Context())
+	log := func() mlog.Log {
+		return pkglog.WithContext(r.Context())
 	}
 
 	// Dial the backend, possibly doing TLS. We assume the net/http DefaultTransport is
@@ -702,7 +737,9 @@ func websocketTransact(ctx context.Context, targetURL *url.URL, r *http.Request)
 	}
 	defer func() {
 		if rerr != nil {
-			conn.Close()
+			if xerr := conn.Close(); xerr != nil {
+				log().Check(xerr, "cleaning up websocket connection")
+			}
 		}
 	}()
 
@@ -729,7 +766,9 @@ func websocketTransact(ctx context.Context, targetURL *url.URL, r *http.Request)
 	}
 	defer func() {
 		if rerr != nil {
-			resp.Body.Close()
+			if xerr := resp.Body.Close(); xerr != nil {
+				log().Check(xerr, "closing response body after error")
+			}
 		}
 	}()
 	if err := conn.SetDeadline(time.Time{}); err != nil {

http/webserver_test.go

@@ -134,6 +134,10 @@ func TestWebserver(t *testing.T) {
 
 	test("GET", "http://mox.example/bogus", nil, http.StatusNotFound, "", nil)         // path not registered.
 	test("GET", "http://bogus.mox.example/static/", nil, http.StatusNotFound, "", nil) // domain not registered.
+	test("GET", "http://mox.example/xadmin/", nil, http.StatusOK, "", nil)             // internal admin service
+	test("GET", "http://mox.example/xaccount/", nil, http.StatusOK, "", nil)           // internal account service
+	test("GET", "http://mox.example/xwebmail/", nil, http.StatusOK, "", nil)           // internal webmail service
+	test("GET", "http://mox.example/xwebapi/v0/", nil, http.StatusOK, "", nil)         // internal webapi service
 
 	npaths := len(staticgzcache.paths)
 	if npaths != 1 {
@@ -335,5 +339,4 @@ func TestWebsocket(t *testing.T) {
 		w.WriteHeader(http.StatusSwitchingProtocols)
 	})
 	test("GET", wsreqhdrs, http.StatusSwitchingProtocols, wsresphdrs)
-
 }

imapclient/client.go

@@ -1,39 +1,102 @@
 /*
-Package imapclient provides an IMAP4 client, primarily for testing the IMAP4 server.
+Package imapclient provides an IMAP4 client implementing IMAP4rev1 (RFC 3501),
+IMAP4rev2 (RFC 9051) and various extensions.
 
-Commands can be sent to the server free-form, but responses are parsed strictly.
-Behaviour that may not be required by the IMAP4 specification may be expected by
-this client.
+Warning: Currently primarily for testing the mox IMAP4 server. Behaviour that
+may not be required by the IMAP4 specification may be expected by this client.
+
+See [Conn] for a high-level client for executing IMAP commands. Use its embedded
+[Proto] for lower-level writing of commands and reading of responses.
 */
 package imapclient
 
-/*
-- Try to keep the parsing method names and the types similar to the ABNF names in the RFCs.
-
-- todo: have mode for imap4rev1 vs imap4rev2, refusing what is not allowed. we are accepting too much now.
-- todo: stricter parsing. xnonspace() and xword() should be replaced by proper parsers.
-*/
-
 import (
 	"bufio"
+	"crypto/tls"
 	"fmt"
+	"io"
+	"log/slog"
 	"net"
-	"reflect"
 	"strings"
+
+	"github.com/mjl-/mox/mlog"
+	"github.com/mjl-/mox/moxio"
 )
 
-// Conn is an IMAP connection to a server.
+// Conn is an connection to an IMAP server.
+//
+// Method names on Conn are the names of IMAP commands. CloseMailbox, which
+// executes the IMAP CLOSE command, is an exception. The Close method closes the
+// connection.
+//
+// The methods starting with MSN are the original (old) IMAP commands. The variants
+// starting with UID should almost always be used instead, if available.
+//
+// The methods on Conn typically return errors of type Error or Response. Error
+// represents protocol and i/o level errors, including io.ErrDeadlineExceeded and
+// various errors for closed connections. Response is returned as error if the IMAP
+// result is NO or BAD instead of OK. The responses returned by the IMAP command
+// methods can also be non-zero on errors. Callers may wish to process any untagged
+// responses.
+//
+// The IMAP command methods defined on Conn don't interpret the untagged responses
+// except for  untagged CAPABILITY and untagged ENABLED responses, and the
+// CAPABILITY response code. Fields CapAvailable and CapEnabled are updated when
+// those untagged responses are received.
+//
+// Capabilities indicate which optional IMAP functionality is supported by a
+// server. Capabilities are typically implicitly enabled when the client sends a
+// command using syntax of an optional extension. Extensions without new syntax
+// from client to server, but with new behaviour or syntax from server to client,
+// the client needs to explicitly enable the capability with the ENABLE command,
+// see the Enable method.
 type Conn struct {
-	conn      net.Conn
-	r         *bufio.Reader
-	panic     bool
+	// If true, server sent a PREAUTH tag and the connection is already authenticated,
+	// e.g. based on TLS certificate authentication.
+	Preauth bool
+
+	// Capabilities available at server, from CAPABILITY command or response code.
+	CapAvailable []Capability
+	// Capabilities marked as enabled by the server, typically after an ENABLE command.
+	CapEnabled []Capability
+
+	// Proto provides lower-level functions for interacting with the IMAP connection,
+	// such as reading and writing individual lines/commands/responses.
+	Proto
+}
+
+// Proto provides low-level operations for writing requests and reading responses
+// on an IMAP connection.
+//
+// To implement the IDLE command, write "IDLE" using [Proto.WriteCommandf], then
+// read a line with [Proto.Readline]. If it starts with "+ ", the connection is in
+// idle mode and untagged responses can be read using [Proto.ReadUntagged]. If the
+// line doesn't start with "+ ", use [ParseResult] to interpret it as a response to
+// IDLE, which should be a NO or BAD. To abort idle mode, write "DONE" using
+// [Proto.Writelinef] and wait until a result line has been read.
+type Proto struct {
+	// Connection, may be original TCP or TLS connection. Reads go through c.br, and
+	// writes through c.xbw. The "x" for the writes indicate that failed writes cause
+	// an i/o panic, which is either turned into a returned error, or passed on (see
+	// boolean panic). The reader and writer wrap a tracing reading/writer and may wrap
+	// flate compression.
+	conn         net.Conn
+	connBroken   bool // If connection is broken, we won't flush (and write) again.
+	br           *bufio.Reader
+	tr           *moxio.TraceReader
+	xbw          *bufio.Writer
+	compress     bool // If compression is enabled, we must flush flateWriter and its target original bufio writer.
+	xflateWriter *moxio.FlateWriter
+	xflateBW     *bufio.Writer
+	xtw          *moxio.TraceWriter
+
+	log       mlog.Log
+	errHandle func(err error) // If set, called for all errors. Can panic. Used for imapserver tests.
 	tagGen    int
 	record    bool // If true, bytes read are added to recordBuf. recorded() resets.
 	recordBuf []byte
 
-	LastTag      string
-	CapAvailable map[Capability]struct{} // Capabilities available at server, from CAPABILITY command or response code.
-	CapEnabled   map[Capability]struct{} // Capabilities enabled through ENABLE command.
+	lastTag string
 }
 
 // Error is a parse or other protocol error.
@@ -47,22 +110,52 @@ func (e Error) Unwrap() error {
 	return e.err
 }
 
-// New creates a new client on conn.
+// Opts has optional fields that influence behaviour of a Conn.
+type Opts struct {
+	Logger *slog.Logger
+
+	// Error is called for IMAP-level and connection-level errors during the IMAP
+	// command methods on Conn, not for errors in calls on Proto. Error is allowed to
+	// call panic.
+	Error func(err error)
+}
+
+// New initializes a new IMAP client on conn.
 //
-// If xpanic is true, functions that would return an error instead panic. For parse
-// errors, the resulting stack traces show typically show what was being parsed.
+// Conn should normally be a TLS connection, typically connected to port 993 of an
+// IMAP server. Alternatively, conn can be a plain TCP connection to port 143. TLS
+// should be enabled on plain TCP connections with the [Conn.StartTLS] method.
 //
-// The initial untagged greeting response is read and must be "OK".
-func New(conn net.Conn, xpanic bool) (client *Conn, rerr error) {
+// The initial untagged greeting response is read and must be "OK" or
+// "PREAUTH". If preauth, the connection is already in authenticated state,
+// typically through TLS client certificate. This is indicated in Conn.Preauth.
+//
+// Logging is written to opts.Logger. In particular, IMAP protocol traces are
+// written with prefixes "CR: " and "CW: " (client read/write) as quoted strings at
+// levels Debug-4, with authentication messages at Debug-6 and (user) data at level
+// Debug-8.
+func New(conn net.Conn, opts *Opts) (client *Conn, rerr error) {
 	c := Conn{
-		conn:         conn,
-		r:            bufio.NewReader(conn),
-		panic:        xpanic,
-		CapAvailable: map[Capability]struct{}{},
-		CapEnabled:   map[Capability]struct{}{},
+		Proto: Proto{conn: conn},
 	}
 
-	defer c.recover(&rerr)
+	var clog *slog.Logger
+	if opts != nil {
+		c.errHandle = opts.Error
+		clog = opts.Logger
+	} else {
+		clog = slog.Default()
+	}
+	c.log = mlog.New("imapclient", clog)
+
+	c.tr = moxio.NewTraceReader(c.log, "CR: ", &c)
+	c.br = bufio.NewReader(c.tr)
+
+	// Writes are buffered and write to Conn, which may panic.
+	c.xtw = moxio.NewTraceWriter(c.log, "CW: ", &c)
+	c.xbw = bufio.NewWriter(c.xtw)
+
+	defer c.recoverErr(&rerr)
 	tag := c.xnonspace()
 	if tag != "*" {
 		c.xerrorf("expected untagged *, got %q", tag)
@@ -74,9 +167,15 @@ func New(conn net.Conn, xpanic bool) (client *Conn, rerr error) {
 		if x.Status != OK {
 			c.xerrorf("greeting, got status %q, expected OK", x.Status)
 		}
+		if x.Code != nil {
+			if caps, ok := x.Code.(CodeCapability); ok {
+				c.CapAvailable = caps
+			}
+		}
 		return &c, nil
 	case UntaggedPreauth:
-		c.xerrorf("greeting: unexpected preauth")
+		c.Preauth = true
+		return &c, nil
 	case UntaggedBye:
 		c.xerrorf("greeting: server sent bye")
 	default:
@@ -85,8 +184,16 @@ func New(conn net.Conn, xpanic bool) (client *Conn, rerr error) {
 	panic("not reached")
 }
 
-func (c *Conn) recover(rerr *error) {
-	if c.panic {
+func (c *Conn) recoverErr(rerr *error) {
+	c.recover(rerr, nil)
+}
+
+func (c *Conn) recover(rerr *error, resp *Response) {
+	if *rerr != nil {
+		if r, ok := (*rerr).(Response); ok && resp != nil {
+			*resp = r
+		}
+		c.errHandle(*rerr)
 		return
 	}
 
@@ -94,200 +201,431 @@ func (c *Conn) recover(rerr *error) {
 	if x == nil {
 		return
 	}
-	err, ok := x.(Error)
-	if !ok {
+	var err error
+	switch e := x.(type) {
+	case Error:
+		err = e
+	case Response:
+		err = e
+		if resp != nil {
+			*resp = e
+		}
+	default:
 		panic(x)
 	}
+	if c.errHandle != nil {
+		c.errHandle(err)
+	}
 	*rerr = err
 }
 
-func (c *Conn) xerrorf(format string, args ...any) {
-	panic(Error{fmt.Errorf(format, args...)})
-}
+func (p *Proto) recover(rerr *error) {
+	if *rerr != nil {
+		return
+	}
 
-func (c *Conn) xcheckf(err error, format string, args ...any) {
-	if err != nil {
-		c.xerrorf("%s: %w", fmt.Sprintf(format, args...), err)
+	x := recover()
+	if x == nil {
+		return
+	}
+	switch e := x.(type) {
+	case Error:
+		*rerr = e
+	default:
+		panic(x)
 	}
 }
 
-func (c *Conn) xcheck(err error) {
+func (p *Proto) xerrorf(format string, args ...any) {
+	panic(Error{fmt.Errorf(format, args...)})
+}
+
+func (p *Proto) xcheckf(err error, format string, args ...any) {
+	if err != nil {
+		p.xerrorf("%s: %w", fmt.Sprintf(format, args...), err)
+	}
+}
+
+func (p *Proto) xcheck(err error) {
 	if err != nil {
 		panic(err)
 	}
 }
 
-// Commandf writes a free-form IMAP command to the server.
-// If tag is empty, a next unique tag is assigned.
-func (c *Conn) Commandf(tag string, format string, args ...any) (rerr error) {
-	defer c.recover(&rerr)
-
-	if tag == "" {
-		tag = c.nextTag()
+// xresponse sets resp if err is a Response and resp is not nil.
+func (p *Proto) xresponse(err error, resp *Response) {
+	if err == nil {
+		return
 	}
-	c.LastTag = tag
+	if r, ok := err.(Response); ok && resp != nil {
+		*resp = r
+	}
+	panic(err)
+}
 
-	_, err := fmt.Fprintf(c.conn, "%s %s\r\n", tag, fmt.Sprintf(format, args...))
-	c.xcheckf(err, "write command")
+// Write writes directly to underlying connection (TCP, TLS). For internal use
+// only, to implement io.Writer. Write errors do take the connection's panic mode
+// into account, i.e. Write can panic.
+func (p *Proto) Write(buf []byte) (n int, rerr error) {
+	defer p.recover(&rerr)
+
+	n, rerr = p.conn.Write(buf)
+	if rerr != nil {
+		p.connBroken = true
+	}
+	p.xcheckf(rerr, "write")
+	return n, nil
+}
+
+// Read reads directly from the underlying connection (TCP, TLS). For internal use
+// only, to implement io.Reader.
+func (p *Proto) Read(buf []byte) (n int, err error) {
+	return p.conn.Read(buf)
+}
+
+func (p *Proto) xflush() {
+	// Not writing any more when connection is broken.
+	if p.connBroken {
+		return
+	}
+
+	err := p.xbw.Flush()
+	p.xcheckf(err, "flush")
+
+	// If compression is active, we need to flush the deflate stream.
+	if p.compress {
+		err := p.xflateWriter.Flush()
+		p.xcheckf(err, "flush deflate")
+		err = p.xflateBW.Flush()
+		p.xcheckf(err, "flush deflate buffer")
+	}
+}
+
+func (p *Proto) xtraceread(level slog.Level) func() {
+	if p.tr == nil {
+		// For ParseUntagged and other parse functions.
+		return func() {}
+	}
+	p.tr.SetTrace(level)
+	return func() {
+		p.tr.SetTrace(mlog.LevelTrace)
+	}
+}
+
+func (p *Proto) xtracewrite(level slog.Level) func() {
+	if p.xtw == nil {
+		// For ParseUntagged and other parse functions.
+		return func() {}
+	}
+
+	p.xflush()
+	p.xtw.SetTrace(level)
+	return func() {
+		p.xflush()
+		p.xtw.SetTrace(mlog.LevelTrace)
+	}
+}
+
+// Close closes the connection, flushing and closing any compression and TLS layer.
+//
+// You may want to call Logout first. Closing a connection with a mailbox with
+// deleted messages not yet expunged will not expunge those messages.
+//
+// Closing a TLS connection that is logged out, or closing a TLS connection with
+// compression enabled (i.e. two layered streams), may cause spurious errors
+// because the server may immediate close the underlying connection when it sees
+// the connection is being closed.
+func (c *Conn) Close() (rerr error) {
+	defer c.recoverErr(&rerr)
+
+	if c.conn == nil {
+		return nil
+	}
+	if !c.connBroken && c.xflateWriter != nil {
+		err := c.xflateWriter.Close()
+		c.xcheckf(err, "close deflate writer")
+		err = c.xflateBW.Flush()
+		c.xcheckf(err, "flush deflate buffer")
+		c.xflateWriter = nil
+		c.xflateBW = nil
+	}
+	err := c.conn.Close()
+	c.xcheckf(err, "close connection")
+	c.conn = nil
 	return
 }
 
-func (c *Conn) nextTag() string {
-	c.tagGen++
-	return fmt.Sprintf("x%03d", c.tagGen)
+// TLSConnectionState returns the TLS connection state if the connection uses TLS,
+// either because the conn passed to [New] was a TLS connection, or because
+// [Conn.StartTLS] was called.
+func (c *Conn) TLSConnectionState() *tls.ConnectionState {
+	if conn, ok := c.conn.(*tls.Conn); ok {
+		cs := conn.ConnectionState()
+		return &cs
+	}
+	return nil
 }
 
-// Response reads from the IMAP server until a tagged response line is found.
+// WriteCommandf writes a free-form IMAP command to the server. An ending \r\n is
+// written too.
+//
+// If tag is empty, a next unique tag is assigned.
+func (p *Proto) WriteCommandf(tag string, format string, args ...any) (rerr error) {
+	defer p.recover(&rerr)
+
+	if tag == "" {
+		p.nextTag()
+	} else {
+		p.lastTag = tag
+	}
+
+	fmt.Fprintf(p.xbw, "%s %s\r\n", p.lastTag, fmt.Sprintf(format, args...))
+	p.xflush()
+	return
+}
+
+func (p *Proto) nextTag() string {
+	p.tagGen++
+	p.lastTag = fmt.Sprintf("x%03d", p.tagGen)
+	return p.lastTag
+}
+
+// LastTag returns the tag last used for a command. For checking against a command
+// completion result.
+func (p *Proto) LastTag() string {
+	return p.lastTag
+}
+
+// LastTagSet sets a new last tag, as used for checking against a command completion result.
+func (p *Proto) LastTagSet(tag string) {
+	p.lastTag = tag
+}
+
+// ReadResponse reads from the IMAP server until a tagged response line is found.
 // The tag must be the same as the tag for the last written command.
-// Result holds the status of the command. The caller must check if this the status is OK.
-func (c *Conn) Response() (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
+//
+// If an error is returned, resp can still be non-empty, and a caller may wish to
+// process resp.Untagged.
+//
+// Caller should check resp.Status for the result of the command too.
+//
+// Common types for the return error:
+// - Error, for protocol errors
+// - Various I/O errors from the underlying connection, including os.ErrDeadlineExceeded
+func (p *Proto) ReadResponse() (resp Response, rerr error) {
+	defer p.recover(&rerr)
 
 	for {
-		tag := c.xnonspace()
-		c.xspace()
+		tag := p.xnonspace()
+		p.xspace()
 		if tag == "*" {
-			untagged = append(untagged, c.xuntagged())
+			resp.Untagged = append(resp.Untagged, p.xuntagged())
 			continue
 		}
 
-		if tag != c.LastTag {
-			c.xerrorf("got tag %q, expected %q", tag, c.LastTag)
+		if tag != p.lastTag {
+			p.xerrorf("got tag %q, expected %q", tag, p.lastTag)
 		}
 
-		status := c.xstatus()
-		c.xspace()
-		result = c.xresult(status)
-		c.xcrlf()
+		status := p.xstatus()
+		p.xspace()
+		resp.Result = p.xresult(status)
+		p.xcrlf()
 		return
 	}
 }
 
-// ReadUntagged reads a single untagged response line.
-// Useful for reading lines from IDLE.
-func (c *Conn) ReadUntagged() (untagged Untagged, rerr error) {
-	defer c.recover(&rerr)
-
-	tag := c.xnonspace()
-	if tag != "*" {
-		c.xerrorf("got tag %q, expected untagged", tag)
+// ParseCode parses a response code. The string must not have enclosing brackets.
+//
+// Example:
+//
+//	"APPENDUID 123 10"
+func ParseCode(s string) (code Code, rerr error) {
+	p := Proto{br: bufio.NewReader(strings.NewReader(s + "]"))}
+	defer p.recover(&rerr)
+	code = p.xrespCode()
+	p.xtake("]")
+	buf, err := io.ReadAll(p.br)
+	p.xcheckf(err, "read")
+	if len(buf) != 0 {
+		p.xerrorf("leftover data %q", buf)
 	}
-	c.xspace()
-	ut := c.xuntagged()
+	return code, nil
+}
+
+// ParseResult parses a line, including required crlf, as a command result line.
+//
+// Example:
+//
+//	"tag1 OK [APPENDUID 123 10] message added\r\n"
+func ParseResult(s string) (tag string, result Result, rerr error) {
+	p := Proto{br: bufio.NewReader(strings.NewReader(s))}
+	defer p.recover(&rerr)
+	tag = p.xnonspace()
+	p.xspace()
+	status := p.xstatus()
+	p.xspace()
+	result = p.xresult(status)
+	p.xcrlf()
+	return
+}
+
+// ReadUntagged reads a single untagged response line.
+func (p *Proto) ReadUntagged() (untagged Untagged, rerr error) {
+	defer p.recover(&rerr)
+	return p.readUntagged()
+}
+
+// ParseUntagged parses a line, including required crlf, as untagged response.
+//
+// Example:
+//
+//	"* BYE shutting down connection\r\n"
+func ParseUntagged(s string) (untagged Untagged, rerr error) {
+	p := Proto{br: bufio.NewReader(strings.NewReader(s))}
+	defer p.recover(&rerr)
+	untagged, rerr = p.readUntagged()
+	return
+}
+
+func (p *Proto) readUntagged() (untagged Untagged, rerr error) {
+	defer p.recover(&rerr)
+	tag := p.xnonspace()
+	if tag != "*" {
+		p.xerrorf("got tag %q, expected untagged", tag)
+	}
+	p.xspace()
+	ut := p.xuntagged()
 	return ut, nil
 }
 
 // Readline reads a line, including CRLF.
 // Used with IDLE and synchronous literals.
-func (c *Conn) Readline() (line string, rerr error) {
-	defer c.recover(&rerr)
+func (p *Proto) Readline() (line string, rerr error) {
+	defer p.recover(&rerr)
 
-	line, err := c.r.ReadString('\n')
-	c.xcheckf(err, "read line")
+	line, err := p.br.ReadString('\n')
+	p.xcheckf(err, "read line")
 	return line, nil
 }
 
-// ReadContinuation reads a line. If it is a continuation, i.e. starts with a +, it
-// is returned without leading "+ " and without trailing crlf. Otherwise, a command
-// response is returned. A successfully read continuation can return an empty line.
-// Callers should check rerr and result.Status being empty to check if a
-// continuation was read.
-func (c *Conn) ReadContinuation() (line string, untagged []Untagged, result Result, rerr error) {
-	if !c.peek('+') {
-		untagged, result, rerr = c.Response()
-		c.xcheckf(rerr, "reading non-continuation response")
-		c.xerrorf("response status %q, expected OK", result.Status)
+func (c *Conn) readContinuation() (line string, rerr error) {
+	defer c.recover(&rerr, nil)
+	line, rerr = c.ReadContinuation()
+	if rerr != nil {
+		if resp, ok := rerr.(Response); ok {
+			c.processUntagged(resp.Untagged)
+			c.processResult(resp.Result)
+		}
 	}
-	c.xtake("+ ")
-	line, err := c.Readline()
-	c.xcheckf(err, "read line")
+	return
+}
+
+// ReadContinuation reads a line. If it is a continuation, i.e. starts with "+", it
+// is returned without leading "+ " and without trailing crlf. Otherwise, an error
+// is returned, which can be a Response with Untagged that a caller may wish to
+// process. A successfully read continuation can return an empty line.
+func (p *Proto) ReadContinuation() (line string, rerr error) {
+	defer p.recover(&rerr)
+
+	if !p.peek('+') {
+		var resp Response
+		resp, rerr = p.ReadResponse()
+		if rerr == nil {
+			rerr = resp
+		}
+		return "", rerr
+	}
+	p.xtake("+ ")
+	line, err := p.Readline()
+	p.xcheckf(err, "read line")
 	line = strings.TrimSuffix(line, "\r\n")
 	return
 }
 
 // Writelinef writes the formatted format and args as a single line, adding CRLF.
 // Used with IDLE and synchronous literals.
-func (c *Conn) Writelinef(format string, args ...any) (rerr error) {
-	defer c.recover(&rerr)
+func (p *Proto) Writelinef(format string, args ...any) (rerr error) {
+	defer p.recover(&rerr)
 
 	s := fmt.Sprintf(format, args...)
-	_, err := fmt.Fprintf(c.conn, "%s\r\n", s)
-	c.xcheckf(err, "writeline")
+	fmt.Fprintf(p.xbw, "%s\r\n", s)
+	p.xflush()
 	return nil
 }
 
-// Write writes directly to the connection. Write errors do take the connections
-// panic mode into account, i.e. Write can panic.
-func (c *Conn) Write(buf []byte) (n int, rerr error) {
-	defer c.recover(&rerr)
+// WriteSyncLiteral first writes the synchronous literal size, then reads the
+// continuation "+" and finally writes the data. If the literal is not accepted, an
+// error is returned, which may be a Response.
+func (p *Proto) WriteSyncLiteral(s string) (rerr error) {
+	defer p.recover(&rerr)
 
-	n, rerr = c.conn.Write(buf)
-	c.xcheckf(rerr, "write")
-	return n, nil
-}
+	fmt.Fprintf(p.xbw, "{%d}\r\n", len(s))
+	p.xflush()
 
-// WriteSyncLiteral first writes the synchronous literal size, then read the
-// continuation "+" and finally writes the data.
-func (c *Conn) WriteSyncLiteral(s string) (rerr error) {
-	defer c.recover(&rerr)
+	plus, err := p.br.Peek(1)
+	p.xcheckf(err, "read continuation")
+	if plus[0] == '+' {
+		_, err = p.Readline()
+		p.xcheckf(err, "read continuation line")
 
-	_, err := fmt.Fprintf(c.conn, "{%d}\r\n", len(s))
-	c.xcheckf(err, "write sync literal size")
-	line, err := c.Readline()
-	c.xcheckf(err, "read line")
-	if !strings.HasPrefix(line, "+") {
-		c.xerrorf("no continuation received for sync literal")
+		defer p.xtracewrite(mlog.LevelTracedata)()
+		_, err = p.xbw.Write([]byte(s))
+		p.xcheckf(err, "write literal data")
+		p.xtracewrite(mlog.LevelTrace)
+		return nil
 	}
-	_, err = c.conn.Write([]byte(s))
-	c.xcheckf(err, "write literal data")
-	return nil
+	var resp Response
+	resp, rerr = p.ReadResponse()
+	if rerr == nil {
+		rerr = resp
+	}
+	return
 }
 
-// Transactf writes format and args as an IMAP command, using Commandf with an
+func (c *Conn) processUntagged(l []Untagged) {
+	for _, ut := range l {
+		switch e := ut.(type) {
+		case UntaggedCapability:
+			c.CapAvailable = []Capability(e)
+		case UntaggedEnabled:
+			c.CapEnabled = append(c.CapEnabled, e...)
+		}
+	}
+}
+
+func (c *Conn) processResult(r Result) {
+	if r.Code == nil {
+		return
+	}
+	switch e := r.Code.(type) {
+	case CodeCapability:
+		c.CapAvailable = []Capability(e)
+	}
+}
+
+// transactf writes format and args as an IMAP command, using Commandf with an
 // empty tag. I.e. format must not contain a tag. Transactf then reads a response
 // using ReadResponse and checks the result status is OK.
-func (c *Conn) Transactf(format string, args ...any) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
+func (c *Conn) transactf(format string, args ...any) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
 
-	err := c.Commandf("", format, args...)
+	err := c.WriteCommandf("", format, args...)
 	if err != nil {
-		return nil, Result{}, err
+		return Response{}, err
 	}
-	return c.ResponseOK()
+
+	return c.responseOK()
 }
 
-func (c *Conn) ResponseOK() (untagged []Untagged, result Result, rerr error) {
-	untagged, result, rerr = c.Response()
-	if rerr != nil {
-		return nil, Result{}, rerr
-	}
-	if result.Status != OK {
-		c.xerrorf("response status %q, expected OK", result.Status)
-	}
-	return untagged, result, rerr
-}
+func (c *Conn) responseOK() (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
 
-func (c *Conn) xgetUntagged(l []Untagged, dst any) {
-	if len(l) != 1 {
-		c.xerrorf("got %d untagged, expected 1: %v", len(l), l)
+	resp, rerr = c.ReadResponse()
+	c.processUntagged(resp.Untagged)
+	c.processResult(resp.Result)
+	if rerr == nil && resp.Status != OK {
+		rerr = resp
 	}
-	got := l[0]
-	gotv := reflect.ValueOf(got)
-	dstv := reflect.ValueOf(dst)
-	if gotv.Type() != dstv.Type().Elem() {
-		c.xerrorf("got %v, expected %v", gotv.Type(), dstv.Type().Elem())
-	}
-	dstv.Elem().Set(gotv)
-}
-
-// Close closes the connection without writing anything to the server.
-// You may want to call Logout. Closing a connection with a mailbox with deleted
-// message not yet expunged will not expunge those messages.
-func (c *Conn) Close() error {
-	var err error
-	if c.conn != nil {
-		err = c.conn.Close()
-		c.conn = nil
-	}
-	return err
+	return
 }

imapclient/cmds.go

@@ -6,81 +6,139 @@ import (
 	"encoding/base64"
 	"fmt"
 	"hash"
+	"io"
 	"strings"
 	"time"
 
+	"github.com/mjl-/flate"
+
+	"github.com/mjl-/mox/mlog"
+	"github.com/mjl-/mox/moxio"
 	"github.com/mjl-/mox/scram"
 )
 
-// Capability requests a list of capabilities from the server. They are returned in
-// an UntaggedCapability response. The server also sends capabilities in initial
-// server greeting, in the response code.
-func (c *Conn) Capability() (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("capability")
+// Capability writes the IMAP4 "CAPABILITY" command, requesting a list of
+// capabilities from the server. They are returned in an UntaggedCapability
+// response. The server also sends capabilities in initial server greeting, in the
+// response code.
+func (c *Conn) Capability() (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("capability")
 }
 
-// Noop does nothing on its own, but a server will return any pending untagged
-// responses for new message delivery and changes to mailboxes.
-func (c *Conn) Noop() (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("noop")
+// Noop writes the IMAP4 "NOOP" command, which does nothing on its own, but a
+// server will return any pending untagged responses for new message delivery and
+// changes to mailboxes.
+func (c *Conn) Noop() (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("noop")
 }
 
-// Logout ends the IMAP session by writing a LOGOUT command. Close must still be
-// called on this client to close the socket.
-func (c *Conn) Logout() (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("logout")
+// Logout ends the IMAP4 session by writing an IMAP "LOGOUT" command. [Conn.Close]
+// must still be called on this client to close the socket.
+func (c *Conn) Logout() (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("logout")
 }
 
-// Starttls enables TLS on the connection with the STARTTLS command.
-func (c *Conn) Starttls(config *tls.Config) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	untagged, result, rerr = c.Transactf("starttls")
+// StartTLS enables TLS on the connection with the IMAP4 "STARTTLS" command.
+func (c *Conn) StartTLS(config *tls.Config) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	resp, rerr = c.transactf("starttls")
 	c.xcheckf(rerr, "starttls command")
-	conn := tls.Client(c.conn, config)
-	err := conn.Handshake()
+
+	conn := c.xprefixConn()
+	tlsConn := tls.Client(conn, config)
+	err := tlsConn.Handshake()
 	c.xcheckf(err, "tls handshake")
-	c.conn = conn
-	c.r = bufio.NewReader(conn)
-	return untagged, result, nil
-}
-
-// Login authenticates with username and password
-func (c *Conn) Login(username, password string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("login %s %s", astring(username), astring(password))
-}
-
-// Authenticate with plaintext password using AUTHENTICATE PLAIN.
-func (c *Conn) AuthenticatePlain(username, password string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-
-	untagged, result, rerr = c.Transactf("authenticate plain %s", base64.StdEncoding.EncodeToString(fmt.Appendf(nil, "\u0000%s\u0000%s", username, password)))
+	c.conn = tlsConn
 	return
 }
 
-// Authenticate with SCRAM-SHA-1 or SCRAM-SHA-256, where the password is not
-// exchanged in original plaintext form, but only derived hashes are exchanged by
-// both parties as proof of knowledge of password.
-func (c *Conn) AuthenticateSCRAM(method string, h func() hash.Hash, username, password string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
+// Login authenticates using the IMAP4 "LOGIN" command, sending the plain text
+// password to the server.
+//
+// Authentication is not allowed while the "LOGINDISABLED" capability is announced.
+// Call [Conn.StartTLS] first.
+//
+// See [Conn.AuthenticateSCRAM] for a better authentication mechanism.
+func (c *Conn) Login(username, password string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
 
-	sc := scram.NewClient(h, username, "")
+	fmt.Fprintf(c.xbw, "%s login %s ", c.nextTag(), astring(username))
+	defer c.xtracewrite(mlog.LevelTraceauth)()
+	fmt.Fprintf(c.xbw, "%s\r\n", astring(password))
+	c.xtracewrite(mlog.LevelTrace) // Restore.
+	return c.responseOK()
+}
+
+// AuthenticatePlain executes the AUTHENTICATE command with SASL mechanism "PLAIN",
+// sending the password in plain text password to the server.
+//
+// Required capability: "AUTH=PLAIN"
+//
+// Authentication is not allowed while the "LOGINDISABLED" capability is announced.
+// Call [Conn.StartTLS] first.
+//
+// See [Conn.AuthenticateSCRAM] for a better authentication mechanism.
+func (c *Conn) AuthenticatePlain(username, password string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+
+	err := c.WriteCommandf("", "authenticate plain")
+	c.xcheckf(err, "writing authenticate command")
+	_, rerr = c.readContinuation()
+	c.xresponse(rerr, &resp)
+
+	defer c.xtracewrite(mlog.LevelTraceauth)()
+	xw := base64.NewEncoder(base64.StdEncoding, c.xbw)
+	fmt.Fprintf(xw, "\u0000%s\u0000%s", username, password)
+	xw.Close()
+	c.xtracewrite(mlog.LevelTrace) // Restore.
+	fmt.Fprintf(c.xbw, "\r\n")
+	c.xflush()
+	return c.responseOK()
+}
+
+// todo: implement cram-md5, write its credentials as traceauth.
+
+// AuthenticateSCRAM executes the IMAP4 "AUTHENTICATE" command with one of the
+// following SASL mechanisms: SCRAM-SHA-256(-PLUS) or SCRAM-SHA-1(-PLUS).//
+//
+// With SCRAM, the password is not sent to the server in plain text, but only
+// derived hashes are exchanged by both parties as proof of knowledge of password.
+//
+// Authentication is not allowed while the "LOGINDISABLED" capability is announced.
+// Call [Conn.StartTLS] first.
+//
+// Required capability: SCRAM-SHA-256-PLUS, SCRAM-SHA-256, SCRAM-SHA-1-PLUS,
+// SCRAM-SHA-1.
+//
+// The PLUS variants bind the authentication exchange to the TLS connection,
+// detecting MitM attacks.
+func (c *Conn) AuthenticateSCRAM(mechanism string, h func() hash.Hash, username, password string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+
+	var cs *tls.ConnectionState
+	lmech := strings.ToLower(mechanism)
+	if strings.HasSuffix(lmech, "-plus") {
+		tlsConn, ok := c.conn.(*tls.Conn)
+		if !ok {
+			c.xerrorf("cannot use scram plus without tls")
+		}
+		xcs := tlsConn.ConnectionState()
+		cs = &xcs
+	}
+	sc := scram.NewClient(h, username, "", false, cs)
 	clientFirst, err := sc.ClientFirst()
 	c.xcheckf(err, "scram clientFirst")
-	c.LastTag = c.nextTag()
-	err = c.Writelinef("%s authenticate %s %s", c.LastTag, method, base64.StdEncoding.EncodeToString([]byte(clientFirst)))
+	// todo: only send clientFirst if server has announced SASL-IR
+	err = c.Writelinef("%s authenticate %s %s", c.nextTag(), mechanism, base64.StdEncoding.EncodeToString([]byte(clientFirst)))
 	c.xcheckf(err, "writing command line")
 
 	xreadContinuation := func() []byte {
 		var line string
-		line, untagged, result, rerr = c.ReadContinuation()
-		c.xcheckf(err, "read continuation")
-		if result.Status != "" {
-			c.xerrorf("unexpected status %q", result.Status)
-		}
+		line, rerr = c.readContinuation()
+		c.xresponse(rerr, &resp)
 		buf, err := base64.StdEncoding.DecodeString(line)
 		c.xcheckf(err, "parsing base64 from remote")
 		return buf
@@ -100,83 +158,131 @@ func (c *Conn) AuthenticateSCRAM(method string, h func() hash.Hash, username, pa
 	err = c.Writelinef("%s", base64.StdEncoding.EncodeToString(nil))
 	c.xcheckf(err, "scram client end")
 
-	return c.ResponseOK()
+	return c.responseOK()
 }
 
-// Enable enables capabilities for use with the connection, verifying the server has indeed enabled them.
-func (c *Conn) Enable(capabilities ...string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
+// CompressDeflate enables compression with deflate on the connection by executing
+// the IMAP4 "COMPRESS=DEFAULT" command.
+//
+// Required capability: "COMPRESS=DEFLATE".
+//
+// State: Authenticated or selected.
+func (c *Conn) CompressDeflate() (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
 
-	untagged, result, rerr = c.Transactf("enable %s", strings.Join(capabilities, " "))
+	resp, rerr = c.transactf("compress deflate")
 	c.xcheck(rerr)
-	var enabled UntaggedEnabled
-	c.xgetUntagged(untagged, &enabled)
-	got := map[string]struct{}{}
-	for _, cap := range enabled {
-		got[cap] = struct{}{}
-	}
-	for _, cap := range capabilities {
-		if _, ok := got[cap]; !ok {
-			c.xerrorf("capability %q not enabled by server", cap)
-		}
-	}
+
+	c.xflateBW = bufio.NewWriter(c)
+	fw0, err := flate.NewWriter(c.xflateBW, flate.DefaultCompression)
+	c.xcheckf(err, "deflate") // Cannot happen.
+	fw := moxio.NewFlateWriter(fw0)
+
+	c.compress = true
+	c.xflateWriter = fw
+	c.xtw = moxio.NewTraceWriter(mlog.New("imapclient", nil), "CW: ", fw)
+	c.xbw = bufio.NewWriter(c.xtw)
+
+	rc := c.xprefixConn()
+	fr := flate.NewReaderPartial(rc)
+	c.tr = moxio.NewTraceReader(mlog.New("imapclient", nil), "CR: ", fr)
+	c.br = bufio.NewReader(c.tr)
+
 	return
 }
 
-// Select opens mailbox as active mailbox.
-func (c *Conn) Select(mailbox string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("select %s", astring(mailbox))
+// Enable enables capabilities for use with the connection by executing the IMAP4 "ENABLE" command.
+//
+// Required capability: "ENABLE" or "IMAP4rev2"
+func (c *Conn) Enable(capabilities ...Capability) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+
+	var caps strings.Builder
+	for _, c := range capabilities {
+		caps.WriteString(" " + string(c))
+	}
+	return c.transactf("enable%s", caps.String())
 }
 
-// Examine opens mailbox as active mailbox read-only.
-func (c *Conn) Examine(mailbox string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("examine %s", astring(mailbox))
+// Select opens the mailbox with the IMAP4 "SELECT" command.
+//
+// If a mailbox is selected/active, it is automatically deselected before
+// selecting the mailbox, without permanently removing ("expunging") messages
+// marked \Deleted.
+//
+// If the mailbox cannot be opened, the connection is left in Authenticated state,
+// not Selected.
+func (c *Conn) Select(mailbox string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("select %s", astring(mailbox))
 }
 
-// Create makes a new mailbox on the server.
-func (c *Conn) Create(mailbox string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("create %s", astring(mailbox))
+// Examine opens the mailbox like [Conn.Select], but read-only, with the IMAP4
+// "EXAMINE" command.
+func (c *Conn) Examine(mailbox string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("examine %s", astring(mailbox))
 }
 
-// Delete removes an entire mailbox and its messages.
-func (c *Conn) Delete(mailbox string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("delete %s", astring(mailbox))
+// Create makes a new mailbox on the server using the IMAP4 "CREATE" command.
+//
+// SpecialUse can only be used on servers that announced the "CREATE-SPECIAL-USE"
+// capability. Specify flags like \Archive, \Drafts, \Junk, \Sent, \Trash, \All.
+func (c *Conn) Create(mailbox string, specialUse []string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	var useStr string
+	if len(specialUse) > 0 {
+		useStr = fmt.Sprintf(" USE (%s)", strings.Join(specialUse, " "))
+	}
+	return c.transactf("create %s%s", astring(mailbox), useStr)
 }
 
-// Rename changes the name of a mailbox and all its child mailboxes.
-func (c *Conn) Rename(omailbox, nmailbox string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("rename %s %s", astring(omailbox), astring(nmailbox))
+// Delete removes an entire mailbox and its messages using the IMAP4 "DELETE"
+// command.
+func (c *Conn) Delete(mailbox string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("delete %s", astring(mailbox))
 }
 
-// Subscribe marks a mailbox as subscribed. The mailbox does not have to exist. It
-// is not an error if the mailbox is already subscribed.
-func (c *Conn) Subscribe(mailbox string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("subscribe %s", astring(mailbox))
+// Rename changes the name of a mailbox and all its child mailboxes
+// using the IMAP4 "RENAME" command.
+func (c *Conn) Rename(omailbox, nmailbox string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("rename %s %s", astring(omailbox), astring(nmailbox))
 }
 
-// Unsubscribe marks a mailbox as unsubscribed.
-func (c *Conn) Unsubscribe(mailbox string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("unsubscribe %s", astring(mailbox))
+// Subscribe marks a mailbox as subscribed using the IMAP4 "SUBSCRIBE" command.
+//
+// The mailbox does not have to exist. It is not an error if the mailbox is already
+// subscribed.
+func (c *Conn) Subscribe(mailbox string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("subscribe %s", astring(mailbox))
 }
 
-// List lists mailboxes with the basic LIST syntax.
+// Unsubscribe marks a mailbox as unsubscribed using the IMAP4 "UNSUBSCRIBE"
+// command.
+func (c *Conn) Unsubscribe(mailbox string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("unsubscribe %s", astring(mailbox))
+}
+
+// List lists mailboxes using the IMAP4 "LIST" command with the basic LIST syntax.
 // Pattern can contain * (match any) or % (match any except hierarchy delimiter).
-func (c *Conn) List(pattern string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf(`list "" %s`, astring(pattern))
+func (c *Conn) List(pattern string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf(`list "" %s`, astring(pattern))
 }
 
-// ListFull lists mailboxes with the extended LIST syntax requesting all supported data.
+// ListFull lists mailboxes using the LIST command with the extended LIST
+// syntax requesting all supported data.
+//
+// Required capability: "LIST-EXTENDED". If "IMAP4rev2" is announced, the command
+// is also available but only with a single pattern.
+//
 // Pattern can contain * (match any) or % (match any except hierarchy delimiter).
-func (c *Conn) ListFull(subscribedOnly bool, patterns ...string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
+func (c *Conn) ListFull(subscribedOnly bool, patterns ...string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
 	var subscribedStr string
 	if subscribedOnly {
 		subscribedStr = "subscribed recursivematch"
@@ -184,110 +290,313 @@ func (c *Conn) ListFull(subscribedOnly bool, patterns ...string) (untagged []Unt
 	for i, s := range patterns {
 		patterns[i] = astring(s)
 	}
-	return c.Transactf(`list (%s) "" (%s) return (subscribed children special-use status (messages uidnext uidvalidity unseen deleted size recent appendlimit))`, subscribedStr, strings.Join(patterns, " "))
+	return c.transactf(`list (%s) "" (%s) return (subscribed children special-use status (messages uidnext uidvalidity unseen deleted size recent appendlimit))`, subscribedStr, strings.Join(patterns, " "))
 }
 
-// Namespace returns the hiearchy separator in an UntaggedNamespace response with personal/shared/other namespaces if present.
-func (c *Conn) Namespace() (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("namespace")
+// Namespace requests the hiearchy separator using the IMAP4 "NAMESPACE" command.
+//
+// Required capability: "NAMESPACE" or "IMAP4rev2".
+//
+// Server will return an UntaggedNamespace response with personal/shared/other
+// namespaces if present.
+func (c *Conn) Namespace() (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("namespace")
 }
 
-// Status requests information about a mailbox, such as number of messages, size, etc.
-func (c *Conn) Status(mailbox string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("status %s", astring(mailbox))
-}
-
-// Append adds message to mailbox with flags and optional receive time.
-func (c *Conn) Append(mailbox string, flags []string, received *time.Time, message []byte) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	var date string
-	if received != nil {
-		date = ` "` + received.Format("_2-Jan-2006 15:04:05 -0700") + `"`
+// Status requests information about a mailbox using the IMAP4 "STATUS" command. For
+// example, number of messages, size, etc. At least one attribute required.
+func (c *Conn) Status(mailbox string, attrs ...StatusAttr) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	l := make([]string, len(attrs))
+	for i, a := range attrs {
+		l[i] = string(a)
 	}
-	return c.Transactf("append %s (%s)%s {%d+}\r\n%s", astring(mailbox), strings.Join(flags, " "), date, len(message), message)
+	return c.transactf("status %s (%s)", astring(mailbox), strings.Join(l, " "))
 }
 
-// note: No idle command. Idle is better implemented by writing the request and reading and handling the responses as they come in.
-
-// CloseMailbox closes the currently selected/active mailbox, permanently removing
-// any messages marked with \Deleted.
-func (c *Conn) CloseMailbox() (untagged []Untagged, result Result, rerr error) {
-	return c.Transactf("close")
+// Append represents a parameter to the IMAP4 "APPEND" or "REPLACE" commands, for
+// adding a message to mailbox, or replacing a message with a new version in a
+// mailbox.
+type Append struct {
+	Flags    []string   // Optional, flags for the new message.
+	Received *time.Time // Optional, the INTERNALDATE field, typically time at which a message was received.
+	Size     int64
+	Data     io.Reader // Required, must return Size bytes.
 }
 
-// Unselect closes the currently selected/active mailbox, but unlike CloseMailbox
-// does not permanently remove any messages marked with \Deleted.
-func (c *Conn) Unselect() (untagged []Untagged, result Result, rerr error) {
-	return c.Transactf("unselect")
+// Append adds message to mailbox with flags and optional receive time using the
+// IMAP4 "APPEND" command.
+func (c *Conn) Append(mailbox string, message Append) (resp Response, rerr error) {
+	return c.MultiAppend(mailbox, message)
 }
 
-// Expunge removes messages marked as deleted for the selected mailbox.
-func (c *Conn) Expunge() (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("expunge")
+// MultiAppend atomatically adds multiple messages to the mailbox.
+//
+// Required capability: "MULTIAPPEND"
+func (c *Conn) MultiAppend(mailbox string, message Append, more ...Append) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+
+	fmt.Fprintf(c.xbw, "%s append %s", c.nextTag(), astring(mailbox))
+
+	msgs := append([]Append{message}, more...)
+	for _, m := range msgs {
+		var date string
+		if m.Received != nil {
+			date = ` "` + m.Received.Format("_2-Jan-2006 15:04:05 -0700") + `"`
+		}
+
+		// todo: use literal8 if needed, with "UTF8()" if required.
+		// todo: for larger messages, use a synchronizing literal.
+
+		fmt.Fprintf(c.xbw, " (%s)%s {%d+}\r\n", strings.Join(m.Flags, " "), date, m.Size)
+		defer c.xtracewrite(mlog.LevelTracedata)()
+		_, err := io.Copy(c.xbw, m.Data)
+		c.xcheckf(err, "write message data")
+		c.xtracewrite(mlog.LevelTrace) // Restore
+	}
+
+	fmt.Fprintf(c.xbw, "\r\n")
+	c.xflush()
+	return c.responseOK()
 }
 
-// UIDExpunge is like expunge, but only removes messages matching uidSet.
-func (c *Conn) UIDExpunge(uidSet NumSet) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("uid expunge %s", uidSet.String())
+// note: No Idle or Notify command. Idle/Notify is better implemented by
+// writing the request and reading and handling the responses as they come in.
+
+// CloseMailbox closes the selected/active mailbox using the IMAP4 "CLOSE" command,
+// permanently removing ("expunging") any messages marked with \Deleted.
+//
+// See [Conn.Unselect] for closing a mailbox without permanently removing messages.
+func (c *Conn) CloseMailbox() (resp Response, rerr error) {
+	return c.transactf("close")
+}
+
+// Unselect closes the selected/active mailbox using the IMAP4 "UNSELECT" command,
+// but unlike MailboxClose does not permanently remove ("expunge") any messages
+// marked with \Deleted.
+//
+// Required capability: "UNSELECT" or "IMAP4rev2".
+//
+// If Unselect is not available, call [Conn.Select] with a non-existent mailbox for
+// the same effect: Deselecting a mailbox without permanently removing messages
+// marked \Deleted.
+func (c *Conn) Unselect() (resp Response, rerr error) {
+	return c.transactf("unselect")
+}
+
+// Expunge removes all messages marked as deleted for the selected mailbox using
+// the IMAP4 "EXPUNGE" command. If other sessions marked messages as deleted, even
+// if they aren't visible in the session, they are removed as well.
+//
+// UIDExpunge gives more control over which the messages that are removed.
+func (c *Conn) Expunge() (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("expunge")
+}
+
+// UIDExpunge is like expunge, but only removes messages matching UID set, using
+// the IMAP4 "UID EXPUNGE" command.
+//
+// Required capability: "UIDPLUS" or "IMAP4rev2".
+func (c *Conn) UIDExpunge(uidSet NumSet) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("uid expunge %s", uidSet.String())
 }
 
 // Note: No search, fetch command yet due to its large syntax.
 
-// StoreFlagsSet stores a new set of flags for messages from seqset with the STORE command.
-// If silent, no untagged responses with the updated flags will be sent by the server.
-func (c *Conn) StoreFlagsSet(seqset string, silent bool, flags ...string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
+// MSNStoreFlagsSet stores a new set of flags for messages matching message
+// sequence numbers (MSNs) from sequence set with the IMAP4 "STORE" command.
+//
+// If silent, no untagged responses with the updated flags will be sent by the
+// server.
+//
+// Method [Conn.UIDStoreFlagsSet], which operates on a uid set, should be
+// preferred.
+func (c *Conn) MSNStoreFlagsSet(seqset string, silent bool, flags ...string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
 	item := "flags"
 	if silent {
 		item += ".silent"
 	}
-	return c.Transactf("store %s %s (%s)", seqset, item, strings.Join(flags, " "))
+	return c.transactf("store %s %s (%s)", seqset, item, strings.Join(flags, " "))
 }
 
-// StoreFlagsAdd is like StoreFlagsSet, but only adds flags, leaving current flags on the message intact.
-func (c *Conn) StoreFlagsAdd(seqset string, silent bool, flags ...string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
+// MSNStoreFlagsAdd is like [Conn.MSNStoreFlagsSet], but only adds flags, leaving
+// current flags on the message intact.
+//
+// Method [Conn.UIDStoreFlagsAdd], which operates on a uid set, should be
+// preferred.
+func (c *Conn) MSNStoreFlagsAdd(seqset string, silent bool, flags ...string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
 	item := "+flags"
 	if silent {
 		item += ".silent"
 	}
-	return c.Transactf("store %s %s (%s)", seqset, item, strings.Join(flags, " "))
+	return c.transactf("store %s %s (%s)", seqset, item, strings.Join(flags, " "))
 }
 
-// StoreFlagsClear is like StoreFlagsSet, but only removes flags, leaving other flags on the message intact.
-func (c *Conn) StoreFlagsClear(seqset string, silent bool, flags ...string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
+// MSNStoreFlagsClear is like [Conn.MSNStoreFlagsSet], but only removes flags,
+// leaving other flags on the message intact.
+//
+// Method [Conn.UIDStoreFlagsClear], which operates on a uid set, should be
+// preferred.
+func (c *Conn) MSNStoreFlagsClear(seqset string, silent bool, flags ...string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
 	item := "-flags"
 	if silent {
 		item += ".silent"
 	}
-	return c.Transactf("store %s %s (%s)", seqset, item, strings.Join(flags, " "))
+	return c.transactf("store %s %s (%s)", seqset, item, strings.Join(flags, " "))
 }
 
-// Copy adds messages from the sequences in seqSet in the currently selected/active mailbox to dstMailbox.
-func (c *Conn) Copy(seqSet NumSet, dstMailbox string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("copy %s %s", seqSet.String(), astring(dstMailbox))
+// UIDStoreFlagsSet stores a new set of flags for messages matching UIDs from
+// uidSet with the IMAP4 "UID STORE" command.
+//
+// If silent, no untagged responses with the updated flags will be sent by the
+// server.
+//
+// Required capability: "UIDPLUS" or "IMAP4rev2".
+func (c *Conn) UIDStoreFlagsSet(uidSet string, silent bool, flags ...string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	item := "flags"
+	if silent {
+		item += ".silent"
+	}
+	return c.transactf("uid store %s %s (%s)", uidSet, item, strings.Join(flags, " "))
 }
 
-// UIDCopy is like copy, but operates on UIDs.
-func (c *Conn) UIDCopy(uidSet NumSet, dstMailbox string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("uid copy %s %s", uidSet.String(), astring(dstMailbox))
+// UIDStoreFlagsAdd is like UIDStoreFlagsSet, but only adds flags, leaving
+// current flags on the message intact.
+//
+// Required capability: "UIDPLUS" or "IMAP4rev2".
+func (c *Conn) UIDStoreFlagsAdd(uidSet string, silent bool, flags ...string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	item := "+flags"
+	if silent {
+		item += ".silent"
+	}
+	return c.transactf("uid store %s %s (%s)", uidSet, item, strings.Join(flags, " "))
 }
 
-// Move moves messages from the sequences in seqSet in the currently selected/active mailbox to dstMailbox.
-func (c *Conn) Move(seqSet NumSet, dstMailbox string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("move %s %s", seqSet.String(), astring(dstMailbox))
+// UIDStoreFlagsClear is like UIDStoreFlagsSet, but only removes flags, leaving
+// other flags on the message intact.
+//
+// Required capability: "UIDPLUS" or "IMAP4rev2".
+func (c *Conn) UIDStoreFlagsClear(uidSet string, silent bool, flags ...string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	item := "-flags"
+	if silent {
+		item += ".silent"
+	}
+	return c.transactf("uid store %s %s (%s)", uidSet, item, strings.Join(flags, " "))
 }
 
-// UIDMove is like move, but operates on UIDs.
-func (c *Conn) UIDMove(uidSet NumSet, dstMailbox string) (untagged []Untagged, result Result, rerr error) {
-	defer c.recover(&rerr)
-	return c.Transactf("uid move %s %s", uidSet.String(), astring(dstMailbox))
+// MSNCopy adds messages from the sequences in the sequence set in the
+// selected/active mailbox to destMailbox using the IMAP4 "COPY" command.
+//
+// Method [Conn.UIDCopy], operating on UIDs instead of sequence numbers, should be
+// preferred.
+func (c *Conn) MSNCopy(seqSet string, destMailbox string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("copy %s %s", seqSet, astring(destMailbox))
+}
+
+// UIDCopy is like copy, but operates on UIDs, using the IMAP4 "UID COPY" command.
+//
+// Required capability: "UIDPLUS" or "IMAP4rev2".
+func (c *Conn) UIDCopy(uidSet string, destMailbox string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("uid copy %s %s", uidSet, astring(destMailbox))
+}
+
+// MSNSearch returns messages from the sequence set in the selected/active mailbox
+// that match the search critera using the IMAP4 "SEARCH" command.
+//
+// Method [Conn.UIDSearch], operating on UIDs instead of sequence numbers, should be
+// preferred.
+func (c *Conn) MSNSearch(seqSet string, criteria string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("seach %s %s", seqSet, criteria)
+}
+
+// UIDSearch returns messages from the uid set in the selected/active mailbox that
+// match the search critera using the IMAP4 "SEARCH" command.
+//
+// Criteria is a search program, see RFC 9051 and RFC 3501 for details.
+//
+// Required capability: "UIDPLUS" or "IMAP4rev2".
+func (c *Conn) UIDSearch(seqSet string, criteria string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("seach %s %s", seqSet, criteria)
+}
+
+// MSNMove moves messages from the sequence set in the selected/active mailbox to
+// destMailbox using the IMAP4 "MOVE" command.
+//
+// Required capability: "MOVE" or "IMAP4rev2".
+//
+// Method [Conn.UIDMove], operating on UIDs instead of sequence numbers, should be
+// preferred.
+func (c *Conn) MSNMove(seqSet string, destMailbox string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("move %s %s", seqSet, astring(destMailbox))
+}
+
+// UIDMove is like move, but operates on UIDs, using the IMAP4 "UID MOVE" command.
+//
+// Required capability: "MOVE" or "IMAP4rev2".
+func (c *Conn) UIDMove(uidSet string, destMailbox string) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+	return c.transactf("uid move %s %s", uidSet, astring(destMailbox))
+}
+
+// MSNReplace is like the preferred [Conn.UIDReplace], but operates on a message
+// sequence number (MSN) instead of a UID.
+//
+// Required capability: "REPLACE".
+//
+// Method [Conn.UIDReplace], operating on UIDs instead of sequence numbers, should be
+// preferred.
+func (c *Conn) MSNReplace(msgseq string, mailbox string, msg Append) (resp Response, rerr error) {
+	// todo: parse msgseq, must be nznumber, with a known msgseq. or "*" with at least one message.
+	return c.replace("replace", msgseq, mailbox, msg)
+}
+
+// UIDReplace uses the IMAP4 "UID REPLACE" command to replace a message from the
+// selected/active mailbox with a new/different version of the message in the named
+// mailbox, which may be the same or different than the selected mailbox.
+//
+// The replaced message is indicated by uid.
+//
+// Required capability: "REPLACE".
+func (c *Conn) UIDReplace(uid string, mailbox string, msg Append) (resp Response, rerr error) {
+	// todo: parse uid, must be nznumber, with a known uid. or "*" with at least one message.
+	return c.replace("uid replace", uid, mailbox, msg)
+}
+
+func (c *Conn) replace(cmd string, num string, mailbox string, msg Append) (resp Response, rerr error) {
+	defer c.recover(&rerr, &resp)
+
+	// todo: use synchronizing literal for larger messages.
+
+	var date string
+	if msg.Received != nil {
+		date = ` "` + msg.Received.Format("_2-Jan-2006 15:04:05 -0700") + `"`
+	}
+	// todo: only use literal8 if needed, possibly with "UTF8()"
+	// todo: encode mailbox
+	err := c.WriteCommandf("", "%s %s %s (%s)%s ~{%d+}", cmd, num, astring(mailbox), strings.Join(msg.Flags, " "), date, msg.Size)
+	c.xcheckf(err, "writing replace command")
+
+	defer c.xtracewrite(mlog.LevelTracedata)()
+	_, err = io.Copy(c.xbw, msg.Data)
+	c.xcheckf(err, "write message data")
+	c.xtracewrite(mlog.LevelTrace)
+
+	fmt.Fprintf(c.xbw, "\r\n")
+	c.xflush()
+
+	return c.responseOK()
 }

imapclient/fuzz_test.go

@@ -0,0 +1,38 @@
+package imapclient
+
+import (
+	"os"
+	"strings"
+	"testing"
+)
+
+func FuzzParser(f *testing.F) {
+	/*
+		Gathering all untagged responses and command completion results from the RFCs:
+
+		cd ../rfc
+		(
+		  grep ' S: \* [A-Z]' * | sed 's/^.*S: //g'
+		  grep -E ' S: [^ *]+ (OK|NO|BAD) ' * | sed 's/^.*S: //g'
+		) | grep -v '\.\.\/' | sort | uniq >../testdata/imapclient/fuzzseed.txt
+	*/
+	buf, err := os.ReadFile("../testdata/imapclient/fuzzseed.txt")
+	if err != nil {
+		f.Fatalf("reading seed: %v", err)
+	}
+	for _, s := range strings.Split(string(buf), "\n") {
+		f.Add(s + "\r\n")
+	}
+	f.Add("1:3")
+	f.Add("3:1")
+	f.Add("3,1")
+	f.Add("*")
+
+	f.Fuzz(func(t *testing.T, data string) {
+		ParseUntagged(data)
+		ParseCode(data)
+		ParseResult(data)
+		ParseNumSet(data)
+		ParseUIDRange(data)
+	})
+}

imapclient/parse_test.go

@@ -0,0 +1,42 @@
+package imapclient
+
+import (
+	"fmt"
+	"reflect"
+	"testing"
+)
+
+func tcheckf(t *testing.T, err error, format string, args ...any) {
+	if err != nil {
+		t.Fatalf("%s: %s", fmt.Sprintf(format, args...), err)
+	}
+}
+
+func tcompare(t *testing.T, a, b any) {
+	if !reflect.DeepEqual(a, b) {
+		t.Fatalf("got:\n%#v\nexpected:\n%#v", a, b)
+	}
+}
+
+func uint32ptr(v uint32) *uint32 { return &v }
+
+func TestParse(t *testing.T) {
+	code, err := ParseCode("COPYUID 1 1:3 2:4")
+	tcheckf(t, err, "parsing code")
+	tcompare(t, code,
+		CodeCopyUID{
+			DestUIDValidity: 1,
+			From:            []NumRange{{First: 1, Last: uint32ptr(3)}},
+			To:              []NumRange{{First: 2, Last: uint32ptr(4)}},
+		},
+	)
+
+	ut, err := ParseUntagged("* BYE done\r\n")
+	tcheckf(t, err, "parsing untagged")
+	tcompare(t, ut, UntaggedBye{Text: "done"})
+
+	tag, result, err := ParseResult("tag1 OK [ALERT] Hello\r\n")
+	tcheckf(t, err, "parsing result")
+	tcompare(t, tag, "tag1")
+	tcompare(t, result, Result{Status: OK, Code: CodeWord("ALERT"), Text: "Hello"})
+}

imapclient/prefixconn.go

@@ -0,0 +1,41 @@
+package imapclient
+
+import (
+	"io"
+	"net"
+)
+
+// prefixConn is a net.Conn with a buffer from which the first reads are satisfied.
+// used for STARTTLS where already did a buffered read of initial TLS data.
+type prefixConn struct {
+	prefix []byte
+	net.Conn
+}
+
+func (c *prefixConn) Read(buf []byte) (int, error) {
+	if len(c.prefix) > 0 {
+		n := min(len(buf), len(c.prefix))
+		copy(buf[:n], c.prefix[:n])
+		c.prefix = c.prefix[n:]
+		if len(c.prefix) == 0 {
+			c.prefix = nil
+		}
+		return n, nil
+	}
+	return c.Conn.Read(buf)
+}
+
+// xprefixConn checks if there are any buffered unconsumed reads. If not, it
+// returns c.conn. Otherwise, it returns a *prefixConn from which the buffered data
+// can be read followed by data from c.conn.
+func (c *Conn) xprefixConn() net.Conn {
+	n := c.br.Buffered()
+	if n == 0 {
+		return c.conn
+	}
+
+	buf := make([]byte, n)
+	_, err := io.ReadFull(c.br, buf)
+	c.xcheckf(err, "get buffered data")
+	return &prefixConn{buf, c.conn}
+}

imapclient/protocol.go

@@ -2,35 +2,57 @@ package imapclient
 
 import (
 	"bufio"
+	"errors"
 	"fmt"
 	"strings"
+	"time"
 )
 
-// Capability is a known string for with the ENABLED and CAPABILITY command.
+// Capability is a known string for with the ENABLED command and response and
+// CAPABILITY responses. Servers could send unknown values. Always in upper case.
 type Capability string
 
 const (
-	CapIMAP4rev1     Capability = "IMAP4rev1"
-	CapIMAP4rev2     Capability = "IMAP4rev2"
-	CapLoginDisabled Capability = "LOGINDISABLED"
-	CapStarttls      Capability = "STARTTLS"
-	CapAuthPlain     Capability = "AUTH=PLAIN"
-	CapLiteralPlus   Capability = "LITERAL+"
-	CapLiteralMinus  Capability = "LITERAL-"
-	CapIdle          Capability = "IDLE"
-	CapNamespace     Capability = "NAMESPACE"
-	CapBinary        Capability = "BINARY"
-	CapUnselect      Capability = "UNSELECT"
-	CapUidplus       Capability = "UIDPLUS"
-	CapEsearch       Capability = "ESEARCH"
-	CapEnable        Capability = "ENABLE"
-	CapSave          Capability = "SAVE"
-	CapListExtended  Capability = "LIST-EXTENDED"
-	CapSpecialUse    Capability = "SPECIAL-USE"
-	CapMove          Capability = "MOVE"
-	CapUTF8Only      Capability = "UTF8=ONLY"
-	CapUTF8Accept    Capability = "UTF8=ACCEPT"
-	CapID            Capability = "ID" // ../rfc/2971:80
+	CapIMAP4rev1           Capability = "IMAP4REV1"               // ../rfc/3501:1310
+	CapIMAP4rev2           Capability = "IMAP4REV2"               // ../rfc/9051:1219
+	CapLoginDisabled       Capability = "LOGINDISABLED"           // ../rfc/3501:3792 ../rfc/9051:5436
+	CapStartTLS            Capability = "STARTTLS"                // ../rfc/3501:1327 ../rfc/9051:1238
+	CapAuthPlain           Capability = "AUTH=PLAIN"              // ../rfc/3501:1327 ../rfc/9051:1238
+	CapAuthExternal        Capability = "AUTH=EXTERNAL"           // ../rfc/4422:1575
+	CapAuthSCRAMSHA256Plus Capability = "AUTH=SCRAM-SHA-256-PLUS" // ../rfc/7677:80
+	CapAuthSCRAMSHA256     Capability = "AUTH=SCRAM-SHA-256"
+	CapAuthSCRAMSHA1Plus   Capability = "AUTH=SCRAM-SHA-1-PLUS" // ../rfc/5802:465
+	CapAuthSCRAMSHA1       Capability = "AUTH=SCRAM-SHA-1"
+	CapAuthCRAMMD5         Capability = "AUTH=CRAM-MD5" // ../rfc/2195:80
+	CapLiteralPlus         Capability = "LITERAL+"      // ../rfc/2088:45
+	CapLiteralMinus        Capability = "LITERAL-"      // ../rfc/7888:26 ../rfc/9051:847 Default since IMAP4rev2
+	CapIdle                Capability = "IDLE"          // ../rfc/2177:69 ../rfc/9051:3542 Default since IMAP4rev2
+	CapNamespace           Capability = "NAMESPACE"     // ../rfc/2342:130 ../rfc/9051:135 Default since IMAP4rev2
+	CapBinary              Capability = "BINARY"        // ../rfc/3516:100
+	CapUnselect            Capability = "UNSELECT"      // ../rfc/3691:78 ../rfc/9051:3667 Default since IMAP4rev2
+	CapUidplus             Capability = "UIDPLUS"       // ../rfc/4315:36 ../rfc/9051:8015 Default since IMAP4rev2
+	CapEsearch             Capability = "ESEARCH"       // ../rfc/4731:69 ../rfc/9051:8016 Default since IMAP4rev2
+	CapEnable              Capability = "ENABLE"        // ../rfc/5161:52 ../rfc/9051:8016 Default since IMAP4rev2
+	CapListExtended        Capability = "LIST-EXTENDED" // ../rfc/5258:150 ../rfc/9051:7987 Syntax except multiple mailboxes default since IMAP4rev2
+	CapSpecialUse          Capability = "SPECIAL-USE"   // ../rfc/6154:156 ../rfc/9051:8021 Special-use attributes in LIST responses by default since IMAP4rev2
+	CapMove                Capability = "MOVE"          // ../rfc/6851:87 ../rfc/9051:8018 Default since IMAP4rev2
+	CapUTF8Only            Capability = "UTF8=ONLY"
+	CapUTF8Accept          Capability = "UTF8=ACCEPT"
+	CapCondstore           Capability = "CONDSTORE"          // ../rfc/7162:411
+	CapQresync             Capability = "QRESYNC"            // ../rfc/7162:1376
+	CapID                  Capability = "ID"                 // ../rfc/2971:80
+	CapMetadata            Capability = "METADATA"           // ../rfc/5464:124
+	CapMetadataServer      Capability = "METADATA-SERVER"    // ../rfc/5464:124
+	CapSaveDate            Capability = "SAVEDATE"           // ../rfc/8514
+	CapCreateSpecialUse    Capability = "CREATE-SPECIAL-USE" // ../rfc/6154:296
+	CapCompressDeflate     Capability = "COMPRESS=DEFLATE"   // ../rfc/4978:65
+	CapListMetadata        Capability = "LIST-METADATA"      // ../rfc/9590:73
+	CapMultiAppend         Capability = "MULTIAPPEND"        // ../rfc/3502:33
+	CapReplace             Capability = "REPLACE"            // ../rfc/8508:155
+	CapPreview             Capability = "PREVIEW"            // ../rfc/8970:114
+	CapMultiSearch         Capability = "MULTISEARCH"        // ../rfc/7377:187
+	CapNotify              Capability = "NOTIFY"             // ../rfc/5465:195
+	CapUIDOnly             Capability = "UIDONLY"            // ../rfc/9586:129
 )
 
 // Status is the tagged final result of a command.
@@ -42,73 +64,144 @@ const (
 	OK  Status = "OK"  // Command succeeded.
 )
 
+// Response is a response to an IMAP command including any preceding untagged
+// responses. Response implements the error interface through result.
+//
+// See [UntaggedResponseGet] and [UntaggedResponseList] to retrieve specific types
+// of untagged responses.
+type Response struct {
+	Untagged []Untagged
+	Result
+}
+
+var (
+	ErrMissing  = errors.New("no response of type")        // Returned by UntaggedResponseGet.
+	ErrMultiple = errors.New("multiple responses of type") // Idem.
+)
+
+// UntaggedResponseGet returns the single untagged response of type T. Only
+// [ErrMissing] or [ErrMultiple] can be returned as error.
+func UntaggedResponseGet[T Untagged](resp Response) (T, error) {
+	var t T
+	var have bool
+	for _, e := range resp.Untagged {
+		if tt, ok := e.(T); ok {
+			if have {
+				return t, ErrMultiple
+			}
+			t = tt
+		}
+	}
+	if !have {
+		return t, ErrMissing
+	}
+	return t, nil
+}
+
+// UntaggedResponseList returns all untagged responses of type T.
+func UntaggedResponseList[T Untagged](resp Response) []T {
+	var l []T
+	for _, e := range resp.Untagged {
+		if tt, ok := e.(T); ok {
+			l = append(l, tt)
+		}
+	}
+	return l
+}
+
 // Result is the final response for a command, indicating success or failure.
 type Result struct {
 	Status Status
-	RespText
+	Code   Code   // Set if response code is present.
+	Text   string // Any remaining text.
 }
 
-// CodeArg represents a response code with arguments, i.e. the data between [] in the response line.
-type CodeArg interface {
-	CodeString() string
-}
-
-// CodeOther is a valid but unrecognized response code.
-type CodeOther struct {
-	Code string
-	Args []string
-}
-
-func (c CodeOther) CodeString() string {
-	return c.Code + " " + strings.Join(c.Args, " ")
-}
-
-// CodeWords is a code with space-separated string parameters. E.g. CAPABILITY.
-type CodeWords struct {
-	Code string
-	Args []string
-}
-
-func (c CodeWords) CodeString() string {
-	s := c.Code
-	for _, w := range c.Args {
-		s += " " + w
+func (r Result) Error() string {
+	s := fmt.Sprintf("IMAP result %s", r.Status)
+	if r.Code != nil {
+		s += "[" + r.Code.CodeString() + "]"
+	}
+	if r.Text != "" {
+		s += " " + r.Text
 	}
 	return s
 }
 
-// CodeList is a code with a list with space-separated strings as parameters. E.g. BADCHARSET, PERMANENTFLAGS.
-type CodeList struct {
-	Code string
-	Args []string // If nil, no list was present. List can also be empty.
+// Code represents a response code with optional arguments, i.e. the data between [] in the response line.
+type Code interface {
+	CodeString() string
 }
 
-func (c CodeList) CodeString() string {
-	s := c.Code
-	if c.Args == nil {
+// CodeWord is a response code without parameters, always in upper case.
+type CodeWord string
+
+func (c CodeWord) CodeString() string {
+	return string(c)
+}
+
+// CodeOther is an unrecognized response code with parameters.
+type CodeParams struct {
+	Code string // Always in upper case.
+	Args []string
+}
+
+func (c CodeParams) CodeString() string {
+	return c.Code + " " + strings.Join(c.Args, " ")
+}
+
+// CodeCapability is a CAPABILITY response code with the capabilities supported by the server.
+type CodeCapability []Capability
+
+func (c CodeCapability) CodeString() string {
+	var s string
+	for _, c := range c {
+		s += " " + string(c)
+	}
+	return "CAPABILITY" + s
+}
+
+type CodeBadCharset []string
+
+func (c CodeBadCharset) CodeString() string {
+	s := "BADCHARSET"
+	if len(c) == 0 {
 		return s
 	}
-	return s + "(" + strings.Join(c.Args, " ") + ")"
+	return s + " (" + strings.Join([]string(c), " ") + ")"
 }
 
-// CodeUint is a code with a uint32 parameter, e.g. UIDNEXT and UIDVALIDITY.
-type CodeUint struct {
-	Code string
-	Num  uint32
+type CodePermanentFlags []string
+
+func (c CodePermanentFlags) CodeString() string {
+	return "PERMANENTFLAGS (" + strings.Join([]string(c), " ") + ")"
 }
 
-func (c CodeUint) CodeString() string {
-	return fmt.Sprintf("%s %d", c.Code, c.Num)
+type CodeUIDNext uint32
+
+func (c CodeUIDNext) CodeString() string {
+	return fmt.Sprintf("UIDNEXT %d", c)
+}
+
+type CodeUIDValidity uint32
+
+func (c CodeUIDValidity) CodeString() string {
+	return fmt.Sprintf("UIDVALIDITY %d", c)
+}
+
+type CodeUnseen uint32
+
+func (c CodeUnseen) CodeString() string {
+	return fmt.Sprintf("UNSEEN %d", c)
 }
 
 // "APPENDUID" response code.
 type CodeAppendUID struct {
 	UIDValidity uint32
-	UID         uint32
+	UIDs        NumRange
 }
 
 func (c CodeAppendUID) CodeString() string {
-	return fmt.Sprintf("APPENDUID %d %d", c.UIDValidity, c.UID)
+	return fmt.Sprintf("APPENDUID %d %s", c.UIDValidity, c.UIDs.String())
 }
 
 // "COPYUID" response code.
@@ -149,11 +242,66 @@ func (c CodeHighestModSeq) CodeString() string {
 	return fmt.Sprintf("HIGHESTMODSEQ %d", c)
 }
 
-// RespText represents a response line minus the leading tag.
-type RespText struct {
-	Code    string  // The first word between [] after the status.
-	CodeArg CodeArg // Set if code has a parameter.
-	More    string  // Any remaining text.
+// "INPROGRESS" response code.
+type CodeInProgress struct {
+	Tag     string // Nil is empty string.
+	Current *uint32
+	Goal    *uint32
+}
+
+func (c CodeInProgress) CodeString() string {
+	// ABNF allows inprogress-tag/state with all nil values. Doesn't seem useful enough
+	// to keep track of.
+	if c.Tag == "" && c.Current == nil && c.Goal == nil {
+		return "INPROGRESS"
+	}
+
+	// todo: quote tag properly
+	current := "nil"
+	goal := "nil"
+	if c.Current != nil {
+		current = fmt.Sprintf("%d", *c.Current)
+	}
+	if c.Goal != nil {
+		goal = fmt.Sprintf("%d", *c.Goal)
+	}
+	return fmt.Sprintf("INPROGRESS (%q %s %s)", c.Tag, current, goal)
+}
+
+// "BADEVENT" response code, with the events that are supported, for the NOTIFY
+// extension.
+type CodeBadEvent []string
+
+func (c CodeBadEvent) CodeString() string {
+	return fmt.Sprintf("BADEVENT (%s)", strings.Join([]string(c), " "))
+}
+
+// "METADATA LONGENTRIES number" response for GETMETADATA command.
+type CodeMetadataLongEntries uint32
+
+func (c CodeMetadataLongEntries) CodeString() string {
+	return fmt.Sprintf("METADATA LONGENTRIES %d", c)
+}
+
+// "METADATA (MAXSIZE number)" response for SETMETADATA command.
+type CodeMetadataMaxSize uint32
+
+func (c CodeMetadataMaxSize) CodeString() string {
+	return fmt.Sprintf("METADATA (MAXSIZE %d)", c)
+}
+
+// "METADATA (TOOMANY)" response for SETMETADATA command.
+type CodeMetadataTooMany struct{}
+
+func (c CodeMetadataTooMany) CodeString() string {
+	return "METADATA (TOOMANY)"
+}
+
+// "METADATA (NOPRIVATE)" response for SETMETADATA command.
+type CodeMetadataNoPrivate struct{}
+
+func (c CodeMetadataNoPrivate) CodeString() string {
+	return "METADATA (NOPRIVATE)"
 }
 
 // atom or string.
@@ -194,17 +342,30 @@ func syncliteral(s string) string {
 // todo: make an interface that the untagged responses implement?
 type Untagged any
 
-type UntaggedBye RespText
-type UntaggedPreauth RespText
+type UntaggedBye struct {
+	Code Code   // Set if response code is present.
+	Text string // Any remaining text.
+}
+type UntaggedPreauth struct {
+	Code Code   // Set if response code is present.
+	Text string // Any remaining text.
+}
 type UntaggedExpunge uint32
 type UntaggedExists uint32
 type UntaggedRecent uint32
-type UntaggedCapability []string
-type UntaggedEnabled []string
+
+// UntaggedCapability lists all capabilities the server implements.
+type UntaggedCapability []Capability
+
+// UntaggedEnabled indicates the capabilities that were enabled on the connection
+// by the server, typically in response to an ENABLE command.
+type UntaggedEnabled []Capability
+
 type UntaggedResult Result
 type UntaggedFlags []string
 type UntaggedList struct {
 	// ../rfc/9051:6690
+
 	Flags     []string
 	Separator byte // 0 for NIL
 	Mailbox   string
@@ -215,22 +376,76 @@ type UntaggedFetch struct {
 	Seq   uint32
 	Attrs []FetchAttr
 }
+
+// UntaggedUIDFetch is like UntaggedFetch, but with UIDs instead of message
+// sequence numbers, and returned instead of regular fetch responses when UIDONLY
+// is enabled.
+type UntaggedUIDFetch struct {
+	UID   uint32
+	Attrs []FetchAttr
+}
 type UntaggedSearch []uint32
 
-// ../rfc/7162:1101
 type UntaggedSearchModSeq struct {
+	// ../rfc/7162:1101
+
 	Nums   []uint32
 	ModSeq int64
 }
 type UntaggedStatus struct {
 	Mailbox string
-	Attrs   map[string]int64 // Upper case status attributes. ../rfc/9051:7059
+	Attrs   map[StatusAttr]int64 // Upper case status attributes.
 }
+
+// Unsolicited response, indicating an annotation has changed.
+type UntaggedMetadataKeys struct {
+	// ../rfc/5464:716
+
+	Mailbox string // Empty means not specific to mailbox.
+
+	// Keys that have changed. To get values (or determine absence), the server must be
+	// queried.
+	Keys []string
+}
+
+// Annotation is a metadata server of mailbox annotation.
+type Annotation struct {
+	Key string
+	// Nil is represented by IsString false and a nil Value.
+	IsString bool
+	Value    []byte
+}
+
+type UntaggedMetadataAnnotations struct {
+	// ../rfc/5464:683
+
+	Mailbox     string // Empty means not specific to mailbox.
+	Annotations []Annotation
+}
+
+type StatusAttr string
+
+// ../rfc/9051:7059 ../9208:712
+
+const (
+	StatusMessages       StatusAttr = "MESSAGES"
+	StatusUIDNext        StatusAttr = "UIDNEXT"
+	StatusUIDValidity    StatusAttr = "UIDVALIDITY"
+	StatusUnseen         StatusAttr = "UNSEEN"
+	StatusDeleted        StatusAttr = "DELETED"
+	StatusSize           StatusAttr = "SIZE"
+	StatusRecent         StatusAttr = "RECENT"
+	StatusAppendLimit    StatusAttr = "APPENDLIMIT"
+	StatusHighestModSeq  StatusAttr = "HIGHESTMODSEQ"
+	StatusDeletedStorage StatusAttr = "DELETED-STORAGE"
+)
+
 type UntaggedNamespace struct {
 	Personal, Other, Shared []NamespaceDescr
 }
 type UntaggedLsub struct {
 	// ../rfc/3501:4833
+
 	Flags     []string
 	Separator byte
 	Mailbox   string
@@ -238,15 +453,17 @@ type UntaggedLsub struct {
 
 // Fields are optional and zero if absent.
 type UntaggedEsearch struct {
-	// ../rfc/9051:6546
-	Correlator string
-	UID        bool
-	Min        uint32
-	Max        uint32
-	All        NumSet
-	Count      *uint32
-	ModSeq     int64
-	Exts       []EsearchDataExt
+	Tag         string // ../rfc/9051:6546
+	Mailbox     string // For MULTISEARCH. ../rfc/7377:437
+	UIDValidity uint32 // For MULTISEARCH, ../rfc/7377:438
+
+	UID    bool
+	Min    uint32
+	Max    uint32
+	All    NumSet
+	Count  *uint32
+	ModSeq int64
+	Exts   []EsearchDataExt
 }
 
 // UntaggedVanished is used in QRESYNC to send UIDs that have been removed.
@@ -255,6 +472,37 @@ type UntaggedVanished struct {
 	UIDs    NumSet
 }
 
+// UntaggedQuotaroot lists the roots for which quota can be present.
+type UntaggedQuotaroot []string
+
+// UntaggedQuota holds the quota for a quota root.
+type UntaggedQuota struct {
+	Root string
+
+	// Always has at least one. Any QUOTA=RES-* capability not mentioned has no limit
+	// or this quota root.
+	Resources []QuotaResource
+}
+
+// Resource types ../rfc/9208:533
+
+// QuotaResourceName is the name of a resource type. More can be defined in the
+// future and encountered in the wild. Always in upper case.
+type QuotaResourceName string
+
+const (
+	QuotaResourceStorage           = "STORAGE"
+	QuotaResourceMesssage          = "MESSAGE"
+	QuotaResourceMailbox           = "MAILBOX"
+	QuotaResourceAnnotationStorage = "ANNOTATION-STORAGE"
+)
+
+type QuotaResource struct {
+	Name  QuotaResourceName
+	Usage int64 // Currently in use. Count or disk size in 1024 byte blocks.
+	Limit int64 // Maximum allowed usage.
+}
+
 // ../rfc/2971:184
 
 type UntaggedID map[string]string
@@ -267,6 +515,7 @@ type EsearchDataExt struct {
 
 type NamespaceDescr struct {
 	// ../rfc/9051:6769
+
 	Prefix    string
 	Separator byte // If 0 then separator was absent.
 	Exts      []NamespaceExtension
@@ -274,13 +523,14 @@ type NamespaceDescr struct {
 
 type NamespaceExtension struct {
 	// ../rfc/9051:6773
+
 	Key    string
 	Values []string
 }
 
 // FetchAttr represents a FETCH response attribute.
 type FetchAttr interface {
-	Attr() string // Name of attribute.
+	Attr() string // Name of attribute in upper case, e.g. "UID".
 }
 
 type NumSet struct {
@@ -307,12 +557,19 @@ func (ns NumSet) String() string {
 }
 
 func ParseNumSet(s string) (ns NumSet, rerr error) {
-	c := Conn{r: bufio.NewReader(strings.NewReader(s))}
+	c := Proto{br: bufio.NewReader(strings.NewReader(s))}
 	defer c.recover(&rerr)
 	ns = c.xsequenceSet()
 	return
 }
 
+func ParseUIDRange(s string) (nr NumRange, rerr error) {
+	c := Proto{br: bufio.NewReader(strings.NewReader(s))}
+	defer c.recover(&rerr)
+	nr = c.xuidrange()
+	return
+}
+
 // NumRange is a single number or range.
 type NumRange struct {
 	First uint32  // 0 for "*".
@@ -346,6 +603,7 @@ type TaggedExtComp struct {
 
 type TaggedExtVal struct {
 	// ../rfc/9051:7111
+
 	Number *int64
 	SeqSet *NumSet
 	Comp   *TaggedExtComp // If SimpleNumber and SimpleSeqSet is nil, this is a Comp. But Comp is optional and can also be nil. Not great.
@@ -353,6 +611,7 @@ type TaggedExtVal struct {
 
 type MboxListExtendedItem struct {
 	// ../rfc/9051:6699
+
 	Tag string
 	Val TaggedExtVal
 }
@@ -381,9 +640,21 @@ type Address struct {
 }
 
 // "INTERNALDATE" fetch response.
-type FetchInternalDate string            // todo: parsed time
+type FetchInternalDate struct {
+	Date time.Time
+}
+
 func (f FetchInternalDate) Attr() string { return "INTERNALDATE" }
 
+// "SAVEDATE" fetch response.
+type FetchSaveDate struct {
+	// ../rfc/8514:265
+
+	SaveDate *time.Time // nil means absent for message.
+}
+
+func (f FetchSaveDate) Attr() string { return "SAVEDATE" }
+
 // "RFC822.SIZE" fetch response.
 type FetchRFC822Size int64
 
@@ -407,6 +678,7 @@ func (f FetchRFC822Text) Attr() string { return "RFC822.TEXT" }
 // "BODYSTRUCTURE" fetch response.
 type FetchBodystructure struct {
 	// ../rfc/9051:6355
+
 	RespAttr string
 	Body     any // BodyType*
 }
@@ -416,6 +688,7 @@ func (f FetchBodystructure) Attr() string { return f.RespAttr }
 // "BODY" fetch response.
 type FetchBody struct {
 	// ../rfc/9051:6756 ../rfc/9051:6985
+
 	RespAttr string
 	Section  string // todo: parse more ../rfc/9051:6985
 	Offset   int32
@@ -431,36 +704,96 @@ type BodyFields struct {
 	Octets                       int32
 }
 
-// BodyTypeMpart represents the body structure a multipart message, with subparts and the multipart media subtype. Used in a FETCH response.
+// BodyTypeMpart represents the body structure a multipart message, with
+// subparts and the multipart media subtype. Used in a FETCH response.
 type BodyTypeMpart struct {
 	// ../rfc/9051:6411
+
 	Bodies       []any // BodyTypeBasic, BodyTypeMsg, BodyTypeText
 	MediaSubtype string
+	Ext          *BodyExtensionMpart
 }
 
-// BodyTypeBasic represents basic information about a part, used in a FETCH response.
+// BodyTypeBasic represents basic information about a part, used in a FETCH
+// response.
 type BodyTypeBasic struct {
 	// ../rfc/9051:6407
+
 	MediaType, MediaSubtype string
 	BodyFields              BodyFields
+	Ext                     *BodyExtension1Part
 }
 
-// BodyTypeMsg represents an email message as a body structure, used in a FETCH response.
+// BodyTypeMsg represents an email message as a body structure, used in a FETCH
+// response.
 type BodyTypeMsg struct {
 	// ../rfc/9051:6415
+
 	MediaType, MediaSubtype string
 	BodyFields              BodyFields
 	Envelope                Envelope
 	Bodystructure           any // One of the BodyType*
 	Lines                   int64
+	Ext                     *BodyExtension1Part
 }
 
-// BodyTypeText represents a text part as a body structure, used in a FETCH response.
+// BodyTypeText represents a text part as a body structure, used in a FETCH
+// response.
 type BodyTypeText struct {
 	// ../rfc/9051:6418
+
 	MediaType, MediaSubtype string
 	BodyFields              BodyFields
 	Lines                   int64
+	Ext                     *BodyExtension1Part
+}
+
+// BodyExtension1Part has the extensible form fields of a BODYSTRUCTURE for
+// multiparts.
+//
+// Fields in this struct are optional in IMAP4, and can be NIL or contain a value.
+// The first field is always present, otherwise the "parent" struct would have a
+// nil *BodyExtensionMpart. The second and later fields are nil when absent. For
+// non-reference types (e.g. strings), an IMAP4 NIL is represented as a pointer to
+// (*T)(nil). For reference types (e.g. slices), an IMAP4 NIL is represented by a
+// pointer to nil.
+type BodyExtensionMpart struct {
+	// ../rfc/9051:5986 ../rfc/3501:4161 ../rfc/9051:6371 ../rfc/3501:4599
+
+	Params            [][2]string
+	Disposition       **string
+	DispositionParams *[][2]string
+	Language          *[]string
+	Location          **string
+	More              []BodyExtension // Nil if absent.
+}
+
+// BodyExtension1Part has the extensible form fields of a BODYSTRUCTURE for
+// non-multiparts.
+//
+// Fields in this struct are optional in IMAP4, and can be NIL or contain a value.
+// The first field is always present, otherwise the "parent" struct would have a
+// nil *BodyExtensionMpart. The second and later fields are nil when absent. For
+// non-reference types (e.g. strings), an IMAP4 NIL is represented as a pointer to
+// (*T)(nil). For reference types (e.g. slices), an IMAP4 NIL is represented by a
+// pointer to nil.
+type BodyExtension1Part struct {
+	// ../rfc/9051:6023 ../rfc/3501:4191 ../rfc/9051:6366 ../rfc/3501:4584
+
+	MD5               *string
+	Disposition       **string
+	DispositionParams *[][2]string
+	Language          *[]string
+	Location          **string
+	More              []BodyExtension // Nil means absent.
+}
+
+// BodyExtension has the additional extension fields for future expansion of
+// extensions.
+type BodyExtension struct {
+	String *string
+	Number *int64
+	More   []BodyExtension
 }
 
 // "BINARY" fetch response.
@@ -490,3 +823,12 @@ func (f FetchUID) Attr() string { return "UID" }
 type FetchModSeq int64
 
 func (f FetchModSeq) Attr() string { return "MODSEQ" }
+
+// "PREVIEW" fetch response.
+type FetchPreview struct {
+	Preview *string
+}
+
+// ../rfc/8970:146
+
+func (f FetchPreview) Attr() string { return "PREVIEW" }

imapserver/append_test.go

@@ -7,22 +7,30 @@ import (
 )
 
 func TestAppend(t *testing.T) {
+	testAppend(t, false)
+}
+
+func TestAppendUIDOnly(t *testing.T) {
+	testAppend(t, true)
+}
+
+func testAppend(t *testing.T, uidonly bool) {
 	defer mockUIDValidity()()
 
-	tc := start(t) // note: with switchboard because this connection stays alive unlike tc2.
+	tc := start(t, uidonly) // note: with switchboard because this connection stays alive unlike tc2.
 	defer tc.close()
 
-	tc2 := startNoSwitchboard(t) // note: without switchboard because this connection will break during tests.
-	defer tc2.close()
+	tc2 := startNoSwitchboard(t, uidonly) // note: without switchboard because this connection will break during tests.
+	defer tc2.closeNoWait()
 
-	tc3 := startNoSwitchboard(t)
-	defer tc3.close()
+	tc3 := startNoSwitchboard(t, uidonly)
+	defer tc3.closeNoWait()
 
-	tc2.client.Login("mjl@mox.example", "testtest")
+	tc2.login("mjl@mox.example", password0)
 	tc2.client.Select("inbox")
-	tc.client.Login("mjl@mox.example", "testtest")
+	tc.login("mjl@mox.example", password0)
 	tc.client.Select("inbox")
-	tc3.client.Login("mjl@mox.example", "testtest")
+	tc3.login("mjl@mox.example", password0)
 
 	tc2.transactf("bad", "append")              // Missing params.
 	tc2.transactf("bad", `append inbox`)        // Missing message.
@@ -30,39 +38,44 @@ func TestAppend(t *testing.T) {
 
 	// Syntax error for line ending in literal causes connection abort.
 	tc2.transactf("bad", "append inbox (\\Badflag) {1+}\r\nx") // Unknown flag.
-	tc2 = startNoSwitchboard(t)
-	defer tc2.close()
-	tc2.client.Login("mjl@mox.example", "testtest")
+	tc2 = startNoSwitchboard(t, uidonly)
+	defer tc2.closeNoWait()
+	tc2.login("mjl@mox.example", password0)
 	tc2.client.Select("inbox")
 
 	tc2.transactf("bad", "append inbox () \"bad time\" {1+}\r\nx") // Bad time.
-	tc2 = startNoSwitchboard(t)
-	defer tc2.close()
-	tc2.client.Login("mjl@mox.example", "testtest")
+	tc2 = startNoSwitchboard(t, uidonly)
+	defer tc2.closeNoWait()
+	tc2.login("mjl@mox.example", password0)
 	tc2.client.Select("inbox")
 
 	tc2.transactf("no", "append nobox (\\Seen) \" 1-Jan-2022 10:10:00 +0100\" {1}")
-	tc2.xcode("TRYCREATE")
+	tc2.xcodeWord("TRYCREATE")
+
+	tc2.transactf("no", "append expungebox (\\Seen) {1}")
+	tc2.xcodeWord("TRYCREATE")
 
 	tc2.transactf("ok", "append inbox (\\Seen Label1 $label2) \" 1-Jan-2022 10:10:00 +0100\" {1+}\r\nx")
 	tc2.xuntagged(imapclient.UntaggedExists(1))
-	tc2.xcodeArg(imapclient.CodeAppendUID{UIDValidity: 1, UID: 1})
+	tc2.xcode(imapclient.CodeAppendUID{UIDValidity: 1, UIDs: xparseUIDRange("1")})
 
 	tc.transactf("ok", "noop")
-	uid1 := imapclient.FetchUID(1)
 	flags := imapclient.FetchFlags{`\Seen`, "$label2", "label1"}
-	tc.xuntagged(imapclient.UntaggedExists(1), imapclient.UntaggedFetch{Seq: 1, Attrs: []imapclient.FetchAttr{uid1, flags}})
+	tc.xuntagged(imapclient.UntaggedExists(1), tc.untaggedFetch(1, 1, flags))
 	tc3.transactf("ok", "noop")
 	tc3.xuntagged() // Inbox is not selected, nothing to report.
 
-	tc2.transactf("ok", "append inbox (\\Seen) \" 1-Jan-2022 10:10:00 +0100\" UTF8 ({47+}\r\ncontent-type: just completely invalid;;\r\n\r\ntest)")
+	tc2.transactf("ok", "append inbox (\\Seen) \" 1-Jan-2022 10:10:00 +0100\" UTF8 (~{47+}\r\ncontent-type: just completely invalid;;\r\n\r\ntest)")
 	tc2.xuntagged(imapclient.UntaggedExists(2))
-	tc2.xcodeArg(imapclient.CodeAppendUID{UIDValidity: 1, UID: 2})
+	tc2.xcode(imapclient.CodeAppendUID{UIDValidity: 1, UIDs: xparseUIDRange("2")})
+
+	tc2.transactf("ok", "append inbox (\\Seen) \" 1-Jan-2022 10:10:00 +0100\" UTF8 (~{31+}\r\ncontent-type: text/plain;\n\ntest)")
+	tc2.xuntagged(imapclient.UntaggedExists(3))
+	tc2.xcode(imapclient.CodeAppendUID{UIDValidity: 1, UIDs: xparseUIDRange("3")})
 
 	// Messages that we cannot parse are marked as application/octet-stream. Perhaps
 	// the imap client knows how to deal with them.
 	tc2.transactf("ok", "uid fetch 2 body")
-	uid2 := imapclient.FetchUID(2)
 	xbs := imapclient.FetchBodystructure{
 		RespAttr: "BODY",
 		Body: imapclient.BodyTypeBasic{
@@ -73,5 +86,50 @@ func TestAppend(t *testing.T) {
 			},
 		},
 	}
-	tc2.xuntagged(imapclient.UntaggedFetch{Seq: 2, Attrs: []imapclient.FetchAttr{uid2, xbs}})
+	tc2.xuntagged(tc.untaggedFetch(2, 2, xbs))
+
+	// Multiappend with two messages.
+	tc.transactf("ok", "noop") // Flush pending untagged responses.
+	tc.transactf("ok", "append inbox {6+}\r\ntest\r\n ~{6+}\r\ntost\r\n")
+	tc.xuntagged(imapclient.UntaggedExists(5))
+	tc.xcode(imapclient.CodeAppendUID{UIDValidity: 1, UIDs: xparseUIDRange("4:5")})
+
+	// Cancelled with zero-length message.
+	tc.transactf("no", "append inbox {6+}\r\ntest\r\n {0+}\r\n")
+
+	tclimit := startArgs(t, uidonly, false, false, true, true, "limit")
+	defer tclimit.close()
+	tclimit.login("limit@mox.example", password0)
+	tclimit.client.Select("inbox")
+	// First message of 1 byte is within limits.
+	tclimit.transactf("ok", "append inbox (\\Seen Label1 $label2) \" 1-Jan-2022 10:10:00 +0100\" {1+}\r\nx")
+	tclimit.xuntagged(imapclient.UntaggedExists(1))
+	// Second message would take account past limit.
+	tclimit.transactf("no", "append inbox (\\Seen Label1 $label2) \" 1-Jan-2022 10:10:00 +0100\" {1+}\r\nx")
+	tclimit.xcodeWord("OVERQUOTA")
+
+	// Empty mailbox.
+	if uidonly {
+		tclimit.transactf("ok", `uid store 1 flags (\deleted)`)
+	} else {
+		tclimit.transactf("ok", `store 1 flags (\deleted)`)
+	}
+	tclimit.transactf("ok", "expunge")
+
+	// Multiappend with first message within quota, and second message with sync
+	// literal causing quota error. Request should get error response immediately.
+	tclimit.transactf("no", "append inbox {1+}\r\nx {100000}")
+	tclimit.xcodeWord("OVERQUOTA")
+
+	// Again, but second message now with non-sync literal, which is fully consumed by server.
+	tclimit.client.WriteCommandf("", "append inbox {1+}\r\nx {4000+}")
+	buf := make([]byte, 4000, 4002)
+	for i := range buf {
+		buf[i] = 'x'
+	}
+	buf = append(buf, "\r\n"...)
+	_, err := tclimit.client.Write(buf)
+	tclimit.check(err, "write append message")
+	tclimit.response("no")
+	tclimit.xcodeWord("OVERQUOTA")
 }

imapserver/authenticate_test.go

@@ -1,51 +1,74 @@
 package imapserver
 
 import (
+	"context"
 	"crypto/hmac"
 	"crypto/md5"
 	"crypto/sha1"
 	"crypto/sha256"
+	"crypto/tls"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"hash"
+	"net"
+	"os"
+	"path/filepath"
 	"strings"
 	"testing"
+	"time"
 
+	"golang.org/x/text/secure/precis"
+
+	"github.com/mjl-/mox/imapclient"
+	"github.com/mjl-/mox/mox-"
 	"github.com/mjl-/mox/scram"
+	"github.com/mjl-/mox/store"
 )
 
+func TestAuthenticateLogin(t *testing.T) {
+	// NFD username and PRECIS-cleaned password.
+	tc := start(t, false)
+	tc.client.Login("mo\u0301x@mox.example", password1)
+	tc.close()
+}
+
 func TestAuthenticatePlain(t *testing.T) {
-	tc := start(t)
+	tc := start(t, false)
 
 	tc.transactf("no", "authenticate bogus ")
 	tc.transactf("bad", "authenticate plain not base64...")
 	tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000baduser\u0000badpass")))
-	tc.xcode("AUTHENTICATIONFAILED")
+	tc.xcodeWord("AUTHENTICATIONFAILED")
 	tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000badpass")))
-	tc.xcode("AUTHENTICATIONFAILED")
+	tc.xcodeWord("AUTHENTICATIONFAILED")
 	tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl\u0000badpass"))) // Need email, not account.
-	tc.xcode("AUTHENTICATIONFAILED")
+	tc.xcodeWord("AUTHENTICATIONFAILED")
 	tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000test")))
-	tc.xcode("AUTHENTICATIONFAILED")
-	tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000testtesttest")))
-	tc.xcode("AUTHENTICATIONFAILED")
+	tc.xcodeWord("AUTHENTICATIONFAILED")
+	tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000test"+password0)))
+	tc.xcodeWord("AUTHENTICATIONFAILED")
 	tc.transactf("bad", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000")))
-	tc.xcode("")
-	tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("other\u0000mjl@mox.example\u0000testtest")))
-	tc.xcode("AUTHORIZATIONFAILED")
-	tc.transactf("ok", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000testtest")))
+	tc.xcode(nil)
+	tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("other\u0000mjl@mox.example\u0000"+password0)))
+	tc.xcodeWord("AUTHORIZATIONFAILED")
+	tc.transactf("ok", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000"+password0)))
 	tc.close()
 
-	tc = start(t)
-	tc.transactf("ok", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("mjl@mox.example\u0000mjl@mox.example\u0000testtest")))
+	tc = start(t, false)
+	tc.transactf("ok", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("mjl@mox.example\u0000mjl@mox.example\u0000"+password0)))
 	tc.close()
 
-	tc = start(t)
-	tc.client.AuthenticatePlain("mjl@mox.example", "testtest")
+	// NFD username and PRECIS-cleaned password.
+	tc = start(t, false)
+	tc.transactf("ok", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("mo\u0301x@mox.example\u0000mo\u0301x@mox.example\u0000"+password1)))
 	tc.close()
 
-	tc = start(t)
+	tc = start(t, false)
+	tc.client.AuthenticatePlain("mjl@mox.example", password0)
+	tc.close()
+
+	tc = start(t, false)
 	defer tc.close()
 
 	tc.cmdf("", "authenticate plain")
@@ -55,38 +78,65 @@ func TestAuthenticatePlain(t *testing.T) {
 
 	tc.cmdf("", "authenticate plain")
 	tc.readprefixline("+ ")
-	tc.writelinef("%s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000testtest")))
+	tc.writelinef("%s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000"+password0)))
 	tc.readstatus("ok")
 }
 
+func TestLoginDisabled(t *testing.T) {
+	tc := start(t, false)
+	defer tc.close()
+
+	acc, err := store.OpenAccount(pkglog, "disabled", false)
+	tcheck(t, err, "open account")
+	err = acc.SetPassword(pkglog, "test1234")
+	tcheck(t, err, "set password")
+	err = acc.Close()
+	tcheck(t, err, "close account")
+
+	tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000disabled@mox.example\u0000test1234")))
+	tc.xcode(nil)
+	tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000disabled@mox.example\u0000bogus")))
+	tc.xcodeWord("AUTHENTICATIONFAILED")
+
+	tc.transactf("no", "login disabled@mox.example test1234")
+	tc.xcode(nil)
+	tc.transactf("no", "login disabled@mox.example bogus")
+	tc.xcodeWord("AUTHENTICATIONFAILED")
+}
+
 func TestAuthenticateSCRAMSHA1(t *testing.T) {
-	testAuthenticateSCRAM(t, "SCRAM-SHA-1", sha1.New)
+	testAuthenticateSCRAM(t, false, "SCRAM-SHA-1", sha1.New)
 }
 
 func TestAuthenticateSCRAMSHA256(t *testing.T) {
-	testAuthenticateSCRAM(t, "SCRAM-SHA-256", sha256.New)
+	testAuthenticateSCRAM(t, false, "SCRAM-SHA-256", sha256.New)
 }
 
-func testAuthenticateSCRAM(t *testing.T, method string, h func() hash.Hash) {
-	tc := start(t)
-	tc.client.AuthenticateSCRAM(method, h, "mjl@mox.example", "testtest")
+func TestAuthenticateSCRAMSHA1PLUS(t *testing.T) {
+	testAuthenticateSCRAM(t, true, "SCRAM-SHA-1-PLUS", sha1.New)
+}
+
+func TestAuthenticateSCRAMSHA256PLUS(t *testing.T) {
+	testAuthenticateSCRAM(t, true, "SCRAM-SHA-256-PLUS", sha256.New)
+}
+
+func testAuthenticateSCRAM(t *testing.T, tls bool, method string, h func() hash.Hash) {
+	tc := startArgs(t, false, true, tls, true, true, "mjl")
+	tc.client.AuthenticateSCRAM(method, h, "mjl@mox.example", password0)
 	tc.close()
 
 	auth := func(status string, serverFinalError error, username, password string) {
 		t.Helper()
 
-		sc := scram.NewClient(h, username, "")
+		noServerPlus := false
+		sc := scram.NewClient(h, username, "", noServerPlus, tc.client.TLSConnectionState())
 		clientFirst, err := sc.ClientFirst()
 		tc.check(err, "scram clientFirst")
-		tc.client.LastTag = "x001"
-		tc.writelinef("%s authenticate %s %s", tc.client.LastTag, method, base64.StdEncoding.EncodeToString([]byte(clientFirst)))
+		tc.client.WriteCommandf("", "authenticate %s %s", method, base64.StdEncoding.EncodeToString([]byte(clientFirst)))
 
 		xreadContinuation := func() []byte {
-			line, _, result, rerr := tc.client.ReadContinuation()
-			tc.check(rerr, "read continuation")
-			if result.Status != "" {
-				tc.t.Fatalf("expected continuation")
-			}
+			line, err := tc.client.ReadContinuation()
+			tcheck(t, err, "read continuation")
 			buf, err := base64.StdEncoding.DecodeString(line)
 			tc.check(err, "parsing base64 from remote")
 			return buf
@@ -109,27 +159,31 @@ func testAuthenticateSCRAM(t *testing.T, method string, h func() hash.Hash) {
 		} else {
 			tc.writelinef("")
 		}
-		_, result, err := tc.client.Response()
+		resp, err := tc.client.ReadResponse()
 		tc.check(err, "read response")
-		if string(result.Status) != strings.ToUpper(status) {
-			tc.t.Fatalf("got status %q, expected %q", result.Status, strings.ToUpper(status))
+		if string(resp.Status) != strings.ToUpper(status) {
+			tc.t.Fatalf("got status %q, expected %q", resp.Status, strings.ToUpper(status))
 		}
 	}
 
-	tc = start(t)
+	tc = startArgs(t, false, true, tls, true, true, "mjl")
 	auth("no", scram.ErrInvalidProof, "mjl@mox.example", "badpass")
 	auth("no", scram.ErrInvalidProof, "mjl@mox.example", "")
 	// todo: server aborts due to invalid username. we should probably make client continue with fake determinisitically generated salt and result in error in the end.
-	// auth("no", nil, "other@mox.example", "testtest")
+	// auth("no", nil, "other@mox.example", password0)
 
 	tc.transactf("no", "authenticate bogus ")
 	tc.transactf("bad", "authenticate %s not base64...", method)
-	tc.transactf("bad", "authenticate %s %s", method, base64.StdEncoding.EncodeToString([]byte("bad data")))
+	tc.transactf("no", "authenticate %s %s", method, base64.StdEncoding.EncodeToString([]byte("bad data")))
+
+	// NFD username, with PRECIS-cleaned password.
+	auth("ok", nil, "mo\u0301x@mox.example", password1)
+
 	tc.close()
 }
 
 func TestAuthenticateCRAMMD5(t *testing.T) {
-	tc := start(t)
+	tc := start(t, false)
 
 	tc.transactf("no", "authenticate bogus ")
 	tc.transactf("bad", "authenticate CRAM-MD5 not base64...")
@@ -139,38 +193,190 @@ func TestAuthenticateCRAMMD5(t *testing.T) {
 	auth := func(status string, username, password string) {
 		t.Helper()
 
-		tc.client.LastTag = "x001"
-		tc.writelinef("%s authenticate CRAM-MD5", tc.client.LastTag)
+		tc.client.WriteCommandf("", "authenticate CRAM-MD5")
 
 		xreadContinuation := func() []byte {
-			line, _, result, rerr := tc.client.ReadContinuation()
-			tc.check(rerr, "read continuation")
-			if result.Status != "" {
-				tc.t.Fatalf("expected continuation")
-			}
+			line, err := tc.client.ReadContinuation()
+			tcheck(t, err, "read continuation")
 			buf, err := base64.StdEncoding.DecodeString(line)
 			tc.check(err, "parsing base64 from remote")
 			return buf
 		}
 
 		chal := xreadContinuation()
+		pw, err := precis.OpaqueString.String(password)
+		if err == nil {
+			password = pw
+		}
 		h := hmac.New(md5.New, []byte(password))
 		h.Write([]byte(chal))
-		resp := fmt.Sprintf("%s %x", username, h.Sum(nil))
-		tc.writelinef("%s", base64.StdEncoding.EncodeToString([]byte(resp)))
+		data := fmt.Sprintf("%s %x", username, h.Sum(nil))
+		tc.writelinef("%s", base64.StdEncoding.EncodeToString([]byte(data)))
 
-		_, result, err := tc.client.Response()
+		resp, err := tc.client.ReadResponse()
 		tc.check(err, "read response")
-		if string(result.Status) != strings.ToUpper(status) {
-			tc.t.Fatalf("got status %q, expected %q", result.Status, strings.ToUpper(status))
+		if string(resp.Status) != strings.ToUpper(status) {
+			tc.t.Fatalf("got status %q, expected %q", resp.Status, strings.ToUpper(status))
 		}
 	}
 
 	auth("no", "mjl@mox.example", "badpass")
 	auth("no", "mjl@mox.example", "")
-	auth("no", "other@mox.example", "testtest")
+	auth("no", "other@mox.example", password0)
 
-	auth("ok", "mjl@mox.example", "testtest")
+	auth("ok", "mjl@mox.example", password0)
 
 	tc.close()
+
+	// NFD username, with PRECIS-cleaned password.
+	tc = start(t, false)
+	auth("ok", "mo\u0301x@mox.example", password1)
+	tc.close()
+}
+
+func TestAuthenticateTLSClientCert(t *testing.T) {
+	tc := startArgsMore(t, false, true, true, nil, nil, true, true, "mjl", nil)
+	tc.transactf("no", "authenticate external ") // No TLS auth.
+	tc.close()
+
+	// Create a certificate, register its public key with account, and make a tls
+	// client config that sends the certificate.
+	clientCert0 := fakeCert(t, true)
+	clientConfig := tls.Config{
+		InsecureSkipVerify: true,
+		Certificates:       []tls.Certificate{clientCert0},
+	}
+
+	tlspubkey, err := store.ParseTLSPublicKeyCert(clientCert0.Certificate[0])
+	tcheck(t, err, "parse certificate")
+	tlspubkey.Account = "mjl"
+	tlspubkey.LoginAddress = "mjl@mox.example"
+	tlspubkey.NoIMAPPreauth = true
+
+	addClientCert := func() error {
+		return store.TLSPublicKeyAdd(ctxbg, &tlspubkey)
+	}
+
+	// No preauth, explicit authenticate with TLS.
+	tc = startArgsMore(t, false, true, true, nil, &clientConfig, false, true, "mjl", addClientCert)
+	if tc.client.Preauth {
+		t.Fatalf("preauthentication while not configured for tls public key")
+	}
+	tc.transactf("ok", "authenticate external ")
+	tc.close()
+
+	// External with explicit username.
+	tc = startArgsMore(t, false, true, true, nil, &clientConfig, false, true, "mjl", addClientCert)
+	if tc.client.Preauth {
+		t.Fatalf("preauthentication while not configured for tls public key")
+	}
+	tc.transactf("ok", "authenticate external %s", base64.StdEncoding.EncodeToString([]byte("mjl@mox.example")))
+	tc.close()
+
+	// No preauth, also allow other mechanisms.
+	tc = startArgsMore(t, false, true, true, nil, &clientConfig, false, true, "mjl", addClientCert)
+	tc.transactf("ok", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000mjl@mox.example\u0000"+password0)))
+	tc.close()
+
+	// No preauth, also allow other username for same account.
+	tc = startArgsMore(t, false, true, true, nil, &clientConfig, false, true, "mjl", addClientCert)
+	tc.transactf("ok", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000móx@mox.example\u0000"+password0)))
+	tc.close()
+
+	// No preauth, other mechanism must be for same account.
+	acc, err := store.OpenAccount(pkglog, "other", false)
+	tcheck(t, err, "open account")
+	err = acc.SetPassword(pkglog, "test1234")
+	tcheck(t, err, "set password")
+	err = acc.Close()
+	tcheck(t, err, "close account")
+	tc = startArgsMore(t, false, true, true, nil, &clientConfig, false, true, "mjl", addClientCert)
+	tc.transactf("no", "authenticate plain %s", base64.StdEncoding.EncodeToString([]byte("\u0000other@mox.example\u0000test1234")))
+	tc.close()
+
+	// Starttls and external auth.
+	tc = startArgsMore(t, false, true, false, nil, &clientConfig, false, true, "mjl", addClientCert)
+	tc.client.StartTLS(&clientConfig)
+	tc.transactf("ok", "authenticate external =")
+	tc.close()
+
+	tlspubkey.NoIMAPPreauth = false
+	err = store.TLSPublicKeyUpdate(ctxbg, &tlspubkey)
+	tcheck(t, err, "update tls public key")
+
+	// With preauth, no authenticate command needed/allowed.
+	// Already set up tls session ticket cache, for next test.
+	serverConfig := tls.Config{
+		Certificates: []tls.Certificate{fakeCert(t, false)},
+	}
+	ctx, cancel := context.WithCancel(ctxbg)
+	defer cancel()
+	mox.StartTLSSessionTicketKeyRefresher(ctx, pkglog, &serverConfig)
+	clientConfig.ClientSessionCache = tls.NewLRUClientSessionCache(10)
+	tc = startArgsMore(t, false, true, true, &serverConfig, &clientConfig, false, true, "mjl", addClientCert)
+	if !tc.client.Preauth {
+		t.Fatalf("not preauthentication while configured for tls public key")
+	}
+	cs := tc.conn.(*tls.Conn).ConnectionState()
+	if cs.DidResume {
+		t.Fatalf("tls connection was resumed")
+	}
+	tc.transactf("no", "authenticate external ") // Not allowed, already in authenticated state.
+	tc.close()
+
+	// Authentication works with TLS resumption.
+	tc = startArgsMore(t, false, true, true, &serverConfig, &clientConfig, false, true, "mjl", addClientCert)
+	if !tc.client.Preauth {
+		t.Fatalf("not preauthentication while configured for tls public key")
+	}
+	cs = tc.conn.(*tls.Conn).ConnectionState()
+	if !cs.DidResume {
+		t.Fatalf("tls connection was not resumed")
+	}
+	// Check that operations that require an account work.
+	tc.client.Enable(imapclient.CapIMAP4rev2)
+	received, err := time.Parse(time.RFC3339, "2022-11-16T10:01:00+01:00")
+	tc.check(err, "parse time")
+	tc.client.Append("inbox", makeAppendTime(exampleMsg, received))
+	tc.client.Select("inbox")
+	tc.close()
+
+	// Authentication with unknown key should fail.
+	// todo: less duplication, change startArgs so this can be merged into it.
+	err = store.Close()
+	tcheck(t, err, "store close")
+	os.RemoveAll("../testdata/imap/data")
+	err = store.Init(ctxbg)
+	tcheck(t, err, "store init")
+	mox.ConfigStaticPath = filepath.FromSlash("../testdata/imap/mox.conf")
+	mox.MustLoadConfig(true, false)
+	switchStop := store.Switchboard()
+	defer switchStop()
+
+	serverConn, clientConn := net.Pipe()
+	defer clientConn.Close()
+
+	done := make(chan struct{})
+	defer func() { <-done }()
+	connCounter++
+	cid := connCounter
+	go func() {
+		defer serverConn.Close()
+		serve("test", cid, &serverConfig, serverConn, true, false, false, false, "")
+		close(done)
+	}()
+
+	clientConfig.ClientSessionCache = nil
+	clientConn = tls.Client(clientConn, &clientConfig)
+	// note: It's not enough to do a handshake and check if that was successful. If the
+	// client cert is not acceptable, we only learn after the handshake, when the first
+	// data messages are exchanged.
+	buf := make([]byte, 100)
+	_, err = clientConn.Read(buf)
+	if err == nil {
+		t.Fatalf("tls handshake with unknown client certificate succeeded")
+	}
+	if alert, ok := mox.AsTLSAlert(err); !ok || alert != 42 {
+		t.Fatalf("got err %#v, expected tls 'bad certificate' alert", err)
+	}
 }

imapserver/compress_test.go

@@ -0,0 +1,82 @@
+package imapserver
+
+import (
+	"crypto/tls"
+	"encoding/base64"
+	"io"
+	mathrand "math/rand/v2"
+	"testing"
+	"time"
+)
+
+func TestCompress(t *testing.T) {
+	tc := start(t, false)
+	defer tc.close()
+
+	tc.login("mjl@mox.example", password0)
+
+	tc.transactf("bad", "compress")
+	tc.transactf("bad", "compress bogus ")
+	tc.transactf("no", "compress bogus")
+
+	tc.client.CompressDeflate()
+	tc.transactf("no", "compress deflate") // Cannot have multiple.
+	tc.xcodeWord("COMPRESSIONACTIVE")
+
+	tc.client.Select("inbox")
+	tc.transactf("ok", "append inbox (\\seen) {%d+}\r\n%s", len(exampleMsg), exampleMsg)
+	tc.transactf("ok", "noop")
+	tc.transactf("ok", "fetch 1 body.peek[1]")
+}
+
+func TestCompressStartTLS(t *testing.T) {
+	tc := start(t, false)
+	defer tc.close()
+
+	tc.client.StartTLS(&tls.Config{InsecureSkipVerify: true})
+	tc.login("mjl@mox.example", password0)
+	tc.client.CompressDeflate()
+	tc.client.Select("inbox")
+	tc.transactf("ok", "append inbox (\\seen) {%d+}\r\n%s", len(exampleMsg), exampleMsg)
+	tc.transactf("ok", "noop")
+	tc.transactf("ok", "fetch 1 body.peek[1]")
+}
+
+func TestCompressBreak(t *testing.T) {
+	// Close the client connection when the server is writing. That causes writes in
+	// the server to fail (panic), jumping out of the flate writer and leaving its
+	// state inconsistent. We must not call into the flate writer again because due to
+	// its broken internal state it may cause array out of bounds accesses.
+
+	tc := start(t, false)
+	defer tc.close()
+
+	msg := exampleMsg
+	// Add random data (so it is not compressible). Don't know why, but only
+	// reproducible with large writes. As if setting socket buffers had no effect.
+	buf := make([]byte, 64*1024)
+	_, err := io.ReadFull(mathrand.NewChaCha8([32]byte{}), buf)
+	tcheck(t, err, "read random")
+	text := base64.StdEncoding.EncodeToString(buf)
+	for len(text) > 0 {
+		n := min(76, len(text))
+		msg += text[:n] + "\r\n"
+		text = text[n:]
+	}
+
+	tc.login("mjl@mox.example", password0)
+	tc.client.CompressDeflate()
+	tc.client.Select("inbox")
+	tc.transactf("ok", "append inbox (\\seen) {%d+}\r\n%s", len(msg), msg)
+	tc.transactf("ok", "noop")
+
+	// Write request. Close connection instead of reading data. Write will panic,
+	// coming through flate writer leaving its state inconsistent. Server must not try
+	// to Flush/Write again on flate writer or it may panic.
+	tc.client.Writelinef("x fetch 1 body.peek[1]")
+
+	// Close client connection and prevent cleanup from closing the client again.
+	time.Sleep(time.Second / 10)
+	tc.client = nil
+	tc.conn.Close() // Simulate client disappearing.
+}

imapserver/copy_test.go

@@ -7,17 +7,25 @@ import (
 )
 
 func TestCopy(t *testing.T) {
+	testCopy(t, false)
+}
+
+func TestCopyUIDOnly(t *testing.T) {
+	testCopy(t, true)
+}
+
+func testCopy(t *testing.T, uidonly bool) {
 	defer mockUIDValidity()()
-	tc := start(t)
+	tc := start(t, uidonly)
 	defer tc.close()
 
-	tc2 := startNoSwitchboard(t)
-	defer tc2.close()
+	tc2 := startNoSwitchboard(t, uidonly)
+	defer tc2.closeNoWait()
 
-	tc.client.Login("mjl@mox.example", "testtest")
+	tc.login("mjl@mox.example", password0)
 	tc.client.Select("inbox")
 
-	tc2.client.Login("mjl@mox.example", "testtest")
+	tc2.login("mjl@mox.example", password0)
 	tc2.client.Select("Trash")
 
 	tc.transactf("bad", "copy")          // Missing params.
@@ -25,37 +33,53 @@ func TestCopy(t *testing.T) {
 	tc.transactf("bad", "copy 1 inbox ") // Leftover.
 
 	// Seqs 1,2 and UIDs 3,4.
-	tc.client.Append("inbox", nil, nil, []byte(exampleMsg))
-	tc.client.Append("inbox", nil, nil, []byte(exampleMsg))
-	tc.client.StoreFlagsSet("1:2", true, `\Deleted`)
+	tc.client.Append("inbox", makeAppend(exampleMsg))
+	tc.client.Append("inbox", makeAppend(exampleMsg))
+	tc.transactf("ok", `Uid Store 1:2 +Flags.Silent (\Deleted)`)
 	tc.client.Expunge()
-	tc.client.Append("inbox", nil, nil, []byte(exampleMsg))
-	tc.client.Append("inbox", nil, nil, []byte(exampleMsg))
+	tc.client.Append("inbox", makeAppend(exampleMsg))
+	tc.client.Append("inbox", makeAppend(exampleMsg))
 
-	tc.transactf("no", "copy 1 nonexistent")
-	tc.xcode("TRYCREATE")
+	if uidonly {
+		tc.transactf("ok", "uid copy 3:* Trash")
+	} else {
+		tc.transactf("no", "copy 1 nonexistent")
+		tc.xcodeWord("TRYCREATE")
+		tc.transactf("no", "copy 1 expungebox")
+		tc.xcodeWord("TRYCREATE")
 
-	tc.transactf("no", "copy 1 inbox") // Cannot copy to same mailbox.
+		tc.transactf("no", "copy 1 inbox") // Cannot copy to same mailbox.
 
-	tc2.transactf("ok", "noop") // Drain.
+		tc2.transactf("ok", "noop") // Drain.
 
-	tc.transactf("ok", "copy 1:* Trash")
-	ptr := func(v uint32) *uint32 { return &v }
-	tc.xcodeArg(imapclient.CodeCopyUID{DestUIDValidity: 1, From: []imapclient.NumRange{{First: 3, Last: ptr(4)}}, To: []imapclient.NumRange{{First: 1, Last: ptr(2)}}})
+		tc.transactf("ok", "copy 1:* Trash")
+		tc.xcode(mustParseCode("COPYUID 1 3:4 1:2"))
+	}
 	tc2.transactf("ok", "noop")
 	tc2.xuntagged(
 		imapclient.UntaggedExists(2),
-		imapclient.UntaggedFetch{Seq: 1, Attrs: []imapclient.FetchAttr{imapclient.FetchUID(1), imapclient.FetchFlags(nil)}},
-		imapclient.UntaggedFetch{Seq: 2, Attrs: []imapclient.FetchAttr{imapclient.FetchUID(2), imapclient.FetchFlags(nil)}},
+		tc2.untaggedFetch(1, 1, imapclient.FetchFlags(nil)),
+		tc2.untaggedFetch(2, 2, imapclient.FetchFlags(nil)),
 	)
 
 	tc.transactf("no", "uid copy 1,2 Trash") // No match.
 	tc.transactf("ok", "uid copy 4,3 Trash")
-	tc.xcodeArg(imapclient.CodeCopyUID{DestUIDValidity: 1, From: []imapclient.NumRange{{First: 3, Last: ptr(4)}}, To: []imapclient.NumRange{{First: 3, Last: ptr(4)}}})
+	tc.xcode(mustParseCode("COPYUID 1 3:4 3:4"))
 	tc2.transactf("ok", "noop")
 	tc2.xuntagged(
 		imapclient.UntaggedExists(4),
-		imapclient.UntaggedFetch{Seq: 3, Attrs: []imapclient.FetchAttr{imapclient.FetchUID(3), imapclient.FetchFlags(nil)}},
-		imapclient.UntaggedFetch{Seq: 4, Attrs: []imapclient.FetchAttr{imapclient.FetchUID(4), imapclient.FetchFlags(nil)}},
+		tc2.untaggedFetch(3, 3, imapclient.FetchFlags(nil)),
+		tc2.untaggedFetch(4, 4, imapclient.FetchFlags(nil)),
 	)
+
+	tclimit := startArgs(t, uidonly, false, false, true, true, "limit")
+	defer tclimit.close()
+	tclimit.login("limit@mox.example", password0)
+	tclimit.client.Select("inbox")
+	// First message of 1 byte is within limits.
+	tclimit.transactf("ok", "append inbox (\\Seen Label1 $label2) \" 1-Jan-2022 10:10:00 +0100\" {1+}\r\nx")
+	tclimit.xuntagged(imapclient.UntaggedExists(1))
+	// Second message would take account past limit.
+	tclimit.transactf("no", "uid copy 1:* Trash")
+	tclimit.xcodeWord("OVERQUOTA")
 }

imapserver/create_test.go

@@ -7,24 +7,42 @@ import (
 )
 
 func TestCreate(t *testing.T) {
-	tc := start(t)
+	testCreate(t, false)
+}
+
+func TestCreateUIDOnly(t *testing.T) {
+	testCreate(t, true)
+}
+
+func testCreate(t *testing.T, uidonly bool) {
+	tc := start(t, uidonly)
 	defer tc.close()
 
-	tc2 := startNoSwitchboard(t)
-	defer tc2.close()
+	tc2 := startNoSwitchboard(t, uidonly)
+	defer tc2.closeNoWait()
 
-	tc.client.Login("mjl@mox.example", "testtest")
-	tc2.client.Login("mjl@mox.example", "testtest")
+	tc.login("mjl@mox.example", password0)
+	tc2.login("mjl@mox.example", password0)
 
 	tc.transactf("no", "create inbox") // Already exists and not allowed. ../rfc/9051:1913
 	tc.transactf("no", "create Inbox") // Idem.
 
+	// Don't allow names that can cause trouble when exporting to directories.
+	tc.transactf("no", "create .")
+	tc.transactf("no", "create ..")
+	tc.transactf("no", "create legit/..")
+	tc.transactf("ok", "create ...") // No special meaning.
+
 	// ../rfc/9051:1937
 	tc.transactf("ok", "create inbox/a/c")
 	tc.xuntagged(imapclient.UntaggedList{Flags: []string{`\Subscribed`}, Separator: '/', Mailbox: "Inbox/a"}, imapclient.UntaggedList{Flags: []string{`\Subscribed`}, Separator: '/', Mailbox: "Inbox/a/c"})
 
 	tc2.transactf("ok", "noop")
-	tc2.xuntagged(imapclient.UntaggedList{Flags: []string{`\Subscribed`}, Separator: '/', Mailbox: "Inbox/a"}, imapclient.UntaggedList{Flags: []string{`\Subscribed`}, Separator: '/', Mailbox: "Inbox/a/c"})
+	tc2.xuntagged(
+		imapclient.UntaggedList{Flags: []string{`\Subscribed`}, Separator: '/', Mailbox: "..."},
+		imapclient.UntaggedList{Flags: []string{`\Subscribed`}, Separator: '/', Mailbox: "Inbox/a"},
+		imapclient.UntaggedList{Flags: []string{`\Subscribed`}, Separator: '/', Mailbox: "Inbox/a/c"},
+	)
 
 	tc.transactf("no", "create inbox/a/c") // Exists.
 
@@ -36,10 +54,15 @@ func TestCreate(t *testing.T) {
 
 	// ../rfc/9051:1934
 	tc.transactf("ok", "create mailbox/")
-	tc.xuntagged(imapclient.UntaggedList{Flags: []string{`\Subscribed`}, Separator: '/', Mailbox: "mailbox", OldName: "mailbox/"})
+	tc.xuntagged(imapclient.UntaggedList{Flags: []string{`\Subscribed`}, Separator: '/', Mailbox: "mailbox"})
+
+	// OldName is only set for IMAP4rev2 or NOTIFY.
+	tc.client.Enable(imapclient.CapIMAP4rev2)
+	tc.transactf("ok", "create mailbox2/")
+	tc.xuntagged(imapclient.UntaggedList{Flags: []string{`\Subscribed`}, Separator: '/', Mailbox: "mailbox2", OldName: "mailbox2/"})
 
 	tc2.transactf("ok", "noop")
-	tc2.xuntagged(imapclient.UntaggedList{Flags: []string{`\Subscribed`}, Separator: '/', Mailbox: "mailbox"})
+	tc2.xuntagged(imapclient.UntaggedList{Flags: []string{`\Subscribed`}, Separator: '/', Mailbox: "mailbox"}, imapclient.UntaggedList{Flags: []string{`\Subscribed`}, Separator: '/', Mailbox: "mailbox2"})
 
 	// If we are already subscribed, create should still work, and we still want to see the subscribed flag.
 	tc.transactf("ok", "subscribe newbox")
@@ -62,8 +85,24 @@ func TestCreate(t *testing.T) {
 	tc.transactf("bad", `create "\x9f"`)
 	tc.transactf("bad", `create "\u2028"`)
 	tc.transactf("bad", `create "\u2029"`)
-	tc.transactf("no", `create "%%"`)
-	tc.transactf("no", `create "*"`)
-	tc.transactf("no", `create "#"`)
-	tc.transactf("no", `create "&"`)
+	tc.transactf("ok", `create "%%"`)
+	tc.transactf("ok", `create "*"`)
+	tc.transactf("no", `create "#"`) // Leading hash not allowed.
+	tc.transactf("ok", `create "test#"`)
+
+	// Create with flags.
+	tc.transactf("no", `create "newwithflags" (use (\unknown))`)
+	tc.transactf("no", `create "newwithflags" (use (\all))`)
+	tc.transactf("ok", `create "newwithflags" (use (\archive))`)
+	tc.transactf("ok", "noop")
+	tc.xuntagged()
+	tc.transactf("ok", `create "newwithflags2" (use (\archive) use (\drafts \sent))`)
+
+	// UTF-7 checks are only for IMAP4 before rev2 and without UTF8=ACCEPT.
+	tc.transactf("ok", `create "&"`)      // Interpreted as UTF-8, no UTF-7.
+	tc2.transactf("bad", `create "&"`)    // Bad UTF-7.
+	tc2.transactf("ok", `create "&Jjo-"`) // ☺, valid UTF-7.
+
+	tc.transactf("ok", "create expungebox") // Existed in past.
+	tc.transactf("ok", "delete expungebox") // Gone again.
 }

imapserver/delete_test.go

@@ -7,36 +7,45 @@ import (
 )
 
 func TestDelete(t *testing.T) {
-	tc := start(t)
+	testDelete(t, false)
+}
+
+func TestDeleteUIDOnly(t *testing.T) {
+	testDelete(t, false)
+}
+
+func testDelete(t *testing.T, uidonly bool) {
+	tc := start(t, uidonly)
 	defer tc.close()
 
-	tc2 := startNoSwitchboard(t)
-	defer tc2.close()
+	tc2 := startNoSwitchboard(t, uidonly)
+	defer tc2.closeNoWait()
 
-	tc3 := startNoSwitchboard(t)
-	defer tc3.close()
+	tc3 := startNoSwitchboard(t, uidonly)
+	defer tc3.closeNoWait()
 
-	tc.client.Login("mjl@mox.example", "testtest")
-	tc2.client.Login("mjl@mox.example", "testtest")
-	tc3.client.Login("mjl@mox.example", "testtest")
+	tc.login("mjl@mox.example", password0)
+	tc2.login("mjl@mox.example", password0)
+	tc3.login("mjl@mox.example", password0)
 
 	tc.transactf("bad", "delete")              // Missing mailbox.
 	tc.transactf("no", "delete inbox")         // Cannot delete inbox.
 	tc.transactf("no", "delete nonexistent")   // Cannot delete mailbox that does not exist.
 	tc.transactf("no", `delete "nonexistent"`) // Again, with quoted string syntax.
+	tc.transactf("no", `delete "expungebox"`)  // Already removed.
 
 	tc.client.Subscribe("x")
 	tc.transactf("no", "delete x") // Subscription does not mean there is a mailbox that can be deleted.
 
-	tc.client.Create("a/b")
+	tc.client.Create("a/b", nil)
 	tc2.transactf("ok", "noop") // Drain changes.
 	tc3.transactf("ok", "noop")
 
 	// ../rfc/9051:2000
 	tc.transactf("no", "delete a") // Still has child.
-	tc.xcode("HASCHILDREN")
+	tc.xcodeWord("HASCHILDREN")
 
-	tc3.client.Enable("IMAP4rev2") // For \NonExistent support.
+	tc3.client.Enable(imapclient.CapIMAP4rev2) // For \NonExistent support.
 	tc.transactf("ok", "delete a/b")
 	tc2.transactf("ok", "noop")
 	tc2.xuntagged() // No IMAP4rev2, no \NonExistent.
@@ -53,12 +62,12 @@ func TestDelete(t *testing.T) {
 	)
 
 	// Let's try again with a message present.
-	tc.client.Create("msgs")
-	tc.client.Append("msgs", nil, nil, []byte(exampleMsg))
+	tc.client.Create("msgs", nil)
+	tc.client.Append("msgs", makeAppend(exampleMsg))
 	tc.transactf("ok", "delete msgs")
 
 	// Delete for inbox/* is allowed.
-	tc.client.Create("inbox/a")
+	tc.client.Create("inbox/a", nil)
 	tc.transactf("ok", "delete inbox/a")
 
 }

imapserver/error.go

@@ -57,3 +57,9 @@ func xsyntaxErrorf(format string, args ...any) {
 	err := errors.New(errmsg)
 	panic(syntaxError{"", "", errmsg, err})
 }
+
+func xsyntaxCodeErrorf(code, format string, args ...any) {
+	errmsg := fmt.Sprintf(format, args...)
+	err := errors.New(errmsg)
+	panic(syntaxError{"", code, errmsg, err})
+}

imapserver/expunge_test.go

@@ -7,17 +7,25 @@ import (
 )
 
 func TestExpunge(t *testing.T) {
+	testExpunge(t, false)
+}
+
+func TestExpungeUIDOnly(t *testing.T) {
+	testExpunge(t, true)
+}
+
+func testExpunge(t *testing.T, uidonly bool) {
 	defer mockUIDValidity()()
-	tc := start(t)
+	tc := start(t, uidonly)
 	defer tc.close()
 
-	tc2 := startNoSwitchboard(t)
-	defer tc2.close()
+	tc2 := startNoSwitchboard(t, uidonly)
+	defer tc2.closeNoWait()
 
-	tc.client.Login("mjl@mox.example", "testtest")
+	tc.login("mjl@mox.example", password0)
 	tc.client.Select("inbox")
 
-	tc2.client.Login("mjl@mox.example", "testtest")
+	tc2.login("mjl@mox.example", password0)
 	tc2.client.Select("inbox")
 
 	tc.transactf("bad", "expunge leftover") // Leftover data.
@@ -31,35 +39,43 @@ func TestExpunge(t *testing.T) {
 
 	tc.client.Unselect()
 	tc.client.Select("inbox")
-	tc.client.Append("inbox", nil, nil, []byte(exampleMsg))
-	tc.client.Append("inbox", nil, nil, []byte(exampleMsg))
-	tc.client.Append("inbox", nil, nil, []byte(exampleMsg))
+	tc.client.Append("inbox", makeAppend(exampleMsg))
+	tc.client.Append("inbox", makeAppend(exampleMsg))
+	tc.client.Append("inbox", makeAppend(exampleMsg))
 	tc.transactf("ok", "expunge") // Still nothing to remove.
 	tc.xuntagged()
 
-	tc.client.StoreFlagsAdd("1,3", true, `\Deleted`)
+	tc.transactf("ok", `uid store 1,3 +flags.silent \Deleted`)
 
 	tc2.transactf("ok", "noop") // Drain.
 
 	tc.transactf("ok", "expunge")
-	tc.xuntagged(imapclient.UntaggedExpunge(1), imapclient.UntaggedExpunge(2))
+	if uidonly {
+		tc.xuntagged(imapclient.UntaggedVanished{UIDs: xparseNumSet("1,3")})
+	} else {
+		tc.xuntagged(imapclient.UntaggedExpunge(1), imapclient.UntaggedExpunge(2))
+	}
 
 	tc2.transactf("ok", "noop") // Drain.
-	tc2.xuntagged(imapclient.UntaggedExpunge(1), imapclient.UntaggedExpunge(2))
+	if uidonly {
+		tc2.xuntagged(imapclient.UntaggedVanished{UIDs: xparseNumSet("1,3")})
+	} else {
+		tc2.xuntagged(imapclient.UntaggedExpunge(1), imapclient.UntaggedExpunge(2))
+	}
 
 	tc.transactf("ok", "expunge") // Nothing to remove anymore.
 	tc.xuntagged()
 
 	// Only UID 2 is still left. We'll add 3 more. Getting us to UIDs 2,4,5,6.
-	tc.client.Append("inbox", nil, nil, []byte(exampleMsg))
-	tc.client.Append("inbox", nil, nil, []byte(exampleMsg))
-	tc.client.Append("inbox", nil, nil, []byte(exampleMsg))
+	tc.client.Append("inbox", makeAppend(exampleMsg))
+	tc.client.Append("inbox", makeAppend(exampleMsg))
+	tc.client.Append("inbox", makeAppend(exampleMsg))
 
 	tc.transactf("bad", "uid expunge")            // Missing uid set.
 	tc.transactf("bad", "uid expunge 1 leftover") // Leftover data.
 	tc.transactf("bad", "uid expunge 1 leftover") // Leftover data.
 
-	tc.client.StoreFlagsAdd("1,2,4", true, `\Deleted`) // Marks UID 2,4,6 as deleted.
+	tc.transactf("ok", `uid store 2,4,6 +flags.silent \Deleted`)
 
 	tc.transactf("ok", "uid expunge 1")
 	tc.xuntagged() // No match.
@@ -67,8 +83,16 @@ func TestExpunge(t *testing.T) {
 	tc2.transactf("ok", "noop") // Drain.
 
 	tc.transactf("ok", "uid expunge 4:6") // Removes UID 4,6 at seqs 2,4.
-	tc.xuntagged(imapclient.UntaggedExpunge(2), imapclient.UntaggedExpunge(3))
+	if uidonly {
+		tc.xuntagged(imapclient.UntaggedVanished{UIDs: xparseNumSet("4,6")})
+	} else {
+		tc.xuntagged(imapclient.UntaggedExpunge(2), imapclient.UntaggedExpunge(3))
+	}
 
 	tc2.transactf("ok", "noop")
-	tc.xuntagged(imapclient.UntaggedExpunge(2), imapclient.UntaggedExpunge(3))
+	if uidonly {
+		tc2.xuntagged(imapclient.UntaggedVanished{UIDs: xparseNumSet("4,6")})
+	} else {
+		tc2.xuntagged(imapclient.UntaggedExpunge(2), imapclient.UntaggedExpunge(3))
+	}
 }