mirror of
https://github.com/mjl-/mox.git
synced 2025-06-27 23:08:14 +03:00
2d3d726f05
to facilitate migrations from/to other mail setups. a domain can be added in "disabled" mode (or can be disabled/enabled later on). you can configure a disabled domain, but incoming/outgoing messages involving the domain are rejected with temporary error codes (as this may occur during a migration, remote servers will try again, hopefully to the correct machine or after this machine has been configured correctly). also, no acme tls certs will be requested for disabled domains (the autoconfig/mta-sts dns records may still point to the current/previous machine). accounts with addresses at disabled domains can still login, unless logins are disabled for their accounts. an account now has an option to disable logins. you can specify an error message to show. this will be shown in smtp, imap and the web interfaces. it could contain a message about migrations, and possibly a URL to a page with information about how to migrate. incoming/outgoing email involving accounts with login disabled are still accepted/delivered as normal (unless the domain involved in the messages is disabled too). account operations by the admin, such as importing/exporting messages still works. in the admin web interface, listings of domains/accounts show if they are disabled. domains & accounts can be enabled/disabled through the config file, cli commands and admin web interface. for issue #175 by RobSlgm
70 lines
2.0 KiB
Go
70 lines
2.0 KiB
Go
package mox
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"fmt"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/mjl-/mox/config"
|
|
"github.com/mjl-/mox/dkim"
|
|
"github.com/mjl-/mox/dns"
|
|
"github.com/mjl-/mox/mlog"
|
|
"github.com/mjl-/mox/smtp"
|
|
)
|
|
|
|
// DKIMSelectors returns the selectors to use for signing.
|
|
func DKIMSelectors(dkimConf config.DKIM) []dkim.Selector {
|
|
var l []dkim.Selector
|
|
for _, sign := range dkimConf.Sign {
|
|
sel := dkimConf.Selectors[sign]
|
|
s := dkim.Selector{
|
|
Hash: sel.HashEffective,
|
|
HeaderRelaxed: sel.Canonicalization.HeaderRelaxed,
|
|
BodyRelaxed: sel.Canonicalization.BodyRelaxed,
|
|
Headers: sel.HeadersEffective,
|
|
SealHeaders: !sel.DontSealHeaders,
|
|
Expiration: time.Duration(sel.ExpirationSeconds) * time.Second,
|
|
PrivateKey: sel.Key,
|
|
Domain: sel.Domain,
|
|
}
|
|
l = append(l, s)
|
|
}
|
|
return l
|
|
}
|
|
|
|
// DKIMSign looks up the domain for "from", and uses its DKIM configuration to
|
|
// generate DKIM-Signature headers, for inclusion in a message. The
|
|
// DKIM-Signatur headers, are returned. If no domain was found an empty string and
|
|
// nil error is returned.
|
|
func DKIMSign(ctx context.Context, log mlog.Log, from smtp.Path, smtputf8 bool, data []byte) (string, error) {
|
|
// Add DKIM signature for domain, even if higher up than the full mail hostname.
|
|
// This helps with an assumed (because default) relaxed DKIM policy. If the DMARC
|
|
// policy happens to be strict, the signature won't help, but won't hurt either.
|
|
fd := from.IPDomain.Domain
|
|
var zerodom dns.Domain
|
|
for fd != zerodom {
|
|
confDom, ok := Conf.Domain(fd)
|
|
if !ok {
|
|
var nfd dns.Domain
|
|
_, nfd.ASCII, _ = strings.Cut(fd.ASCII, ".")
|
|
_, nfd.Unicode, _ = strings.Cut(fd.Unicode, ".")
|
|
fd = nfd
|
|
continue
|
|
}
|
|
|
|
if confDom.Disabled {
|
|
return "", ErrDomainDisabled
|
|
}
|
|
|
|
selectors := DKIMSelectors(confDom.DKIM)
|
|
dkimHeaders, err := dkim.Sign(ctx, log.Logger, from.Localpart, fd, selectors, smtputf8, bytes.NewReader(data))
|
|
if err != nil {
|
|
return "", fmt.Errorf("dkim sign for domain %s: %v", fd, err)
|
|
}
|
|
return dkimHeaders, nil
|
|
}
|
|
return "", nil
|
|
}
|