10 cryptorand "crypto/rand"
33 "golang.org/x/text/unicode/norm"
35 "github.com/mjl-/autocert"
37 "github.com/mjl-/sconf"
39 "github.com/mjl-/mox/autotls"
40 "github.com/mjl-/mox/config"
41 "github.com/mjl-/mox/dkim"
42 "github.com/mjl-/mox/dns"
43 "github.com/mjl-/mox/message"
44 "github.com/mjl-/mox/mlog"
45 "github.com/mjl-/mox/moxio"
46 "github.com/mjl-/mox/mtasts"
47 "github.com/mjl-/mox/smtp"
50var pkglog = mlog.New("mox", nil)
52// Pedantic enables stricter parsing.
55// Config paths are set early in program startup. They will point to files in
58 ConfigStaticPath string
59 ConfigDynamicPath string
60 Conf = Config{Log: map[string]slog.Level{"": slog.LevelError}}
63var ErrConfig = errors.New("config error")
65// Set by packages webadmin, webaccount, webmail, webapisrv to prevent cyclic dependencies.
66var NewWebadminHandler = func(basePath string, isForwarded bool) http.Handler { return nopHandler }
67var NewWebaccountHandler = func(basePath string, isForwarded bool) http.Handler { return nopHandler }
68var NewWebmailHandler = func(maxMsgSize int64, basePath string, isForwarded bool, accountPath string) http.Handler {
71var NewWebapiHandler = func(maxMsgSize int64, basePath string, isForwarded bool) http.Handler { return nopHandler }
73var nopHandler = http.HandlerFunc(nil)
75// Config as used in the code, a processed version of what is in the config file.
77// Use methods to lookup a domain/account/address in the dynamic configuration.
79 Static config.Static // Does not change during the lifetime of a running instance.
81 logMutex sync.Mutex // For accessing the log levels.
82 Log map[string]slog.Level
84 dynamicMutex sync.Mutex
85 Dynamic config.Dynamic // Can only be accessed directly by tests. Use methods on Config for locked access.
86 dynamicMtime time.Time
87 DynamicLastCheck time.Time // For use by quickstart only to skip checks.
89 // From canonical full address (localpart@domain, lower-cased when
90 // case-insensitive, stripped of catchall separator) to account and address.
91 // Domains are IDNA names in utf8. Dynamic config lock must be held when accessing.
92 AccountDestinationsLocked map[string]AccountDestination
94 // Like AccountDestinationsLocked, but for aliases.
95 aliases map[string]config.Alias
98type AccountDestination struct {
99 Catchall bool // If catchall destination for its domain.
100 Localpart smtp.Localpart // In original casing as written in config file.
102 Destination config.Destination
105// LogLevelSet sets a new log level for pkg. An empty pkg sets the default log
106// value that is used if no explicit log level is configured for a package.
107// This change is ephemeral, no config file is changed.
108func (c *Config) LogLevelSet(log mlog.Log, pkg string, level slog.Level) {
110 defer c.logMutex.Unlock()
111 l := c.copyLogLevels()
114 log.Print("log level changed", slog.String("pkg", pkg), slog.Any("level", mlog.LevelStrings[level]))
115 mlog.SetConfig(c.Log)
118// LogLevelRemove removes a configured log level for a package.
119func (c *Config) LogLevelRemove(log mlog.Log, pkg string) {
121 defer c.logMutex.Unlock()
122 l := c.copyLogLevels()
125 log.Print("log level cleared", slog.String("pkg", pkg))
126 mlog.SetConfig(c.Log)
129// copyLogLevels returns a copy of c.Log, for modifications.
130// must be called with log lock held.
131func (c *Config) copyLogLevels() map[string]slog.Level {
132 m := map[string]slog.Level{}
133 for pkg, level := range c.Log {
139// LogLevels returns a copy of the current log levels.
140func (c *Config) LogLevels() map[string]slog.Level {
142 defer c.logMutex.Unlock()
143 return c.copyLogLevels()
146// DynamicLockUnlock locks the dynamic config, will try updating the latest state
147// from disk, and return an unlock function. Should be called as "defer
148// Conf.DynamicLockUnlock()()".
149func (c *Config) DynamicLockUnlock() func() {
150 c.dynamicMutex.Lock()
152 if now.Sub(c.DynamicLastCheck) > time.Second {
153 c.DynamicLastCheck = now
154 if fi, err := os.Stat(ConfigDynamicPath); err != nil {
155 pkglog.Errorx("stat domains config", err)
156 } else if !fi.ModTime().Equal(c.dynamicMtime) {
157 if errs := c.loadDynamic(); len(errs) > 0 {
158 pkglog.Errorx("loading domains config", errs[0], slog.Any("errors", errs))
160 pkglog.Info("domains config reloaded")
161 c.dynamicMtime = fi.ModTime()
165 return c.dynamicMutex.Unlock
168func (c *Config) withDynamicLock(fn func()) {
169 defer c.DynamicLockUnlock()()
173// must be called with dynamic lock held.
174func (c *Config) loadDynamic() []error {
175 d, mtime, accDests, aliases, err := ParseDynamicConfig(context.Background(), pkglog, ConfigDynamicPath, c.Static)
180 c.dynamicMtime = mtime
181 c.AccountDestinationsLocked = accDests
183 c.allowACMEHosts(pkglog, true)
187// DynamicConfig returns a shallow copy of the dynamic config. Must not be modified.
188func (c *Config) DynamicConfig() (config config.Dynamic) {
189 c.withDynamicLock(func() {
190 config = c.Dynamic // Shallow copy.
195func (c *Config) Domains() (l []string) {
196 c.withDynamicLock(func() {
197 for name := range c.Dynamic.Domains {
205func (c *Config) Accounts() (l []string) {
206 c.withDynamicLock(func() {
207 for name := range c.Dynamic.Accounts {
214func (c *Config) AccountsDisabled() (all, disabled []string) {
215 c.withDynamicLock(func() {
216 for name, conf := range c.Dynamic.Accounts {
217 all = append(all, name)
218 if conf.LoginDisabled != "" {
219 disabled = append(disabled, name)
226// DomainLocalparts returns a mapping of encoded localparts to account names for a
227// domain, and encoded localparts to aliases. An empty localpart is a catchall
228// destination for a domain.
229func (c *Config) DomainLocalparts(d dns.Domain) (map[string]string, map[string]config.Alias) {
230 suffix := "@" + d.Name()
231 m := map[string]string{}
232 aliases := map[string]config.Alias{}
233 c.withDynamicLock(func() {
234 for addr, ad := range c.AccountDestinationsLocked {
235 if strings.HasSuffix(addr, suffix) {
239 m[ad.Localpart.String()] = ad.Account
243 for addr, a := range c.aliases {
244 if strings.HasSuffix(addr, suffix) {
245 aliases[a.LocalpartStr] = a
252func (c *Config) Domain(d dns.Domain) (dom config.Domain, ok bool) {
253 c.withDynamicLock(func() {
254 dom, ok = c.Dynamic.Domains[d.Name()]
259func (c *Config) DomainConfigs() (doms []config.Domain) {
260 c.withDynamicLock(func() {
261 doms = make([]config.Domain, 0, len(c.Dynamic.Domains))
262 for _, d := range c.Dynamic.Domains {
263 doms = append(doms, d)
269func (c *Config) Account(name string) (acc config.Account, ok bool) {
270 c.withDynamicLock(func() {
271 acc, ok = c.Dynamic.Accounts[name]
276func (c *Config) AccountDestination(addr string) (accDest AccountDestination, alias *config.Alias, ok bool) {
277 c.withDynamicLock(func() {
278 accDest, ok = c.AccountDestinationsLocked[addr]
281 a, ok = c.aliases[addr]
290func (c *Config) Routes(accountName string, domain dns.Domain) (accountRoutes, domainRoutes, globalRoutes []config.Route) {
291 c.withDynamicLock(func() {
292 acc := c.Dynamic.Accounts[accountName]
293 accountRoutes = acc.Routes
295 dom := c.Dynamic.Domains[domain.Name()]
296 domainRoutes = dom.Routes
298 globalRoutes = c.Dynamic.Routes
303func (c *Config) IsClientSettingsDomain(d dns.Domain) (is bool) {
304 c.withDynamicLock(func() {
305 _, is = c.Dynamic.ClientSettingDomains[d]
310func (c *Config) allowACMEHosts(log mlog.Log, checkACMEHosts bool) {
311 for _, l := range c.Static.Listeners {
312 if l.TLS == nil || l.TLS.ACME == "" {
316 m := c.Static.ACME[l.TLS.ACME].Manager
317 hostnames := map[dns.Domain]struct{}{}
319 hostnames[c.Static.HostnameDomain] = struct{}{}
320 if l.HostnameDomain.ASCII != "" {
321 hostnames[l.HostnameDomain] = struct{}{}
324 for _, dom := range c.Dynamic.Domains {
325 // Do not allow TLS certificates for domains for which we only accept DMARC/TLS
326 // reports as external party.
331 // Do not fetch TLS certs for disabled domains. The A/AAAA records may not be
332 // configured or still point to a previous machine before a migration.
337 if l.AutoconfigHTTPS.Enabled && !l.AutoconfigHTTPS.NonTLS {
338 if d, err := dns.ParseDomain("autoconfig." + dom.Domain.ASCII); err != nil {
339 log.Errorx("parsing autoconfig domain", err, slog.Any("domain", dom.Domain))
341 hostnames[d] = struct{}{}
345 if l.MTASTSHTTPS.Enabled && dom.MTASTS != nil && !l.MTASTSHTTPS.NonTLS {
346 d, err := dns.ParseDomain("mta-sts." + dom.Domain.ASCII)
348 log.Errorx("parsing mta-sts domain", err, slog.Any("domain", dom.Domain))
350 hostnames[d] = struct{}{}
354 if dom.ClientSettingsDomain != "" {
355 hostnames[dom.ClientSettingsDNSDomain] = struct{}{}
359 if l.WebserverHTTPS.Enabled {
360 for from := range c.Dynamic.WebDNSDomainRedirects {
361 hostnames[from] = struct{}{}
363 for _, wh := range c.Dynamic.WebHandlers {
364 hostnames[wh.DNSDomain] = struct{}{}
368 public := c.Static.Listeners["public"]
370 if len(public.NATIPs) > 0 {
376 m.SetAllowedHostnames(log, dns.StrictResolver{Pkg: "autotls", Log: log.Logger}, hostnames, ips, checkACMEHosts)
380// todo future: write config parsing & writing code that can read a config and remembers the exact tokens including newlines and comments, and can write back a modified file. the goal is to be able to write a config file automatically (after changing fields through the ui), but not loose comments and whitespace, to still get useful diffs for storing the config in a version control system.
382// WriteDynamicLocked prepares an updated internal state for the new dynamic
383// config, then writes it to disk and activates it.
385// Returns ErrConfig if the configuration is not valid.
387// Must be called with config lock held.
388func WriteDynamicLocked(ctx context.Context, log mlog.Log, c config.Dynamic) error {
389 accDests, aliases, errs := prepareDynamicConfig(ctx, log, ConfigDynamicPath, Conf.Static, &c)
391 errstrs := make([]string, len(errs))
392 for i, err := range errs {
393 errstrs[i] = err.Error()
395 return fmt.Errorf("%w: %s", ErrConfig, strings.Join(errstrs, "; "))
399 err := sconf.Write(&b, c)
403 f, err := os.OpenFile(ConfigDynamicPath, os.O_WRONLY, 0660)
410 log.Check(err, "closing file after error")
414 if _, err := f.Write(buf); err != nil {
415 return fmt.Errorf("write domains.conf: %v", err)
417 if err := f.Truncate(int64(len(buf))); err != nil {
418 return fmt.Errorf("truncate domains.conf after write: %v", err)
420 if err := f.Sync(); err != nil {
421 return fmt.Errorf("sync domains.conf after write: %v", err)
423 if err := moxio.SyncDir(log, filepath.Dir(ConfigDynamicPath)); err != nil {
424 return fmt.Errorf("sync dir of domains.conf after write: %v", err)
429 return fmt.Errorf("stat after writing domains.conf: %v", err)
432 if err := f.Close(); err != nil {
433 return fmt.Errorf("close written domains.conf: %v", err)
437 Conf.dynamicMtime = fi.ModTime()
438 Conf.DynamicLastCheck = time.Now()
440 Conf.AccountDestinationsLocked = accDests
441 Conf.aliases = aliases
443 Conf.allowACMEHosts(log, true)
448// MustLoadConfig loads the config, quitting on errors.
449func MustLoadConfig(doLoadTLSKeyCerts, checkACMEHosts bool) {
450 errs := LoadConfig(context.Background(), pkglog, doLoadTLSKeyCerts, checkACMEHosts)
452 pkglog.Error("loading config file: multiple errors")
453 for _, err := range errs {
454 pkglog.Errorx("config error", err)
456 pkglog.Fatal("stopping after multiple config errors")
457 } else if len(errs) == 1 {
458 pkglog.Fatalx("loading config file", errs[0])
462// LoadConfig attempts to parse and load a config, returning any errors
464func LoadConfig(ctx context.Context, log mlog.Log, doLoadTLSKeyCerts, checkACMEHosts bool) []error {
465 Shutdown, ShutdownCancel = context.WithCancel(context.Background())
466 Context, ContextCancel = context.WithCancel(context.Background())
468 c, errs := ParseConfig(ctx, log, ConfigStaticPath, false, doLoadTLSKeyCerts, checkACMEHosts)
473 mlog.SetConfig(c.Log)
478// SetConfig sets a new config. Not to be used during normal operation.
479func SetConfig(c *Config) {
480 // Cannot just assign *c to Conf, it would copy the mutex.
481 Conf = Config{c.Static, sync.Mutex{}, c.Log, sync.Mutex{}, c.Dynamic, c.dynamicMtime, c.DynamicLastCheck, c.AccountDestinationsLocked, c.aliases}
483 // If we have non-standard CA roots, use them for all HTTPS requests.
484 if Conf.Static.TLS.CertPool != nil {
485 http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{
486 RootCAs: Conf.Static.TLS.CertPool,
490 SetPedantic(c.Static.Pedantic)
493// Set pedantic in all packages.
494func SetPedantic(p bool) {
502// ParseConfig parses the static config at path p. If checkOnly is true, no changes
503// are made, such as registering ACME identities. If doLoadTLSKeyCerts is true,
504// the TLS KeyCerts configuration is loaded and checked. This is used during the
505// quickstart in the case the user is going to provide their own certificates.
506// If checkACMEHosts is true, the hosts allowed for acme are compared with the
507// explicitly configured ips we are listening on.
508func ParseConfig(ctx context.Context, log mlog.Log, p string, checkOnly, doLoadTLSKeyCerts, checkACMEHosts bool) (c *Config, errs []error) {
510 Static: config.Static{
517 if os.IsNotExist(err) && os.Getenv("MOXCONF") == "" {
518 return nil, []error{fmt.Errorf("open config file: %v (hint: use mox -config ... or set MOXCONF=...)", err)}
520 return nil, []error{fmt.Errorf("open config file: %v", err)}
523 if err := sconf.Parse(f, &c.Static); err != nil {
524 return nil, []error{fmt.Errorf("parsing %s%v", p, err)}
527 if xerrs := PrepareStaticConfig(ctx, log, p, c, checkOnly, doLoadTLSKeyCerts); len(xerrs) > 0 {
531 pp := filepath.Join(filepath.Dir(p), "domains.conf")
532 c.Dynamic, c.dynamicMtime, c.AccountDestinationsLocked, c.aliases, errs = ParseDynamicConfig(ctx, log, pp, c.Static)
535 c.allowACMEHosts(log, checkACMEHosts)
541// PrepareStaticConfig parses the static config file and prepares data structures
542// for starting mox. If checkOnly is set no substantial changes are made, like
543// creating an ACME registration.
544func PrepareStaticConfig(ctx context.Context, log mlog.Log, configFile string, conf *Config, checkOnly, doLoadTLSKeyCerts bool) (errs []error) {
545 addErrorf := func(format string, args ...any) {
546 errs = append(errs, fmt.Errorf(format, args...))
551 // check that mailbox is in unicode NFC normalized form.
552 checkMailboxNormf := func(mailbox string, format string, args ...any) {
553 s := norm.NFC.String(mailbox)
555 msg := fmt.Sprintf(format, args...)
556 addErrorf("%s: mailbox %q is not in NFC normalized form, should be %q", msg, mailbox, s)
560 // Post-process logging config.
561 if logLevel, ok := mlog.Levels[c.LogLevel]; ok {
562 conf.Log = map[string]slog.Level{"": logLevel}
564 addErrorf("invalid log level %q", c.LogLevel)
566 for pkg, s := range c.PackageLogLevels {
567 if logLevel, ok := mlog.Levels[s]; ok {
568 conf.Log[pkg] = logLevel
570 addErrorf("invalid package log level %q", s)
577 u, err := user.Lookup(c.User)
579 uid, err := strconv.ParseUint(c.User, 10, 32)
581 addErrorf("parsing unknown user %s as uid: %v (hint: add user mox with \"useradd -d $PWD mox\" or specify a different username on the quickstart command-line)", c.User, err)
583 // We assume the same gid as uid.
588 if uid, err := strconv.ParseUint(u.Uid, 10, 32); err != nil {
589 addErrorf("parsing uid %s: %v", u.Uid, err)
593 if gid, err := strconv.ParseUint(u.Gid, 10, 32); err != nil {
594 addErrorf("parsing gid %s: %v", u.Gid, err)
600 hostname, err := dns.ParseDomain(c.Hostname)
602 addErrorf("parsing hostname: %s", err)
603 } else if hostname.Name() != c.Hostname {
604 addErrorf("hostname must be in unicode form %q instead of %q", hostname.Name(), c.Hostname)
606 c.HostnameDomain = hostname
608 if c.HostTLSRPT.Account != "" {
609 tlsrptLocalpart, err := smtp.ParseLocalpart(c.HostTLSRPT.Localpart)
611 addErrorf("invalid localpart %q for host tlsrpt: %v", c.HostTLSRPT.Localpart, err)
612 } else if tlsrptLocalpart.IsInternational() {
613 // Does not appear documented in
../rfc/8460, but similar to DMARC it makes sense
614 // to keep this ascii-only addresses.
615 addErrorf("host TLSRPT localpart %q is an internationalized address, only conventional ascii-only address allowed for interopability", tlsrptLocalpart)
617 c.HostTLSRPT.ParsedLocalpart = tlsrptLocalpart
620 // Return private key for host name for use with an ACME. Used to return the same
621 // private key as pre-generated for use with DANE, with its public key in DNS.
622 // We only use this key for Listener's that have this ACME configured, and for
623 // which the effective listener host name (either specific to the listener, or the
624 // global name) is requested. Other host names can get a fresh private key, they
625 // don't appear in DANE records.
627 // - run 0: only use listener with explicitly matching host name in listener
628 // (default quickstart config does not set it).
629 // - run 1: only look at public listener (and host matching mox host name)
630 // - run 2: all listeners (and host matching mox host name)
631 findACMEHostPrivateKey := func(acmeName, host string, keyType autocert.KeyType, run int) crypto.Signer {
632 for listenerName, l := range Conf.Static.Listeners {
633 if l.TLS == nil || l.TLS.ACME != acmeName {
636 if run == 0 && host != l.HostnameDomain.ASCII {
639 if run == 1 && listenerName != "public" || host != Conf.Static.HostnameDomain.ASCII {
643 case autocert.KeyRSA2048:
644 if len(l.TLS.HostPrivateRSA2048Keys) == 0 {
647 return l.TLS.HostPrivateRSA2048Keys[0]
648 case autocert.KeyECDSAP256:
649 if len(l.TLS.HostPrivateECDSAP256Keys) == 0 {
652 return l.TLS.HostPrivateECDSAP256Keys[0]
659 // Make a function for an autocert.Manager.GetPrivateKey, using findACMEHostPrivateKey.
660 makeGetPrivateKey := func(acmeName string) func(host string, keyType autocert.KeyType) (crypto.Signer, error) {
661 return func(host string, keyType autocert.KeyType) (crypto.Signer, error) {
662 key := findACMEHostPrivateKey(acmeName, host, keyType, 0)
664 key = findACMEHostPrivateKey(acmeName, host, keyType, 1)
667 key = findACMEHostPrivateKey(acmeName, host, keyType, 2)
670 log.Debug("found existing private key for certificate for host",
671 slog.String("acmename", acmeName),
672 slog.String("host", host),
673 slog.Any("keytype", keyType))
676 log.Debug("generating new private key for certificate for host",
677 slog.String("acmename", acmeName),
678 slog.String("host", host),
679 slog.Any("keytype", keyType))
681 case autocert.KeyRSA2048:
682 return rsa.GenerateKey(cryptorand.Reader, 2048)
683 case autocert.KeyECDSAP256:
684 return ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
686 return nil, fmt.Errorf("unrecognized requested key type %v", keyType)
690 for name, acme := range c.ACME {
691 addAcmeErrorf := func(format string, args ...any) {
692 addErrorf("acme provider %s: %s", name, fmt.Sprintf(format, args...))
697 if acme.ExternalAccountBinding != nil {
698 eabKeyID = acme.ExternalAccountBinding.KeyID
699 p := configDirPath(configFile, acme.ExternalAccountBinding.KeyFile)
700 buf, err := os.ReadFile(p)
702 addAcmeErrorf("reading external account binding key: %s", err)
704 dec := make([]byte, base64.RawURLEncoding.DecodedLen(len(buf)))
705 n, err := base64.RawURLEncoding.Decode(dec, buf)
707 addAcmeErrorf("parsing external account binding key as base64: %s", err)
718 acmeDir := dataDirPath(configFile, c.DataDir, "acme")
719 os.MkdirAll(acmeDir, 0770)
720 manager, err := autotls.Load(log, name, acmeDir, acme.ContactEmail, acme.DirectoryURL, eabKeyID, eabKey, makeGetPrivateKey(name), Shutdown.Done())
722 addAcmeErrorf("loading ACME identity: %s", err)
724 acme.Manager = manager
726 // Help configurations from older quickstarts.
727 if acme.IssuerDomainName == "" && acme.DirectoryURL == "https://acme-v02.api.letsencrypt.org/directory" {
728 acme.IssuerDomainName = "letsencrypt.org"
734 var haveUnspecifiedSMTPListener bool
735 for name, l := range c.Listeners {
736 addListenerErrorf := func(format string, args ...any) {
737 addErrorf("listener %s: %s", name, fmt.Sprintf(format, args...))
740 if l.Hostname != "" {
741 d, err := dns.ParseDomain(l.Hostname)
743 addListenerErrorf("parsing hostname %q: %s", l.Hostname, err)
748 if l.TLS.ACME != "" && len(l.TLS.KeyCerts) != 0 {
749 addListenerErrorf("cannot have ACME and static key/certificates")
750 } else if l.TLS.ACME != "" {
751 acme, ok := c.ACME[l.TLS.ACME]
753 addListenerErrorf("unknown ACME provider %q", l.TLS.ACME)
756 // If only checking or with missing ACME definition, we don't have an acme manager,
757 // so set an empty tls config to continue.
758 var tlsconfig, tlsconfigFallback *tls.Config
759 if checkOnly || acme.Manager == nil {
760 tlsconfig = &tls.Config{}
761 tlsconfigFallback = &tls.Config{}
763 hostname := c.HostnameDomain
764 if l.Hostname != "" {
765 hostname = l.HostnameDomain
767 // If SNI is absent, we will use the listener hostname, but reject connections with
768 // an SNI hostname that is not allowlisted.
769 // Incoming SMTP deliveries use tlsconfigFallback for interoperability. TLS
770 // connections for unknown SNI hostnames fall back to a certificate for the
771 // listener hostname instead of causing the TLS connection to fail.
772 tlsconfig = acme.Manager.TLSConfig(hostname, true, false)
773 tlsconfigFallback = acme.Manager.TLSConfig(hostname, true, true)
774 l.TLS.ACMEConfig = acme.Manager.ACMETLSConfig
776 l.TLS.Config = tlsconfig
777 l.TLS.ConfigFallback = tlsconfigFallback
778 } else if len(l.TLS.KeyCerts) != 0 {
779 if doLoadTLSKeyCerts {
780 if err := loadTLSKeyCerts(configFile, "listener "+name, l.TLS); err != nil {
781 addListenerErrorf("%w", err)
785 addListenerErrorf("cannot have TLS config without ACME and without static keys/certificates")
787 for _, privKeyFile := range l.TLS.HostPrivateKeyFiles {
788 keyPath := configDirPath(configFile, privKeyFile)
789 privKey, err := loadPrivateKeyFile(keyPath)
791 addListenerErrorf("parsing host private key for DANE and ACME certificates: %v", err)
794 switch k := privKey.(type) {
795 case *rsa.PrivateKey:
796 if k.N.BitLen() != 2048 {
797 log.Error("need rsa key with 2048 bits, for host private key for DANE/ACME certificates, ignoring",
798 slog.String("listener", name),
799 slog.String("file", keyPath),
800 slog.Int("bits", k.N.BitLen()))
803 l.TLS.HostPrivateRSA2048Keys = append(l.TLS.HostPrivateRSA2048Keys, k)
804 case *ecdsa.PrivateKey:
805 if k.Curve != elliptic.P256() {
806 log.Error("unrecognized ecdsa curve for host private key for DANE/ACME certificates, ignoring", slog.String("listener", name), slog.String("file", keyPath))
809 l.TLS.HostPrivateECDSAP256Keys = append(l.TLS.HostPrivateECDSAP256Keys, k)
811 log.Error("unrecognized key type for host private key for DANE/ACME certificates, ignoring",
812 slog.String("listener", name),
813 slog.String("file", keyPath),
814 slog.String("keytype", fmt.Sprintf("%T", privKey)))
818 if l.TLS.ACME != "" && (len(l.TLS.HostPrivateRSA2048Keys) == 0) != (len(l.TLS.HostPrivateECDSAP256Keys) == 0) {
819 log.Warn("uncommon configuration with either only an RSA 2048 or ECDSA P256 host private key for DANE/ACME certificates; this ACME implementation can retrieve certificates for both type of keys, it is recommended to set either both or none; continuing")
823 var minVersion uint16 = tls.VersionTLS12
824 if l.TLS.MinVersion != "" {
825 versions := map[string]uint16{
826 "TLSv1.0": tls.VersionTLS10,
827 "TLSv1.1": tls.VersionTLS11,
828 "TLSv1.2": tls.VersionTLS12,
829 "TLSv1.3": tls.VersionTLS13,
831 v, ok := versions[l.TLS.MinVersion]
833 addListenerErrorf("unknown TLS mininum version %q", l.TLS.MinVersion)
837 if l.TLS.Config != nil {
838 l.TLS.Config.MinVersion = minVersion
840 if l.TLS.ConfigFallback != nil {
841 l.TLS.ConfigFallback.MinVersion = minVersion
843 if l.TLS.ACMEConfig != nil {
844 l.TLS.ACMEConfig.MinVersion = minVersion
847 var needsTLS []string
848 needtls := func(s string, v bool) {
850 needsTLS = append(needsTLS, s)
853 needtls("IMAPS", l.IMAPS.Enabled)
854 needtls("SMTP", l.SMTP.Enabled && !l.SMTP.NoSTARTTLS)
855 needtls("Submissions", l.Submissions.Enabled)
856 needtls("Submission", l.Submission.Enabled && !l.Submission.NoRequireSTARTTLS)
857 needtls("AccountHTTPS", l.AccountHTTPS.Enabled)
858 needtls("AdminHTTPS", l.AdminHTTPS.Enabled)
859 needtls("AutoconfigHTTPS", l.AutoconfigHTTPS.Enabled && !l.AutoconfigHTTPS.NonTLS)
860 needtls("MTASTSHTTPS", l.MTASTSHTTPS.Enabled && !l.MTASTSHTTPS.NonTLS)
861 needtls("WebserverHTTPS", l.WebserverHTTPS.Enabled)
862 if len(needsTLS) > 0 {
863 addListenerErrorf("no tls config specified, but requires tls for %s", strings.Join(needsTLS, ", "))
866 if l.AutoconfigHTTPS.Enabled && l.MTASTSHTTPS.Enabled && l.AutoconfigHTTPS.Port == l.MTASTSHTTPS.Port && l.AutoconfigHTTPS.NonTLS != l.MTASTSHTTPS.NonTLS {
867 addListenerErrorf("autoconfig and mta-sts enabled on same port but with both http and https")
871 haveUnspecifiedSMTPListener = true
873 for _, ipstr := range l.IPs {
874 ip := net.ParseIP(ipstr)
876 addListenerErrorf("invalid IP %q", ipstr)
879 if ip.IsUnspecified() {
880 haveUnspecifiedSMTPListener = true
883 if len(c.SpecifiedSMTPListenIPs) >= 2 {
884 haveUnspecifiedSMTPListener = true
885 } else if len(c.SpecifiedSMTPListenIPs) > 0 && (c.SpecifiedSMTPListenIPs[0].To4() == nil) == (ip.To4() == nil) {
886 haveUnspecifiedSMTPListener = true
888 c.SpecifiedSMTPListenIPs = append(c.SpecifiedSMTPListenIPs, ip)
892 for _, s := range l.SMTP.DNSBLs {
893 d, err := dns.ParseDomain(s)
895 addListenerErrorf("parsing DNSBL zone %q: %s", s, err)
898 l.SMTP.DNSBLZones = append(l.SMTP.DNSBLZones, d)
900 if l.IPsNATed && len(l.NATIPs) > 0 {
901 addListenerErrorf("both IPsNATed and NATIPs configued (remove deprecated IPsNATed)")
903 for _, ipstr := range l.NATIPs {
904 ip := net.ParseIP(ipstr)
906 addListenerErrorf("invalid ip %q", ipstr)
907 } else if ip.IsUnspecified() || ip.IsLoopback() {
908 addListenerErrorf("NAT ip that is the unspecified or loopback address %s", ipstr)
911 cleanPath := func(kind string, enabled bool, path string) string {
915 if path != "" && !strings.HasPrefix(path, "/") {
916 addListenerErrorf("%s with path %q that must start with a slash", kind, path)
917 } else if path != "" && !strings.HasSuffix(path, "/") {
918 log.Warn("http service path should end with a slash, using effective path with slash", slog.String("kind", kind), slog.String("path", path), slog.String("effectivepath", path+"/"))
923 l.AccountHTTP.Path = cleanPath("AccountHTTP", l.AccountHTTP.Enabled, l.AccountHTTP.Path)
924 l.AccountHTTPS.Path = cleanPath("AccountHTTPS", l.AccountHTTPS.Enabled, l.AccountHTTPS.Path)
925 l.AdminHTTP.Path = cleanPath("AdminHTTP", l.AdminHTTP.Enabled, l.AdminHTTP.Path)
926 l.AdminHTTPS.Path = cleanPath("AdminHTTPS", l.AdminHTTPS.Enabled, l.AdminHTTPS.Path)
927 l.WebmailHTTP.Path = cleanPath("WebmailHTTP", l.WebmailHTTP.Enabled, l.WebmailHTTP.Path)
928 l.WebmailHTTPS.Path = cleanPath("WebmailHTTPS", l.WebmailHTTPS.Enabled, l.WebmailHTTPS.Path)
929 l.WebAPIHTTP.Path = cleanPath("WebAPIHTTP", l.WebAPIHTTP.Enabled, l.WebAPIHTTP.Path)
930 l.WebAPIHTTPS.Path = cleanPath("WebAPIHTTPS", l.WebAPIHTTPS.Enabled, l.WebAPIHTTPS.Path)
931 c.Listeners[name] = l
933 if haveUnspecifiedSMTPListener {
934 c.SpecifiedSMTPListenIPs = nil
937 var zerouse config.SpecialUseMailboxes
938 if len(c.DefaultMailboxes) > 0 && (c.InitialMailboxes.SpecialUse != zerouse || len(c.InitialMailboxes.Regular) > 0) {
939 addErrorf("cannot have both DefaultMailboxes and InitialMailboxes")
941 // DefaultMailboxes is deprecated.
942 for _, mb := range c.DefaultMailboxes {
943 checkMailboxNormf(mb, "default mailbox")
944 // We don't create parent mailboxes for default mailboxes.
945 if ParentMailboxName(mb) != "" {
946 addErrorf("default mailbox cannot be a child mailbox")
949 checkSpecialUseMailbox := func(nameOpt string) {
951 checkMailboxNormf(nameOpt, "special-use initial mailbox")
952 if strings.EqualFold(nameOpt, "inbox") {
953 addErrorf("initial mailbox cannot be set to Inbox (Inbox is always created)")
955 // We don't currently create parent mailboxes for initial mailboxes.
956 if ParentMailboxName(nameOpt) != "" {
957 addErrorf("initial mailboxes cannot be child mailboxes")
961 checkSpecialUseMailbox(c.InitialMailboxes.SpecialUse.Archive)
962 checkSpecialUseMailbox(c.InitialMailboxes.SpecialUse.Draft)
963 checkSpecialUseMailbox(c.InitialMailboxes.SpecialUse.Junk)
964 checkSpecialUseMailbox(c.InitialMailboxes.SpecialUse.Sent)
965 checkSpecialUseMailbox(c.InitialMailboxes.SpecialUse.Trash)
966 for _, name := range c.InitialMailboxes.Regular {
967 checkMailboxNormf(name, "regular initial mailbox")
968 if strings.EqualFold(name, "inbox") {
969 addErrorf("initial regular mailbox cannot be set to Inbox (Inbox is always created)")
971 if ParentMailboxName(name) != "" {
972 addErrorf("initial mailboxes cannot be child mailboxes")
976 checkTransportSMTP := func(name string, isTLS bool, t *config.TransportSMTP) {
977 addTransportErrorf := func(format string, args ...any) {
978 addErrorf("transport %s: %s", name, fmt.Sprintf(format, args...))
982 t.DNSHost, err = dns.ParseDomain(t.Host)
984 addTransportErrorf("bad host %s: %v", t.Host, err)
987 if isTLS && t.STARTTLSInsecureSkipVerify {
988 addTransportErrorf("cannot have STARTTLSInsecureSkipVerify with immediate TLS")
990 if isTLS && t.NoSTARTTLS {
991 addTransportErrorf("cannot have NoSTARTTLS with immediate TLS")
997 seen := map[string]bool{}
998 for _, m := range t.Auth.Mechanisms {
1000 addTransportErrorf("duplicate authentication mechanism %s", m)
1004 case "SCRAM-SHA-256-PLUS":
1005 case "SCRAM-SHA-256":
1006 case "SCRAM-SHA-1-PLUS":
1011 addTransportErrorf("unknown authentication mechanism %s", m)
1015 t.Auth.EffectiveMechanisms = t.Auth.Mechanisms
1016 if len(t.Auth.EffectiveMechanisms) == 0 {
1017 t.Auth.EffectiveMechanisms = []string{"SCRAM-SHA-256-PLUS", "SCRAM-SHA-256", "SCRAM-SHA-1-PLUS", "SCRAM-SHA-1", "CRAM-MD5"}
1021 checkTransportSocks := func(name string, t *config.TransportSocks) {
1022 addTransportErrorf := func(format string, args ...any) {
1023 addErrorf("transport %s: %s", name, fmt.Sprintf(format, args...))
1026 _, _, err := net.SplitHostPort(t.Address)
1028 addTransportErrorf("bad address %s: %v", t.Address, err)
1030 for _, ipstr := range t.RemoteIPs {
1031 ip := net.ParseIP(ipstr)
1033 addTransportErrorf("bad ip %s", ipstr)
1035 t.IPs = append(t.IPs, ip)
1038 t.Hostname, err = dns.ParseDomain(t.RemoteHostname)
1040 addTransportErrorf("bad hostname %s: %v", t.RemoteHostname, err)
1044 checkTransportDirect := func(name string, t *config.TransportDirect) {
1045 addTransportErrorf := func(format string, args ...any) {
1046 addErrorf("transport %s: %s", name, fmt.Sprintf(format, args...))
1049 if t.DisableIPv4 && t.DisableIPv6 {
1050 addTransportErrorf("both IPv4 and IPv6 are disabled, enable at least one")
1061 for name, t := range c.Transports {
1062 addTransportErrorf := func(format string, args ...any) {
1063 addErrorf("transport %s: %s", name, fmt.Sprintf(format, args...))
1067 if t.Submissions != nil {
1069 checkTransportSMTP(name, true, t.Submissions)
1071 if t.Submission != nil {
1073 checkTransportSMTP(name, false, t.Submission)
1077 checkTransportSMTP(name, false, t.SMTP)
1081 checkTransportSocks(name, t.Socks)
1083 if t.Direct != nil {
1085 checkTransportDirect(name, t.Direct)
1088 addTransportErrorf("cannot have multiple methods in a transport")
1092 // Load CA certificate pool.
1093 if c.TLS.CA != nil {
1094 if c.TLS.CA.AdditionalToSystem {
1096 c.TLS.CertPool, err = x509.SystemCertPool()
1098 addErrorf("fetching system CA cert pool: %v", err)
1101 c.TLS.CertPool = x509.NewCertPool()
1103 for _, certfile := range c.TLS.CA.CertFiles {
1104 p := configDirPath(configFile, certfile)
1105 pemBuf, err := os.ReadFile(p)
1107 addErrorf("reading TLS CA cert file: %v", err)
1109 } else if !c.TLS.CertPool.AppendCertsFromPEM(pemBuf) {
1110 // todo: can we check more fully if we're getting some useful data back?
1111 addErrorf("no CA certs added from %q", p)
1118// PrepareDynamicConfig parses the dynamic config file given a static file.
1119func ParseDynamicConfig(ctx context.Context, log mlog.Log, dynamicPath string, static config.Static) (c config.Dynamic, mtime time.Time, accDests map[string]AccountDestination, aliases map[string]config.Alias, errs []error) {
1120 addErrorf := func(format string, args ...any) {
1121 errs = append(errs, fmt.Errorf(format, args...))
1124 f, err := os.Open(dynamicPath)
1126 addErrorf("parsing domains config: %v", err)
1132 addErrorf("stat domains config: %v", err)
1134 if err := sconf.Parse(f, &c); err != nil {
1135 addErrorf("parsing dynamic config file: %v", err)
1139 accDests, aliases, errs = prepareDynamicConfig(ctx, log, dynamicPath, static, &c)
1140 return c, fi.ModTime(), accDests, aliases, errs
1143func prepareDynamicConfig(ctx context.Context, log mlog.Log, dynamicPath string, static config.Static, c *config.Dynamic) (accDests map[string]AccountDestination, aliases map[string]config.Alias, errs []error) {
1144 addErrorf := func(format string, args ...any) {
1145 errs = append(errs, fmt.Errorf(format, args...))
1148 // Check that mailbox is in unicode NFC normalized form.
1149 checkMailboxNormf := func(mailbox string, what string, errorf func(format string, args ...any)) {
1150 s := norm.NFC.String(mailbox)
1152 errorf("%s: mailbox %q is not in NFC normalized form, should be %q", what, mailbox, s)
1156 // Validate postmaster account exists.
1157 if _, ok := c.Accounts[static.Postmaster.Account]; !ok {
1158 addErrorf("postmaster account %q does not exist", static.Postmaster.Account)
1160 checkMailboxNormf(static.Postmaster.Mailbox, "postmaster mailbox", addErrorf)
1162 accDests = map[string]AccountDestination{}
1163 aliases = map[string]config.Alias{}
1165 // Validate host TLSRPT account/address.
1166 if static.HostTLSRPT.Account != "" {
1167 if _, ok := c.Accounts[static.HostTLSRPT.Account]; !ok {
1168 addErrorf("host tlsrpt account %q does not exist", static.HostTLSRPT.Account)
1170 checkMailboxNormf(static.HostTLSRPT.Mailbox, "host tlsrpt mailbox", addErrorf)
1172 // Localpart has been parsed already.
1174 addrFull := smtp.NewAddress(static.HostTLSRPT.ParsedLocalpart, static.HostnameDomain).String()
1175 dest := config.Destination{
1176 Mailbox: static.HostTLSRPT.Mailbox,
1177 HostTLSReports: true,
1179 accDests[addrFull] = AccountDestination{false, static.HostTLSRPT.ParsedLocalpart, static.HostTLSRPT.Account, dest}
1182 var haveSTSListener, haveWebserverListener bool
1183 for _, l := range static.Listeners {
1184 if l.MTASTSHTTPS.Enabled {
1185 haveSTSListener = true
1187 if l.WebserverHTTP.Enabled || l.WebserverHTTPS.Enabled {
1188 haveWebserverListener = true
1192 checkRoutes := func(descr string, routes []config.Route) {
1193 parseRouteDomains := func(l []string) []string {
1195 for _, e := range l {
1201 if strings.HasPrefix(e, ".") {
1205 d, err := dns.ParseDomain(e)
1207 addErrorf("%s: invalid domain %s: %v", descr, e, err)
1209 r = append(r, prefix+d.ASCII)
1214 for i := range routes {
1215 routes[i].FromDomainASCII = parseRouteDomains(routes[i].FromDomain)
1216 routes[i].ToDomainASCII = parseRouteDomains(routes[i].ToDomain)
1218 routes[i].ResolvedTransport, ok = static.Transports[routes[i].Transport]
1220 addErrorf("%s: route references undefined transport %s", descr, routes[i].Transport)
1225 checkRoutes("global routes", c.Routes)
1227 // Validate domains.
1228 c.ClientSettingDomains = map[dns.Domain]struct{}{}
1229 for d, domain := range c.Domains {
1230 addDomainErrorf := func(format string, args ...any) {
1231 addErrorf(fmt.Sprintf("domain %v: %s", d, fmt.Sprintf(format, args...)))
1234 dnsdomain, err := dns.ParseDomain(d)
1236 addDomainErrorf("parsing domain: %s", err)
1237 } else if dnsdomain.Name() != d {
1238 addDomainErrorf("must be specified in unicode form, %s", dnsdomain.Name())
1241 domain.Domain = dnsdomain
1243 if domain.ClientSettingsDomain != "" {
1244 csd, err := dns.ParseDomain(domain.ClientSettingsDomain)
1246 addDomainErrorf("bad client settings domain %q: %s", domain.ClientSettingsDomain, err)
1248 domain.ClientSettingsDNSDomain = csd
1249 c.ClientSettingDomains[csd] = struct{}{}
1252 if domain.LocalpartCatchallSeparator != "" && len(domain.LocalpartCatchallSeparators) != 0 {
1253 addDomainErrorf("cannot have both LocalpartCatchallSeparator and LocalpartCatchallSeparators")
1255 domain.LocalpartCatchallSeparatorsEffective = domain.LocalpartCatchallSeparators
1256 if domain.LocalpartCatchallSeparator != "" {
1257 domain.LocalpartCatchallSeparatorsEffective = append(domain.LocalpartCatchallSeparatorsEffective, domain.LocalpartCatchallSeparator)
1259 sepSeen := map[string]bool{}
1260 for _, sep := range domain.LocalpartCatchallSeparatorsEffective {
1262 addDomainErrorf("duplicate localpart catchall separator %q", sep)
1267 for _, sign := range domain.DKIM.Sign {
1268 if _, ok := domain.DKIM.Selectors[sign]; !ok {
1269 addDomainErrorf("unknown selector %s for signing", sign)
1272 for name, sel := range domain.DKIM.Selectors {
1273 addSelectorErrorf := func(format string, args ...any) {
1274 addDomainErrorf("selector %s: %s", name, fmt.Sprintf(format, args...))
1277 seld, err := dns.ParseDomain(name)
1279 addSelectorErrorf("parsing selector: %s", err)
1280 } else if seld.Name() != name {
1281 addSelectorErrorf("must be specified in unicode form, %q", seld.Name())
1285 if sel.Expiration != "" {
1286 exp, err := time.ParseDuration(sel.Expiration)
1288 addSelectorErrorf("invalid expiration %q: %v", sel.Expiration, err)
1290 sel.ExpirationSeconds = int(exp / time.Second)
1294 sel.HashEffective = sel.Hash
1295 switch sel.HashEffective {
1297 sel.HashEffective = "sha256"
1299 log.Error("using sha1 with DKIM is deprecated as not secure enough, switch to sha256")
1302 addSelectorErrorf("unsupported hash %q", sel.HashEffective)
1305 pemBuf, err := os.ReadFile(configDirPath(dynamicPath, sel.PrivateKeyFile))
1307 addSelectorErrorf("reading private key: %s", err)
1310 p, _ := pem.Decode(pemBuf)
1312 addSelectorErrorf("private key has no PEM block")
1315 key, err := x509.ParsePKCS8PrivateKey(p.Bytes)
1317 addSelectorErrorf("parsing private key: %s", err)
1320 switch k := key.(type) {
1321 case *rsa.PrivateKey:
1322 if k.N.BitLen() < 1024 {
1324 // Let's help user do the right thing.
1325 addSelectorErrorf("rsa keys should be >= 1024 bits, is %d bits", k.N.BitLen())
1328 sel.Algorithm = fmt.Sprintf("rsa-%d", k.N.BitLen())
1329 case ed25519.PrivateKey:
1330 if sel.HashEffective != "sha256" {
1331 addSelectorErrorf("hash algorithm %q is not supported with ed25519, only sha256 is", sel.HashEffective)
1334 sel.Algorithm = "ed25519"
1336 addSelectorErrorf("private key type %T not yet supported", key)
1339 if len(sel.Headers) == 0 {
1343 // By default we seal signed headers, and we sign user-visible headers to
1344 // prevent/limit reuse of previously signed messages: All addressing fields, date
1345 // and subject, message-referencing fields, parsing instructions (content-type).
1346 sel.HeadersEffective = strings.Split("From,To,Cc,Bcc,Reply-To,References,In-Reply-To,Subject,Date,Message-Id,Content-Type", ",")
1349 for _, h := range sel.Headers {
1350 from = from || strings.EqualFold(h, "From")
1352 if strings.EqualFold(h, "DKIM-Signature") || strings.EqualFold(h, "Received") || strings.EqualFold(h, "Return-Path") {
1353 log.Error("DKIM-signing header %q is recommended against as it may be modified in transit")
1357 addSelectorErrorf("From-field must always be DKIM-signed")
1359 sel.HeadersEffective = sel.Headers
1362 domain.DKIM.Selectors[name] = sel
1365 if domain.MTASTS != nil {
1366 if !haveSTSListener {
1367 addDomainErrorf("MTA-STS enabled, but there is no listener for MTASTS", d)
1369 sts := domain.MTASTS
1370 if sts.PolicyID == "" {
1371 addDomainErrorf("invalid empty MTA-STS PolicyID")
1374 case mtasts.ModeNone, mtasts.ModeTesting, mtasts.ModeEnforce:
1376 addDomainErrorf("invalid mtasts mode %q", sts.Mode)
1380 checkRoutes("routes for domain", domain.Routes)
1382 c.Domains[d] = domain
1385 // To determine ReportsOnly.
1386 domainHasAddress := map[string]bool{}
1388 // Validate email addresses.
1389 for accName, acc := range c.Accounts {
1390 addAccountErrorf := func(format string, args ...any) {
1391 addErrorf("account %q: %s", accName, fmt.Sprintf(format, args...))
1395 acc.DNSDomain, err = dns.ParseDomain(acc.Domain)
1397 addAccountErrorf("parsing domain %s: %s", acc.Domain, err)
1400 if strings.EqualFold(acc.RejectsMailbox, "Inbox") {
1401 addAccountErrorf("cannot set RejectsMailbox to inbox, messages will be removed automatically from the rejects mailbox")
1403 checkMailboxNormf(acc.RejectsMailbox, "rejects mailbox", addErrorf)
1405 if len(acc.LoginDisabled) > 256 {
1406 addAccountErrorf("message for disabled login must be <256 characters")
1408 for _, c := range acc.LoginDisabled {
1409 // For IMAP and SMTP. IMAP only allows UTF8 after "ENABLE IMAPrev2".
1410 if c < ' ' || c >= 0x7f {
1411 addAccountErrorf("message cannot contain control characters including newlines, and must be ascii-only")
1415 if acc.AutomaticJunkFlags.JunkMailboxRegexp != "" {
1416 r, err := regexp.Compile(acc.AutomaticJunkFlags.JunkMailboxRegexp)
1418 addAccountErrorf("invalid JunkMailboxRegexp regular expression: %v", err)
1422 if acc.AutomaticJunkFlags.NeutralMailboxRegexp != "" {
1423 r, err := regexp.Compile(acc.AutomaticJunkFlags.NeutralMailboxRegexp)
1425 addAccountErrorf("invalid NeutralMailboxRegexp regular expression: %v", err)
1427 acc.NeutralMailbox = r
1429 if acc.AutomaticJunkFlags.NotJunkMailboxRegexp != "" {
1430 r, err := regexp.Compile(acc.AutomaticJunkFlags.NotJunkMailboxRegexp)
1432 addAccountErrorf("invalid NotJunkMailboxRegexp regular expression: %v", err)
1434 acc.NotJunkMailbox = r
1437 if acc.JunkFilter != nil {
1438 params := acc.JunkFilter.Params
1439 if params.MaxPower < 0 || params.MaxPower > 0.5 {
1440 addAccountErrorf("junk filter MaxPower must be >= 0 and < 0.5")
1442 if params.TopWords < 0 {
1443 addAccountErrorf("junk filter TopWords must be >= 0")
1445 if params.IgnoreWords < 0 || params.IgnoreWords > 0.5 {
1446 addAccountErrorf("junk filter IgnoreWords must be >= 0 and < 0.5")
1448 if params.RareWords < 0 {
1449 addAccountErrorf("junk filter RareWords must be >= 0")
1453 acc.ParsedFromIDLoginAddresses = make([]smtp.Address, len(acc.FromIDLoginAddresses))
1454 for i, s := range acc.FromIDLoginAddresses {
1455 a, err := smtp.ParseAddress(s)
1457 addAccountErrorf("invalid fromid login address %q: %v", s, err)
1459 // We check later on if address belongs to account.
1460 dom, ok := c.Domains[a.Domain.Name()]
1462 addAccountErrorf("unknown domain in fromid login address %q", s)
1463 } else if len(dom.LocalpartCatchallSeparatorsEffective) == 0 {
1464 addAccountErrorf("localpart catchall separator not configured for domain for fromid login address %q", s)
1466 acc.ParsedFromIDLoginAddresses[i] = a
1469 // Clear any previously derived state.
1472 c.Accounts[accName] = acc
1474 if acc.OutgoingWebhook != nil {
1475 u, err := url.Parse(acc.OutgoingWebhook.URL)
1476 if err == nil && (u.Scheme != "http" && u.Scheme != "https") {
1477 err = errors.New("scheme must be http or https")
1480 addAccountErrorf("parsing outgoing hook url %q: %v", acc.OutgoingWebhook.URL, err)
1483 // note: outgoing hook events are in ../queue/hooks.go, ../mox-/config.go, ../queue.go and ../webapi/gendoc.sh. keep in sync.
1484 outgoingHookEvents := []string{"delivered", "suppressed", "delayed", "failed", "relayed", "expanded", "canceled", "unrecognized"}
1485 for _, e := range acc.OutgoingWebhook.Events {
1486 if !slices.Contains(outgoingHookEvents, e) {
1487 addAccountErrorf("unknown outgoing hook event %q", e)
1491 if acc.IncomingWebhook != nil {
1492 u, err := url.Parse(acc.IncomingWebhook.URL)
1493 if err == nil && (u.Scheme != "http" && u.Scheme != "https") {
1494 err = errors.New("scheme must be http or https")
1497 addAccountErrorf("parsing incoming hook url %q: %v", acc.IncomingWebhook.URL, err)
1501 // todo deprecated: only localpart as keys for Destinations, we are replacing them with full addresses. if domains.conf is written, we won't have to do this again.
1502 replaceLocalparts := map[string]string{}
1504 for addrName, dest := range acc.Destinations {
1505 addDestErrorf := func(format string, args ...any) {
1506 addAccountErrorf("destination %q: %s", addrName, fmt.Sprintf(format, args...))
1509 checkMailboxNormf(dest.Mailbox, "destination mailbox", addDestErrorf)
1511 if dest.SMTPError != "" {
1512 if len(dest.SMTPError) > 256 {
1513 addDestErrorf("smtp error must be smaller than 256 bytes")
1515 for _, c := range dest.SMTPError {
1516 if c < ' ' || c >= 0x7f {
1517 addDestErrorf("smtp error cannot contain contain control characters (including newlines) or non-ascii")
1522 if dest.Mailbox != "" {
1523 addDestErrorf("cannot have both SMTPError and Mailbox")
1525 if len(dest.Rulesets) != 0 {
1526 addDestErrorf("cannot have both SMTPError and Rulesets")
1529 t := strings.SplitN(dest.SMTPError, " ", 2)
1532 addDestErrorf("smtp error must be 421 or 550 (with optional message), not %q", dest.SMTPError)
1535 dest.SMTPErrorCode = smtp.C451LocalErr
1536 dest.SMTPErrorSecode = smtp.SeSys3Other0
1537 dest.SMTPErrorMsg = "error processing"
1539 dest.SMTPErrorCode = smtp.C550MailboxUnavail
1540 dest.SMTPErrorSecode = smtp.SeAddr1UnknownDestMailbox1
1541 dest.SMTPErrorMsg = "no such user(s)"
1544 dest.SMTPErrorMsg = strings.TrimSpace(t[1])
1546 acc.Destinations[addrName] = dest
1549 if dest.MessageAuthRequiredSMTPError != "" {
1550 if len(dest.MessageAuthRequiredSMTPError) > 256 {
1551 addDestErrorf("message authentication required smtp error must be smaller than 256 bytes")
1553 for _, c := range dest.MessageAuthRequiredSMTPError {
1554 if c < ' ' || c >= 0x7f {
1555 addDestErrorf("message authentication required smtp error cannot contain contain control characters (including newlines) or non-ascii")
1561 for i, rs := range dest.Rulesets {
1562 addRulesetErrorf := func(format string, args ...any) {
1563 addDestErrorf("ruleset %d: %s", i+1, fmt.Sprintf(format, args...))
1566 checkMailboxNormf(rs.Mailbox, "ruleset mailbox", addRulesetErrorf)
1570 if rs.SMTPMailFromRegexp != "" {
1572 r, err := regexp.Compile(rs.SMTPMailFromRegexp)
1574 addRulesetErrorf("invalid SMTPMailFrom regular expression: %v", err)
1576 c.Accounts[accName].Destinations[addrName].Rulesets[i].SMTPMailFromRegexpCompiled = r
1578 if rs.MsgFromRegexp != "" {
1580 r, err := regexp.Compile(rs.MsgFromRegexp)
1582 addRulesetErrorf("invalid MsgFrom regular expression: %v", err)
1584 c.Accounts[accName].Destinations[addrName].Rulesets[i].MsgFromRegexpCompiled = r
1586 if rs.VerifiedDomain != "" {
1588 d, err := dns.ParseDomain(rs.VerifiedDomain)
1590 addRulesetErrorf("invalid VerifiedDomain: %v", err)
1592 c.Accounts[accName].Destinations[addrName].Rulesets[i].VerifiedDNSDomain = d
1595 var hdr [][2]*regexp.Regexp
1596 for k, v := range rs.HeadersRegexp {
1598 if strings.ToLower(k) != k {
1599 addRulesetErrorf("header field %q must only have lower case characters", k)
1601 if strings.ToLower(v) != v {
1602 addRulesetErrorf("header value %q must only have lower case characters", v)
1604 rk, err := regexp.Compile(k)
1606 addRulesetErrorf("invalid rule header regexp %q: %v", k, err)
1608 rv, err := regexp.Compile(v)
1610 addRulesetErrorf("invalid rule header regexp %q: %v", v, err)
1612 hdr = append(hdr, [...]*regexp.Regexp{rk, rv})
1614 c.Accounts[accName].Destinations[addrName].Rulesets[i].HeadersRegexpCompiled = hdr
1617 addRulesetErrorf("ruleset must have at least one rule")
1620 if rs.IsForward && rs.ListAllowDomain != "" {
1621 addRulesetErrorf("ruleset cannot have both IsForward and ListAllowDomain")
1624 if rs.SMTPMailFromRegexp == "" || rs.VerifiedDomain == "" {
1625 addRulesetErrorf("ruleset with IsForward must have both SMTPMailFromRegexp and VerifiedDomain too")
1628 if rs.ListAllowDomain != "" {
1629 d, err := dns.ParseDomain(rs.ListAllowDomain)
1631 addRulesetErrorf("invalid ListAllowDomain %q: %v", rs.ListAllowDomain, err)
1633 c.Accounts[accName].Destinations[addrName].Rulesets[i].ListAllowDNSDomain = d
1636 checkMailboxNormf(rs.AcceptRejectsToMailbox, "rejects mailbox", addRulesetErrorf)
1637 if strings.EqualFold(rs.AcceptRejectsToMailbox, "inbox") {
1638 addRulesetErrorf("AcceptRejectsToMailbox cannot be set to Inbox")
1642 // Catchall destination for domain.
1643 if strings.HasPrefix(addrName, "@") {
1644 d, err := dns.ParseDomain(addrName[1:])
1646 addDestErrorf("parsing domain %q", addrName[1:])
1648 } else if _, ok := c.Domains[d.Name()]; !ok {
1649 addDestErrorf("unknown domain for address")
1652 domainHasAddress[d.Name()] = true
1653 addrFull := "@" + d.Name()
1654 if _, ok := accDests[addrFull]; ok {
1655 addDestErrorf("duplicate canonicalized catchall destination address %s", addrFull)
1657 accDests[addrFull] = AccountDestination{true, "", accName, dest}
1661 // todo deprecated: remove support for parsing destination as just a localpart instead full address.
1662 var address smtp.Address
1663 if localpart, err := smtp.ParseLocalpart(addrName); err != nil && errors.Is(err, smtp.ErrBadLocalpart) {
1664 address, err = smtp.ParseAddress(addrName)
1666 addDestErrorf("invalid email address")
1668 } else if _, ok := c.Domains[address.Domain.Name()]; !ok {
1669 addDestErrorf("unknown domain for address")
1674 addDestErrorf("invalid localpart %q", addrName)
1677 address = smtp.NewAddress(localpart, acc.DNSDomain)
1678 if _, ok := c.Domains[acc.DNSDomain.Name()]; !ok {
1679 addDestErrorf("unknown domain %s", acc.DNSDomain.Name())
1682 replaceLocalparts[addrName] = address.Pack(true)
1685 origLP := address.Localpart
1686 dc := c.Domains[address.Domain.Name()]
1687 domainHasAddress[address.Domain.Name()] = true
1688 lp := CanonicalLocalpart(address.Localpart, dc)
1690 for _, sep := range dc.LocalpartCatchallSeparatorsEffective {
1691 if strings.Contains(string(address.Localpart), sep) {
1693 addDestErrorf("localpart of address %s includes domain catchall separator %s", address, sep)
1697 address.Localpart = lp
1699 addrFull := address.Pack(true)
1700 if _, ok := accDests[addrFull]; ok {
1701 addDestErrorf("duplicate canonicalized destination address %s", addrFull)
1703 accDests[addrFull] = AccountDestination{false, origLP, accName, dest}
1706 for lp, addr := range replaceLocalparts {
1707 dest, ok := acc.Destinations[lp]
1709 addAccountErrorf("could not find localpart %q to replace with address in destinations", lp)
1711 log.Warn(`deprecation warning: support for account destination addresses specified as just localpart ("username") instead of full email address will be removed in the future; update domains.conf, for each Account, for each Destination, ensure each key is an email address by appending "@" and the default domain for the account`,
1712 slog.Any("localpart", lp),
1713 slog.Any("address", addr),
1714 slog.String("account", accName))
1715 acc.Destinations[addr] = dest
1716 delete(acc.Destinations, lp)
1720 // Now that all addresses are parsed, check if all fromid login addresses match
1721 // configured addresses.
1722 for i, a := range acc.ParsedFromIDLoginAddresses {
1723 // For domain catchall.
1724 if _, ok := accDests["@"+a.Domain.Name()]; ok {
1727 dc := c.Domains[a.Domain.Name()]
1728 a.Localpart = CanonicalLocalpart(a.Localpart, dc)
1729 if _, ok := accDests[a.Pack(true)]; !ok {
1730 addAccountErrorf("fromid login address %q does not match its destination addresses", acc.FromIDLoginAddresses[i])
1734 checkRoutes("routes for account", acc.Routes)
1737 // Set DMARC destinations.
1738 for d, domain := range c.Domains {
1739 addDomainErrorf := func(format string, args ...any) {
1740 addErrorf("domain %s: %s", d, fmt.Sprintf(format, args...))
1743 dmarc := domain.DMARC
1747 if _, ok := c.Accounts[dmarc.Account]; !ok {
1748 addDomainErrorf("DMARC account %q does not exist", dmarc.Account)
1750 lp, err := smtp.ParseLocalpart(dmarc.Localpart)
1752 addDomainErrorf("invalid DMARC localpart %q: %s", dmarc.Localpart, err)
1754 if lp.IsInternational() {
1756 addDomainErrorf("DMARC localpart %q is an internationalized address, only conventional ascii-only address possible for interopability", lp)
1758 addrdom := domain.Domain
1759 if dmarc.Domain != "" {
1760 addrdom, err = dns.ParseDomain(dmarc.Domain)
1762 addDomainErrorf("DMARC domain %q: %s", dmarc.Domain, err)
1763 } else if _, ok := c.Domains[addrdom.Name()]; !ok {
1764 addDomainErrorf("unknown domain %q for DMARC address", addrdom)
1767 if addrdom == domain.Domain {
1768 domainHasAddress[addrdom.Name()] = true
1771 domain.DMARC.ParsedLocalpart = lp
1772 domain.DMARC.DNSDomain = addrdom
1773 c.Domains[d] = domain
1774 addrFull := smtp.NewAddress(lp, addrdom).String()
1775 dest := config.Destination{
1776 Mailbox: dmarc.Mailbox,
1779 checkMailboxNormf(dmarc.Mailbox, "DMARC mailbox for account", addDomainErrorf)
1780 accDests[addrFull] = AccountDestination{false, lp, dmarc.Account, dest}
1783 // Set TLSRPT destinations.
1784 for d, domain := range c.Domains {
1785 addDomainErrorf := func(format string, args ...any) {
1786 addErrorf("domain %s: %s", d, fmt.Sprintf(format, args...))
1789 tlsrpt := domain.TLSRPT
1793 if _, ok := c.Accounts[tlsrpt.Account]; !ok {
1794 addDomainErrorf("TLSRPT account %q does not exist", tlsrpt.Account)
1796 lp, err := smtp.ParseLocalpart(tlsrpt.Localpart)
1798 addDomainErrorf("invalid TLSRPT localpart %q: %s", tlsrpt.Localpart, err)
1800 if lp.IsInternational() {
1801 // Does not appear documented in
../rfc/8460, but similar to DMARC it makes sense
1802 // to keep this ascii-only addresses.
1803 addDomainErrorf("TLSRPT localpart %q is an internationalized address, only conventional ascii-only address allowed for interopability", lp)
1805 addrdom := domain.Domain
1806 if tlsrpt.Domain != "" {
1807 addrdom, err = dns.ParseDomain(tlsrpt.Domain)
1809 addDomainErrorf("TLSRPT domain %q: %s", tlsrpt.Domain, err)
1810 } else if _, ok := c.Domains[addrdom.Name()]; !ok {
1811 addDomainErrorf("unknown domain %q for TLSRPT address", tlsrpt.Domain)
1814 if addrdom == domain.Domain {
1815 domainHasAddress[addrdom.Name()] = true
1818 domain.TLSRPT.ParsedLocalpart = lp
1819 domain.TLSRPT.DNSDomain = addrdom
1820 c.Domains[d] = domain
1821 addrFull := smtp.NewAddress(lp, addrdom).String()
1822 dest := config.Destination{
1823 Mailbox: tlsrpt.Mailbox,
1824 DomainTLSReports: true,
1826 checkMailboxNormf(tlsrpt.Mailbox, "TLSRPT mailbox", addDomainErrorf)
1827 accDests[addrFull] = AccountDestination{false, lp, tlsrpt.Account, dest}
1830 // Set ReportsOnly for domains, based on whether we have seen addresses (possibly
1831 // from DMARC or TLS reporting).
1832 for d, domain := range c.Domains {
1833 domain.ReportsOnly = !domainHasAddress[domain.Domain.Name()]
1834 c.Domains[d] = domain
1837 // Aliases, per domain. Also add references to accounts.
1838 for d, domain := range c.Domains {
1839 for lpstr, a := range domain.Aliases {
1840 addAliasErrorf := func(format string, args ...any) {
1841 addErrorf("domain %s: alias %s: %s", d, lpstr, fmt.Sprintf(format, args...))
1845 a.LocalpartStr = lpstr
1846 var clp smtp.Localpart
1847 lp, err := smtp.ParseLocalpart(lpstr)
1849 addAliasErrorf("parsing alias: %v", err)
1853 for _, sep := range domain.LocalpartCatchallSeparatorsEffective {
1854 if strings.Contains(string(lp), sep) {
1855 addAliasErrorf("alias contains localpart catchall separator")
1862 clp = CanonicalLocalpart(lp, domain)
1865 addr := smtp.NewAddress(clp, domain.Domain).Pack(true)
1866 if _, ok := aliases[addr]; ok {
1867 addAliasErrorf("duplicate alias address %q", addr)
1870 if _, ok := accDests[addr]; ok {
1871 addAliasErrorf("alias %q already present as regular address", addr)
1874 if len(a.Addresses) == 0 {
1875 // Not currently possible, Addresses isn't optional.
1876 addAliasErrorf("alias %q needs at least one destination address", addr)
1879 a.ParsedAddresses = make([]config.AliasAddress, 0, len(a.Addresses))
1880 seen := map[string]bool{}
1881 for _, destAddr := range a.Addresses {
1882 da, err := smtp.ParseAddress(destAddr)
1884 addAliasErrorf("parsing destination address %q: %v", destAddr, err)
1887 dastr := da.Pack(true)
1888 accDest, ok := accDests[dastr]
1890 addAliasErrorf("references non-existent address %q", destAddr)
1894 addAliasErrorf("duplicate address %q", destAddr)
1898 aa := config.AliasAddress{Address: da, AccountName: accDest.Account, Destination: accDest.Destination}
1899 a.ParsedAddresses = append(a.ParsedAddresses, aa)
1901 a.Domain = domain.Domain
1902 c.Domains[d].Aliases[lpstr] = a
1905 for _, aa := range a.ParsedAddresses {
1906 acc := c.Accounts[aa.AccountName]
1909 addrs = make([]string, len(a.ParsedAddresses))
1910 for i := range a.ParsedAddresses {
1911 addrs[i] = a.ParsedAddresses[i].Address.Pack(true)
1914 // Keep the non-sensitive fields.
1915 accAlias := config.Alias{
1916 PostPublic: a.PostPublic,
1917 ListMembers: a.ListMembers,
1918 AllowMsgFrom: a.AllowMsgFrom,
1919 LocalpartStr: a.LocalpartStr,
1922 acc.Aliases = append(acc.Aliases, config.AddressAlias{SubscriptionAddress: aa.Address.Pack(true), Alias: accAlias, MemberAddresses: addrs})
1923 c.Accounts[aa.AccountName] = acc
1928 // Check webserver configs.
1929 if (len(c.WebDomainRedirects) > 0 || len(c.WebHandlers) > 0) && !haveWebserverListener {
1930 addErrorf("WebDomainRedirects or WebHandlers configured but no listener with WebserverHTTP or WebserverHTTPS enabled")
1933 c.WebDNSDomainRedirects = map[dns.Domain]dns.Domain{}
1934 for from, to := range c.WebDomainRedirects {
1935 addRedirectErrorf := func(format string, args ...any) {
1936 addErrorf("web redirect %s to %s: %s", from, to, fmt.Sprintf(format, args...))
1939 fromdom, err := dns.ParseDomain(from)
1941 addRedirectErrorf("parsing domain for redirect %s: %v", from, err)
1943 todom, err := dns.ParseDomain(to)
1945 addRedirectErrorf("parsing domain for redirect %s: %v", to, err)
1946 } else if fromdom == todom {
1947 addRedirectErrorf("will not redirect domain %s to itself", todom)
1949 var zerodom dns.Domain
1950 if _, ok := c.WebDNSDomainRedirects[fromdom]; ok && fromdom != zerodom {
1951 addRedirectErrorf("duplicate redirect domain %s", from)
1953 c.WebDNSDomainRedirects[fromdom] = todom
1956 for i := range c.WebHandlers {
1957 wh := &c.WebHandlers[i]
1959 addHandlerErrorf := func(format string, args ...any) {
1960 addErrorf("webhandler %s %s: %s", wh.Domain, wh.PathRegexp, fmt.Sprintf(format, args...))
1963 if wh.LogName == "" {
1964 wh.Name = fmt.Sprintf("%d", i)
1966 wh.Name = wh.LogName
1969 dom, err := dns.ParseDomain(wh.Domain)
1971 addHandlerErrorf("parsing domain: %v", err)
1975 if !strings.HasPrefix(wh.PathRegexp, "^") {
1976 addHandlerErrorf("path regexp must start with a ^")
1978 re, err := regexp.Compile(wh.PathRegexp)
1980 addHandlerErrorf("compiling regexp: %v", err)
1985 if wh.WebStatic != nil {
1988 if ws.StripPrefix != "" && !strings.HasPrefix(ws.StripPrefix, "/") {
1989 addHandlerErrorf("static: prefix to strip %s must start with a slash", ws.StripPrefix)
1991 for k := range ws.ResponseHeaders {
1993 k := strings.TrimSpace(xk)
1994 if k != xk || k == "" {
1995 addHandlerErrorf("static: bad header %q", xk)
1999 if wh.WebRedirect != nil {
2001 wr := wh.WebRedirect
2002 if wr.BaseURL != "" {
2003 u, err := url.Parse(wr.BaseURL)
2005 addHandlerErrorf("redirect: parsing redirect url %s: %v", wr.BaseURL, err)
2011 addHandlerErrorf("redirect: BaseURL must have empty path", wr.BaseURL)
2015 if wr.OrigPathRegexp != "" && wr.ReplacePath != "" {
2016 re, err := regexp.Compile(wr.OrigPathRegexp)
2018 addHandlerErrorf("compiling regexp %s: %v", wr.OrigPathRegexp, err)
2021 } else if wr.OrigPathRegexp != "" || wr.ReplacePath != "" {
2022 addHandlerErrorf("redirect: must have either both OrigPathRegexp and ReplacePath, or neither")
2023 } else if wr.BaseURL == "" {
2024 addHandlerErrorf("must at least one of BaseURL and OrigPathRegexp+ReplacePath")
2026 if wr.StatusCode != 0 && (wr.StatusCode < 300 || wr.StatusCode >= 400) {
2027 addHandlerErrorf("redirect: invalid redirect status code %d", wr.StatusCode)
2030 if wh.WebForward != nil {
2033 u, err := url.Parse(wf.URL)
2035 addHandlerErrorf("forward: parsing url %s: %v", wf.URL, err)
2039 for k := range wf.ResponseHeaders {
2041 k := strings.TrimSpace(xk)
2042 if k != xk || k == "" {
2043 addHandlerErrorf("forrward: bad header %q", xk)
2047 if wh.WebInternal != nil {
2049 wi := wh.WebInternal
2050 if !strings.HasPrefix(wi.BasePath, "/") || !strings.HasSuffix(wi.BasePath, "/") {
2051 addHandlerErrorf("internal service: base path %q must start and end with /", wi.BasePath)
2053 // todo: we could make maxMsgSize and accountPath configurable
2054 const isForwarded = false
2057 wi.Handler = NewWebadminHandler(wi.BasePath, isForwarded)
2059 wi.Handler = NewWebaccountHandler(wi.BasePath, isForwarded)
2062 wi.Handler = NewWebmailHandler(config.DefaultMaxMsgSize, wi.BasePath, isForwarded, accountPath)
2064 wi.Handler = NewWebapiHandler(config.DefaultMaxMsgSize, wi.BasePath, isForwarded)
2066 addHandlerErrorf("internal service: unknown service %q", wi.Service)
2068 wi.Handler = SafeHeaders(http.StripPrefix(wi.BasePath[:len(wi.BasePath)-1], wi.Handler))
2071 addHandlerErrorf("must have exactly one handler, not %d", n)
2075 c.MonitorDNSBLZones = nil
2076 for _, s := range c.MonitorDNSBLs {
2077 d, err := dns.ParseDomain(s)
2079 addErrorf("dnsbl %s: parsing dnsbl zone: %v", s, err)
2082 if slices.Contains(c.MonitorDNSBLZones, d) {
2083 addErrorf("dnsbl %s: duplicate zone", s)
2086 c.MonitorDNSBLZones = append(c.MonitorDNSBLZones, d)
2092func loadPrivateKeyFile(keyPath string) (crypto.Signer, error) {
2093 keyBuf, err := os.ReadFile(keyPath)
2095 return nil, fmt.Errorf("reading host private key: %v", err)
2097 b, _ := pem.Decode(keyBuf)
2099 return nil, fmt.Errorf("parsing pem block for private key: %v", err)
2104 privKey, err = x509.ParsePKCS8PrivateKey(b.Bytes)
2105 case "RSA PRIVATE KEY":
2106 privKey, err = x509.ParsePKCS1PrivateKey(b.Bytes)
2107 case "EC PRIVATE KEY":
2108 privKey, err = x509.ParseECPrivateKey(b.Bytes)
2110 err = fmt.Errorf("unknown pem type %q", b.Type)
2113 return nil, fmt.Errorf("parsing private key: %v", err)
2115 if k, ok := privKey.(crypto.Signer); ok {
2118 return nil, fmt.Errorf("parsed private key not a crypto.Signer, but %T", privKey)
2121func loadTLSKeyCerts(configFile, kind string, ctls *config.TLS) error {
2122 certs := []tls.Certificate{}
2123 for _, kp := range ctls.KeyCerts {
2124 certPath := configDirPath(configFile, kp.CertFile)
2125 keyPath := configDirPath(configFile, kp.KeyFile)
2126 cert, err := loadX509KeyPairPrivileged(certPath, keyPath)
2128 return fmt.Errorf("tls config for %q: parsing x509 key pair: %v", kind, err)
2130 certs = append(certs, cert)
2132 ctls.Config = &tls.Config{
2133 Certificates: certs,
2135 ctls.ConfigFallback = ctls.Config
2139// load x509 key/cert files from file descriptor possibly passed in by privileged
2141func loadX509KeyPairPrivileged(certPath, keyPath string) (tls.Certificate, error) {
2142 certBuf, err := readFilePrivileged(certPath)
2144 return tls.Certificate{}, fmt.Errorf("reading tls certificate: %v", err)
2146 keyBuf, err := readFilePrivileged(keyPath)
2148 return tls.Certificate{}, fmt.Errorf("reading tls key: %v", err)
2150 return tls.X509KeyPair(certBuf, keyBuf)
2153// like os.ReadFile, but open privileged file possibly passed in by root process.
2154func readFilePrivileged(path string) ([]byte, error) {
2155 f, err := OpenPrivileged(path)
2160 return io.ReadAll(f)