14 "github.com/prometheus/client_golang/prometheus"
15 "github.com/prometheus/client_golang/prometheus/promauto"
18// We start up as root, bind to sockets, open private key/cert files and fork and
19// exec as unprivileged user. During startup as root, we gather the fd's for the
20// listen addresses in passedListeners and files in passedFiles, and pass their
21// addresses and paths in environment variables to the new process.
22var passedListeners = map[string]*os.File{} // Listen address to file descriptor.
23var passedFiles = map[string][]*os.File{} // Path to file descriptors.
25// RestorePassedFiles reads addresses from $MOX_SOCKETS and paths from $MOX_FILES
26// and prepares an os.File for each file descriptor, which are used by later calls
27// of Listen or opening files.
28func RestorePassedFiles() {
29 s := os.Getenv("MOX_SOCKETS")
32 if runtime.GOOS == "linux" {
33 linuxhint = " If you updated from v0.0.1, update the mox.service file to start as root (privileges are dropped): ./mox config printservice >mox.service && sudo systemctl daemon-reload && sudo systemctl restart mox."
35 pkglog.Fatal("mox must be started as root, and will drop privileges after binding required sockets (missing environment variable MOX_SOCKETS)." + linuxhint)
38 // 0,1,2 are stdin,stdout,stderr, 3 is the first passed fd (first listeners, then files).
40 for _, addr := range strings.Split(s, ",") {
41 passedListeners[addr] = os.NewFile(o, addr)
45 files := os.Getenv("MOX_FILES")
49 for _, path := range strings.Split(files, ",") {
50 passedFiles[path] = append(passedFiles[path], os.NewFile(o, path))
55// CleanupPassedFiles closes the listening socket file descriptors and files passed
56// in by the parent process. To be called by the unprivileged child after listeners
57// have been recreated (they dup the file descriptor), and by the privileged
58// process after starting its child.
59func CleanupPassedFiles() {
60 for _, f := range passedListeners {
62 pkglog.Check(err, "closing listener socket file descriptor")
64 for _, fl := range passedFiles {
65 for _, f := range fl {
67 pkglog.Check(err, "closing path file descriptor")
72// For privileged file descriptor operations (listen and opening privileged files),
73// perform them immediately, regardless of running as root or other user, in case
74// ForkExecUnprivileged is not used.
75var FilesImmediate bool
77// Listen returns a newly created network listener when starting as root, and
78// otherwise (not root) returns a network listener from a file descriptor that was
79// passed by the parent root process.
80func Listen(network, addr string) (net.Listener, error) {
81 if os.Getuid() != 0 && !FilesImmediate {
82 f, ok := passedListeners[addr]
84 return nil, fmt.Errorf("no file descriptor for listener %s", addr)
86 ln, err := net.FileListener(f)
88 return nil, fmt.Errorf("making network listener from file descriptor for address %s: %v", addr, err)
93 if _, ok := passedListeners[addr]; ok {
94 return nil, fmt.Errorf("duplicate listener: %s", addr)
97 ln, err := net.Listen(network, addr)
101 // On windows, we cannot duplicate a socket. We don't need to for mox localserve
102 // with FilesImmediate.
104 tcpln, ok := ln.(*net.TCPListener)
106 return nil, fmt.Errorf("listener not a tcp listener, but %T, for network %s, address %s", ln, network, addr)
108 f, err := tcpln.File()
110 return nil, fmt.Errorf("dup listener: %v", err)
112 passedListeners[addr] = f
117// Open a privileged file, such as a TLS private key. When running as root
118// (during startup), the file is opened and the file descriptor is stored.
119// These file descriptors are passed to the unprivileged process. When in the
120// unprivileged processed, we lookup a passed file descriptor.
121// The same calls should be made in the privileged and unprivileged process.
122func OpenPrivileged(path string) (*os.File, error) {
123 if os.Getuid() != 0 && !FilesImmediate {
124 fl := passedFiles[path]
126 return nil, fmt.Errorf("no file descriptor for file %s", path)
129 passedFiles[path] = fl[1:]
133 f, err := os.Open(path)
137 passedFiles[path] = append(passedFiles[path], f)
139 // Open again, the caller will be closing this file.
143// Shutdown is canceled when a graceful shutdown is initiated. SMTP, IMAP, periodic
144// processes should check this before starting a new operation. If this context is
145// canaceled, the operation should not be started, and new connections/commands should
146// receive a message that the service is currently not available.
147var Shutdown context.Context
148var ShutdownCancel func()
150// This context should be used as parent by most operations. It is canceled 1
151// second after graceful shutdown was initiated with the cancelation of the
152// Shutdown context. This should abort active operations.
154// Operations typically have context timeouts, 30s for single i/o like DNS queries,
155// and 1 minute for operations with more back and forth. These are set through a
156// context.WithTimeout based on this context, so those contexts are still canceled
157// when shutting down.
159// HTTP servers don't get graceful shutdown, their connections are just aborted.
160// todo: should shut down http connections as well, and shut down the listener and/or return 503 for new requests.
161var Context context.Context
162var ContextCancel func()
164// Connections holds all active protocol sockets (smtp, imap). They will be given
165// an immediate read/write deadline shortly after initiating mox shutdown, after
166// which the connections get 1 more second for error handling before actual
168var Connections = &connections{
169 conns: map[net.Conn]connKind{},
170 gauges: map[connKind]prometheus.GaugeFunc{},
171 active: map[connKind]int64{},
174type connKind struct {
179type connections struct {
181 conns map[net.Conn]connKind
182 dones []chan struct{}
183 gauges map[connKind]prometheus.GaugeFunc
185 activeMutex sync.Mutex
186 active map[connKind]int64
189// Register adds a connection for receiving an immediate i/o deadline on shutdown.
190// When the connection is closed, Remove must be called to cancel the registration.
191func (c *connections) Register(nc net.Conn, protocol, listener string) {
192 // This can happen, when a connection was initiated before a shutdown, but it
193 // doesn't hurt to log it.
195 case <-Shutdown.Done():
196 pkglog.Error("new connection added while shutting down")
201 ck := connKind{protocol, listener}
205 c.activeMutex.Unlock()
210 if _, ok := c.gauges[ck]; !ok {
211 c.gauges[ck] = promauto.NewGaugeFunc(
212 prometheus.GaugeOpts{
213 Name: "mox_connections_count",
214 Help: "Open connections, per protocol/listener.",
215 ConstLabels: prometheus.Labels{
216 "protocol": protocol,
217 "listener": listener,
222 defer c.activeMutex.Unlock()
223 return float64(c.active[ck])
229// Unregister removes a connection for shutdown.
230func (c *connections) Unregister(nc net.Conn) {
238 c.activeMutex.Unlock()
242 if len(c.conns) > 0 {
245 for _, done := range c.dones {
251// Shutdown sets an immediate i/o deadline on all open registered sockets. Called
252// some time after mox shutdown is initiated.
253// The deadline will cause i/o's to be aborted, which should result in the
254// connection being unregistered.
255func (c *connections) Shutdown() {
259 for nc := range c.conns {
260 if err := nc.SetDeadline(now); err != nil {
261 pkglog.Errorx("setting immediate read/write deadline for shutdown", err)
266// Done returns a new channel on which a value is sent when no more sockets are
267// open, which could be immediate.
268func (c *connections) Done() chan struct{} {
271 done := make(chan struct{}, 1)
272 if len(c.conns) == 0 {
276 c.dones = append(c.dones, done)