mirror of
https://github.com/decke/smtprelay.git
synced 2026-01-17 06:39:24 -07:00
Compare commits
25 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
0e352a9bb6 | ||
|
42d1721751 | ||
|
|
e20797a4df | ||
|
|
54b224c8c6 | ||
|
8d7554031d | ||
|
|
9ad25e290f | ||
|
|
b84020b310 | ||
|
|
54bf53cd0e | ||
|
|
e1c3ef2785 | ||
|
|
5a036a6638 | ||
|
|
17f906df1e | ||
|
|
a73b625e68 | ||
|
|
780ac71f74 | ||
|
|
88b425b63d | ||
|
|
42c8136071 | ||
|
|
b0dfe3e540 | ||
|
|
2cecffe562 | ||
|
|
b8f8214922 | ||
|
|
bc2e50b4d5 | ||
|
|
87976ae630 | ||
|
|
ccb70f5cf6 | ||
|
|
0b6681b7dc | ||
|
|
51a6fb7feb | ||
|
|
7e38262340 | ||
|
|
0febc5a07a |
10
.github/workflows/codeql-analysis.yml
vendored
10
.github/workflows/codeql-analysis.yml
vendored
@@ -38,16 +38,16 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
|
||||
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
||||
with:
|
||||
egress-policy: audit
|
||||
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
||||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||||
|
||||
# Initializes the CodeQL tools for scanning.
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3
|
||||
uses: github/codeql-action/init@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
# If you wish to specify custom queries, you can do so here or in a config file.
|
||||
@@ -58,7 +58,7 @@ jobs:
|
||||
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
|
||||
# If this step fails, then you should remove it and run the build manually (see below)
|
||||
- name: Autobuild
|
||||
uses: github/codeql-action/autobuild@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3
|
||||
uses: github/codeql-action/autobuild@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
|
||||
|
||||
# ℹ️ Command-line programs to run using the OS shell.
|
||||
# 📚 https://git.io/JvXDl
|
||||
@@ -72,4 +72,4 @@ jobs:
|
||||
# make release
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3
|
||||
uses: github/codeql-action/analyze@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
|
||||
|
||||
4
.github/workflows/dependency-review.yml
vendored
4
.github/workflows/dependency-review.yml
vendored
@@ -17,11 +17,11 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
|
||||
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
||||
with:
|
||||
egress-policy: audit
|
||||
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
||||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||||
- name: 'Dependency Review'
|
||||
uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
|
||||
|
||||
6
.github/workflows/go.yml
vendored
6
.github/workflows/go.yml
vendored
@@ -10,12 +10,12 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
|
||||
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
||||
with:
|
||||
egress-policy: audit
|
||||
|
||||
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
||||
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
|
||||
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||||
- uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
|
||||
with:
|
||||
go-version: 'stable'
|
||||
|
||||
|
||||
30
.github/workflows/release.yaml
vendored
30
.github/workflows/release.yaml
vendored
@@ -3,6 +3,12 @@ name: Release Go Binaries
|
||||
on:
|
||||
release:
|
||||
types: [created]
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
release_tag:
|
||||
description: 'Tag name to build (v1.3.1)'
|
||||
required: false
|
||||
default: ''
|
||||
|
||||
# Declare default permissions as read only.
|
||||
permissions: read-all
|
||||
@@ -21,21 +27,37 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
|
||||
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
||||
with:
|
||||
egress-policy: audit
|
||||
|
||||
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
||||
- name: Determine ref to checkout
|
||||
run: |
|
||||
# If manually invoked with a release_tag input, use refs/tags/<release_tag>.
|
||||
if [ "${{ github.event_name }}" = "workflow_dispatch" ] && [ -n "${{ github.event.inputs.release_tag }}" ]; then
|
||||
echo "REF=refs/tags/${{ github.event.inputs.release_tag }}" >> $GITHUB_ENV
|
||||
else
|
||||
# For release events GITHUB_REF is already refs/tags/<tag>; otherwise fall back to the incoming ref.
|
||||
echo "REF=${GITHUB_REF}" >> $GITHUB_ENV
|
||||
fi
|
||||
|
||||
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||||
with:
|
||||
ref: ${{ env.REF }}
|
||||
|
||||
- name: Set APP_VERSION env
|
||||
run: echo APP_VERSION=$(echo ${GITHUB_REF} | rev | cut -d'/' -f 1 | rev ) >> ${GITHUB_ENV}
|
||||
run: |
|
||||
# basename strips refs/... and yields the tag or branch name
|
||||
echo "APP_VERSION=$(basename ${REF})" >> $GITHUB_ENV
|
||||
|
||||
- name: Set BUILD_TIME env
|
||||
run: echo BUILD_TIME=$(date) >> ${GITHUB_ENV}
|
||||
|
||||
- uses: wangyoucao577/go-release-action@481a2c1a0f1be199722e3e9b74d7199acafc30a8 # v1.53
|
||||
- uses: wangyoucao577/go-release-action@279495102627de7960cbc33434ab01a12bae144b # v1.55
|
||||
with:
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
goos: ${{ matrix.goos }}
|
||||
goarch: ${{ matrix.goarch }}
|
||||
extra_files: LICENSE README.md smtprelay.ini
|
||||
ldflags: -s -w -X "main.appVersion=${{ env.APP_VERSION }}" -X "main.buildTime=${{ env.BUILD_TIME }}"
|
||||
release_tag: ${{ env.APP_VERSION }}
|
||||
|
||||
8
.github/workflows/scorecards.yml
vendored
8
.github/workflows/scorecards.yml
vendored
@@ -36,12 +36,12 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
|
||||
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
||||
with:
|
||||
egress-policy: audit
|
||||
|
||||
- name: "Checkout code"
|
||||
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
||||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
@@ -68,7 +68,7 @@ jobs:
|
||||
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
|
||||
# format to the repository Actions tab.
|
||||
- name: "Upload artifact"
|
||||
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
|
||||
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
|
||||
with:
|
||||
name: SARIF file
|
||||
path: results.sarif
|
||||
@@ -76,6 +76,6 @@ jobs:
|
||||
|
||||
# Upload the results to GitHub's code scanning dashboard.
|
||||
- name: "Upload to code-scanning"
|
||||
uses: github/codeql-action/upload-sarif@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3
|
||||
uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
||||
45
config.go
45
config.go
@@ -46,6 +46,8 @@ var (
|
||||
command = flagset.String("command", "", "Path to pipe command")
|
||||
remotesStr = flagset.String("remotes", "", "Outgoing SMTP servers")
|
||||
strictSender = flagset.Bool("strict_sender", false, "Use only SMTP servers with Sender matches to From")
|
||||
remoteCert = flagset.String("remote_certificate", "", "Client SSL certificate for remote STARTTLS/TLS")
|
||||
remoteKey = flagset.String("remote_key", "", "Client SSL private key for remote STARTTLS/TLS")
|
||||
|
||||
// additional flags
|
||||
_ = flagset.String("config", "", "Path to config file (ini format)")
|
||||
@@ -67,9 +69,38 @@ func localAuthRequired() bool {
|
||||
return *allowedUsers != ""
|
||||
}
|
||||
|
||||
func remoteCertAndKeyReadable() bool {
|
||||
certSet := *remoteCert != ""
|
||||
keySet := *remoteKey != ""
|
||||
|
||||
// Both must be set or both must be unset
|
||||
if certSet != keySet {
|
||||
return false
|
||||
}
|
||||
|
||||
// If both are set, verify files exist and are accessible
|
||||
if certSet && keySet {
|
||||
if _, err := os.Stat(*remoteCert); err != nil {
|
||||
log.Error().
|
||||
Str("cert", *remoteCert).
|
||||
Err(err).
|
||||
Msg("cannot access remote client certificate file")
|
||||
return false
|
||||
}
|
||||
if _, err := os.Stat(*remoteKey); err != nil {
|
||||
log.Error().
|
||||
Str("key", *remoteKey).
|
||||
Err(err).
|
||||
Msg("cannot access remote client key file")
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
func setupAliases() {
|
||||
if *aliasFile != "" {
|
||||
aliases := make(AliasMap)
|
||||
aliases, err := AliasLoadFile(*aliasFile)
|
||||
if err != nil {
|
||||
log.Fatal().
|
||||
@@ -138,6 +169,11 @@ func setupRemotes() {
|
||||
logger.Fatal().Msg(fmt.Sprintf("error parsing url: '%s': %v", remoteURL, err))
|
||||
}
|
||||
|
||||
if *remoteCert != "" && *remoteKey != "" && (r.Scheme == "smtps" || r.Scheme == "starttls") {
|
||||
r.ClientCertPath = *remoteCert
|
||||
r.ClientKeyPath = *remoteKey
|
||||
}
|
||||
|
||||
remotes = append(remotes, r)
|
||||
}
|
||||
}
|
||||
@@ -254,6 +290,13 @@ func ConfigLoad() {
|
||||
log.Warn().Msg("no remotes or command set; mail will not be forwarded!")
|
||||
}
|
||||
|
||||
if !remoteCertAndKeyReadable() {
|
||||
log.Fatal().
|
||||
Str("remote_certificate", *remoteCert).
|
||||
Str("remote_key", *remoteKey).
|
||||
Msg("remote_certificate and remote_key must both be set or both be empty")
|
||||
}
|
||||
|
||||
setupAllowedNetworks()
|
||||
setupAllowedPatterns()
|
||||
setupAliases()
|
||||
|
||||
8
go.mod
8
go.mod
@@ -8,17 +8,17 @@ require (
|
||||
github.com/peterbourgon/ff/v3 v3.4.0
|
||||
github.com/rs/zerolog v1.34.0
|
||||
github.com/stretchr/testify v1.11.1
|
||||
golang.org/x/crypto v0.44.0
|
||||
golang.org/x/crypto v0.47.0
|
||||
)
|
||||
|
||||
require (
|
||||
github.com/davecgh/go-spew v1.1.1 // indirect
|
||||
github.com/klauspost/compress v1.18.1 // indirect
|
||||
github.com/klauspost/compress v1.18.2 // indirect
|
||||
github.com/mattn/go-colorable v0.1.14 // indirect
|
||||
github.com/mattn/go-isatty v0.0.20 // indirect
|
||||
github.com/pmezard/go-difflib v1.0.0 // indirect
|
||||
golang.org/x/sys v0.38.0 // indirect
|
||||
golang.org/x/sys v0.40.0 // indirect
|
||||
gopkg.in/yaml.v3 v3.0.1 // indirect
|
||||
)
|
||||
|
||||
go 1.24.3
|
||||
go 1.24.11
|
||||
|
||||
12
go.sum
12
go.sum
@@ -12,8 +12,8 @@ github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8
|
||||
github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
|
||||
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
|
||||
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
||||
github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co=
|
||||
github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0=
|
||||
github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
|
||||
github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
|
||||
github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
|
||||
github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
|
||||
github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
|
||||
@@ -31,13 +31,13 @@ github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
|
||||
github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
|
||||
github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
|
||||
github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
|
||||
golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
|
||||
golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
|
||||
golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
|
||||
golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
|
||||
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
|
||||
golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
|
||||
golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
|
||||
golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||
|
||||
@@ -14,6 +14,8 @@ type Remote struct {
|
||||
Port string
|
||||
Addr string
|
||||
Sender string
|
||||
ClientCertPath string
|
||||
ClientKeyPath string
|
||||
}
|
||||
|
||||
// ParseRemote creates a remote from a given url in the following format:
|
||||
|
||||
16
smtp.go
16
smtp.go
@@ -340,6 +340,14 @@ func SendMail(r *Remote, from string, to []string, msg []byte) error {
|
||||
ServerName: r.Hostname,
|
||||
InsecureSkipVerify: r.SkipVerify,
|
||||
}
|
||||
// Load client certificate on-demand, just before connection
|
||||
if r.ClientCertPath != "" && r.ClientKeyPath != "" {
|
||||
cert, err := tls.LoadX509KeyPair(r.ClientCertPath, r.ClientKeyPath)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
config.Certificates = []tls.Certificate{cert}
|
||||
}
|
||||
conn, err := tls.Dial("tcp", r.Addr, config)
|
||||
if err != nil {
|
||||
return err
|
||||
@@ -366,6 +374,14 @@ func SendMail(r *Remote, from string, to []string, msg []byte) error {
|
||||
ServerName: c.serverName,
|
||||
InsecureSkipVerify: r.SkipVerify,
|
||||
}
|
||||
// Load client certificate on-demand, just before use
|
||||
if r.ClientCertPath != "" && r.ClientKeyPath != "" {
|
||||
cert, err := tls.LoadX509KeyPair(r.ClientCertPath, r.ClientKeyPath)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
config.Certificates = []tls.Certificate{cert}
|
||||
}
|
||||
if testHookStartTLS != nil {
|
||||
testHookStartTLS(config)
|
||||
}
|
||||
|
||||
@@ -119,6 +119,10 @@
|
||||
; Mailjet.com
|
||||
;remotes = starttls://user:pass@in-v3.mailjet.com:587
|
||||
|
||||
; Exchange Online (O365) SMTP relay
|
||||
; (Change netloc to your own Exchange MX endpoint)
|
||||
; remotes = starttls://contoso-com.mail.protection.outlook.com:25
|
||||
|
||||
; Ignore remote host certificates
|
||||
;remotes = starttls://user:pass@server:587?skipVerify
|
||||
|
||||
@@ -131,5 +135,11 @@
|
||||
; Multiple remotes, space delimited
|
||||
;remotes = smtp://127.0.0.1:1025 starttls://user:pass@smtp.mailgun.org:587
|
||||
|
||||
; Client SSL certificate for remote STARTTLS/TLS
|
||||
; remote_certificate = /path/to/certificate-chain.pem
|
||||
|
||||
; Client SSL private key for remote STARTTLS/TLS
|
||||
; remote_key = /path/to/private-key.pem
|
||||
|
||||
; Pipe messages to external command
|
||||
;command = /usr/local/bin/script
|
||||
|
||||
Reference in New Issue
Block a user