Merge branch 'master' into dev

.github/workflows/cicd.yml

@@ -10,11 +10,13 @@ on:
 jobs:
   build-and-test:
     name: "Build and test"
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
     - name: "Install libpam"
-      run: sudo apt-get install -y libpam-dev
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y libpam-dev
     - uses: actions/cache@v2
       with:
         path: |
@@ -24,7 +26,7 @@ jobs:
         restore-keys: ${{ runner.os }}-go-
     - uses: actions/setup-go@v2
       with:
-        go-version: 1.18.9
+        go-version: 1.19
     - name: "Verify build.sh"
       run: |
         ./build.sh

.mkdocs.yml

@@ -60,7 +60,7 @@ nav:
           - reference/table/sql_query.md
           - reference/table/chain.md
           - reference/table/email_localpart.md
-          - reference/table/email_with_domains.md
+          - reference/table/email_with_domain.md
           - reference/table/auth.md
       - Authentication providers:
           - reference/auth/pass_table.md

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.18-alpine AS build-env
+FROM golang:1.19-alpine AS build-env
 
 RUN set -ex && \
     apk upgrade --no-cache --available && \
@@ -14,7 +14,7 @@ RUN mkdir -p /pkg/data && \
     cp maddy.conf.docker /pkg/data/maddy.conf && \
     ./build.sh --builddir /tmp --destdir /pkg/ --tags docker build install
 
-FROM alpine:3.17.0
+FROM alpine:3.18.4
 LABEL maintainer="[email protected]"
 LABEL org.opencontainers.image.source=https://github.com/foxcpp/maddy
 

README.md

@@ -15,8 +15,8 @@ daemon with uniform configuration and minimal maintenance cost.
 feature-packed implementation you may want to use Dovecot instead. maddy still
 can handle message delivery business.
 
-[![CI status](https://img.shields.io/github/workflow/status/foxcpp/maddy/Testing%20and%20release%20preparation?style=flat-square)](https://github.com/foxcpp/maddy/actions/workflows/cicd.yml)
-[![Issues tracker](https://img.shields.io/github/issues/foxcpp/maddy)](https://github.com/foxcpp/maddy)
+[![CI status](https://img.shields.io/github/actions/workflow/status/foxcpp/maddy/cicd.yml?style=flat-square)](https://github.com/foxcpp/maddy/actions/workflows/cicd.yml)
+[![Issues tracker](https://img.shields.io/github/issues/foxcpp/maddy?style=flat-square)](https://github.com/foxcpp/maddy)
 
 * [Setup tutorial](https://maddy.email/tutorials/setting-up/)
 * [Documentation](https://maddy.email/)

build.sh

@@ -146,10 +146,23 @@ install() {
 	# Attempt to install systemd units only for Linux.
 	# Check is done using GOOS instead of uname -s to account for possible
 	# package cross-compilation.
-	if [ "$(go env GOOS)" = "linux" ]; then
-		command install -m 0755 -d "${destdir}/${prefix}/lib/systemd/system/"
-		command install -m 0644 "${builddir}"/systemd/*.service "${destdir}/${prefix}/lib/systemd/system/"
-	fi
+	# Though go command might be unavailable if build.sh is run
+	# with sudo and go installation is user-specific, so fallback
+	# to using uname -s in the end.
+	set +e
+  if command -v go >/dev/null 2>/dev/null; then
+    set -e
+    if [ "$(go env GOOS)" = "linux" ]; then
+    		command install -m 0755 -d "${destdir}/${prefix}/lib/systemd/system/"
+    		command install -m 0644 "${builddir}"/systemd/*.service "${destdir}/${prefix}/lib/systemd/system/"
+    fi
+  else
+    set -e
+    if [ "$(uname -s)" = "Linux" ]; then
+        		command install -m 0755 -d "${destdir}/${prefix}/lib/systemd/system/"
+        		command install -m 0644 "${builddir}"/systemd/*.service "${destdir}/${prefix}/lib/systemd/system/"
+        fi
+  fi
 
 	if [ -e "${builddir}"/man ]; then
 		command install -m 0755 -d "${destdir}/${prefix}/share/man/man1/"

contrib/kubernetes/chart/README.md

@@ -9,7 +9,7 @@ load balancer in front of the nodes.
 
 ## Requirement
 
-In order to run maddy properly, you need to have TLS secret undet name maddy present in the cluster. If you have commercial
+In order to run maddy properly, you need to have TLS secret under name maddy present in the cluster. If you have commercial
 certificate, you can create it by the following command:
 
 ```sh
@@ -20,9 +20,9 @@ If you use cert-manager, just create the secret under name maddy.
 
 ## Replication
 
-Default for this chart is 1 replica of maddy. If you try to increse this, you will probably get an error because of
+Default for this chart is 1 replica of maddy. If you try to increase this, you will probably get an error because of
 the busy ports 25, 143, 587, etc. We do not support this feature at the moment, so please use just 1 replica. Like said
-at the begining of this document, multiple replicas would probably require to switch do DaemonSet which would further require
+at the beginning of this document, multiple replicas would probably require to switch do DaemonSet which would further require
 to have TCP load balancer and shared storage between all replicas. This is not supported by this chart, sorry.
 This chart is used on one node cluster and then installation is straight forward, like described bellow, but if you have
 multiple node cluster, please use taints and tolerations to select the desired node. This chart supports tolerations to

dist/README.md

@@ -22,7 +22,7 @@ Additionally, unit files apply strict sandboxing, limiting maddy permissions on
 the system to a bare minimum. Subset of these options makes it impossible for
 privileged authentication helper binaries to gain required permissions, so you
 may have to disable it when using system account-based authentication with
-maddy running as a unprivilieged user.
+maddy running as a unprivileged user.
 
 ## fail2ban configuration
 

dist/systemd/maddy.service

@@ -3,7 +3,7 @@ Description=maddy mail server
 Documentation=man:maddy(1)
 Documentation=man:maddy.conf(5)
 Documentation=https://maddy.email
-After=network.target
+After=network-online.target
 
 [Service]
 Type=notify
@@ -54,8 +54,9 @@ KillSignal=SIGTERM
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 
-# Force all files created by maddy to be only readable by it.
-UMask=0027
+# Force all files created by maddy to be only readable by it
+# and maddy group.
+UMask=0007
 
 # Bump FD limitations. Even idle mail server can have a lot of FDs open (think
 # of idle IMAP connections, especially ones abandoned on the other end and

dist/systemd/maddy@.service

@@ -3,7 +3,7 @@ Description=maddy mail server (using %i.conf)
 Documentation=man:maddy(1)
 Documentation=man:maddy.conf(5)
 Documentation=https://maddy.email
-After=network.target
+After=network-online.target
 
 [Service]
 Type=notify
@@ -50,8 +50,9 @@ KillSignal=SIGTERM
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 
-# Force all files created by maddy to be only readable by it.
-UMask=0027
+# Force all files created by maddy to be only readable by it and
+# maddy group.
+UMask=0007
 
 # Bump FD limitations. Even idle mail server can have a lot of FDs open (think
 # of idle IMAP connections, especially ones abandoned on the other end and

docs/docker.md

@@ -72,4 +72,4 @@ docker run \
 
 It will fail on first startup. Copy TLS certificate to /data/tls/fullchain.pem
 and key to /data/tls/privkey.pem. Run the server again. Finish DNS configuration
-(DKIM keys, etc) as described in [tutorials/setting-up/](tutorials/setting-up/).
+(DKIM keys, etc) as described in [tutorials/setting-up/](../tutorials/setting-up/).

docs/internals/unicode.md

@@ -93,4 +93,4 @@ mentioned above).
 
 Clients that want to implement proper handling for Unicode strings may assume
 maddy does not handle them properly in e.g. SEARCH commands and so such clients
-may download messsages and process them locally.
+may download messages and process them locally.

docs/multiple-domains.md

@@ -28,7 +28,7 @@ the [introduction tutorial](tutorials/setting-up.md).
 
 Also note that you do not really need a separate TLS certificate for each
 managed domain. You can have one hostname e.g. mail.example.org set as an MX
-record for mulitple domains.
+record for multiple domains.
 
 **If you want multiple domains to share username namespace**, you should change
 several more options.
@@ -53,7 +53,7 @@ maddy imap-acct create [email protected]
 "user"**, you can set `storage_map` in IMAP endpoint and `delivery_map` in
 storage backend to use `email_locapart`:
 ```
-straoge.imapsql local_mailboxes {
+storage.imapsql local_mailboxes {
    ...
    delivery_map email_localpart # deliver "user@*" to "user"
 }
@@ -75,8 +75,8 @@ accept non-email usernames:
 authorize_sender {
   ...
   user_to_email chain {
-    step email_localpart_optional            # remove domain from username if present
-    step email_with_domains $(local_domains) # expand username with all allowed domains
+    step email_localpart_optional           # remove domain from username if present
+    step email_with_domain $(local_domains) # expand username with all allowed domains
   }
 }
 ```
@@ -141,8 +141,8 @@ mailboxes.**
         authorize_sender {
           ...
           user_to_email chain {
-            step email_localpart_optional            # remove domain from username if present
-            step email_with_domains $(local_domains) # expand username with all allowed domains
+            step email_localpart_optional           # remove domain from username if present
+            step email_with_domain $(local_domains) # expand username with all allowed domains
           }
         }
       }

docs/reference/auth/dovecot_sasl.md

@@ -1,6 +1,6 @@
 # Dovecot SASL
 
-The 'auth.dovecot\_sasl' module implements the client side of the Dovecot
+The 'auth.dovecot_sasl' module implements the client side of the Dovecot
 authentication protocol, allowing maddy to use it as a credentials source.
 
 Currently SASL mechanisms support is limited to mechanisms supported by maddy
@@ -16,11 +16,11 @@ dovecot_sasl unix://socket_path
 
 ## Configuration directives
 
-**Syntax**: endpoint _schema://address_ <br>
-**Default**: not set
+### endpoint _schema://address_
+Default: not set
 
 Set the address to use to contact Dovecot SASL server in the standard endpoint
 format.
 
-tcp://10.0.0.1:2222 for TCP, unix:///var/lib/dovecot/auth.sock for Unix
+`tcp://10.0.0.1:2222` for TCP, `unix:///var/lib/dovecot/auth.sock` for Unix
 domain sockets.

docs/reference/auth/external.md

@@ -1,12 +1,12 @@
 # System command
 
 auth.external module for authentication using external helper binary. It looks for binary
-named maddy-auth-helper in $PATH and libexecdir and uses it for authentication
+named `maddy-auth-helper` in $PATH and libexecdir and uses it for authentication
 using username/password pair.
 
 The protocol is very simple:
 Program is launched for each authentication. Username and password are written
-to stdin, adding \\n to the end. If binary exits with 0 status code -
+to stdin, adding \n to the end. If binary exits with 0 status code -
 authentication is considered successful. If the status code is 1 -
 authentication is failed. If the status code is 2 - another unrelated error has
 happened. Additional information should be written to stderr.
@@ -21,19 +21,24 @@ auth.external {
 
 ## Configuration directives
 
-**Syntax**: helper _file\_path\_
+### helper _file_path_
 
-Location of the helper binary. **Required.**
+**Required.** <br>
+Location of the helper binary. 
 
-**Syntax**: perdomain _boolean_ <br>
-**Default**: no
+---
+
+### perdomain _boolean_
+Default: `no`
 
 Don't remove domain part of username when authenticating and require it to be
 present. Can be used if you want user@domain1 and user@domain2 to be different
 accounts.
 
-**Syntax**: domains _domains..._ <br>
-**Default**: not specified
+---
+
+### domains _domains..._
+Default: not specified
 
 Domains that should be allowed in username during authentication.
 
@@ -43,5 +48,5 @@ name in addition to just username.
 
 If used without 'perdomain', domain part will be removed from login before
 check with underlying auth. mechanism. If 'perdomain' is set, then
-domains must be also set and domain part WILL NOT be removed before check.
+domains must be also set and domain part **will not** be removed before check.