Simple Golang SMTP relay/proxy server
go
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

main.go 7.2KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282
  1. package main
  2. import (
  3. "crypto/tls"
  4. "fmt"
  5. "io"
  6. "log"
  7. "net"
  8. "net/smtp"
  9. "os"
  10. "regexp"
  11. "strings"
  12. "time"
  13. "github.com/chrj/smtpd"
  14. )
  15. func connectionChecker(peer smtpd.Peer) error {
  16. var peerIP net.IP
  17. if addr, ok := peer.Addr.(*net.TCPAddr); ok {
  18. peerIP = net.ParseIP(addr.IP.String())
  19. } else {
  20. return smtpd.Error{Code: 421, Message: "Denied"}
  21. }
  22. nets := strings.Split(*allowedNets, " ")
  23. for i := range(nets) {
  24. _, allowedNet, _ := net.ParseCIDR(nets[i])
  25. if allowedNet.Contains(peerIP) {
  26. return nil
  27. }
  28. }
  29. return smtpd.Error{Code: 421, Message: "Denied"}
  30. }
  31. func senderChecker(peer smtpd.Peer, addr string) error {
  32. // check sender address from auth file if user is authenticated
  33. if *allowedUsers != "" && peer.Username != "" {
  34. _, email, err := AuthFetch(peer.Username)
  35. if err != nil {
  36. return smtpd.Error{Code: 451, Message: "Bad sender address"}
  37. }
  38. if strings.ToLower(addr) != strings.ToLower(email) {
  39. return smtpd.Error{Code: 451, Message: "Bad sender address"}
  40. }
  41. }
  42. if *allowedSender == "" {
  43. return nil
  44. }
  45. re, err := regexp.Compile(*allowedSender)
  46. if err != nil {
  47. log.Printf("allowed_sender invalid: %v\n", err)
  48. return smtpd.Error{Code: 451, Message: "Bad sender address"}
  49. }
  50. if re.MatchString(addr) {
  51. return nil
  52. }
  53. return smtpd.Error{Code: 451, Message: "Bad sender address"}
  54. }
  55. func recipientChecker(peer smtpd.Peer, addr string) error {
  56. if *allowedRecipients == "" {
  57. return nil
  58. }
  59. re, err := regexp.Compile(*allowedRecipients)
  60. if err != nil {
  61. log.Printf("allowed_recipients invalid: %v\n", err)
  62. return smtpd.Error{Code: 451, Message: "Bad recipient address"}
  63. }
  64. if re.MatchString(addr) {
  65. return nil
  66. }
  67. return smtpd.Error{Code: 451, Message: "Bad recipient address"}
  68. }
  69. func authChecker(peer smtpd.Peer, username string, password string) error {
  70. err := AuthCheckPassword(username, password)
  71. if err != nil {
  72. log.Printf("Auth error: %v\n", err)
  73. return smtpd.Error{Code: 535, Message: "Authentication credentials invalid"}
  74. }
  75. return nil
  76. }
  77. func mailHandler(peer smtpd.Peer, env smtpd.Envelope) error {
  78. if *allowedUsers != "" && peer.Username == "" {
  79. return smtpd.Error{Code: 530, Message: "Authentication Required"}
  80. }
  81. peerIP := ""
  82. if addr, ok := peer.Addr.(*net.TCPAddr); ok {
  83. peerIP = addr.IP.String()
  84. }
  85. log.Printf("new mail from=<%s> to=%s peer=[%s]\n", env.Sender,
  86. env.Recipients, peerIP)
  87. var auth smtp.Auth
  88. host, _, _ := net.SplitHostPort(*remoteHost)
  89. if *remoteUser != "" && *remotePass != "" {
  90. auth = smtp.PlainAuth("", *remoteUser, *remotePass, host)
  91. }
  92. env.AddReceivedLine(peer)
  93. log.Printf("delivering using smarthost %s\n", *remoteHost)
  94. err := SendMail(
  95. *remoteHost,
  96. auth,
  97. env.Sender,
  98. env.Recipients,
  99. env.Data,
  100. )
  101. if err != nil {
  102. log.Printf("delivery failed: %v\n", err);
  103. return smtpd.Error{Code: 554, Message: "Forwarding failed"}
  104. }
  105. log.Printf("%s delivery successful\n", env.Recipients)
  106. return nil
  107. }
  108. func main() {
  109. ConfigLoad()
  110. if *versionInfo {
  111. fmt.Printf("smtprelay/%s\n", VERSION)
  112. os.Exit(0)
  113. }
  114. if *logFile != "" {
  115. f, err := os.OpenFile(*logFile, os.O_WRONLY | os.O_CREATE | os.O_APPEND, 0600)
  116. if err != nil {
  117. log.Fatalf("Error opening logfile: %v", err)
  118. }
  119. defer f.Close()
  120. log.SetOutput(io.MultiWriter(os.Stdout, f))
  121. }
  122. listeners := strings.Split(*listen, " ")
  123. for i := range(listeners) {
  124. listener := listeners[i]
  125. server := &smtpd.Server{
  126. Hostname: *hostName,
  127. WelcomeMessage: *welcomeMsg,
  128. ConnectionChecker: connectionChecker,
  129. SenderChecker: senderChecker,
  130. RecipientChecker: recipientChecker,
  131. Handler: mailHandler,
  132. }
  133. if *allowedUsers != "" {
  134. err := AuthLoadFile(*allowedUsers)
  135. if err != nil {
  136. log.Fatalf("Authentication file: %s\n", err)
  137. }
  138. server.Authenticator = authChecker
  139. }
  140. if strings.Index(listeners[i], "://") == -1 {
  141. log.Printf("Listen on %s ...\n", listener)
  142. go server.ListenAndServe(listener)
  143. } else if strings.HasPrefix(listeners[i], "starttls://") {
  144. listener = strings.TrimPrefix(listener, "starttls://")
  145. if *localCert == "" || *localKey == "" {
  146. log.Fatal("TLS certificate/key not defined in config")
  147. }
  148. cert, err := tls.LoadX509KeyPair(*localCert, *localKey)
  149. if err != nil {
  150. log.Fatal(err)
  151. }
  152. server.TLSConfig = &tls.Config {
  153. PreferServerCipherSuites: true,
  154. MinVersion: tls.VersionTLS11,
  155. // Ciphersuites as defined in stock Go but without 3DES
  156. // https://golang.org/src/crypto/tls/cipher_suites.go
  157. CipherSuites: []uint16 {
  158. tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  159. tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  160. tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  161. tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  162. tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  163. tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  164. tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  165. tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  166. tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  167. tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  168. tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  169. tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  170. tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // does not provide PFS
  171. tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // does not provide PFS
  172. tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
  173. tls.TLS_RSA_WITH_AES_128_CBC_SHA,
  174. tls.TLS_RSA_WITH_AES_256_CBC_SHA,
  175. },
  176. Certificates: [] tls.Certificate{cert},
  177. }
  178. server.ForceTLS = *localForceTLS
  179. log.Printf("Listen on %s (STARTSSL) ...\n", listener)
  180. lsnr, err := net.Listen("tcp", listener)
  181. defer lsnr.Close()
  182. go server.Serve(lsnr)
  183. } else if strings.HasPrefix(listeners[i], "tls://") {
  184. listener = strings.TrimPrefix(listener, "tls://")
  185. if *localCert == "" || *localKey == "" {
  186. log.Fatal("TLS certificate/key not defined in config")
  187. }
  188. cert, err := tls.LoadX509KeyPair(*localCert, *localKey)
  189. if err != nil {
  190. log.Fatal(err)
  191. }
  192. server.TLSConfig = &tls.Config {
  193. PreferServerCipherSuites: true,
  194. MinVersion: tls.VersionTLS11,
  195. // Ciphersuites as defined in stock Go but without 3DES
  196. // https://golang.org/src/crypto/tls/cipher_suites.go
  197. CipherSuites: []uint16 {
  198. tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  199. tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  200. tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  201. tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  202. tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  203. tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  204. tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  205. tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  206. tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  207. tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  208. tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  209. tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  210. tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // does not provide PFS
  211. tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // does not provide PFS
  212. tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
  213. tls.TLS_RSA_WITH_AES_128_CBC_SHA,
  214. tls.TLS_RSA_WITH_AES_256_CBC_SHA,
  215. },
  216. Certificates: [] tls.Certificate{cert},
  217. }
  218. log.Printf("Listen on %s (TLS) ...\n", listener)
  219. lsnr, err := tls.Listen("tcp", listener, server.TLSConfig)
  220. defer lsnr.Close()
  221. go server.Serve(lsnr)
  222. } else {
  223. log.Fatal("Unknown protocol in listener ", listener)
  224. }
  225. }
  226. for true {
  227. time.Sleep(time.Minute)
  228. }
  229. }