serv/mox
1
0
Fork 0
mirror of https://github.com/mjl-/mox.git synced 2024-12-26 16:33:47 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

make it possible to serve https on a different port than 443 through configuration

Browse source 
so you can run mox on openbsd with port redirects in pf.conf.

in the future, starting as root, binding the sockets, and passing the bound
sockets to a new unprivileged process should be implemented, but this should
get openbsd users going.

from discussion with mteege
This commit is contained in:
Mechiel Lukkien 2023-02-18 16:53:06 +01:00
parent a289a3e771
commit cc3a2c9bc8
No known key found for this signature in database
3 changed files with 29 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
config/config.go
View file

@ -71,6 +71,7 @@ type ACME struct {
DirectoryURL string `sconf-doc:"For letsencrypt, use https://acme-v02.api.letsencrypt.org/directory."` DirectoryURL string `sconf-doc:"For letsencrypt, use https://acme-v02.api.letsencrypt.org/directory."`
RenewBefore time.Duration `sconf:"optional" sconf-doc:"How long before expiration to renew the certificate. Default is 30 days."` RenewBefore time.Duration `sconf:"optional" sconf-doc:"How long before expiration to renew the certificate. Default is 30 days."`
ContactEmail string `sconf-doc:"Email address to register at ACME provider. The provider can email you when certificates are about to expire. If you configure an address for which email is delivered by this server, keep in mind that TLS misconfigurations could result in such notification emails not arriving."` ContactEmail string `sconf-doc:"Email address to register at ACME provider. The provider can email you when certificates are about to expire. If you configure an address for which email is delivered by this server, keep in mind that TLS misconfigurations could result in such notification emails not arriving."`
Port int `sconf:"optional" sconf-doc:"TLS port for ACME validation, 443 by default. You should only override this if you cannot listen on port 443 directly. ACME will make requests to port 443, so you'll have to add an external mechanism to get the connection here, e.g. by configuring port forwarding."`
Manager *autotls.Manager `sconf:"-" json:"-"` Manager *autotls.Manager `sconf:"-" json:"-"`
} }
@ -134,10 +135,12 @@ type Listener struct {
} `sconf:"optional" sconf-doc:"Serve /debug/pprof/ for profiling a running mox instance. Do not enable this on a public IP!"` } `sconf:"optional" sconf-doc:"Serve /debug/pprof/ for profiling a running mox instance. Do not enable this on a public IP!"`
AutoconfigHTTPS struct { AutoconfigHTTPS struct {
Enabled bool Enabled bool
Port int `sconf:"optional" sconf-doc:"TLS port, 443 by default. You should only override this if you cannot listen on port 443 directly. Autoconfig requests will be made to port 443, so you'll have to add an external mechanism to get the connection here, e.g. by configuring port forwarding."`
} `sconf:"optional" sconf-doc:"Serve autoconfiguration/autodiscovery to simplify configuring email applications, will use port 443. Requires a TLS config."` } `sconf:"optional" sconf-doc:"Serve autoconfiguration/autodiscovery to simplify configuring email applications, will use port 443. Requires a TLS config."`
MTASTSHTTPS struct { MTASTSHTTPS struct {
Enabled bool Enabled bool
} `sconf:"optional" sconf-doc:"Serve MTA-STS policies describing SMTP TLS requirements, will use port 443. Requires a TLS config."` Port int `sconf:"optional" sconf-doc:"TLS port, 443 by default. You should only override this if you cannot listen on port 443 directly. MTA-STS requests will be made to port 443, so you'll have to add an external mechanism to get the connection here, e.g. by configuring port forwarding."`
} `sconf:"optional" sconf-doc:"Serve MTA-STS policies describing SMTP TLS requirements. Requires a TLS config."`
} }
type Domain struct { type Domain struct {

22
config/doc.go
View file

@ -66,6 +66,12 @@ describe-static" and "mox config describe-domains":
# in such notification emails not arriving. # in such notification emails not arriving.
ContactEmail: ContactEmail:
# TLS port for ACME validation, 443 by default. You should only override this if
# you cannot listen on port 443 directly. ACME will make requests to port 443, so
# you'll have to add an external mechanism to get the connection here, e.g. by
# configuring port forwarding. (optional)
Port: 0
# File containing hash of admin password, for authentication in the web admin # File containing hash of admin password, for authentication in the web admin
# pages (if enabled). (optional) # pages (if enabled). (optional)
AdminPasswordFile: AdminPasswordFile:
@ -228,11 +234,23 @@ describe-static" and "mox config describe-domains":
AutoconfigHTTPS: AutoconfigHTTPS:
Enabled: false Enabled: false
# Serve MTA-STS policies describing SMTP TLS requirements, will use port 443. # TLS port, 443 by default. You should only override this if you cannot listen on
# Requires a TLS config. (optional) # port 443 directly. Autoconfig requests will be made to port 443, so you'll have
# to add an external mechanism to get the connection here, e.g. by configuring
# port forwarding. (optional)
Port: 0
# Serve MTA-STS policies describing SMTP TLS requirements. Requires a TLS config.
# (optional)
MTASTSHTTPS: MTASTSHTTPS:
Enabled: false Enabled: false
# TLS port, 443 by default. You should only override this if you cannot listen on
# port 443 directly. MTA-STS requests will be made to port 443, so you'll have to
# add an external mechanism to get the connection here, e.g. by configuring port
# forwarding. (optional)
Port: 0
# Destination for emails delivered to postmaster address. # Destination for emails delivered to postmaster address.
Postmaster: Postmaster:
Account: Account:

10
http/web.go
View file

@ -55,12 +55,12 @@ func ListenAndServe() {
s = serve{nil, nil, &http.ServeMux{}} s = serve{nil, nil, &http.ServeMux{}}
} }
s.kinds = append(s.kinds, kind) s.kinds = append(s.kinds, kind)
if https && port == 443 && l.TLS.ACME != "" { if https && l.TLS.ACME != "" {
s.tlsConfig = l.TLS.ACMEConfig s.tlsConfig = l.TLS.ACMEConfig
} else if https { } else if https {
s.tlsConfig = l.TLS.Config s.tlsConfig = l.TLS.Config
if l.TLS.ACME != "" { if l.TLS.ACME != "" {
ensureServe(true, 443, "acme-tls-alpn-01") ensureServe(true, config.Port(mox.Conf.Static.ACME[l.TLS.ACME].Port, 443), "acme-tls-alpn-01")
} }
} }
portServe[port] = s portServe[port] = s
@ -68,7 +68,7 @@ func ListenAndServe() {
} }
if l.SMTP.Enabled && !l.SMTP.NoSTARTTLS || l.Submissions.Enabled || l.IMAPS.Enabled { if l.SMTP.Enabled && !l.SMTP.NoSTARTTLS || l.Submissions.Enabled || l.IMAPS.Enabled {
ensureServe(true, 443, "acme-tls-alpn01") ensureServe(true, config.Port(config.Port(l.AutoconfigHTTPS.Port, 443), 443), "acme-tls-alpn01")
} }
if l.AccountHTTP.Enabled { if l.AccountHTTP.Enabled {
@ -110,12 +110,12 @@ func ListenAndServe() {
})) }))
} }
if l.AutoconfigHTTPS.Enabled { if l.AutoconfigHTTPS.Enabled {
srv := ensureServe(true, 443, "autoconfig-https") srv := ensureServe(true, config.Port(l.AutoconfigHTTPS.Port, 443), "autoconfig-https")
srv.mux.HandleFunc("/mail/config-v1.1.xml", safeHeaders(autoconfHandle(l))) srv.mux.HandleFunc("/mail/config-v1.1.xml", safeHeaders(autoconfHandle(l)))
srv.mux.HandleFunc("/autodiscover/autodiscover.xml", safeHeaders(autodiscoverHandle(l))) srv.mux.HandleFunc("/autodiscover/autodiscover.xml", safeHeaders(autodiscoverHandle(l)))
} }
if l.MTASTSHTTPS.Enabled { if l.MTASTSHTTPS.Enabled {
srv := ensureServe(true, 443, "mtasts-https") srv := ensureServe(true, config.Port(l.MTASTSHTTPS.Port, 443), "mtasts-https")
srv.mux.HandleFunc("/.well-known/mta-sts.txt", safeHeaders(mtastsPolicyHandle)) srv.mux.HandleFunc("/.well-known/mta-sts.txt", safeHeaders(mtastsPolicyHandle))
} }
if l.PprofHTTP.Enabled { if l.PprofHTTP.Enabled {