mirror of
https://github.com/mjl-/mox.git
synced 2024-12-28 01:13:47 +03:00
d1b87cdb0d
since we are now at go1.21 as minimum.
385 lines
13 KiB
Go
385 lines
13 KiB
Go
package http
|
|
|
|
import (
|
|
"encoding/xml"
|
|
"fmt"
|
|
"log/slog"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/prometheus/client_golang/prometheus"
|
|
"github.com/prometheus/client_golang/prometheus/promauto"
|
|
"rsc.io/qr"
|
|
|
|
"github.com/mjl-/mox/mox-"
|
|
"github.com/mjl-/mox/smtp"
|
|
)
|
|
|
|
var (
|
|
metricAutoconf = promauto.NewCounterVec(
|
|
prometheus.CounterOpts{
|
|
Name: "mox_autoconf_request_total",
|
|
Help: "Number of autoconf requests.",
|
|
},
|
|
[]string{"domain"},
|
|
)
|
|
metricAutodiscover = promauto.NewCounterVec(
|
|
prometheus.CounterOpts{
|
|
Name: "mox_autodiscover_request_total",
|
|
Help: "Number of autodiscover requests.",
|
|
},
|
|
[]string{"domain"},
|
|
)
|
|
)
|
|
|
|
// Autoconfiguration/Autodiscovery:
|
|
//
|
|
// - Thunderbird will request an "autoconfig" xml file.
|
|
// - Microsoft tools will request an "autodiscovery" xml file.
|
|
// - In my tests on an internal domain, iOS mail only talks to Apple servers, then
|
|
// does not attempt autoconfiguration. Possibly due to them being private DNS
|
|
// names. Apple software can be provisioned with "mobileconfig" profile files,
|
|
// which users can download after logging in.
|
|
//
|
|
// DNS records seem optional, but autoconfig.<domain> and autodiscover.<domain>
|
|
// (both CNAME or A) are useful, and so is SRV _autodiscovery._tcp.<domain> 0 0 443
|
|
// autodiscover.<domain> (or just <hostname> directly).
|
|
//
|
|
// Autoconf/discovery only works with valid TLS certificates, not with self-signed
|
|
// certs. So use it on public endpoints with certs signed by common CA's, or run
|
|
// your own (internal) CA and import the CA cert on your devices.
|
|
//
|
|
// Also see https://roll.urown.net/server/mail/autoconfig.html
|
|
|
|
// Autoconfiguration for Mozilla Thunderbird.
|
|
// User should create a DNS record: autoconfig.<domain> (CNAME or A).
|
|
// See https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat
|
|
func autoconfHandle(w http.ResponseWriter, r *http.Request) {
|
|
log := pkglog.WithContext(r.Context())
|
|
|
|
var addrDom string
|
|
defer func() {
|
|
metricAutoconf.WithLabelValues(addrDom).Inc()
|
|
}()
|
|
|
|
email := r.FormValue("emailaddress")
|
|
log.Debug("autoconfig request", slog.String("email", email))
|
|
addr, err := smtp.ParseAddress(email)
|
|
if err != nil {
|
|
http.Error(w, "400 - bad request - invalid parameter emailaddress", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
socketType := func(tlsMode mox.TLSMode) (string, error) {
|
|
switch tlsMode {
|
|
case mox.TLSModeImmediate:
|
|
return "SSL", nil
|
|
case mox.TLSModeSTARTTLS:
|
|
return "STARTTLS", nil
|
|
case mox.TLSModeNone:
|
|
return "plain", nil
|
|
default:
|
|
return "", fmt.Errorf("unknown tls mode %v", tlsMode)
|
|
}
|
|
}
|
|
|
|
var imapTLS, submissionTLS string
|
|
config, err := mox.ClientConfigDomain(addr.Domain)
|
|
if err == nil {
|
|
imapTLS, err = socketType(config.IMAP.TLSMode)
|
|
}
|
|
if err == nil {
|
|
submissionTLS, err = socketType(config.Submission.TLSMode)
|
|
}
|
|
if err != nil {
|
|
http.Error(w, "400 - bad request - "+err.Error(), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Thunderbird doesn't seem to allow U-labels, always return ASCII names.
|
|
var resp autoconfigResponse
|
|
resp.Version = "1.1"
|
|
resp.EmailProvider.ID = addr.Domain.ASCII
|
|
resp.EmailProvider.Domain = addr.Domain.ASCII
|
|
resp.EmailProvider.DisplayName = email
|
|
resp.EmailProvider.DisplayShortName = addr.Domain.ASCII
|
|
|
|
// todo: specify SCRAM-SHA-256 once thunderbird and autoconfig supports it. or perhaps that will fall under "password-encrypted" by then.
|
|
|
|
resp.EmailProvider.IncomingServer.Type = "imap"
|
|
resp.EmailProvider.IncomingServer.Hostname = config.IMAP.Host.ASCII
|
|
resp.EmailProvider.IncomingServer.Port = config.IMAP.Port
|
|
resp.EmailProvider.IncomingServer.SocketType = imapTLS
|
|
resp.EmailProvider.IncomingServer.Username = email
|
|
resp.EmailProvider.IncomingServer.Authentication = "password-encrypted"
|
|
|
|
resp.EmailProvider.OutgoingServer.Type = "smtp"
|
|
resp.EmailProvider.OutgoingServer.Hostname = config.Submission.Host.ASCII
|
|
resp.EmailProvider.OutgoingServer.Port = config.Submission.Port
|
|
resp.EmailProvider.OutgoingServer.SocketType = submissionTLS
|
|
resp.EmailProvider.OutgoingServer.Username = email
|
|
resp.EmailProvider.OutgoingServer.Authentication = "password-encrypted"
|
|
|
|
// todo: should we put the email address in the URL?
|
|
resp.ClientConfigUpdate.URL = fmt.Sprintf("https://autoconfig.%s/mail/config-v1.1.xml", addr.Domain.ASCII)
|
|
|
|
w.Header().Set("Content-Type", "application/xml; charset=utf-8")
|
|
enc := xml.NewEncoder(w)
|
|
enc.Indent("", "\t")
|
|
fmt.Fprint(w, xml.Header)
|
|
if err := enc.Encode(resp); err != nil {
|
|
log.Errorx("marshal autoconfig response", err)
|
|
}
|
|
}
|
|
|
|
// Autodiscover from Microsoft, also used by Thunderbird.
|
|
// User should create a DNS record: _autodiscover._tcp.<domain> SRV 0 0 443 <hostname>
|
|
//
|
|
// In practice, autodiscover does not seem to work wit microsoft clients. A
|
|
// connectivity test tool for outlook is available on
|
|
// https://testconnectivity.microsoft.com/, it has an option to do "Autodiscover to
|
|
// detect server settings". Incoming TLS connections are all failing, with various
|
|
// errors.
|
|
//
|
|
// Thunderbird does understand autodiscover.
|
|
func autodiscoverHandle(w http.ResponseWriter, r *http.Request) {
|
|
log := pkglog.WithContext(r.Context())
|
|
|
|
var addrDom string
|
|
defer func() {
|
|
metricAutodiscover.WithLabelValues(addrDom).Inc()
|
|
}()
|
|
|
|
if r.Method != "POST" {
|
|
http.Error(w, "405 - method not allowed - post required", http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
|
|
var req autodiscoverRequest
|
|
if err := xml.NewDecoder(r.Body).Decode(&req); err != nil {
|
|
http.Error(w, "400 - bad request - parsing autodiscover request: "+err.Error(), http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
|
|
log.Debug("autodiscover request", slog.String("email", req.Request.EmailAddress))
|
|
|
|
addr, err := smtp.ParseAddress(req.Request.EmailAddress)
|
|
if err != nil {
|
|
http.Error(w, "400 - bad request - invalid parameter emailaddress", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// tlsmode returns the "ssl" and "encryption" fields.
|
|
tlsmode := func(tlsMode mox.TLSMode) (string, string, error) {
|
|
switch tlsMode {
|
|
case mox.TLSModeImmediate:
|
|
return "on", "TLS", nil
|
|
case mox.TLSModeSTARTTLS:
|
|
return "on", "", nil
|
|
case mox.TLSModeNone:
|
|
return "off", "", nil
|
|
default:
|
|
return "", "", fmt.Errorf("unknown tls mode %v", tlsMode)
|
|
}
|
|
}
|
|
|
|
var imapSSL, imapEncryption string
|
|
var submissionSSL, submissionEncryption string
|
|
config, err := mox.ClientConfigDomain(addr.Domain)
|
|
if err == nil {
|
|
imapSSL, imapEncryption, err = tlsmode(config.IMAP.TLSMode)
|
|
}
|
|
if err == nil {
|
|
submissionSSL, submissionEncryption, err = tlsmode(config.Submission.TLSMode)
|
|
}
|
|
if err != nil {
|
|
http.Error(w, "400 - bad request - "+err.Error(), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// The docs are generated and fragmented in many tiny pages, hard to follow.
|
|
// High-level starting point, https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxdscli/78530279-d042-4eb0-a1f4-03b18143cd19
|
|
// Request: https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxdscli/2096fab2-9c3c-40b9-b123-edf6e8d55a9b
|
|
// Response, protocol: https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxdscli/f4238db6-a983-435c-807a-b4b4a624c65b
|
|
// It appears autodiscover does not allow specifying SCRAM-SHA-256 as
|
|
// authentication method, or any authentication method that real clients actually
|
|
// use. See
|
|
// https://learn.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxdscli/21fd2dd5-c4ee-485b-94fb-e7db5da93726
|
|
|
|
w.Header().Set("Content-Type", "application/xml; charset=utf-8")
|
|
|
|
resp := autodiscoverResponse{}
|
|
resp.XMLName.Local = "Autodiscover"
|
|
resp.XMLName.Space = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"
|
|
resp.Response.XMLName.Local = "Response"
|
|
resp.Response.XMLName.Space = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"
|
|
resp.Response.Account = autodiscoverAccount{
|
|
AccountType: "email",
|
|
Action: "settings",
|
|
Protocol: []autodiscoverProtocol{
|
|
{
|
|
Type: "IMAP",
|
|
Server: config.IMAP.Host.ASCII,
|
|
Port: config.IMAP.Port,
|
|
LoginName: req.Request.EmailAddress,
|
|
SSL: imapSSL,
|
|
Encryption: imapEncryption,
|
|
SPA: "off", // Override default "on", this is Microsofts proprietary authentication protocol.
|
|
AuthRequired: "on",
|
|
},
|
|
{
|
|
Type: "SMTP",
|
|
Server: config.Submission.Host.ASCII,
|
|
Port: config.Submission.Port,
|
|
LoginName: req.Request.EmailAddress,
|
|
SSL: submissionSSL,
|
|
Encryption: submissionEncryption,
|
|
SPA: "off", // Override default "on", this is Microsofts proprietary authentication protocol.
|
|
AuthRequired: "on",
|
|
},
|
|
},
|
|
}
|
|
enc := xml.NewEncoder(w)
|
|
enc.Indent("", "\t")
|
|
fmt.Fprint(w, xml.Header)
|
|
if err := enc.Encode(resp); err != nil {
|
|
log.Errorx("marshal autodiscover response", err)
|
|
}
|
|
}
|
|
|
|
// Thunderbird requests these URLs for autoconfig/autodiscover:
|
|
// https://autoconfig.example.org/mail/config-v1.1.xml?emailaddress=user%40example.org
|
|
// https://autodiscover.example.org/autodiscover/autodiscover.xml
|
|
// https://example.org/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=user%40example.org
|
|
// https://example.org/autodiscover/autodiscover.xml
|
|
type autoconfigResponse struct {
|
|
XMLName xml.Name `xml:"clientConfig"`
|
|
Version string `xml:"version,attr"`
|
|
|
|
EmailProvider struct {
|
|
ID string `xml:"id,attr"`
|
|
Domain string `xml:"domain"`
|
|
DisplayName string `xml:"displayName"`
|
|
DisplayShortName string `xml:"displayShortName"`
|
|
|
|
IncomingServer struct {
|
|
Type string `xml:"type,attr"`
|
|
Hostname string `xml:"hostname"`
|
|
Port int `xml:"port"`
|
|
SocketType string `xml:"socketType"`
|
|
Username string `xml:"username"`
|
|
Authentication string `xml:"authentication"`
|
|
} `xml:"incomingServer"`
|
|
|
|
OutgoingServer struct {
|
|
Type string `xml:"type,attr"`
|
|
Hostname string `xml:"hostname"`
|
|
Port int `xml:"port"`
|
|
SocketType string `xml:"socketType"`
|
|
Username string `xml:"username"`
|
|
Authentication string `xml:"authentication"`
|
|
} `xml:"outgoingServer"`
|
|
} `xml:"emailProvider"`
|
|
|
|
ClientConfigUpdate struct {
|
|
URL string `xml:"url,attr"`
|
|
} `xml:"clientConfigUpdate"`
|
|
}
|
|
|
|
type autodiscoverRequest struct {
|
|
XMLName xml.Name `xml:"Autodiscover"`
|
|
Request struct {
|
|
EmailAddress string `xml:"EMailAddress"`
|
|
AcceptableResponseSchema string `xml:"AcceptableResponseSchema"`
|
|
}
|
|
}
|
|
|
|
type autodiscoverResponse struct {
|
|
XMLName xml.Name
|
|
Response struct {
|
|
XMLName xml.Name
|
|
Account autodiscoverAccount
|
|
}
|
|
}
|
|
|
|
type autodiscoverAccount struct {
|
|
AccountType string
|
|
Action string
|
|
Protocol []autodiscoverProtocol
|
|
}
|
|
|
|
type autodiscoverProtocol struct {
|
|
Type string
|
|
Server string
|
|
Port int
|
|
DirectoryPort int
|
|
ReferralPort int
|
|
LoginName string
|
|
SSL string
|
|
Encryption string `xml:",omitempty"`
|
|
SPA string
|
|
AuthRequired string
|
|
}
|
|
|
|
// Serve a .mobileconfig file. This endpoint is not a standard place where Apple
|
|
// devices look. We point to it from the account page.
|
|
func mobileconfigHandle(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != "GET" {
|
|
http.Error(w, "405 - method not allowed - get required", http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
addresses := r.FormValue("addresses")
|
|
fullName := r.FormValue("name")
|
|
var buf []byte
|
|
var err error
|
|
if addresses == "" {
|
|
err = fmt.Errorf("missing/empty field addresses")
|
|
}
|
|
l := strings.Split(addresses, ",")
|
|
if err == nil {
|
|
buf, err = MobileConfig(l, fullName)
|
|
}
|
|
if err != nil {
|
|
http.Error(w, "400 - bad request - "+err.Error(), http.StatusBadRequest)
|
|
return
|
|
}
|
|
h := w.Header()
|
|
filename := l[0]
|
|
filename = strings.ReplaceAll(filename, ".", "-")
|
|
filename = strings.ReplaceAll(filename, "@", "-at-")
|
|
filename = "email-account-" + filename + ".mobileconfig"
|
|
h.Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, filename))
|
|
w.Write(buf)
|
|
}
|
|
|
|
// Serve a png file with qrcode with the link to the .mobileconfig file, should be
|
|
// helpful for mobile devices.
|
|
func mobileconfigQRCodeHandle(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != "GET" {
|
|
http.Error(w, "405 - method not allowed - get required", http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
if !strings.HasSuffix(r.URL.Path, ".qrcode.png") {
|
|
http.NotFound(w, r)
|
|
return
|
|
}
|
|
|
|
// Compose URL, scheme and host are not set.
|
|
u := *r.URL
|
|
if r.TLS == nil {
|
|
u.Scheme = "http"
|
|
} else {
|
|
u.Scheme = "https"
|
|
}
|
|
u.Host = r.Host
|
|
u.Path = strings.TrimSuffix(u.Path, ".qrcode.png")
|
|
|
|
code, err := qr.Encode(u.String(), qr.L)
|
|
if err != nil {
|
|
http.Error(w, "500 - internal server error - generating qr-code: "+err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
h := w.Header()
|
|
h.Set("Content-Type", "image/png")
|
|
w.Write(code.PNG())
|
|
}
|