Mirrors/go-chasquid-smtp
1
0
Fork 0
mirror of https://blitiri.com.ar/repos/chasquid synced 2025-12-17 14:37:02 +00:00
Code Releases Activity
542 Commits 4 Branches 28 Tags
a996106eeebe81a292ecba838c7503cac7493e74
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Alberto Bertogli a996106eee smtpsrv: Strict CRLF enforcement in DATA contents 
The RFCs are very clear that in DATA contents:

> CR and LF MUST only occur together as CRLF; they MUST NOT appear
> independently in the body.

https://www.rfc-editor.org/rfc/rfc5322#section-2.3
https://www.rfc-editor.org/rfc/rfc5321#section-2.3.8

Allowing "independent" CR and LF can cause a number of problems.

In particular, there is a new "SMTP smuggling attack" published recently
that involves the server incorrectly parsing the end of DATA marker
`\r\n.\r\n`, which an attacker can exploit to impersonate a server when
email is transmitted server-to-server.

https://www.postfix.org/smtp-smuggling.html
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

Currently, chasquid is vulnerable to this attack, because Go's standard
libraries net/textproto and net/mail do not enforce CRLF strictly.

This patch fixes the problem by introducing a new "dot reader" function
that strictly enforces CRLF when reading dot-terminated data, used in
the DATA input processing.

When an invalid newline terminator is found, the connection is aborted
immediately because we cannot safely recover from that state.

We still keep the internal representation as LF-terminated for
convenience and simplicity.

However, the MDA courier is changed to pass CRLF-terminated lines, since
that is an external program which could be strict when receiving email
messages.

See https://github.com/albertito/chasquid/issues/47 for more details and
discussion.
2023-12-24 10:43:27 +00:00
.github/workflows
github: Run coverage tests
2023-07-28 10:05:15 +01:00
cmd
userdb: Add support for receive-only users
2023-12-03 11:59:26 +00:00
docker
docker/add-user.sh: Don't crash on updating when there is a single user
2023-10-29 22:28:08 +00:00
docs
userdb: Add support for receive-only users
2023-12-03 11:59:26 +00:00
etc
etc: Simplify default config by removing systemd sockets
2022-11-12 11:49:20 +00:00
internal
smtpsrv: Strict CRLF enforcement in DATA contents
2023-12-24 10:43:27 +00:00
test
smtpsrv: Strict CRLF enforcement in DATA contents
2023-12-24 10:43:27 +00:00
.cirrus.yml
cirrus: Remove the golangci-lint test
2022-11-13 11:09:19 +00:00
.clang-format
Auto-format protobuf files
2023-10-03 23:34:23 +01:00
.gitignore
Auto-format protobuf files
2023-10-03 23:34:23 +01:00
.mkdocs.yml
docs: Add a page for known issues
2021-05-24 01:01:16 +01:00
chasquid.go
Reject empty listening addresses
2023-12-02 15:08:09 +00:00
dnsoverride.go
Update build tag constraints
2022-08-08 17:52:34 +01:00
go.mod
modules: Update Go dependencies
2023-12-21 15:41:20 +00:00
go.sum
modules: Update Go dependencies
2023-12-21 15:41:20 +00:00
LICENSE
Add a license
2016-11-03 00:51:59 +00:00
Makefile
Auto-format protobuf files
2023-10-03 23:34:23 +01:00
monitoring.go
monitoring: Get build information from Go's runtime
2023-02-05 11:01:36 +00:00
README.md
github: Run coverage tests
2023-07-28 10:05:15 +01:00

README.md

chasquid

chasquid is an SMTP (email) server with a focus on simplicity, security, and ease of operation.

It is designed mainly for individuals and small groups.

It's written in Go, and distributed under the Apache license 2.0.

Go tests Go Report Card Coverage
Docs OFTC IRC

Features

  • Easy
    • Easy to configure.
    • Hard to mis-configure in ways that are harmful or insecure (e.g. no open relay, or clear-text authentication).
    • Monitoring HTTP server, with exported variables and tracing to help debugging.
    • Integrated with Debian, Ubuntu, and Arch.
    • Supports using Dovecot for authentication.
  • Useful
    • Multiple/virtual domains, with per-domain users and aliases.
    • Suffix dropping (user+something@domainuser@domain).
    • Hooks for integration with greylisting, anti-virus, anti-spam, and DKIM/DMARC.
    • International usernames (SMTPUTF8) and domain names (IDNA).
  • Secure
    • Tracking of per-domain TLS support, prevents connection downgrading.
    • Multiple TLS certificates.
    • Easy integration with Let's Encrypt.
    • SPF and MTA-STS checking.

Documentation

The how-to guide and the installation guide are the best starting points on how to install, configure and run chasquid.

You will find all documentation here.

Contact

If you have any questions, comments or patches, please send them to the mailing list, chasquid@googlegroups.com.
To subscribe, send an email to chasquid+subscribe@googlegroups.com.

Security issues can be reported privately to albertito@blitiri.com.ar.

Bug reports and pull requests on GitHub are also welcome.

You can also reach out via IRC, #chasquid on OFTC.

Description
No description provided
Readme 1.7 MiB
Languages
Go 84.1%
Shell 11.1%
Python 2.8%
Dockerfile 1%
CSS 0.7%
Other 0.3%