X-Git-Url: https://thelambdalab.xyz/gitweb/index.cgi?a=blobdiff_plain;f=lambdamail.scm;h=946f831bcd9ca29f281219f6631d537fd910d893;hb=refs%2Fheads%2Fstarttls;hp=fad257d9239b4bb9555a0a2ee4fcf7867375b7fa;hpb=8461b3c6d1d2772d9bda20cb79e8f70fee7f610d;p=lambdamail.git diff --git a/lambdamail.scm b/lambdamail.scm index fad257d..946f831 100644 --- a/lambdamail.scm +++ b/lambdamail.scm @@ -2,7 +2,7 @@ ;; ;; Intended for a single-user system -(import tcp6 +(import tcp6 openssl (chicken port) (chicken io) (chicken string) @@ -18,9 +18,12 @@ (chicken random) srfi-1 srfi-13 matchable base64) -(define lambdamail-version "LambdaMail v1.6.0") +(define lambdamail-version "LambdaMail v1.8.0") -(define-record config host port spool-dir user group) +(define-record config host port spool-dir user group certfile keyfile) +(define (tls-supported? config) + (and (config-certfile config) + (config-keyfile config))) (define (time-stamp) (time->string (seconds->local-time) "%d %b %Y %T %z")) 
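Review bot: `tls-supported?` treats a configuration that sets only one of certfile/keyfile as "no TLS", so a typo in one of the two new options makes the server silently run plaintext-only with STARTTLS never advertised. Report the half-configured state at startup instead of falling through, e.g. `(when (and (or (config-certfile config) (config-keyfile config)) (not (tls-supported? config))) (error "Both --certfile and --keyfile are required for STARTTLS"))`. The predicate also does not check that either file exists or is readable, so a bad path is only discovered per connection when `ssl-start*` runs; a read check at startup would surface it immediately. The import hunk above only adds `openssl` and needs no change.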
@@ -32,18 +35,21 @@ (define (drop-privs config) (let ((uid (config-user config)) (gid (config-group config))) - (if (not (null? gid)) ; Group first, since only root can switch groups. + (if gid ; Group first, since only root can switch groups. (set! (current-group-id) gid)) - (if (not (null? uid)) + (if uid (set! (current-user-id) uid)))) (define (run-server config) (set-buffering-mode! (current-output-port) #:line) (let ((listener (tcp-listen (config-port config) 10 "::"))) - (print lambdamail-version - " listening on port " (config-port config) " ...") - (print "(Host name: " (config-host config) - ", Spool dir: " (config-spool-dir config) ")") + (print "Starting " lambdamail-version " with the following configuration:") + (print "Host: '" (config-host config) "'\n" + "Port: '" (config-port config) "'\n" + "Spool dir: '" (config-spool-dir config) "'") + (when (tls-supported? config) + (print "Cert file: '" (config-certfile config) "'\n" + "Key file: '" (config-keyfile config) "'")) (drop-privs config) (server-loop listener config '()))) @@ -89,7 +95,15 @@ (('get-line) (read-line in-port)) (('send strings ...) (write-line (conc (apply conc strings) "\r") out-port)) (('set-helo! h) (set! helo h)) - (('helo) helo))))) + (('helo) helo) + (('starttls) + (let-values (((in-port-tls out-port-tls) + (ssl-start* #t in-port out-port + certificate: (config-certfile config) + private-key: (config-keyfile config) + protocol: (cons 'tlsv12 ssl-max-protocol)))) + (set! in-port in-port-tls) + (set! out-port out-port-tls))))))) (define (smtp-command? cmd-string input-string) (string-prefix? cmd-string (string-downcase input-string))) 
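Review bot: `drop-privs` runs in `run-server` before any TLS handshake, and the `'starttls` handler further down passes `(config-keyfile config)` to `ssl-start*` per connection, so the private key file must be readable by the unprivileged user given with -u or every STARTTLS fails after a healthy-looking startup banner. Loading the certificate and key once before `(drop-privs config)` (the openssl egg's context-based API, if used, would allow handing a prebuilt context to `ssl-start*` — not verified here) would let the key stay root-readable and make a bad path fail at startup; until then the usage text should state the readability requirement. The banner change itself is fine, though printing "Cert file"/"Key file" only when `tls-supported?` is true hides the case where exactly one of them was given.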
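Review bot: after `ssl-start*` succeeds the session keeps the `helo` value negotiated in clear text; RFC 3207 requires the server to discard prior EHLO state once TLS is up and the client to re-issue EHLO, so reset it next to the two port `set!`s, e.g. `(set! helo #f)` (the initial value of `helo` is bound outside this hunk — use whatever it is). A handshake failure raises out of `ssl-start*` after the plaintext ports have been partly consumed; whether the enclosing server loop catches that is not visible here, and the session must not continue in plaintext if it does. The `'starttls` case also records nothing that lets the command handler tell TLS is already active, so a second STARTTLS would renegotiate over the encrypted ports instead of being rejected. The enclosing session constructor starts before this hunk.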
@@ -118,7 +132,16 @@ "250-" (config-host config) " Hello " (smtp-command-args "ehlo" line)) (smtp-session 'send "250 AUTH PLAIN") - ;; (smtp-session 'send "250 STARTTLS") + (if (tls-supported? config) + (smtp-session 'send "250 STARTTLS")) + (loop mmsg received-messages)) + ((smtp-command? "starttls" line) + (let ((args (smtp-command-args "starttls" line))) + (if (> 0 (string-length args)) + (smtp-session 'send "501 Syntax error (no parameters allowed)") + (begin + (smtp-session 'send "220 Ready to start TLS") + (smtp-session 'starttls)))) (loop mmsg received-messages)) ((smtp-command? "auth plain" line) (let* ((auth-string (smtp-command-args "auth plain" line)) @@ -271,7 +294,7 @@ ;; This is a hack - there's no built-in interface to res_query() ;; in chicken, so we have to resort to a system call to dig... -(define (get-mail-server-for-domain domain) +(define (get-mail-servers-for-domain domain) (let* ((mx-lines (let-values (((in out id) (process (conc "dig " domain " mx +short")))) (with-input-from-port in read-lines))) (mx-entries (map (lambda (l) 
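Review bot: `(> 0 (string-length args))` is never true (a length cannot be negative), so `STARTTLS foo` is accepted instead of receiving the 501; the test should read `(> (string-length args) 0)`. The branch also does not reject STARTTLS when TLS is already active (RFC 3207 calls for 503 there) and it keeps the pre-TLS session state. Separately, `250 AUTH PLAIN` is still advertised on the plaintext EHLO; now that STARTTLS exists, advertising AUTH only once TLS is up — guarded by a session flag such as `tls-active?`, which does not exist yet — keeps the base64 credentials off the wire. The enclosing command loop begins outside this hunk.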
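Review bot: the renamed `get-mail-servers-for-domain` still builds the dig command as one string, `(conc "dig " domain " mx +short")`, and hands it to `process`, which runs it through the shell; `domain` is derived from the recipient address, so the recipient text is interpreted as shell syntax rather than as a plain argument. The argument-list form, `(process "dig" (list domain "mx" "+short"))`, runs dig directly with no shell and is a one-line change. Whether recipient addresses can ever be attacker-influenced on this single-user server is not visible here, but the list form costs nothing. The function's body continues past the hunk.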
@@ -279,38 +302,48 @@ (list (string->number (car s)) (string-drop-right (cadr s) 1)))) ; remove trailing "." mx-lines)) - (sorted-mx-entries (sort mx-entries (lambda (e f) (< (car e) (car f)))))) + (sorted-mx-entries (map cadr (sort mx-entries (lambda (e f) (< (car e) (car f))))))) (if (null? sorted-mx-entries) - domain ; fall-back to email address domain if no mx entries - (cadar sorted-mx-entries)))) ; otherwise pick the highest priority server + (list domain) ; fall-back to email address domain if no mx entries + sorted-mx-entries))) ; otherwise pick the highest priority server (define (deliver-message-remote msg config) - (let* ((domain (get-domain-from-email (message-to msg))) - (mail-server (get-mail-server-for-domain domain))) - (print "Attempting delivery to " mail-server) - (let-values (((tcp-in tcp-out) (tcp-connect mail-server 25))) - (let ((smtp-session (make-outgoing-smtp-session tcp-in tcp-out))) - (let ((result (and - (smtp-session 'expect "220") - (smtp-session 'send "helo " (config-host config)) - (smtp-session 'expect "250") - (smtp-session 'send "mail from:" (message-from msg)) - (smtp-session 'expect "250") - (smtp-session 'send "rcpt to:" (message-to msg)) - (smtp-session 'expect "250") - (smtp-session 'send "data") - (smtp-session 'expect "354") - (smtp-session 'send (message-text msg)) - (smtp-session 'send ".") - (smtp-session 'expect "250" "5") ;Do not try again on rejects. - (smtp-session 'send "quit")))) - (close-input-port tcp-in) - (close-output-port tcp-out) - (print "Connection closed.") - (if result - (print "* MESSAGE DELIVERED (remote)") - (print "* REMOTE DELIVERY FAILED (unexpected server response)")) - result))))) + (let ((domain (get-domain-from-email (message-to msg)))) + (let loop ((mail-servers (get-mail-servers-for-domain domain))) + (if (null? 
mail-servers) + (begin + (print "* REMOTE DELIVERY FAILED (Could not connect to any mail server)") + #f) + (condition-case + (let ((mail-server (car mail-servers))) + (print "Attempting delivery to " mail-server) + (let-values (((tcp-in tcp-out) (tcp-connect mail-server 25))) + (let ((smtp-session (make-outgoing-smtp-session tcp-in tcp-out))) + (let ((result (and + (smtp-session 'expect "220") + (smtp-session 'send "helo " (config-host config)) + (smtp-session 'expect "250") + (smtp-session 'send "mail from:" (message-from msg)) + (smtp-session 'expect "250") + (smtp-session 'send "rcpt to:" (message-to msg)) + (smtp-session 'expect "250") + (smtp-session 'send "data") + (smtp-session 'expect "354") + (smtp-session 'send (message-text msg)) + (smtp-session 'send ".") + (smtp-session 'expect "250" "5") ;Do not try again on rejects. + (smtp-session 'send "quit")))) + (close-input-port tcp-in) + (close-output-port tcp-out) + (print "Connection closed.") + (if result + (print "* MESSAGE DELIVERED (remote)") + (print "* REMOTE DELIVERY FAILED (unexpected server response)")) + result)))) + (o (exn) + (print-error-messsage o) + (print "* Failed to connect. Trying next server.") + (loop (cdr mail-servers)))))))) (define (or-list l) (fold (lambda (a b) (or a b)) #f l)) 
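Review bot: the handler calls `print-error-messsage` (three s's), which is not a bound procedure — `(chicken condition)` exports `print-error-message`, assuming it is imported; the import list is partly outside this view — so the first connection failure raises an unbound-variable error inside the handler and the fallback to the next MX host never runs; change the call to `(print-error-message o)`. The `condition-case` also spans the whole SMTP exchange, so an exception raised after the final `250` (for example during `quit`) is reported as "Failed to connect" and the message is re-sent to the next server, producing a duplicate delivery; narrow the handler to the `tcp-connect` call, or record whether DATA was accepted before retrying. On the error path `tcp-in`/`tcp-out` are never closed. The comment `; otherwise pick the highest priority server` is stale now that the whole sorted list is returned.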
@@ -344,17 +377,20 @@ (print "Usage:\n" progname " -h/--help\n" progname " -v/--version\n" - progname " [-u/--user UID] [-g/--group GID] hostname [[port [spooldir]]\n" + progname " [-u/--user UID] [-g/--group GID] [-c/--certfile] [-k/--keyfile]\n" + (make-string (string-length progname)) " hostname [[port [spooldir]]\n" "\n" "The -u and -g options can be used to set the UID and GID of the process\n" - "following the creation of the TCP port listener (which often requires root).")) + "following the creation of the TCP port listener (which often requires root).\n" + "The -c and -k options specify certificate and key files in PEM format for\n" + "optional STARTTLS support.")) (define (print-version) (print lambdamail-version)) (define (main) (let ((progname (pathname-file (car (argv)))) - (config (make-config "" 25 "/var/spool/mail" '() '()))) + (config (make-config "" 25 "/var/spool/mail" #f #f #f #f))) (if (null? (cdr (argv))) (print-usage progname) (let loop ((args (cdr (argv)))) @@ -370,6 +406,14 @@ (equal? this-arg "--group")) (config-group-set! config (string->number (car rest-args))) (loop (cdr rest-args))) + ((or (equal? this-arg "-c") + (equal? this-arg "--certfile")) + (config-certfile-set! config (car rest-args)) + (loop (cdr rest-args))) + ((or (equal? this-arg "-k") + (equal? this-arg "--keyfile")) + (config-keyfile-set! config (car rest-args)) + (loop (cdr rest-args))) ((or (equal? this-arg "-h") (equal? this-arg "--help")) (print-usage progname))
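Review bot: the new usage line shows `[-c/--certfile] [-k/--keyfile]` but both options consume the following argument, so the placeholders belong there: `[-c/--certfile FILE] [-k/--keyfile FILE]`, matching the `UID`/`GID` style on the same line. `(make-string (string-length progname))` relies on the default fill character for the alignment padding, which R7RS leaves unspecified; `(make-string (string-length progname) #\space)` says what is meant.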
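Review bot: both new branches call `(car rest-args)` without checking that an argument follows, so `-c` or `-k` given as the last argument fails with a car-of-empty-list error rather than the usage message; the existing -u/-g branches share the gap, but the new code could guard with `(if (null? rest-args) (print-usage progname) …)`. Neither branch checks that the named file exists, so a mistyped path is only discovered when a client sends STARTTLS; `(file-exists? (car rest-args))` at parse time (with `(chicken file)` imported — not visible here) would surface it at startup. The argument loop starts outside this hunk.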