Releases: foxcpp/maddy
maddy 0.3.1
Bug fixes
- limits: Fix "rate" directive parser handling for 2 arguments
- endpoint/smtp: Fix panic if connection is closed in the middle of receiving body
- endpoint/smtp: Fix limit leak in case of aborted transaction
Documentation improvements
- Change github to github.com in 0.3 migration guide (#237)
- Mention per-source domain limiting option
Misc
- build.sh: Switch to X.Y-fixes branch if it exists
maddy 0.3.0
Stability: This version is believed to be stable enough for use in
non-critical deployments.
Breaking changes
- Minimal supported Go version is increased to Go 1.14
maddy keeps tracking latest Go version to benefit from language and
library improvements.
build.sh script will automatically download a newer toolchain version
if system installed version is too old.
- Fully separate authentication from IMAP access
Now there is no uniform database that is used both for IMAP index and
authentication. This allows completely independent implementation and
leveraging of maddy modular framework for more flexible authentication
documentation.
This is a breaking change that also affects how password hashes are
calculated and requires destructive changes to databases created in
0.2 in order to use them with 0.3. A migration utility is created to assist
with that. See Upgrading page in documentation for detailed instructions.
New features
- Preliminary milter client implementation
This release introduces a limited implementation of the milter client protocol.
Due to a number of differences between how maddy handles internal filtering and
the milter protocol model, milters currently cannot make most modifications to
the message content and are limited to prepending headers and quarantining or
rejecting the message.
- source_in, destination_in directives for message pipeline
Directives source_in and destination_in allow matching of message senders
or recipients against lists sourced from table modules (files, SQL queries,
etc). See maddy-smtp(5) for details.
- Dovecot authentication client support
maddy now implements client side of Dovecot authentication protocol allowing it
to be used with Dovecot as an IMAP server instead of builtin server.
- Dovecot-compatible sasld endpoint
Additionally, maddy also implements Dovecot-compatible sasld endpoint
that allows it to be used as a source for authentication data for other
servers that support Dovecot authentication protocol (e.g. SMTP servers like
Postfix).
- lmtp_downstream delivery target
maddy now has full implementation of LMTP client allowing messages to be
forwarded to other software that speaks LMTP protocol.
- endpoint/smtp: Allow to choose the IP to use for outbound smtp.
- modify/dkim: Allow to sign emails from subdomains using a top domain key
Improvements
- cmd/maddyctl: Create a set of typical mailboxes on IMAP account creation
- endpoint/smtp: Send 535 on permanent authentication failure
- target: Make Received generation more robust in case of missing data
- config: Support scheme:IP:PORT syntax for endpoint declaration
Bug fixes
- storage/imapsql: Fix SPECIAL-USE support being accidentally disabled
- Fix and improve -v flag description
- endpoint/smtp: Fix missing server hostname in Received header
- target/remote: Do not fail delivery with null return path
Documentation improvements
- Fix a number of links in documentation
- Add page about IMAP-only configuration
- Mention disabled HZGB2312 support
- Add smtp-only.md page
- Add imap-only.md page
- Add FAQ page
- Add upgrading instructions page
Build artifacts
There are no binary tarballs for this release as Alpine Linux 3.12 ships Go 1.13. This will be addressed in the
future and this release will be amended.
🔒 Attached tarballs are signed using PGP key 3197 BBD9 5137 E682 A597 17B4 34BB 2007 0813 96F4
maddy 0.2.1
Stability: This version is believed to be stable enough for use in
non-critical deployments.
SECURITY ISSUES
- Fixed out-of-memory crash triggered by buggy encoding implementation
(8edcd91) (see GHSA-8jp9-qm2r-p877)
If you require hz-gb-2312 handling and understand security consequences, manually
build maddy 0.2.1 with -tags hz_gb_2312 passed to go build command.
Bug fixes
- dist: Remove unnecessary log prefix matching for fail2ban filter (979effb)
Thanks @bn4t!
- check/dkim: Fix a couple of issues in error handling (076fc0d)
DKIM signatures with missing required fields were still considered
passing for purposes of action selection.
dkim.IsPermFail/dkim.IsTempFail calls were checking the wrong error
object.
- storage/imapsql: Fix Close deadlock in case of EnableUpdatePipe fail (96a3b96)
- Fix inconsistency in SASLAuth logger name for endpoints (6b87eb9)
(#221)
- log: Strip extra newline from Logger.Write output (ebccff0)
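The "wrong error object" failure mode from the check/dkim fix above, as an added Go illustration (not maddy's code and not the contents of commit 076fc0d). The types permFail and verification, the function verify and both action functions are constructed stand-ins; that the bug inspected the call-level error rather than the per-signature one is an assumption about what the changelog entry refers to.

```go
package main

import (
	"errors"
	"fmt"
)

// permFail stands in for the DKIM library's permanent-failure error class.
type permFail struct{ reason string }

func (e permFail) Error() string { return e.reason }
func isPermFail(err error) bool  { return errors.As(err, new(permFail)) }

// verification is one per-signature result; Err is nil only if it verified.
type verification struct {
	Domain string
	Err    error
}

// verify models a call that itself succeeds (nil error) while reporting
// the failure inside the per-signature result. Constructed sample data.
func verify() ([]verification, error) {
	return []verification{{"example.org", permFail{"required field missing"}}}, nil
}

// actionBuggy inspects the call-level error, which is nil here, so the
// broken signature never selects the failure action (fail-open).
func actionBuggy() string {
	results, err := verify()
	for range results {
		if isPermFail(err) {
			return "fail"
		}
	}
	return "pass"
}

// actionFixed inspects each signature's own error.
func actionFixed() string {
	results, _ := verify()
	for _, v := range results {
		if isPermFail(v.Err) {
			return "fail"
		}
	}
	return "pass"
}

func main() { fmt.Println("buggy:", actionBuggy(), "| fixed:", actionFixed()) }
```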
Documentation improvements
- Add missing packages for compilation and fail2ban setup (cfe3436)
Thanks @bn4t!
- Clarify SECURITY.md (244b030)
- Update outdated tutorials (b472734)
Build artifacts
Artifact | SHA-256 |
---|---|
maddy executable (Linux, x86_64, musl) | 443dfa57f3e5e39ad4130389d439627c2efecba68ac4c9991c4a7cb54c3ce59a |
maddyctl executable (Linux, x86_64, musl) | b9fafcd302f9c55053a2c8609a9b9dd72ab185d332c436b4c2942a79afa7ef99 |
Full Zstd tarball (Linux, x86_64, musl) | b64fcefe64eb081ac1a67c8e38c218c76115014f3d7dcafb7e0a35414faafeb7 |
Source code tarball | a634e054bf3766816643028a5e302c27ec9ddd391fd2a13f12b6959aa86b38e9 |
🔒 Attached tarballs are signed using PGP key 3197 BBD9 5137 E682 A597 17B4 34BB 2007 0813 96F4
Build artifacts are produced using the same environment as 0.1.
maddy 0.2
Stability: This version is believed to be stable enough for use in
non-critical deployments. Database structure for sql (imapsql) module is
compatible with 0.1. Configuration requires some changes.
Incompatible changes & migration notes
- alias_file is replaced with generic replace_rcpt module that can use any "table"-like structure for lookups.
Migration: Replace alias_file /etc/maddy/aliases with replace_rcpt file_table /etc/maddy/aliases.
- replace_rcpt now relies on tables to handle regexp and static replacements.
Migration: Replace replace_rcpt postmaster postmaster@$(primary_domain) with replace_rcpt static { entry postmaster postmaster@$(primary_domain).
Replace replace_rcpt "(.+)\+(.+)@(.+)" "$1@$3" with replace_rcpt regexp "(.+)\+(.+)@(.+)" "$1@$3".
- Module sql is renamed to imapsql. Change its name in the configuration block definition for local_mailboxes/local_authdb.
- Configuration parser now requires a new line after } closing the block.
New features
- Authentication code is refined and generalized. It permits the implementation
of additional more complex SASL mechanisms such as TLS client certificate
authentication and OAuth2 support. These are not implemented in 0.2 though.
What is currently accessible is the ability to use multiple password-based
authentication providers to allow user login based on any match from any
credentials store configured.
- Generic Postfix-like string lookup abstraction is introduced. Alias rewriting
is updated to use it. Additionally, it is possible to use it for password-based
authentication now. Currently implemented "tables" are: identity (returns
the lookup key), dummy (empty table), sql_table (returns the result of
a SQL query), static (hardcoded mapping), regexp (Regular
Expression-based rewrite of lookup key).
- sign_dkim module now supports multiple domains in a single configuration,
avoiding the need for complex dispatching.
- maddy -v output now includes compile-time defaults for state_dir,
runtime_dir and configuration path.
- build.sh script can now customize default values for state_dir and
runtime_dir.
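How the static and regexp tables from the replace_rcpt migration notes behave on real addresses, as an added Go model (not maddy's implementation). The names table, static, regexpTable, rewrite and pipeline are hypothetical, example.org is a constructed stand-in for $(primary_domain), and two behaviours are assumptions: the expression is anchored to match the whole key, and tables are applied in order.

```go
package main

import (
	"fmt"
	"regexp"
)

// table models the lookup abstraction: key in, value and hit flag out.
type table func(key string) (string, bool)

// static is a hardcoded mapping.
func static(m map[string]string) table {
	return func(k string) (string, bool) {
		v, ok := m[k]
		return v, ok
	}
}

// regexpTable rewrites keys that match expr. Assumption: the expression must
// match the whole key, so it is wrapped in ^(?:...)$ here.
func regexpTable(expr, repl string) table {
	re := regexp.MustCompile("^(?:" + expr + ")$")
	return func(k string) (string, bool) {
		m := re.FindStringSubmatchIndex(k)
		if m == nil {
			return "", false
		}
		return string(re.ExpandString(nil, repl, k, m)), true
	}
}

// rewrite applies each table in order; a miss leaves the address unchanged.
func rewrite(rcpt string, tables ...table) string {
	for _, t := range tables {
		if v, ok := t(rcpt); ok {
			rcpt = v
		}
	}
	return rcpt
}

// pipeline mirrors the two migrated replace_rcpt lines; example.org is a
// constructed stand-in for $(primary_domain).
var pipeline = []table{
	static(map[string]string{"postmaster": "postmaster@example.org"}),
	regexpTable(`(.+)\+(.+)@(.+)`, "$1@$3"),
}

func main() { fmt.Println(rewrite("a+b+c@example.org", pipeline...)) }
```

Because the first group is greedy, an address with several plus signs loses only its last tag, which matters when the rewritten address decides the destination mailbox.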
Bug fixes
- Fix race in file_table reload test (a91d8c2)
- Fix misuse of TriesCount in queue (ceda725)
- Fix queue retry delay calculation (4b3e7ce)
Build artifacts
Artifact | SHA-256 |
---|---|
maddy executable (Linux, x86_64, musl) | b9a5c29c50575f63e3b3de7b8ad0380917ff568560da3860580186c53be89304 |
maddyctl executable (Linux, x86_64, musl) | 7bc9ac4cf62e8317a2ef0fa6ff3a8cde6877a2f972c94c1bcbd8f8f0bd4c148e |
Full Zstd tarball (Linux, x86_64, musl) | 154617ed5a9314947c67272edc2a884e0df4664e537816ae6da832f30e00d5dc |
Source code tarball | 6f3799d8158d5b9e4625084ab6548fc70c98acdc0234e2acac7e05e553753753 |
🔒 Attached tarballs are signed using PGP key 3197 BBD9 5137 E682 A597 17B4 34BB 2007 0813 96F4
Build artifacts are produced using the same environment as 0.1.
maddy 0.1.1
This release includes no server code changes.
Known issues
- Delay between outbound delivery attempts is improperly calculated and has no effect.
Fixed on development branch. Set low outbound rate limit as a workaround for 0.1: limits outbound_limits { destination rate 1 1m }
- Outbound delivery will be attempted more than allowed by max_tries (by 1).
Fixed on development branch.
- build.sh script bundled with 0.1 fails if the system Go toolchain lacks the patch version number (e.g. 1.14).
Fixed on development branch. The fixed version is uploaded to foxcpp.dev.
It is possible to install the in-development version by adding --gitversion flag to the build.sh script invocation:
curl 'https://foxcpp.dev/maddy/build.sh' | bash /dev/stdin --gitversion dev
Change log
Documentation
- Mention prebuilt binaries in the setup tutorial
- Be more specific about build.sh dependencies
- Remove "in early development" disclaimers
- Several minor edits (8f1d572)
Build script (build.sh)
- Use absolute path to the Go toolchain in PATH
- Check GOMOD value correctly
- Remove wget dependency
Build artifacts
Artifact | SHA-256 |
---|---|
maddy executable (Linux, x86_64, musl) | dc7db76d9adba8c4a60893534eb41fb0941717f53954f87f70a5066fc43cc207 |
maddyctl executable (Linux, x86_64, musl) | ffbcc615d343af1196635aac5e229c8e6f9bf5459eabfeae8cd2404c1ec103e3 |
Full Zstd tarball (Linux, x86_64, musl) | 4380a2eda129987333db3fd2b4e493de62200aa4f717ea8f67789da4cb21472f |
Source code tarball | bf155f17eda6df20b435ba6e7a2ffce773b146e2a8b9eb8bc2c7d2a02176a8db |
🔒 Attached tarballs are signed using PGP key 3197 BBD9 5137 E682 A597 17B4 34BB 2007 0813 96F4
Build environment is the same as the previous release (0.1).
maddy 0.1
Stability: This version is believed to be stable enough for use in non-critical deployments. Backward compatibility for database structures and configuration syntax is not promised but will be maintained if possible.
Implemented features
- IMAP4rev1 (RFC 3501) server implementation with some basic extensions
- SMTP (RFC 5321) server implementation with per-source, per-destination delivery and filtering support
- Experimental local storage backend & IMAP index based on relational DB
- Sender authentication methods for inbound messages: DKIM, DMARC, SPF
- Remote server authentication methods for outbound messages: MTA-STS, DANE, DNSSEC-aware resolver, STARTTLS Everywhere rule-set support
- PAM-based user authentication (not used by default)
In the end, it is not very flexible in some corners at the moment but if you just want a generic mail server set-up, it will not be a big trouble.
Known issues
- IMAP sequence numbers are not properly synchronized, making concurrent mailbox access potentially unsafe, though the chance of actual data damage is pretty small. See issue #188 for details.
- Support for IP literals in e-mail addresses is disabled. Attempt to use them will result in a delivery error.
Build artifacts
Artifact | SHA-256 |
---|---|
maddy executable (Linux, x86_64, musl) | bfcb649ca9586f190d30933174d4b5770f1b75f541c13c94d5458cb7578f9073 |
maddyctl executable (Linux, x86_64, musl) | 8e97306825cd0d1e0b2e5867327640a1dbfa6590e1451d2a9e7ebfc932fe53d2 |
Full Zstd tarball (Linux, x86_64, musl) | 51cc45067a99d3cfb04d72bdfde5f99e2a699b04d495f85f68b1a2894e0b41d1 |
🔒 Attached tarballs are signed using PGP key 3197 BBD9 5137 E682 A597 17B4 34BB 2007 0813 96F4
Note: Provided binaries do not include support for PAM authentication as it depends on system libraries in ways that are problematic to make portable. For system account authentication, you can use shadow module that reads /etc/shadow directly or maddy-pam-helper (install it into /usr/local/lib/maddy).
Attached tarballs include complete root prefix for Linux so you can just extract contents into the root directory to install maddy if you do not want to build it from source for whatever reason.
Build environment information:
- Distribution: Alpine Linux 3.11.3
- GCC: 9.1.0
- Go: 1.13.4
- musl-libc: 1.1.24
Utilities and all binaries used to build the tarball can be found here: https://foxcpp.dev/maddy-repro/. In theory it should be possible to recreate exactly the same build output using them.