v0.5.2

2024-09-20 07:16:18 +08:00 · 2024-01-07 15:34:46 +01:00 · 2024-01-07 15:34:46 +01:00 · d829b56571
parent 3a800aff7a
commit d829b56571
9 changed files with 49 additions and 13 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,12 +2,14 @@

 All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/).

-## [0.5.2] - 2024-01-xx
+## [0.5.2] - 2024-01-07
+
+Please read the [UPGRADING.md](UPGRADING.md) file for more information on how to upgrade from previous versions.

 ## Added
- ACME support for automatic TLS certificate generation and renewal.
- TLS certificate hot-reloading.
- HAProxy protocol support.
+- [ACME](https://stalw.art/docs/server/tls/acme) support for automatic TLS certificate generation and renewal (#160).
+- TLS certificate [hot-reloading](https://stalw.art/docs/management/database/maintenance#tls-certificate-reloading).
+- [HAProxy protocol](https://stalw.art/docs/server/proxy) support (#36).

 ### Changed

--- a/UPGRADING.md
+++ b/UPGRADING.md
@ -1,4 +1,16 @@
-Upgrading from `v0.5.0` to `v0.5.x`
+Upgrading from `v0.5.1` to `v0.5.2`
+-----------------------------------
+
+- Make sure that implicit TLS is enabled for the JMAP [listener](https://stalw.art/docs/server/listener) configured under `ets/jmap/listener.toml`:
+  ```toml
+  [server.listener."jmap".tls]
+  implicit = true
+  ```
+- Optional: Enable automatic TLS with [ACME](https://stalw.art/docs/server/tls/acme).
+- Replace the binary with the new version.
+- Restart the service.
+
+Upgrading from `v0.5.0` to `v0.5.1`
 -----------------------------------

 - Replace the binary with the new version.
--- a/crates/install/src/main.rs
+++ b/crates/install/src/main.rs
@ -111,9 +111,10 @@ enum SmtpDirectory {
    Imap,
 }

-const DIRECTORIES: [[&str; 2]; 6] = [
+const DIRECTORIES: [[&str; 2]; 7] = [
    ["bin", ""],
    ["etc", "dkim"],
+    ["etc", "acme"],
    ["data", "blobs"],
    ["logs", ""],
    ["queue", ""],
--- a/crates/utils/src/acme/directory.rs
+++ b/crates/utils/src/acme/directory.rs
@ -274,6 +274,7 @@ pub enum DirectoryError {
    NoTlsAlpn01Challenge,
 }

+#[allow(unused_mut)]
 async fn https(
    url: impl AsRef<str>,
    method: Method,
--- a/crates/utils/src/config/tls.rs
+++ b/crates/utils/src/config/tls.rs
@ -93,12 +93,6 @@ impl Config {
                })
                .collect::<Vec<_>>();
            let cache = PathBuf::from(self.value_require(("acme", acme_id, "cache"))?);
-            if !cache.exists() {
-                std::fs::create_dir_all(&cache).map_err(|err| {
-                    format!("Failed to create ACME cache directory {:?}: {}", cache, err)
-                })?;
-            }
-
            let renew_before: Duration =
                self.property_or_static(("acme", acme_id, "renew-before"), "30d")?;

--- a/crates/utils/src/listener/mod.rs
+++ b/crates/utils/src/listener/mod.rs
@ -115,6 +115,8 @@ pub trait SessionManager: Sync + Send + 'static + Clone {
                            tracing::debug!(
                                context = "tls",
                                event = "error",
+                                instance = session.instance.id,
+                                protocol = ?session.instance.protocol,
                                remote.ip = session.remote_ip.to_string(),
                                "Failed to accept TLS connection: {}",
                                err
--- a/resources/config/common/server.toml
+++ b/resources/config/common/server.toml
@ -5,7 +5,7 @@
 [server]
 hostname = "%{HOST}%"
 max-connections = 8192
-#proxy-trusted-networks = ["10.0.0.0/8", "127.0.0.0/8"]
+#proxy-trusted-networks = ["127.0.0.0/8", "::1", "10.0.0.0/8"]

 [server.run-as]
 user = "stalwart-mail"
--- a/tests/resources/docker/Docker.haproxy
+++ b/tests/resources/docker/Docker.haproxy
@ -0,0 +1,6 @@
+# docker build -t test-haproxy -f Docker.haproxy .
+# docker run -it --rm --name haproxy-syntax-check test-haproxy haproxy -c -f /usr/local/etc/haproxy/haproxy.cfg
+# docker run -d -p 1111:1111 --name some-haproxy --sysctl net.ipv4.ip_unprivileged_port_start=0 test-haproxy
+
+FROM haproxy:2.3
+COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
--- a/tests/resources/docker/haproxy.cfg
+++ b/tests/resources/docker/haproxy.cfg
@ -0,0 +1,18 @@
+global
+    log stdout format raw local0
+
+defaults
+    log     global
+    timeout connect 5000ms
+    timeout client  50000ms
+    timeout server  50000ms
+
+frontend tcp_in
+    bind *:1111
+    mode tcp
+    option tcplog
+    default_backend tcp_out
+
+backend tcp_out
+    mode tcp
+    server docker_server host.docker.internal:143 send-proxy