From d829b5657142d3ced5ea1735361e696cfd177737 Mon Sep 17 00:00:00 2001 From: mdecimus Date: Sun, 7 Jan 2024 15:34:46 +0100 Subject: [PATCH] v0.5.2 --- CHANGELOG.md | 10 ++++++---- UPGRADING.md | 14 +++++++++++++- crates/install/src/main.rs | 3 ++- crates/utils/src/acme/directory.rs | 1 + crates/utils/src/config/tls.rs | 6 ------ crates/utils/src/listener/mod.rs | 2 ++ resources/config/common/server.toml | 2 +- tests/resources/docker/Docker.haproxy | 6 ++++++ tests/resources/docker/haproxy.cfg | 18 ++++++++++++++++++ 9 files changed, 49 insertions(+), 13 deletions(-) create mode 100644 tests/resources/docker/Docker.haproxy create mode 100644 tests/resources/docker/haproxy.cfg diff --git a/CHANGELOG.md b/CHANGELOG.md index c88824a2..89713dbf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,12 +2,14 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/). -## [0.5.2] - 2024-01-xx +## [0.5.2] - 2024-01-07 + +Please read the [UPGRADING.md](UPGRADING.md) file for more information on how to upgrade from previous versions. ## Added -- ACME support for automatic TLS certificate generation and renewal. -- TLS certificate hot-reloading. -- HAProxy protocol support. +- [ACME](https://stalw.art/docs/server/tls/acme) support for automatic TLS certificate generation and renewal (#160). +- TLS certificate [hot-reloading](https://stalw.art/docs/management/database/maintenance#tls-certificate-reloading). +- [HAProxy protocol](https://stalw.art/docs/server/proxy) support (#36). ### Changed diff --git a/UPGRADING.md b/UPGRADING.md index ff2f38d8..1deecdc3 100644 --- a/UPGRADING.md +++ b/UPGRADING.md 
@@ -1,4 +1,16 @@ -Upgrading from `v0.5.0` to `v0.5.x` +Upgrading from `v0.5.1` to `v0.5.2` +----------------------------------- + +- Make sure that implicit TLS is enabled for the JMAP [listener](https://stalw.art/docs/server/listener) configured under `ets/jmap/listener.toml`: + ```toml + [server.listener."jmap".tls] + implicit = true + ``` +- Optional: Enable automatic TLS with [ACME](https://stalw.art/docs/server/tls/acme). +- Replace the binary with the new version. +- Restart the service. + +Upgrading from `v0.5.0` to `v0.5.1` ----------------------------------- - Replace the binary with the new version. diff --git a/crates/install/src/main.rs b/crates/install/src/main.rs index 1b815f97..3932af8d 100644 --- a/crates/install/src/main.rs +++ b/crates/install/src/main.rs @@ -111,9 +111,10 @@ enum SmtpDirectory { Imap, } -const DIRECTORIES: [[&str; 2]; 6] = [ +const DIRECTORIES: [[&str; 2]; 7] = [ ["bin", ""], ["etc", "dkim"], + ["etc", "acme"], ["data", "blobs"], ["logs", ""], ["queue", ""], diff --git a/crates/utils/src/acme/directory.rs b/crates/utils/src/acme/directory.rs index 88e1f6b3..fafd3b85 100644 --- a/crates/utils/src/acme/directory.rs +++ b/crates/utils/src/acme/directory.rs @@ -274,6 +274,7 @@ pub enum DirectoryError { NoTlsAlpn01Challenge, } +#[allow(unused_mut)] async fn https( url: impl AsRef, method: Method, diff --git a/crates/utils/src/config/tls.rs b/crates/utils/src/config/tls.rs index 076d251c..a48fb495 100644 --- a/crates/utils/src/config/tls.rs +++ b/crates/utils/src/config/tls.rs @@ -93,12 +93,6 @@ impl Config { }) .collect::>(); let cache = PathBuf::from(self.value_require(("acme", acme_id, "cache"))?); - if !cache.exists() { - std::fs::create_dir_all(&cache).map_err(|err| { - format!("Failed to create ACME cache directory {:?}: {}", cache, err) - })?; - } - let renew_before: Duration = self.property_or_static(("acme", acme_id, "renew-before"), "30d")?; 
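Review bot: The new `["etc", "acme"]` entry in DIRECTORIES is created by whatever shared loop consumes the table, which is outside this hunk, so nothing visible gives it tighter permissions than `bin` or `logs`. If this directory is the `acme.*.cache` location that the tls.rs hunk in the same commit reads, it will presumably hold the ACME account key and the private keys of issued certificates and should be mode 0700 owned by the run-as user; a comment such as `// ACME cache: holds account and certificate private keys, must be created 0700 for the run-as user` next to the entry plus a matching `set_permissions` in the creation loop would make that explicit. Note also that installs upgraded by swapping the binary, as UPGRADING.md instructs, never run this installer, so `etc/acme` has to be created by hand there.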
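Review bot: The added `#[allow(unused_mut)]` on `https` gives no reason, so a reader cannot tell whether it hides a cfg-gated mutation or a stale `let mut`; the function body is outside the hunk. Either state the reason inline, e.g. `// the request builder is only mutated under a feature flag; keep the other build warning-free`, naming the actual feature, or move the allow onto the single `let mut` binding it concerns so the rest of the function keeps the lint.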
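Review bot: Dropping the `create_dir_all` means a missing `acme.<id>.cache` directory is no longer caught while the configuration is parsed; whatever first writes the cache (outside this hunk) will fail later, as an ACME error rather than a clear startup error. The removal presumably keeps config parsing free of filesystem side effects, and a read-only check preserves that while still failing early: `if !cache.is_dir() { return Err(format!("ACME cache directory {:?} does not exist or is not a directory", cache)); }`. This matters for installs upgraded by replacing the binary, which never run the installer that now creates `etc/acme`, and the UPGRADING.md hunk does not tell them to create it. The enclosing function starts before this hunk.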
diff --git a/crates/utils/src/listener/mod.rs b/crates/utils/src/listener/mod.rs
index 18ee2b02..6522b952 100644
--- a/crates/utils/src/listener/mod.rs
+++ b/crates/utils/src/listener/mod.rs
@@ -115,6 +115,8 @@ pub trait SessionManager: Sync + Send + 'static + Clone {
 tracing::debug!(
 context = "tls",
 event = "error",
+ instance = session.instance.id,
+ protocol = ?session.instance.protocol,
 remote.ip = session.remote_ip.to_string(),
 "Failed to accept TLS connection: {}",
 err
diff --git a/resources/config/common/server.toml b/resources/config/common/server.toml
index f5ea241f..273c82de 100644
--- a/resources/config/common/server.toml
+++ b/resources/config/common/server.toml
@@ -5,7 +5,7 @@
 [server]
 hostname = "%{HOST}%"
 max-connections = 8192
-#proxy-trusted-networks = ["10.0.0.0/8", "127.0.0.0/8"]
+#proxy-trusted-networks = ["127.0.0.0/8", "::1", "10.0.0.0/8"]
 
 [server.run-as]
 user = "stalwart-mail"
diff --git a/tests/resources/docker/Docker.haproxy b/tests/resources/docker/Docker.haproxy
new file mode 100644
index 00000000..b2a1cc84
--- /dev/null
+++ b/tests/resources/docker/Docker.haproxy
@@ -0,0 +1,6 @@
+# docker build -t test-haproxy -f Docker.haproxy .
+# docker run -it --rm --name haproxy-syntax-check test-haproxy haproxy -c -f /usr/local/etc/haproxy/haproxy.cfg
+# docker run -d -p 1111:1111 --name some-haproxy --sysctl net.ipv4.ip_unprivileged_port_start=0 test-haproxy
+
+FROM haproxy:2.3
+COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
diff --git a/tests/resources/docker/haproxy.cfg b/tests/resources/docker/haproxy.cfg
new file mode 100644
index 00000000..54edec30
--- /dev/null
+++ b/tests/resources/docker/haproxy.cfg
@@ -0,0 +1,18 @@
+global
+ log stdout format raw local0
+
+defaults
+ log global
+ timeout connect 5000ms
+ timeout client 50000ms
+ timeout server 50000ms
+
+frontend tcp_in
+ bind *:1111
+ mode tcp
+ option tcplog
+ default_backend tcp_out
+
+backend tcp_out
+ mode tcp
+ server docker_server host.docker.internal:143 send-proxy
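Review bot: The failed-TLS-accept event now carries `instance` and `protocol`, which is useful context, but it is still emitted with `tracing::debug!` despite `event = "error"`, so at the default log level an operator never sees it; the enclosing method starts and ends outside this hunk. After this release the JMAP listener is expected to run implicit TLS (per the UPGRADING.md hunk), so clients still speaking plaintext, and scanners probing the port, will surface only here. Consider emitting it at `tracing::info!`, or documenting next to the call that handshake failures are debug-only, so a burst of them per `remote.ip` can be picked up by detection rules rather than going unnoticed.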
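Review bot: The commented example `#proxy-trusted-networks = ["127.0.0.0/8", "::1", "10.0.0.0/8"]` still lists the entire 10.0.0.0/8, and an operator who uncomments it as-is trusts every host in that range to send a PROXY header and thereby set an arbitrary client address, undermining anything keyed on the remote IP (rate limits, authentication-failure tracking, allow-lists); how the setting is enforced is outside this hunk. Narrow the example to the proxies' own addresses and say why, e.g. `# List only the addresses of your reverse proxies: any host in these networks can spoof the client IP via the PROXY protocol header.` followed by `#proxy-trusted-networks = ["127.0.0.0/8", "::1", "10.0.0.5/32"]`.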
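Review bot: `FROM haproxy:2.3` pins the test proxy to a branch that, as far as I know, is no longer maintained, so the fixture will drift from what current proxies send and will stop receiving fixes. Pin to a maintained LTS tag instead, e.g. `FROM haproxy:2.8`, and re-run the `haproxy -c` syntax check noted in the header comment to confirm the configuration still loads.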
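Review bot: The backend line `server docker_server host.docker.internal:143 send-proxy` only exercises PROXY protocol v1, the text form; most production proxies send the binary v2 header, which needs its own length-prefixed parsing and is the variant more likely to hide a bounds bug, and this fixture never sends it. Add a second frontend/backend pair on another port using `send-proxy-v2` so the listener is tested against both encodings, and expose the extra port in the `docker run` line of Docker.haproxy. Whether Stalwart's listener accepts v2 is not visible from this commit.
```haproxy
# … unchanged: global, defaults, tcp_in / tcp_out …

frontend tcp_in_v2
    bind *:1112
    mode tcp
    option tcplog
    default_backend tcp_out_v2

backend tcp_out_v2
    mode tcp
    server docker_server_v2 host.docker.internal:143 send-proxy-v2
```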