Proxy protocol support for SMTP and IMAP

drdaeman · Sep 2, 2024 · dfdabd3 · dfdabd3
1 parent cbeadf1
commit dfdabd3
Show file tree

Hide file tree

Showing 8 changed files with 246 additions and 31 deletions.
diff --git a/docs/reference/endpoints/imap.md b/docs/reference/endpoints/imap.md
@@ -43,8 +43,29 @@ See [TLS configuration / Server](/reference/tls/#server-side) for details.
 
 ---
 
-### io_debug _boolean_
-Default: `no`
+### proxy\_protocol _trusted ips..._ { ... } <br>
+Default: not enabled
+
+Enable use of HAProxy PROXY protocol. Supports both v1 and v2 protocols.
+If a list of trusted IP addresses or subnets is provided, only connections
+from those will be trusted.
+
+TLS for the channel between the proxies and maddy can be configured
+using a 'tls' directive:
+```
+proxy_protocol {
+ trust 127.0.0.1 ::1 192.168.0.1/24
+ tls &proxy_tls
+}
+```
+Note that the top-level 'tls' directive is not inherited here. If you
+need TLS on top of the PROXY protocol, securing the protocol header,
+you must declare TLS explicitly.
+
+---
+
+**Syntax**: io\_debug _boolean_ <br>
+**Default**: no
 
 Write all commands and responses to stderr.
 

diff --git a/docs/reference/endpoints/smtp.md b/docs/reference/endpoints/smtp.md
@@ -63,6 +63,24 @@ See [TLS configuration / Server](/reference/tls/#server-side) for details.
 
 ---
 
+### proxy\_protocol _trusted ips..._ { ... } <br>
+Default: not enabled
+
+Enable use of HAProxy PROXY protocol. Supports both v1 and v2 protocols.
+If a list of trusted IP addresses or subnets is provided, only connections
+from those will be trusted.
+
+TLS for the channel between the proxies and maddy can be configured
+using a 'tls' directive:
+```
+proxy_protocol {
+ trust 127.0.0.1 ::1 192.168.0.1/24
+ tls &proxy_tls
+}
+```
+
+---
+
 ### io_debug _boolean_
 Default: `no`
 

diff --git a/go.mod b/go.mod
@@ -5,6 +5,7 @@ go 1.19
 require (
  blitiri.com.ar/go/spf v1.5.1
  github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5
+ github.com/c0va23/go-proxyprotocol v0.9.1
  github.com/caddyserver/certmagic v0.20.0
  github.com/emersion/go-imap v1.2.2-0.20220928192137-6fac715be9cf
  github.com/emersion/go-imap-compress v0.0.0-20201103190257-14809af1d1b9

diff --git a/go.sum b/go.sum
@@ -237,7 +237,8 @@ github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM=
 github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/c0va23/go-proxyprotocol v0.9.1 h1:5BCkp0fDJOhzzH1lhjUgHhmZz9VvRMMif1U2D31hb34=
+github.com/c0va23/go-proxyprotocol v0.9.1/go.mod h1:TNjUV+llvk8TvWJxlPYAeAYZgSzT/iicNr3nWBWX320=
 github.com/caddyserver/certmagic v0.20.0 h1:bTw7LcEZAh9ucYCRXyCpIrSAGplplI0vGYJ4BpCQ/Fc=
 github.com/caddyserver/certmagic v0.20.0/go.mod h1:N4sXgpICQUskEWpj7zVzvWD41p3NYacrNoZYiRM2jTg=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -258,8 +259,6 @@ github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cpuguy83/go-md2man/v2 v2.0.3 h1:qMCsGGgs+MAzDFyp9LpAe1Lqy/fY/qCovCm0qnXZOBM=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
@@ -321,10 +320,6 @@ github.com/foxcpp/go-imap-mess v0.0.0-20230108134257-b7ec3a649613 h1:fw9OWfPxP1C
 github.com/foxcpp/go-imap-mess v0.0.0-20230108134257-b7ec3a649613/go.mod h1:P/O/qz4gaVkefzJ40BUtN/ZzBnaEg0YYe1no/SMp7Aw=
 github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed h1:1Jo7geyvunrPSjL6F6D9EcXoNApS5v3LQaro7aUNPnE=
 github.com/foxcpp/go-imap-namespace v0.0.0-20200802091432-08496dd8e0ed/go.mod h1:Shows1vmkBWO40ChOClaUe6DUnZrsP1UPAuoWzIUdgQ=
-github.com/foxcpp/go-imap-sql v0.5.1-0.20240121160244-7f314a0fe78a h1:/c5NvIHDrrU6+7glgr4YHwN3REH1bGb1l8s9S6ruORg=
-github.com/foxcpp/go-imap-sql v0.5.1-0.20240121160244-7f314a0fe78a/go.mod h1:LMlfyNkVs7v2zE6OVeGe9qWPmKFdXDmLNddPLodPVIw=
-github.com/foxcpp/go-imap-sql v0.5.1-0.20240214172211-ee5bc28d4278 h1:7LGp/ryQH/MOTWgWgv7+cPEFKgKH1aADCEnus13G5Kg=
-github.com/foxcpp/go-imap-sql v0.5.1-0.20240214172211-ee5bc28d4278/go.mod h1:LMlfyNkVs7v2zE6OVeGe9qWPmKFdXDmLNddPLodPVIw=
 github.com/foxcpp/go-imap-sql v0.5.1-0.20240831122236-655e4cb87d20 h1:q4NtuuK7Kuf8zHC1CF8p1GB1owd/IyN+zfqy8DQL9Ig=
 github.com/foxcpp/go-imap-sql v0.5.1-0.20240831122236-655e4cb87d20/go.mod h1:LMlfyNkVs7v2zE6OVeGe9qWPmKFdXDmLNddPLodPVIw=
 github.com/foxcpp/go-mockdns v0.0.0-20191216195825-5eabd8dbfe1f/go.mod h1:tPg4cp4nseejPd+UKxtCVQ2hUxNTZ7qQZJa7CLriIeo=
@@ -346,15 +341,13 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A=
 github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc=
-github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-sql-driver/mysql v1.7.1 h1:lUIinVbN1DY0xBg0eMOzmmtGoHwWBbvnWubQUrtU8EI=
 github.com/go-sql-driver/mysql v1.7.1/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -369,6 +362,7 @@ github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt
 github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
 github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
+github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -483,12 +477,10 @@ github.com/johannesboyne/gofakes3 v0.0.0-20210704111953-6a9f95c2941c h1:lx/uPI+m
 github.com/johannesboyne/gofakes3 v0.0.0-20210704111953-6a9f95c2941c/go.mod h1:LIAXxPvcUXwOcTIj9LSNSUpE9/eMHalTWxsP/kmWxQI=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
-github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
-github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
@@ -498,7 +490,6 @@ github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa02
 github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
 github.com/klauspost/cpuid/v2 v2.2.6 h1:ndNyv040zDGIDh8thGkXYjnFtiN02M1PVVF+JE/48xc=
 github.com/klauspost/cpuid/v2 v2.2.6/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
-github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -561,20 +552,17 @@ github.com/minio/minio-go/v7 v7.0.66 h1:bnTOXOHjOqv/gcMuiVbN9o2ngRItvqE774dG9nq0
 github.com/minio/minio-go/v7 v7.0.66/go.mod h1:DHAgmyQEGdW3Cif0UooKOyrT3Vxs82zNdV6tkKhRtbs=
 github.com/minio/sha256-simd v1.0.1 h1:6kaan5IFmwTNynnKKpDHe6FWHohJOHhCPchzK49dzMM=
 github.com/minio/sha256-simd v1.0.1/go.mod h1:Pz6AKMiUdngCLpeTL/RJY1M9rUuPMYujV5xJjtbRSN8=
-github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/netauth/netauth v0.6.2-0.20220831214440-1df568cd25d6 h1:TsF5Cl0Mj5JMvPOP2ySVq+CZoiPrTGwvNPbuQotuSAE=
 github.com/netauth/netauth v0.6.2-0.20220831214440-1df568cd25d6/go.mod h1:4PEbISVqRCQaXaDAt289w3nK9UhoF8/ZOLy31Hbv7ds=
 github.com/netauth/protocol v0.0.0-20210918062754-7fee492ffcbd h1:4yVpQ/+li28lQ/daYCWeDB08obRmjaoAw2qfFFaCQ40=
 github.com/netauth/protocol v0.0.0-20210918062754-7fee492ffcbd/go.mod h1:wpK5wqysOJU1w2OxgG65du8M7UqBkxzsNaJdjwiRqAs=
-github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pelletier/go-toml/v2 v2.1.1 h1:LWAJwfNvjQZCFIDKWYQaM62NcYeYViCmWIwmOStowAI=
 github.com/pelletier/go-toml/v2 v2.1.1/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
 github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
@@ -610,7 +598,6 @@ github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6g
 github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
 github.com/shabbyrobe/gocovmerge v0.0.0-20180507124511-f6ea450bfb63 h1:J6qvD6rbmOil46orKqJaRPG+zTpoGlBTUdyv8ki63L0=
 github.com/shabbyrobe/gocovmerge v0.0.0-20180507124511-f6ea450bfb63/go.mod h1:n+VKSARF5y/tS9XFSP7vWDfS+GUC5vs/YT7M5XDTUEM=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
@@ -621,7 +608,6 @@ github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
 github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
 github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
 github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
-github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ=

diff --git a/internal/endpoint/imap/imap.go b/internal/endpoint/imap/imap.go
@@ -44,14 +44,16 @@ import (
  "github.com/foxcpp/maddy/framework/module"
  "github.com/foxcpp/maddy/internal/auth"
  "github.com/foxcpp/maddy/internal/authz"
+ "github.com/foxcpp/maddy/internal/proxy_protocol"
  "github.com/foxcpp/maddy/internal/updatepipe"
 )
 
 type Endpoint struct {
- addrs []string
- serv *imapserver.Server
- listeners []net.Listener
- Store module.Storage
+ addrs []string
+ serv *imapserver.Server
+ listeners []net.Listener
+ proxyProtocol *proxy_protocol.ProxyProtocol
+ Store module.Storage
 
  tlsConfig *tls.Config
  listenersWg sync.WaitGroup
@@ -90,6 +92,7 @@ func (endp *Endpoint) Init(cfg *config.Map) error {
  })
  cfg.Custom("storage", false, true, nil, modconfig.StorageDirective, &endp.Store)
  cfg.Custom("tls", true, true, nil, tls2.TLSDirective, &endp.tlsConfig)
+ cfg.Custom("proxy_protocol", false, false, nil, proxy_protocol.ProxyProtocolDirective, &endp.proxyProtocol)
  cfg.Bool("insecure_auth", false, false, &insecureAuth)
  cfg.Bool("io_debug", false, false, &ioDebug)
  cfg.Bool("io_errors", false, false, &ioErrors)
@@ -167,6 +170,10 @@ func (endp *Endpoint) setupListeners(addresses []config.Endpoint) error {
  l = tls.NewListener(l, endp.tlsConfig)
  }
 
+ if endp.proxyProtocol != nil {
+ l = proxy_protocol.NewListener(l, endp.proxyProtocol, endp.Log)
+ }
+
  endp.listeners = append(endp.listeners, l)
 
  endp.listenersWg.Add(1)

diff --git a/internal/endpoint/smtp/smtp.go b/internal/endpoint/smtp/smtp.go
@@ -47,18 +47,20 @@ import (
  "github.com/foxcpp/maddy/internal/authz"
  "github.com/foxcpp/maddy/internal/limits"
  "github.com/foxcpp/maddy/internal/msgpipeline"
+ "github.com/foxcpp/maddy/internal/proxy_protocol"
  "golang.org/x/net/idna"
 )
 
 type Endpoint struct {
- saslAuth auth.SASLAuth
- serv *smtp.Server
- name string
- addrs []string
- listeners []net.Listener
- pipeline *msgpipeline.MsgPipeline
- resolver dns.Resolver
- limits *limits.Group
+ saslAuth auth.SASLAuth
+ serv *smtp.Server
+ name string
+ addrs []string
+ listeners []net.Listener
+ proxyProtocol *proxy_protocol.ProxyProtocol
+ pipeline *msgpipeline.MsgPipeline
+ resolver dns.Resolver
+ limits *limits.Group
 
  buffer func(r io.Reader) (buffer.Buffer, error)
 
@@ -266,6 +268,7 @@ func (endp *Endpoint) setConfig(cfg *config.Map) error {
  return autoBufferMode(1*1024*1024 /* 1 MiB */, path), nil
  }, bufferModeDirective, &endp.buffer)
  cfg.Custom("tls", true, endp.name != "lmtp", nil, tls2.TLSDirective, &endp.serv.TLSConfig)
+ cfg.Custom("proxy_protocol", false, false, nil, proxy_protocol.ProxyProtocolDirective, &endp.proxyProtocol)
  cfg.Bool("insecure_auth", endp.name == "lmtp", false, &endp.serv.AllowInsecureAuth)
  cfg.Int("smtp_max_line_length", false, false, 4000, &endp.serv.MaxLineLength)
  cfg.Bool("io_debug", false, false, &ioDebug)
@@ -353,6 +356,10 @@ func (endp *Endpoint) setupListeners(addresses []config.Endpoint) error {
  l = tls.NewListener(l, endp.serv.TLSConfig)
  }
 
+ if endp.proxyProtocol != nil {
+ l = proxy_protocol.NewListener(l, endp.proxyProtocol, endp.Log)
+ }
+
  endp.listeners = append(endp.listeners, l)
 
  endp.listenersWg.Add(1)

diff --git a/internal/proxy_protocol/proxy_protocol.go b/internal/proxy_protocol/proxy_protocol.go
@@ -0,0 +1,86 @@
+package proxy_protocol
+
+import (
+ "crypto/tls"
+ "net"
+ "strings"
+
+ "github.com/c0va23/go-proxyprotocol"
+ "github.com/foxcpp/maddy/framework/config"
+ tls2 "github.com/foxcpp/maddy/framework/config/tls"
+ "github.com/foxcpp/maddy/framework/log"
+)
+
+type ProxyProtocol struct {
+ trust []net.IPNet
+ tlsConfig *tls.Config
+}
+
+func ProxyProtocolDirective(_ *config.Map, node config.Node) (interface{}, error) {
+ p := ProxyProtocol{}
+
+ childM := config.NewMap(nil, node)
+ var trustList []string
+
+ childM.StringList("trust", false, false, nil, &trustList)
+ childM.Custom("tls", true, false, nil, tls2.TLSDirective, &p.tlsConfig)
+
+ if _, err := childM.Process(); err != nil {
+ return nil, err
+ }
+
+ if len(node.Args) > 0 {
+ if trustList == nil {
+ trustList = make([]string, 0)
+ }
+ trustList = append(trustList, node.Args...)
+ }
+
+ for _, trust := range trustList {
+ if !strings.Contains(trust, "/") {
+ trust += "/32"
+ }
+ _, ipNet, err := net.ParseCIDR(trust)
+ if err != nil {
+ return nil, err
+ }
+ p.trust = append(p.trust, *ipNet)
+ }
+
+ return &p, nil
+}
+
+func NewListener(inner net.Listener, p *ProxyProtocol, logger log.Logger) net.Listener {
+ var listener net.Listener
+
+ sourceChecker := func(upstream net.Addr) (bool, error) {
+ if tcpAddr, ok := upstream.(*net.TCPAddr); ok {
+ if len(p.trust) == 0 {
+ return true, nil
+ }
+ for _, trusted := range p.trust {
+ if trusted.Contains(tcpAddr.IP) {
+ return true, nil
+ }
+ }
+ } else if _, ok := upstream.(*net.UnixAddr); ok {
+ // UNIX local socket connection, always trusted
+ return true, nil
+ }
+
+ logger.Printf("proxy_protocol: connection from untrusted source %s", upstream)
+ return false, nil
+ }
+
+ listener = proxyprotocol.NewDefaultListener(inner).
+ WithLogger(proxyprotocol.LoggerFunc(func(format string, v ...interface{}) {
+ logger.Debugf("proxy_protocol: "+format, v...)
+ })).
+ WithSourceChecker(sourceChecker)
+
+ if p.tlsConfig != nil {
+ listener = tls.NewListener(listener, p.tlsConfig)
+ }
+
+ return listener
+}