Feature: Add TLS forwarding support and refactor forwarding function

2025-04-17 12:06:22 +02:00 · 2025-03-29 15:45:50 +13:00 · 2025-03-29 15:45:50 +13:00 · 6c0ef5ba33
commit 6c0ef5ba33
parent 2dbc4ea601
5 changed files with 59 additions and 25 deletions
--- a/cmd/root.go
+++ b/cmd/root.go
@ -311,6 +311,7 @@ func initConfigFromEnv() {
 		config.SMTPForwardConfig.Port, _ = strconv.Atoi(os.Getenv("MP_SMTP_FORWARD_PORT"))
 	}
 	config.SMTPForwardConfig.STARTTLS = getEnabledFromEnv("MP_SMTP_FORWARD_STARTTLS")
+	config.SMTPForwardConfig.TLS = getEnabledFromEnv("MP_SMTP_FORWARD_TLS")
 	config.SMTPForwardConfig.AllowInsecure = getEnabledFromEnv("MP_SMTP_FORWARD_ALLOW_INSECURE")
 	config.SMTPForwardConfig.Auth = os.Getenv("MP_SMTP_FORWARD_AUTH")
 	config.SMTPForwardConfig.Username = os.Getenv("MP_SMTP_FORWARD_USERNAME")
--- a/config/config.go
+++ b/config/config.go
@ -209,11 +209,11 @@ type autoTag struct {

 // SMTPRelayConfigStruct struct for parsing yaml & storing variables
 type SMTPRelayConfigStruct struct {
-	Host                    string         `yaml:"host"`
-	Port                    int            `yaml:"port"`
-	STARTTLS                bool           `yaml:"starttls"`
-	TLS                     bool           `yaml:"tls"`
-	AllowInsecure           bool           `yaml:"allow-insecure"`
+	Host                    string         `yaml:"host"`               // SMTP host
+	Port                    int            `yaml:"port"`               // SMTP port
+	STARTTLS                bool           `yaml:"starttls"`           // whether to use STARTTLS
+	TLS                     bool           `yaml:"tls"`                // whether to use TLS
+	AllowInsecure           bool           `yaml:"allow-insecure"`     // allow insecure authentication, ignore TLS validation
 	Auth                    string         `yaml:"auth"`               // none, plain, login, cram-md5
 	Username                string         `yaml:"username"`           // plain & cram-md5
 	Password                string         `yaml:"password"`           // plain
@ -235,7 +235,8 @@ type SMTPForwardConfigStruct struct {
 	Host          string `yaml:"host"`           // SMTP host
 	Port          int    `yaml:"port"`           // SMTP port
 	STARTTLS      bool   `yaml:"starttls"`       // whether to use STARTTLS
-	AllowInsecure bool   `yaml:"allow-insecure"` // allow insecure authentication
+	TLS           bool   `yaml:"tls"`            // whether to use TLS
+	AllowInsecure bool   `yaml:"allow-insecure"` // allow insecure authentication, ignore TLS validation
 	Auth          string `yaml:"auth"`           // none, plain, login, cram-md5
 	Username      string `yaml:"username"`       // plain & cram-md5
 	Password      string `yaml:"password"`       // plain
--- a/config/validators.go
+++ b/config/validators.go
@ -94,10 +94,6 @@ func validateRelayConfig() error {
 		SMTPRelayConfig.Port = 25 // default
 	}

-	if SMTPRelayConfig.STARTTLS && SMTPRelayConfig.TLS {
-		return fmt.Errorf("[relay] TLS & STARTTLS cannot be required together")
-	}
-
 	SMTPRelayConfig.Auth = strings.ToLower(SMTPRelayConfig.Auth)

 	if SMTPRelayConfig.Auth == "" || SMTPRelayConfig.Auth == "none" || SMTPRelayConfig.Auth == "false" {
@ -149,6 +145,10 @@ func validateRelayConfig() error {
 		SMTPRelayConfig.OverrideFrom = m.Address
 	}

+	if SMTPRelayConfig.STARTTLS && SMTPRelayConfig.TLS {
+		return fmt.Errorf("[relay] TLS & STARTTLS cannot be required together")
+	}
+
 	ReleaseEnabled = true

 	logger.Log().Infof("[relay] enabling message relaying via %s:%d", SMTPRelayConfig.Host, SMTPRelayConfig.Port)
@ -247,6 +247,10 @@ func validateForwardConfig() error {
 		SMTPForwardConfig.OverrideFrom = m.Address
 	}

+	if SMTPForwardConfig.STARTTLS && SMTPForwardConfig.TLS {
+		return fmt.Errorf("[forward] TLS & STARTTLS cannot be required together")
+	}
+
 	logger.Log().Infof("[forward] enabling message forwarding to %s via %s:%d", SMTPForwardConfig.To, SMTPForwardConfig.Host, SMTPForwardConfig.Port)

 	return nil
--- a/internal/smtpd/forward.go
+++ b/internal/smtpd/forward.go
@ -25,27 +25,55 @@ func autoForwardMessage(from string, data *[]byte) {
 	}
 }

+func createForwardingSMTPClient(config config.SMTPForwardConfigStruct, addr string) (*smtp.Client, error) {
+	if config.TLS {
+		tlsConf := &tls.Config{ServerName: config.Host} // #nosec
+		tlsConf.InsecureSkipVerify = config.AllowInsecure
+
+		conn, err := tls.Dial("tcp", addr, tlsConf)
+		if err != nil {
+			return nil, fmt.Errorf("TLS Dial error: %v", err)
+		}
+
+		client, err := smtp.NewClient(conn, tlsConf.ServerName)
+		if err != nil {
+			conn.Close()
+			return nil, fmt.Errorf("SMTP client error: %v", err)
+		}
+
+		// Note: The caller is responsible for closing the client
+		return client, nil
+	}
+
+	client, err := smtp.Dial(addr)
+	if err != nil {
+		return nil, fmt.Errorf("error connecting to %s: %v", addr, err)
+	}
+
+	if config.STARTTLS {
+		tlsConf := &tls.Config{ServerName: config.Host} // #nosec
+		tlsConf.InsecureSkipVerify = config.AllowInsecure
+
+		if err = client.StartTLS(tlsConf); err != nil {
+			client.Close()
+			return nil, fmt.Errorf("error creating StartTLS config: %v", err)
+		}
+	}
+
+	// Note: The caller is responsible for closing the client
+	return client, nil
+}
+
 // Forward will connect to a pre-configured SMTP server and send a message to one or more recipients.
 func forward(from string, msg []byte) error {
 	addr := fmt.Sprintf("%s:%d", config.SMTPForwardConfig.Host, config.SMTPForwardConfig.Port)

-	c, err := smtp.Dial(addr)
+	c, err := createForwardingSMTPClient(config.SMTPForwardConfig, addr)
 	if err != nil {
-		return fmt.Errorf("error connecting to %s: %s", addr, err.Error())
+		return err
 	}
-
 	defer c.Close()

-	if config.SMTPForwardConfig.STARTTLS {
-		conf := &tls.Config{ServerName: config.SMTPForwardConfig.Host} // #nosec
-
-		conf.InsecureSkipVerify = config.SMTPForwardConfig.AllowInsecure
-
-		if err = c.StartTLS(conf); err != nil {
-			return fmt.Errorf("error creating StartTLS config: %s", err.Error())
-		}
-	}
-
 	auth := forwardAuthFromConfig()

 	if auth != nil {
--- a/internal/smtpd/relay.go
+++ b/internal/smtpd/relay.go
@ -59,7 +59,7 @@ func autoRelayMessage(from string, to []string, data *[]byte) {
 	}
 }

-func createSMTPClient(config config.SMTPRelayConfigStruct, addr string) (*smtp.Client, error) {
+func createRelaySMTPClient(config config.SMTPRelayConfigStruct, addr string) (*smtp.Client, error) {
 	if config.TLS {
 		tlsConf := &tls.Config{ServerName: config.Host} // #nosec
 		tlsConf.InsecureSkipVerify = config.AllowInsecure
@ -102,7 +102,7 @@ func createSMTPClient(config config.SMTPRelayConfigStruct, addr string) (*smtp.C
 func Relay(from string, to []string, msg []byte) error {
 	addr := fmt.Sprintf("%s:%d", config.SMTPRelayConfig.Host, config.SMTPRelayConfig.Port)

-	c, err := createSMTPClient(config.SMTPRelayConfig, addr)
+	c, err := createRelaySMTPClient(config.SMTPRelayConfig, addr)
 	if err != nil {
 		return err
 	}