Merge branch 'master' of github.com:nodemailer/wildduck

Author: NickOvt

CHANGELOG.md

@@ -1,5 +1,28 @@
 # Changelog
 
+## [1.43.3](https://github.com/nodemailer/wildduck/compare/v1.43.2...v1.43.3) (2024-05-02)
+
+
+### Bug Fixes
+
+* **api-storage:** Added all storage endpoints to API docs generation ZMS-149 ([#675](https://github.com/nodemailer/wildduck/issues/675)) ([8e9af88](https://github.com/nodemailer/wildduck/commit/8e9af88a62960207d68f28fb71cd540be7a66fd5))
+* **autsni:** Fixed garbage collection for unfinished certificates ([5bf6c86](https://github.com/nodemailer/wildduck/commit/5bf6c865428d743f7ce328647146c95e07f3ace2))
+
+## [1.43.2](https://github.com/nodemailer/wildduck/compare/v1.43.1...v1.43.2) (2024-04-29)
+
+
+### Bug Fixes
+
+* **SNI:** do not use the default db for SNI ([a6c53eb](https://github.com/nodemailer/wildduck/commit/a6c53eba1fb3a6ed929050742b8681dafc472ce8))
+
+## [1.43.1](https://github.com/nodemailer/wildduck/compare/v1.43.0...v1.43.1) (2024-04-29)
+
+
+### Bug Fixes
+
+* **api-submit:** Added submission api endpoint to api docs generation ([#676](https://github.com/nodemailer/wildduck/issues/676)) ([82133df](https://github.com/nodemailer/wildduck/commit/82133df0c9b01e9bf4fcfcfea6ed660f37aeffe3))
+* **SNI:** disable SNI certificate autogeneration by default ([ecbdc9b](https://github.com/nodemailer/wildduck/commit/ecbdc9be5fefeebc71452f621dcd72e0844955ca))
+
 ## [1.43.0](https://github.com/nodemailer/wildduck/compare/v1.42.6...v1.43.0) (2024-04-29)
 
 

config/acme.toml

@@ -19,17 +19,19 @@ keyExponent = 65537
 
 [autogenerate]
 # If enabled then automatically generates TLS certificates based on SNI servernames
-enabled = true
+enabled = false
+
 [autogenerate.cnameMapping]
 # Sudomain CNAME mapping
 #   "abc" = ["def.com"] means that if the SNI servername domain is "abc.{domain}"
 #   then there must be a CNAME record for this domain that points to "def.com".
 #   If multiple CNAME targets are defined (eg ["def.com", "bef.com"], then at least 1 must match.
 #   Additionally, there must be at least 1 email account with "@{domain}" address.
 #   If there is no match, then TLS certificate is not generated.
-imap = ["imap.example.com"]
-smtp = ["smtp.example.com"]
-pop3 = ["imap.example.com"]
+
+# imap = ["imap.example.com"]
+# smtp = ["smtp.example.com"]
+# pop3 = ["imap.example.com"]
 
 [agent]
 # If enabled then starts a HTTP server that listens for ACME verification requests

indexes.yaml

@@ -631,6 +631,15 @@ indexes:
               expires: 1
               '_acme.lastRenewalCheck': 1
 
+    - collection: certs
+      index:
+          name: garbage_check
+          key:
+              acme: 1
+              updated: 1
+              expires: 1
+              autogenerated: 1
+
     - collection: audits
       index:
           name: user_expire_time

lib/acme/certs.js

@@ -13,7 +13,6 @@ const log = require('npmlog');
 const { Resolver } = require('dns').promises;
 const resolver = new Resolver();
 const Joi = require('joi');
-const db = require('../db');
 const { SettingsHandler } = require('../settings-handler');
 
 if (config.resolver && config.resolver.ns && config.resolver.ns.length) {
@@ -40,9 +39,9 @@ let acmeInitialized = false;
 let acmeInitializing = false;
 let acmeInitPending = [];
 
-const ensureAcme = async acmeOptions => {
+const ensureAcme = async (acmeOptions, certHandler) => {
     if (!settings) {
-        settings = new SettingsHandler({ db: db.database });
+        settings = new SettingsHandler({ db: certHandler.database });
     }
 
     if (acmeInitialized) {
@@ -78,7 +77,7 @@ const ensureAcme = async acmeOptions => {
 };
 
 const getAcmeAccount = async (acmeOptions, certHandler) => {
-    await ensureAcme(acmeOptions);
+    await ensureAcme(acmeOptions, certHandler);
 
     const entryKey = `acme:account:${acmeOptions.key}`;
 
@@ -121,7 +120,7 @@ const getAcmeAccount = async (acmeOptions, certHandler) => {
     };
 };
 
-const validateDomain = async domain => {
+const validateDomain = async (domain, certHandler) => {
     // check domain name format
     const validation = Joi.string()
         .domain({ tlds: { allow: true } })
@@ -136,9 +135,9 @@ const validateDomain = async domain => {
     }
 
     // check CAA support
-    const caaDomains = config.acme.caaDomains.map(normalizeDomain).filter(d => d);
+    const caaDomains = certHandler.acme?.caaDomains.map(normalizeDomain).filter(d => d);
 
-    if (caaDomains.length) {
+    if (caaDomains?.length) {
         let parts = domain.split('.');
         for (let i = 0; i < parts.length - 1; i++) {
             let subdomain = parts.slice(i).join('.');
@@ -169,7 +168,7 @@ const acquireCert = async (domain, acmeOptions, certificateData, certHandler) =>
     const domainSafeLockKey = `d:lock:safe:${domain}`;
     const domainOpLockKey = `d:lock:op:${domain}`;
 
-    if (await db.redis.exists(domainSafeLockKey)) {
+    if (await certHandler.redis.exists(domainSafeLockKey)) {
         // nothing to do here, renewal blocked
         log.info('ACME', 'Renewal blocked by failsafe lock for %s', domain);
 
@@ -179,17 +178,17 @@ const acquireCert = async (domain, acmeOptions, certificateData, certHandler) =>
 
     try {
         // throws if can not validate domain
-        await validateDomain(domain);
+        await validateDomain(domain, certHandler);
         log.info('ACME', 'Domain validation for %s passed', domain);
     } catch (err) {
-        log.error('ACME', 'Failed to validate domain %s: %s', domain, err.message);
+        log.error('ACME', 'Failed to validate domain %s: %s', domain, err.stack);
         return certificateData;
     }
 
     // Use locking to avoid race conditions, first try gets the lock, others wait until first is finished
     if (!getLock) {
         let lock = new Lock({
-            redis: db.redis,
+            redis: certHandler.redis,
             namespace: 'acme'
         });
         getLock = (...args) => lock.waitAcquireLock(...args);
@@ -212,7 +211,7 @@ const acquireCert = async (domain, acmeOptions, certificateData, certHandler) =>
         if (!privateKey) {
             // generate new key
             log.info('ACME', 'Provision new private key for %s', domain);
-            privateKey = await certHandler.resetPrivateKey({ _id: certificateData._id }, config.acme);
+            privateKey = await certHandler.resetPrivateKey({ _id: certificateData._id }, certHandler.acme);
         }
 
         const jwkPrivateKey = pem2jwk(privateKey);
@@ -236,7 +235,7 @@ const acquireCert = async (domain, acmeOptions, certificateData, certHandler) =>
             domains: [domain],
             challenges: {
                 'http-01': AcmeChallenge.create({
-                    db: db.database
+                    db: certHandler.database
                 })
             }
         };
@@ -290,16 +289,16 @@ const acquireCert = async (domain, acmeOptions, certificateData, certHandler) =>
         return await certHandler.getRecord({ _id: certificateData._id }, true);
     } catch (err) {
         try {
-            await db.redis.multi().set(domainSafeLockKey, 1).expire(domainSafeLockKey, BLOCK_RENEW_AFTER_ERROR_TTL).exec();
+            await certHandler.redis.multi().set(domainSafeLockKey, 1).expire(domainSafeLockKey, BLOCK_RENEW_AFTER_ERROR_TTL).exec();
         } catch (err) {
-            log.error('ACME', 'Redis call failed key=%s domains=%s error=%s', domainSafeLockKey, domain, err.message);
+            log.error('ACME', 'Redis call failed key=%s domains=%s error=%s', domainSafeLockKey, domain, err.stack);
         }
 
         log.error('ACME', 'Failed to generate certificate domains=%s error=%s', domain, err.stack);
 
         if (certificateData && certificateData._id) {
             try {
-                await db.database.collection('certs').findOneAndUpdate(
+                await certHandler.database.collection('certs').findOneAndUpdate(
                     { _id: certificateData._id },
                     {
                         $set: {
@@ -312,7 +311,7 @@ const acquireCert = async (domain, acmeOptions, certificateData, certHandler) =>
                     }
                 );
             } catch (err) {
-                log.error('ACME', 'Failed to update certificate record domain=%s error=%s', domain, err.message);
+                log.error('ACME', 'Failed to update certificate record domain=%s error=%s', domain, err.stack);
             }
 
             certHandler.loggelf({
@@ -335,7 +334,7 @@ const acquireCert = async (domain, acmeOptions, certificateData, certHandler) =>
         try {
             await releaseLock(lock);
         } catch (err) {
-            log.error('Lock', 'Failed to release lock for %s: %s', domainOpLockKey, err);
+            log.error('Lock', 'Failed to release lock for %s: %s', domainOpLockKey, err.stack);
         }
     }
 };