-
Notifications
You must be signed in to change notification settings - Fork 366
Configuration
The configuration is in strict JSON format. Here is an annotated configuration.
To get started, copy goguerrilla.conf.sample to goguerrilla.conf.json
{
"allowed_hosts": ["guerrillamail.com","guerrillamailblock.com","sharklasers.com","guerrillamail.net","guerrillamail.org"], // What hosts to accept. Supports wildcards *.
"pid_file" : "/var/run/go-guerrilla.pid", // pid = process id, so that other programs can send signals to our server
"log_file" : "stderr", // can be "off", "stderr", "stdout" or any path to a file
"log_level" : "info", // can be "debug", "info", "error", "warn", "fatal", "panic"
"backend_config" :
{
"log_received_mails": true,
"save_workers_size": 1,
"save_process" : "HeadersParser|Header|Debugger", // chain of processors to be executed when saving email
"validate_process": "", // similar to save_process, chain of processors that validate a recipient
"primary_mail_host" : "mail.example.com", // used by the Header processor.
"gw_save_timeout" : "30s", // how long before giving up on saving an email (optional, default 30s)
"gw_val_rcpt_timeout" : "3s" // how long before giving up in validating a recipient (optional, default 5s)
},
"servers" : [ // the following is an array of objects, each object represents a new server that will be spawned
{
"is_enabled" : true, // boolean
"host_name":"mail.test.com", // the hostname of the server as set by MX record
"max_size": 1000000, // maximum size of an email in bytes
"timeout":180, // timeout in number of seconds before an idle connection is closed
"listen_interface":"127.0.0.1:25", // listen on ip and port
"max_clients": 1000, // max clients at one time
"log_file":"/dev/stdout", // optional. Can be "off", "stderr", "stdout" or any path to a file. Will use global setting of empty.
"tls" : { // optional, recommended
"start_tls_on":true, // supports the STARTTLS command?
"tls_always_on":false, // always connect using TLS? If true, start_tls_on will be false
"private_key_file":"/path/to/pem/file/test.com.key", // full path to pem file private key
"public_key_file":"/path/to/pem/file/test.com.crt", // full path to pem file certificate
"protocols" : ["tls1.0", "tls1.2"], // minimum protocol on the left, maximum on the right
// the following is a list of cipher suites to use.
"ciphers" : ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"],
"curves" : ["P256", "P384", "P521", "X25519"],
"prefer_server_cipher_suites" : true
}
},
// the following is a second server, but listening on port 465 and always using TLS
{
"is_enabled" : true,
"host_name":"mail.test.com",
"max_size":1000000,
"timeout":180,
"listen_interface":"127.0.0.1:465",
"max_clients":500,
"tls" : {
"start_tls_on":false,
"tls_always_on":true,
"private_key_file":"/path/to/pem/file/test.com.key",
"public_key_file":"/path/to/pem/file/test.com.crt",
"protocols" : ["tls1.0", "tls1.2"],
"ciphers" : ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"],
"curves" : ["P256", "P384", "P521", "X25519"],
"prefer_server_cipher_suites" : true
}
}
// repeat as many servers as you need
]
}
allowed_hosts
- supports wildcards for subdomains, eg *.example.com
. MX Records
with wildcards are supported, according to RCF1912
If you have a custom backend, and you would like to have your backend decide if the host is allowed, you
can turn off this feature by configuring with a single dot - .
The Json parser is very strict on syntax. If there's a parse error and it doesn't give much clue, then test your syntax here: http://jsonlint.com/#
A range of protocols, cipher suites and curves can be configured.
It's recommended to use the new cipher suites added since Go 1.8,
avoid SSLv3, and avoid CBC
based cipher suites. However, be warned
that disabling old stuff might also prevent some email getting through -
as many SMTP senders still use the old ones.
If any of the following settings are absent, GO's defaults will be used.
The protocols
setting is an array with just two elements.
The first element is the minimum protocol version, the second is the maximum.
Avoid ssl3.0. All lowercase.
- ssl3.0 (to be removed in Go 1.14)
- tls1.0
- tls1.1
- tls1.2
- tls1.3 (since Go 1.13)
Example
"protocols" : ["tls1.0", "tls1.2"]
Here is a list of cipher suites that can be used. Note that TLS_FALLBACK_SCSV
is not a cipher, but should be included to prevent downgrade attacks.
Generally, avoid CBC when you can, and possibly 3DES.
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_FALLBACK_SCSV (Used only with SSLv3, to be removed in Go 1.14)
Since Go 1.8 -
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
Since Go 1.13 -
(cipher suites are not configurable for TLS 1.3)
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
Example
"ciphers" : ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"],
curves
contains the elliptic curves that will be used in an ECDHE handshake,
in preference order.
- P256
- P384
- P521
Since Go 1.8 -
- X25519
Example
"curves" : ["P256", "P384", "P521", "X25519"]
backend configuration details here: https://github.com/flashmob/go-guerrilla/wiki/Backends,-configuring-and-extending
Here is the page discussing how to configure saving to Redis and MySQL: