-
Notifications
You must be signed in to change notification settings - Fork 64
/
Copy pathsmtp.go
318 lines (269 loc) · 8.8 KB
/
smtp.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
package courier
import (
"context"
"crypto/tls"
"crypto/x509"
"flag"
"net"
"time"
"golang.org/x/net/idna"
"blitiri.com.ar/go/chasquid/internal/domaininfo"
"blitiri.com.ar/go/chasquid/internal/envelope"
"blitiri.com.ar/go/chasquid/internal/expvarom"
"blitiri.com.ar/go/chasquid/internal/smtp"
"blitiri.com.ar/go/chasquid/internal/sts"
"blitiri.com.ar/go/chasquid/internal/trace"
)
var (
	// Timeouts for SMTP delivery.
	// smtpDialTimeout bounds the TCP dial to a single MX, while
	// smtpTotalTimeout is the deadline set on the connection once it is
	// established, covering the rest of the SMTP conversation with that MX.
	smtpDialTimeout = 1 * time.Minute
	smtpTotalTimeout = 10 * time.Minute
	// Port for outgoing SMTP.
	// Tests can override this.
	// Note it is a *string, as returned by flag.String, and is concatenated
	// as-is to the MX host when dialing.
	smtpPort = flag.String("testing__outgoing_smtp_port", "25",
		"port to use for outgoing SMTP connections, ONLY FOR TESTING")
	// Allow overriding of net.LookupMX for testing purposes.
	// All MX lookups in this file go through this variable.
	// TODO: replace this with proper lookup interception once it is supported
	// by Go.
	netLookupMX = net.LookupMX
)
// Exported variables.
// These are counter maps used for monitoring outgoing SMTP connections; the
// keys listed below are the ones incremented from this file.
var (
	// tlsCount is keyed by the TLS outcome of a connection: "plain",
	// "tls:failed", "tls:insecure" or "tls:secure".
	tlsCount = expvarom.NewMap("chasquid/smtpOut/tlsCount",
		"result", "count of TLS status on outgoing connections")
	// slcResults counts security level checks, keyed by "pass" or "fail".
	slcResults = expvarom.NewMap("chasquid/smtpOut/securityLevelChecks",
		"result", "count of security level checks on outgoing connections")
	// stsSecurityModes counts the STS policies obtained, keyed by the mode
	// of the policy.
	stsSecurityModes = expvarom.NewMap("chasquid/smtpOut/sts/mode",
		"mode", "count of STS checks on outgoing connections")
	// stsSecurityResults counts the TLS checks done for policies in enforce
	// mode, keyed by "pass" or "fail".
	stsSecurityResults = expvarom.NewMap("chasquid/smtpOut/sts/security",
		"result", "count of STS security checks on outgoing connections")
)
// SMTP delivers remote mail via outgoing SMTP.
type SMTP struct {
	// HelloDomain is the domain we announce in the SMTP hello when
	// connecting to remote servers.
	HelloDomain string
	// Dinfo is the domain information database, consulted to check that
	// the security level of a connection is acceptable for the destination
	// domain.
	Dinfo *domaininfo.DB
	// STSCache is used to fetch the STS policy for the destination domain.
	// If nil, no STS policies are fetched or applied.
	STSCache *sts.PolicyCache
}
// Deliver an email. On failures, returns an error, and whether or not it is
// permanent.
//
// The MXs for the recipient's domain are looked up and tried in order,
// skipping the ones that are not allowed by the domain's MTA-STS policy (if
// we have one). We stop at the first MX that either accepts the message or
// rejects it permanently. If none did, a transient error is returned so the
// delivery can be attempted again later.
func (s *SMTP) Deliver(from string, to string, data []byte) (error, bool) {
	a := &attempt{
		courier:  s,
		from:     from,
		to:       to,
		toDomain: envelope.DomainOf(to),
		data:     data,
		tr:       trace.New("Courier.SMTP", to),
	}
	defer a.tr.Finish()
	a.tr.Debugf("%s -> %s", from, to)

	// smtp.Client.Mail will add the <> for us when the address is empty.
	if a.from == "<>" {
		a.from = ""
	}

	// Whether a lookup failure is permanent is decided by lookupMXs.
	// Treating these as permanent is in line with what other servers (Exim)
	// do. However, the downside is that temporary DNS issues can affect
	// delivery, so we have to make sure we try hard enough on the lookup.
	mxs, err, perm := lookupMXs(a.tr, a.toDomain)
	if err != nil {
		return a.tr.Errorf("Could not find mail server: %v", err), perm
	}
	if len(mxs) == 0 {
		// The lookup itself succeeded, but there are no hosts to deliver
		// to. Report that explicitly instead of formatting a nil error.
		return a.tr.Errorf(
			"Could not find mail server: domain has no usable MX records"), perm
	}

	a.stsPolicy = s.fetchSTSPolicy(a.tr, a.toDomain)

	// Tracks if we attempted delivery to at least one MX, so we can tell
	// apart "all attempts failed" from "the policy left us nothing to try".
	attempted := false
	for _, mx := range mxs {
		if a.stsPolicy != nil && !a.stsPolicy.MXIsAllowed(mx) {
			a.tr.Printf("%q skipped as per MTA-STS policy", mx)
			continue
		}
		attempted = true

		var permanent bool
		err, permanent = a.deliver(mx)
		if err == nil {
			return nil, false
		}
		if permanent {
			return err, true
		}
		a.tr.Errorf("%q returned transient error: %v", mx, err)
	}

	if !attempted {
		// Considered transient, as the MX records or the policy may change.
		return a.tr.Errorf("all MXs were skipped as per MTA-STS policy"), false
	}

	// We exhausted all MXs and failed to deliver, try again later.
	return a.tr.Errorf("all MXs returned transient failures (last: %v)", err), false
}
// attempt holds the state of a single delivery attempt (one call to
// SMTP.Deliver), which is shared across all the MXs tried for it.
type attempt struct {
	// courier is the SMTP courier doing the delivery.
	courier *SMTP
	// from is the envelope sender; it is "" for the null sender ("<>").
	from string
	// to is the envelope recipient.
	to string
	// data is the message contents, written as-is after the DATA command.
	data []byte
	// toDomain is the domain of the recipient, used for the MX lookup, the
	// security level checks and the STS policy.
	toDomain string
	// stsPolicy is the STS policy for toDomain, or nil if there is none.
	stsPolicy *sts.Policy
	// tr is the trace where the progress of the attempt is recorded.
	tr *trace.Trace
}
// deliver attempts to hand the message over to a single MX.
//
// It connects, says hello, upgrades to TLS if the server offers STARTTLS,
// checks the resulting security level against what we know about the domain
// and against its STS policy (if any), and then sends the message.
//
// Returns nil on success; otherwise an error and whether it is permanent.
// Connection, negotiation and security level problems are always transient.
func (a *attempt) deliver(mx string) (error, bool) {
	// Set after a failed jump to TLS, so the reconnection stays in plain text.
	tlsDisabled := false

reconnect:
	nc, err := net.DialTimeout("tcp", mx+":"+*smtpPort, smtpDialTimeout)
	if err != nil {
		return a.tr.Errorf("Could not dial: %v", err), false
	}
	defer nc.Close()

	// A single deadline covers the whole conversation on this connection.
	nc.SetDeadline(time.Now().Add(smtpTotalTimeout))

	client, err := smtp.NewClient(nc, mx)
	if err != nil {
		return a.tr.Errorf("Error creating client: %v", err), false
	}

	err = client.Hello(a.courier.HelloDomain)
	if err != nil {
		return a.tr.Errorf("Error saying hello: %v", err), false
	}

	// We start from plain text; the level is raised from within the TLS
	// handshake callback below, if we get to do one.
	level := domaininfo.SecLevel_PLAIN

	hasSTARTTLS, _ := client.Extension("STARTTLS")
	if hasSTARTTLS && !tlsDisabled {
		tlsConf := &tls.Config{
			ServerName: mx,

			// Sadly, self-signed and otherwise invalid certificates are
			// very common. Go's own verification is turned off, and the
			// same verification is done by hand in the callback, so a bad
			// certificate lowers the recorded security level instead of
			// aborting the connection. The level is what lets us detect
			// downgrade attacks.
			InsecureSkipVerify: true,
			VerifyConnection: func(cs tls.ConnectionState) error {
				level = a.verifyConnection(cs)
				return nil
			},
		}

		if err = client.StartTLS(tlsConf); err != nil {
			// The jump to TLS did not complete: either the server rejected
			// the STARTTLS command, or the TLS negotiation itself failed.
			// Start over on a new connection, this time without TLS.
			//
			// This is expected to be rare (e.g. a certificate Go cannot
			// parse, or a broken TLS stack on the server). Invalid and
			// self-signed certificates do NOT end up here: those are dealt
			// with in the callback above and need no retry. Only lower
			// level errors do.
			tlsCount.Add("tls:failed", 1)
			a.tr.Errorf("TLS error, retrying without TLS: %v", err)
			tlsDisabled = true
			nc.Close()
			goto reconnect
		}
	} else {
		tlsCount.Add("plain", 1)
		a.tr.Debugf("Insecure - NOT using TLS")
	}

	if !a.courier.Dinfo.OutgoingSecLevel(a.tr, a.toDomain, level) {
		// Treated as transient, so that a temporary misconfiguration on
		// the other end does not cause mail to be rejected for good.
		slcResults.Add("fail", 1)
		return a.tr.Errorf("Security level check failed (level:%s)", level), false
	}
	slcResults.Add("pass", 1)

	if pol := a.stsPolicy; pol != nil && pol.Mode == sts.Enforce {
		// An enforced policy requires a connection with validated TLS.
		// https://tools.ietf.org/html/rfc8461#section-4.2
		if level != domaininfo.SecLevel_TLS_SECURE {
			stsSecurityResults.Add("fail", 1)
			return a.tr.Errorf("invalid security level (%v) for STS policy",
				level), false
		}
		stsSecurityResults.Add("pass", 1)
		a.tr.Debugf("STS policy: connection is using valid TLS")
	}

	// From here on, the permanence of a failure depends on the error we got.
	err = client.MailAndRcpt(a.from, a.to)
	if err != nil {
		return a.tr.Errorf("MAIL+RCPT %v", err), smtp.IsPermanent(err)
	}

	body, err := client.Data()
	if err != nil {
		return a.tr.Errorf("DATA %v", err), smtp.IsPermanent(err)
	}

	if _, err = body.Write(a.data); err != nil {
		return a.tr.Errorf("DATA writing: %v", err), smtp.IsPermanent(err)
	}

	if err = body.Close(); err != nil {
		return a.tr.Errorf("DATA closing %v", err), smtp.IsPermanent(err)
	}

	// The message is already accepted; errors on QUIT are of no consequence.
	_ = client.Quit()
	a.tr.Debugf("done")

	return nil, false
}
// certRoots is the pool of CA roots that server certificates are validated
// against. It defaults to nil, which makes crypto/x509 use the system roots;
// it is a variable so tests can override it.
var certRoots *x509.CertPool
// verifyConnection checks the certificate chain presented by the server, and
// returns the security level of the connection accordingly: TLS_SECURE if
// the chain is valid for the server name, TLS_INSECURE otherwise. The result
// is also recorded in the trace and in the tlsCount counters.
//
// The validation mirrors the one Go does by default, following the official
// example at https://pkg.go.dev/crypto/tls#example-Config-VerifyConnection.
func (a *attempt) verifyConnection(cs tls.ConnectionState) domaininfo.SecLevel {
	// Every certificate after the first one is treated as an intermediate.
	intermediates := x509.NewCertPool()
	for _, c := range cs.PeerCertificates[1:] {
		intermediates.AddCert(c)
	}

	// The first certificate is the server's own.
	_, verifyErr := cs.PeerCertificates[0].Verify(x509.VerifyOptions{
		DNSName:       cs.ServerName,
		Intermediates: intermediates,
		Roots:         certRoots,
	})
	if verifyErr == nil {
		tlsCount.Add("tls:secure", 1)
		a.tr.Debugf("Secure - using TLS")
		return domaininfo.SecLevel_TLS_SECURE
	}

	// The certificate could not be verified, so it is considered invalid.
	a.tr.Debugf("Insecure - using TLS, but with an invalid cert")
	tlsCount.Add("tls:insecure", 1)
	return domaininfo.SecLevel_TLS_INSECURE
}
// fetchSTSPolicy returns the STS policy for the given domain, as obtained
// from the courier's STS cache. It returns nil if the courier has no cache,
// or if the policy could not be fetched (within one minute).
// The mode of each policy obtained is counted in stsSecurityModes.
func (s *SMTP) fetchSTSPolicy(tr *trace.Trace, domain string) *sts.Policy {
	// Upper bound on how long we are willing to wait for the policy.
	const fetchTimeout = 1 * time.Minute

	if s.STSCache == nil {
		return nil
	}

	fetchCtx, done := context.WithTimeout(context.Background(), fetchTimeout)
	defer done()

	pol, fetchErr := s.STSCache.Fetch(fetchCtx, domain)
	if fetchErr != nil {
		// Without a policy, delivery goes on with no STS restrictions.
		return nil
	}

	tr.Debugf("got STS policy")
	stsSecurityModes.Add(string(pol.Mode), 1)
	return pol
}
// lookupMXs returns the hosts to attempt delivery to for the given domain,
// in the order they should be tried, capped to 5 hosts.
//
// The domain is converted to ASCII (IDNA) before the lookup. If the lookup
// says the domain has no MX, we fall back to the domain itself (A record).
// If the lookup succeeds but returns no records, the result is empty and we
// do NOT fall back.
//
// Returns the list of hosts, an error if we could not get them, and whether
// that error is permanent. The last value is always true when there is no
// error.
func lookupMXs(tr *trace.Trace, domain string) ([]string, error, bool) {
	domain, err := idna.ToASCII(domain)
	if err != nil {
		return nil, err, true
	}

	mxs := []string{}

	mxRecords, err := netLookupMX(domain)
	if err != nil && len(mxRecords) > 0 {
		// net.LookupMX filters out the records with malformed names, and
		// returns an error alongside the remaining (valid) ones. Those are
		// perfectly usable, so deliver to them instead of failing (which
		// would be a permanent failure, as the error is neither "not
		// found" nor temporary).
		tr.Debugf("MX lookup on %q returned partial results: %v", domain, err)
		err = nil
	}

	if err != nil {
		// There was an error. It could be that the domain has no MX, in which
		// case we have to fall back to A, or a bigger problem.
		dnsErr, ok := err.(*net.DNSError)
		switch {
		case !ok:
			// Unknown kind of error, we can't tell whether it will go away;
			// treat it as transient.
			tr.Debugf("Error resolving MX on %q: %v", domain, err)
			return nil, err, false
		case dnsErr.IsNotFound:
			// MX not found, fall back to A.
			tr.Debugf("MX for %s not found, falling back to A", domain)
			mxs = []string{domain}
		default:
			// Permanent unless the resolver tells us it is temporary.
			tr.Debugf("MX lookup error on %q: %v", domain, dnsErr)
			return nil, err, !dnsErr.Temporary()
		}
	} else {
		// Convert the DNS records to a plain string slice. They're already
		// sorted by priority.
		for _, r := range mxRecords {
			mxs = append(mxs, r.Host)
		}
	}

	// Note that mxs could be empty; in that case we do NOT fall back to A.
	// This case is explicitly covered by the SMTP RFC.
	// https://tools.ietf.org/html/rfc5321#section-5.1

	// Cap the list of MXs to 5 hosts, to keep delivery attempt times
	// sane and prevent abuse.
	if len(mxs) > 5 {
		mxs = mxs[:5]
	}

	tr.Debugf("MXs: %v", mxs)
	return mxs, nil, true
}