implement outgoing tls reports

we were already accepting, processing and displaying incoming tls reports. now
we start tracking TLS connection and security-policy-related errors for
outgoing message deliveries as well. we send reports once a day, to the
reporting addresses specified in TLSRPT records (rua) of a policy domain. these
reports are about MTA-STS policies and/or DANE policies, and about
STARTTLS-related failures.

sending reports is enabled by default, but can be disabled through setting
NoOutgoingTLSReports in mox.conf.

only at the end of the implementation process came the realization that the
TLSRPT policy domain for DANE (MX) hosts are separate from the TLSRPT policy
for the recipient domain, and that MTA-STS and DANE TLS/policy results are
typically delivered in separate reports. so MX hosts need their own TLSRPT
policies.

config for the per-host TLSRPT policy should be added to mox.conf for existing
installs, in field HostTLSRPT. it is automatically configured by quickstart for
new installs. with a HostTLSRPT config, the "dns records" and "dns check" admin
pages now suggest the per-host TLSRPT record. by creating that record, you're
requesting TLS reports about your MX host.

gathering all the TLS/policy results is somewhat tricky. the tentacles go
throughout the code. the positive result is that the TLS/policy-related code
had to be cleaned up a bit. for example, the smtpclient TLS modes now reflect
reality better, with independent settings about whether PKIX and/or DANE
verification has to be done, and/or whether verification errors have to be
ignored (e.g. for tls-required: no header). also, cached mtasts policies of
mode "none" are now cleaned up once the MTA-STS DNS record goes away.

.gitignore

@@ -24,6 +24,7 @@
 /testdata/smtp/postmaster/
 /testdata/smtpserverfuzz/data/
 /testdata/store/data/
+/testdata/tlsrptsend/data/
 /testdata/train/
 /testdata/webmail/data/
 /testdata/upgradetest.mbox.gz

README.md

@@ -21,7 +21,7 @@ See Quickstart below to get started.
   ("localparts"), and in domain names (IDNA).
 - Automatic TLS with ACME, for use with Let's Encrypt and other CA's.
 - DANE and MTA-STS for inbound and outbound delivery over SMTP with STARTTLS,
-  including REQUIRETLS and with incoming TLSRPT reporting.
+  including REQUIRETLS and with incoming/outgoing TLSRPT reporting.
 - Web admin interface that helps you set up your domains and accounts
   (instructions to create DNS records, configure
   SPF/DKIM/DMARC/TLSRPT/MTA-STS), for status information, managing
@@ -114,7 +114,6 @@ https://nlnet.nl/project/Mox/.
 
 ## Roadmap
 
-- Sending TLS reports (currently only receiving)
 - Authentication other than HTTP-basic for webmail/webadmin/webaccount
 - Per-domain webmail and IMAP/SMTP host name (and TLS cert) and client settings
 - Make mox Go packages more easily reusable, each pulling in fewer (internal)

backup.go

@@ -282,7 +282,8 @@ func backupctl(ctx context.Context, ctl *ctl) {
 	backupDB(dmarcdb.ReportsDB, "dmarcrpt.db")
 	backupDB(dmarcdb.EvalDB, "dmarceval.db")
 	backupDB(mtastsdb.DB, "mtasts.db")
-	backupDB(tlsrptdb.DB, "tlsrpt.db")
+	backupDB(tlsrptdb.ReportDB, "tlsrpt.db")
+	backupDB(tlsrptdb.ResultDB, "tlsrptresult.db")
 	backupFile("receivedid.key")
 
 	// Acme directory is optional.
@@ -530,7 +531,7 @@ func backupctl(ctx context.Context, ctl *ctl) {
 		}
 
 		switch p {
-		case "dmarcrpt.db", "dmarceval.db", "mtasts.db", "tlsrpt.db", "receivedid.key", "ctl":
+		case "dmarcrpt.db", "dmarceval.db", "mtasts.db", "tlsrpt.db", "tlsrptresult.db", "receivedid.key", "ctl":
 			// Already handled.
 			return nil
 		case "lastknownversion": // Optional file, not yet handled.

config/config.go

@@ -57,10 +57,18 @@ type Static struct {
 		Account string
 		Mailbox string `sconf-doc:"E.g. Postmaster or Inbox."`
 	} `sconf-doc:"Destination for emails delivered to postmaster addresses: a plain 'postmaster' without domain, 'postmaster@<hostname>' (also for each listener with SMTP enabled), and as fallback for each domain without explicitly configured postmaster destination."`
+	HostTLSRPT struct {
+		Account   string `sconf-doc:"Account to deliver TLS reports to. Typically same account as for postmaster."`
+		Mailbox   string `sconf-doc:"Mailbox to deliver TLS reports to. Recommended value: TLSRPT."`
+		Localpart string `sconf-doc:"Localpart at hostname to accept TLS reports at. Recommended value: tls-reports."`
+
+		ParsedLocalpart smtp.Localpart `sconf:"-"`
+	} `sconf:"optional" sconf-doc:"Destination for per-host TLS reports (TLSRPT). TLS reports can be per recipient domain (for MTA-STS), or per MX host (for DANE). The per-domain TLS reporting configuration is in domains.conf. This is the TLS reporting configuration for this host. If absent, no host-based TLSRPT address is configured, and no host TLSRPT DNS record is suggested."`
 	InitialMailboxes       InitialMailboxes     `sconf:"optional" sconf-doc:"Mailboxes to create for new accounts. Inbox is always created. Mailboxes can be given a 'special-use' role, which are understood by most mail clients. If absent/empty, the following mailboxes are created: Sent, Archive, Trash, Drafts and Junk."`
 	DefaultMailboxes       []string             `sconf:"optional" sconf-doc:"Deprecated in favor of InitialMailboxes. Mailboxes to create when adding an account. Inbox is always created. If no mailboxes are specified, the following are automatically created: Sent, Archive, Trash, Drafts and Junk."`
 	Transports             map[string]Transport `sconf:"optional" sconf-doc:"Transport are mechanisms for delivering messages. Transports can be referenced from Routes in accounts, domains and the global configuration. There is always an implicit/fallback delivery transport doing direct delivery with SMTP from the outgoing message queue. Transports are typically only configured when using smarthosts, i.e. when delivering through another SMTP server. Zero or one transport methods must be set in a transport, never multiple. When using an external party to send email for a domain, keep in mind you may have to add their IP address to your domain's SPF record, and possibly additional DKIM records."`
 	NoOutgoingDMARCReports bool                 `sconf:"optional" sconf-doc:"Do not send DMARC reports (aggregate only). By default, aggregate reports on DMARC evaluations are sent to domains if their DMARC policy requests them. Reports are sent at whole hours, with a minimum of 1 hour and maximum of 24 hours, rounded up so a whole number of intervals cover 24 hours, aligned at whole days in UTC."`
+	NoOutgoingTLSReports   bool                 `sconf:"optional" sconf-doc:"Do not send TLS reports. By default, reports about successful and failed SMTP STARTTLS connections are sent to domains if their TLSRPT DNS record requests them. Reports covering a 24 hour UTC interval are sent daily."`
 
 	// All IPs that were explicitly listen on for external SMTP. Only set when there
 	// are no unspecified external SMTP listeners and there is at most one for IPv4 and
@@ -126,7 +134,7 @@ type Listener struct {
 		Enabled         bool
 		Port            int  `sconf:"optional" sconf-doc:"Default 25."`
 		NoSTARTTLS      bool `sconf:"optional" sconf-doc:"Do not offer STARTTLS to secure the connection. Not recommended."`
-		RequireSTARTTLS bool `sconf:"optional" sconf-doc:"Do not accept incoming messages if STARTTLS is not active. Can be used in combination with a strict MTA-STS policy. A remote SMTP server may not support TLS and may not be able to deliver messages."`
+		RequireSTARTTLS bool `sconf:"optional" sconf-doc:"Do not accept incoming messages if STARTTLS is not active. Consider using in combination with an MTA-STS policy and/or DANE. A remote SMTP server may not support TLS and may not be able to deliver messages. Incoming messages for TLS reporting addresses ignore this setting and do not require TLS."`
 		NoRequireTLS    bool `sconf:"optional" sconf-doc:"Do not announce the REQUIRETLS SMTP extension. Messages delivered using the REQUIRETLS extension should only be distributed onwards to servers also implementing the REQUIRETLS extension. In some situations, such as hosting mailing lists, this may not be feasible due to lack of support for the extension by mailing list subscribers."`
 		// Reoriginated messages (such as messages sent to mailing list subscribers) should
 		// keep REQUIRETLS. ../rfc/8689:412
@@ -306,7 +314,7 @@ type Selector struct {
 		BodyRelaxed   bool `sconf-doc:"If set, some whitespace modifications to the message body are allowed."`
 	} `sconf:"optional"`
 	Headers          []string `sconf:"optional" sconf-doc:"Headers to sign with DKIM. If empty, a reasonable default set of headers is selected."`
-	HeadersEffective []string `sconf:"-"`
+	HeadersEffective []string `sconf:"-"` // Used when signing. Based on Headers from config, or the reasonable default.
 	DontSealHeaders  bool     `sconf:"optional" sconf-doc:"If set, don't prevent duplicate headers from being added. Not recommended."`
 	Expiration       string   `sconf:"optional" sconf-doc:"Period a signature is valid after signing, as duration, e.g. 72h. The period should be enough for delivery at the final destination, potentially with several hops/relays. In the order of days at least."`
 	PrivateKeyFile   string   `sconf-doc:"Either an RSA or ed25519 private key file in PKCS8 PEM form."`
@@ -371,8 +379,9 @@ type Destination struct {
 	Rulesets []Ruleset `sconf:"optional" sconf-doc:"Delivery rules based on message and SMTP transaction. You may want to match each mailing list by SMTP MailFrom address, VerifiedDomain and/or List-ID header (typically <listname.example.org> if the list address is [email protected]), delivering them to their own mailbox."`
 	FullName string    `sconf:"optional" sconf-doc:"Full name to use in message From header when composing messages coming from this address with webmail."`
 
-	DMARCReports bool `sconf:"-" json:"-"`
-	TLSReports   bool `sconf:"-" json:"-"`
+	DMARCReports     bool `sconf:"-" json:"-"`
+	HostTLSReports   bool `sconf:"-" json:"-"`
+	DomainTLSReports bool `sconf:"-" json:"-"`
 }
 
 // Equal returns whether d and o are equal, only looking at their user-changeable fields.

config/doc.go

@@ -179,9 +179,10 @@ describe-static" and "mox config describe-domains":
 				# Do not offer STARTTLS to secure the connection. Not recommended. (optional)
 				NoSTARTTLS: false
 
-				# Do not accept incoming messages if STARTTLS is not active. Can be used in
-				# combination with a strict MTA-STS policy. A remote SMTP server may not support
-				# TLS and may not be able to deliver messages. (optional)
+				# Do not accept incoming messages if STARTTLS is not active. Consider using in
+				# combination with an MTA-STS policy and/or DANE. A remote SMTP server may not
+				# support TLS and may not be able to deliver messages. Incoming messages for TLS
+				# reporting addresses ignore this setting and do not require TLS. (optional)
 				RequireSTARTTLS: false
 
 				# Do not announce the REQUIRETLS SMTP extension. Messages delivered using the
@@ -391,6 +392,22 @@ describe-static" and "mox config describe-domains":
 		# E.g. Postmaster or Inbox.
 		Mailbox:
 
+	# Destination for per-host TLS reports (TLSRPT). TLS reports can be per recipient
+	# domain (for MTA-STS), or per MX host (for DANE). The per-domain TLS reporting
+	# configuration is in domains.conf. This is the TLS reporting configuration for
+	# this host. If absent, no host-based TLSRPT address is configured, and no host
+	# TLSRPT DNS record is suggested. (optional)
+	HostTLSRPT:
+
+		# Account to deliver TLS reports to. Typically same account as for postmaster.
+		Account:
+
+		# Mailbox to deliver TLS reports to. Recommended value: TLSRPT.
+		Mailbox:
+
+		# Localpart at hostname to accept TLS reports at. Recommended value: tls-reports.
+		Localpart:
+
 	# Mailboxes to create for new accounts. Inbox is always created. Mailboxes can be
 	# given a 'special-use' role, which are understood by most mail clients. If
 	# absent/empty, the following mailboxes are created: Sent, Archive, Trash, Drafts
@@ -556,6 +573,11 @@ describe-static" and "mox config describe-domains":
 	# whole days in UTC. (optional)
 	NoOutgoingDMARCReports: false
 
+	# Do not send TLS reports. By default, reports about successful and failed SMTP
+	# STARTTLS connections are sent to domains if their TLSRPT DNS record requests
+	# them. Reports covering a 24 hour UTC interval are sent daily. (optional)
+	NoOutgoingTLSReports: false
+
 # domains.conf
 
 	# NOTE: This config file is in 'sconf' format. Indent with tabs. Comments must be

dmarcdb/eval.go

@@ -1,5 +1,7 @@
 package dmarcdb
 
+// Sending TLS reports and DMARC reports is very similar. See ../dmarcdb/eval.go:/similar and ../tlsrptsend/send.go:/similar.
+
 import (
 	"compress/gzip"
 	"context"

gentestdata.go

@@ -209,15 +209,15 @@ Accounts:
 		},
 		MaxAgeSeconds: 1296000,
 	}
-	err = mtastsdb.Upsert(ctxbg, dns.Domain{ASCII: "mox.example"}, "123", &mtastsPolicy)
+	err = mtastsdb.Upsert(ctxbg, dns.Domain{ASCII: "mox.example"}, "123", &mtastsPolicy, mtastsPolicy.String())
 	xcheckf(err, "adding mtastsdb report")
 
 	// Populate tlsrpt.db.
 	err = tlsrptdb.Init()
 	xcheckf(err, "tlsrptdb init")
 	tlsr, err := tlsrpt.Parse(strings.NewReader(tlsReport))
 	xcheckf(err, "parsing tls report")
-	err = tlsrptdb.AddReport(ctxbg, dns.Domain{ASCII: "mox.example"}, "[email protected]", tlsr)
+	err = tlsrptdb.AddReport(ctxbg, dns.Domain{ASCII: "mox.example"}, "[email protected]", false, tlsr)
 	xcheckf(err, "adding tls report")
 
 	// Populate queue, with a message.

go.mod

@@ -3,7 +3,7 @@ module github.com/mjl-/mox
 go 1.20
 
 require (
-	github.com/mjl-/adns v0.0.0-20231013194548-ea0378d616ab
+	github.com/mjl-/adns v0.0.0-20231109160910-82839fe3e6ae
 	github.com/mjl-/autocert v0.0.0-20231013072455-c361ae2e20a6
 	github.com/mjl-/bstore v0.0.2
 	github.com/mjl-/sconf v0.0.5

go.sum

@@ -145,8 +145,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mjl-/adns v0.0.0-20231013194548-ea0378d616ab h1:fL+dZP+IxX08+ugLq42bkvOfV42muXET+T+Ei1K16bI=
-github.com/mjl-/adns v0.0.0-20231013194548-ea0378d616ab/go.mod h1:v47qUMJnipnmDTRGaHwpCwzE6oypa5K33mUvBfzZBn8=
+github.com/mjl-/adns v0.0.0-20231109160910-82839fe3e6ae h1:P/kTaQbDFSbmDK+RVjwu7mPyr6a6XyHqHu1PlRMEbAU=
+github.com/mjl-/adns v0.0.0-20231109160910-82839fe3e6ae/go.mod h1:v47qUMJnipnmDTRGaHwpCwzE6oypa5K33mUvBfzZBn8=
 github.com/mjl-/autocert v0.0.0-20231013072455-c361ae2e20a6 h1:TEXyTghAN9pmV2ffzdnhmzkML08e1Z/oGywJ9eunbRI=
 github.com/mjl-/autocert v0.0.0-20231013072455-c361ae2e20a6/go.mod h1:taMFU86abMxKLPV4Bynhv8enbYmS67b8LG80qZv2Qus=
 github.com/mjl-/bstore v0.0.2 h1:4fdpIOY/+Dv1dBHyzdqa4PD90p8Mz86FeyRpI4qcehw=

integration_test.go

@@ -129,7 +129,7 @@ This is the message.
 `, mailfrom, rcptto)
 		msg = strings.ReplaceAll(msg, "\n", "\r\n")
 		auth := []sasl.Client{sasl.NewClientPlain(mailfrom, password)}
-		c, err := smtpclient.New(mox.Context, xlog, conn, smtpclient.TLSSkip, ourHostname, dns.Domain{ASCII: desthost}, auth, nil, nil, nil)
+		c, err := smtpclient.New(mox.Context, xlog, conn, smtpclient.TLSSkip, false, ourHostname, dns.Domain{ASCII: desthost}, smtpclient.Opts{Auth: auth})
 		tcheck(t, err, "smtp hello")
 		err = c.Deliver(mox.Context, mailfrom, rcptto, int64(len(msg)), strings.NewReader(msg), false, false, false)
 		tcheck(t, err, "deliver with smtp")

localserve.go

@@ -139,8 +139,9 @@ during those commands instead of during "data".
 
 	const mtastsdbRefresher = false
 	const sendDMARCReports = false
+	const sendTLSReports = false
 	const skipForkExec = true
-	if err := start(mtastsdbRefresher, sendDMARCReports, skipForkExec); err != nil {
+	if err := start(mtastsdbRefresher, sendDMARCReports, sendTLSReports, skipForkExec); err != nil {
 		log.Fatalx("starting mox", err)
 	}
 	golog.Printf("mox, version %s", moxvar.Version)

main.go

@@ -842,9 +842,10 @@ func cmdConfigDNSCheck(c *cmd) {
 	printResult("SPF", result.SPF.Result)
 	printResult("DKIM", result.DKIM.Result)
 	printResult("DMARC", result.DMARC.Result)
-	printResult("TLSRPT", result.TLSRPT.Result)
+	printResult("Host TLSRPT", result.HostTLSRPT.Result)
+	printResult("Domain TLSRPT", result.DomainTLSRPT.Result)
 	printResult("MTASTS", result.MTASTS.Result)
-	printResult("SRV", result.SRVConf.Result)
+	printResult("SRV conf", result.SRVConf.Result)
 	printResult("Autoconf", result.Autoconf.Result)
 	printResult("Autodiscover", result.Autodiscover.Result)
 }
@@ -1728,14 +1729,14 @@ sharing most of its code.
 			log.Printf("looking up tlsa records: %s, skipping", err)
 			continue
 		}
-		tlsMode := smtpclient.TLSStrictStartTLS
+		tlsMode := smtpclient.TLSRequiredStartTLS
 		if len(daneRecords) == 0 {
 			if !daneRequired {
 				log.Printf("host %s has no tlsa records, skipping", expandedHost)
 				continue
 			}
 			log.Printf("warning: only unusable tlsa records found, continuing with required tls without certificate verification")
-			tlsMode = smtpclient.TLSUnverifiedStartTLS
+			daneRecords = nil
 		} else {
 			var l []string
 			for _, r := range daneRecords {
@@ -1744,9 +1745,9 @@ sharing most of its code.
 			log.Printf("tlsa records: %s", strings.Join(l, "; "))
 		}
 
-		tlsRemoteHostnames := smtpclient.GatherTLSANames(haveMX, expandedNextHopAuthentic, expandedAuthentic, origNextHop, expandedNextHop, host.Domain, tlsaBaseDomain)
+		tlsHostnames := smtpclient.GatherTLSANames(haveMX, expandedNextHopAuthentic, expandedAuthentic, origNextHop, expandedNextHop, host.Domain, tlsaBaseDomain)
 		var l []string
-		for _, name := range tlsRemoteHostnames {
+		for _, name := range tlsHostnames {
 			l = append(l, name.String())
 		}
 		log.Printf("gathered valid tls certificate names for potential verification with dane-ta: %s", strings.Join(l, ", "))
@@ -1760,7 +1761,14 @@ sharing most of its code.
 		log.Printf("connected to %s, %s, starting smtp session with ehlo and starttls with dane verification", expandedHost, conn.RemoteAddr())
 
 		var verifiedRecord adns.TLSA
-		sc, err := smtpclient.New(ctxbg, clog, conn, tlsMode, ehloDomain, tlsRemoteHostnames[0], nil, daneRecords, tlsRemoteHostnames[1:], &verifiedRecord)
+		opts := smtpclient.Opts{
+			DANERecords:        daneRecords,
+			DANEMoreHostnames:  tlsHostnames[1:],
+			DANEVerifiedRecord: &verifiedRecord,
+			RootCAs:            mox.Conf.Static.TLS.CertPool,
+		}
+		tlsPKIX := false
+		sc, err := smtpclient.New(ctxbg, clog, conn, tlsMode, tlsPKIX, ehloDomain, tlsHostnames[0], opts)
 		if err != nil {
 			log.Printf("setting up smtp session: %v, skipping", err)
 			conn.Close()
@@ -2672,7 +2680,7 @@ should be used, and how long the policy can be cached.
 
 	domain := xparseDomain(args[0], "domain")
 
-	record, policy, err := mtasts.Get(context.Background(), dns.StrictResolver{}, domain)
+	record, policy, _, err := mtasts.Get(context.Background(), dns.StrictResolver{}, domain)
 	if err != nil {
 		fmt.Printf("error: %s\n", err)
 	}
@@ -2712,6 +2720,8 @@ func cmdTLSRPTDBAddReport(c *cmd) {
 	c.unlisted = true
 	c.params = "< message"
 	c.help = "Parse a TLS report from the message and add it to the database."
+	var hostReport bool
+	c.flag.BoolVar(&hostReport, "hostreport", false, "report for a host instead of domain")
 	args := c.Parse()
 	if len(args) != 0 {
 		c.Usage()
@@ -2737,7 +2747,7 @@ func cmdTLSRPTDBAddReport(c *cmd) {
 	xcheckf(err, "parsing tls report in message")
 
 	mailfrom := from.User + "@" + from.Host // todo future: should escape and such
-	err = tlsrptdb.AddReport(context.Background(), domain, mailfrom, report)
+	err = tlsrptdb.AddReport(context.Background(), domain, mailfrom, hostReport, report)
 	xcheckf(err, "add tls report to database")
 }
 

metrics/panic.go

@@ -27,6 +27,7 @@ const (
 	Queue            Panic = "queue"
 	Smtpclient       Panic = "smtpclient"
 	Smtpserver       Panic = "smtpserver"
+	Tlsrptdb         Panic = "tlsrptdb"
 	Dkimverify       Panic = "dkimverify"
 	Spfverify        Panic = "spfverify"
 	Upgradethreads   Panic = "upgradethreads"

mox-/admin.go

@@ -523,11 +523,28 @@ func DomainRecords(domConf config.Domain, domain dns.Domain, hasDNSSEC bool) ([]
 
 	if d != h {
 		records = append(records,
-			"; For the machine, only needs to be created once, for the first domain added.",
+			"; For the machine, only needs to be created once, for the first domain added:",
+			"; ",
+			"; SPF-allow host for itself, resulting in relaxed DMARC pass for (postmaster)",
+			"; messages (DSNs) sent from host:",
 			fmt.Sprintf(`%-*s TXT "v=spf1 a -all"`, 20+len(d), h+"."), // ../rfc/7208:2263 ../rfc/7208:2287
 			"",
 		)
 	}
+	if d != h && Conf.Static.HostTLSRPT.ParsedLocalpart != "" {
+		uri := url.URL{
+			Scheme: "mailto",
+			Opaque: smtp.NewAddress(Conf.Static.HostTLSRPT.ParsedLocalpart, Conf.Static.HostnameDomain).Pack(false),
+		}
+		tlsrptr := tlsrpt.Record{Version: "TLSRPTv1", RUAs: [][]string{{uri.String()}}}
+		records = append(records,
+			"; For the machine, only needs to be created once, for the first domain added:",
+			"; ",
+			"; Request reporting about success/failures of TLS connections to (MX) host, for DANE.",
+			fmt.Sprintf(`_smtp._tls.%-*s         TXT "%s"`, 20+len(d)-len("_smtp._tls."), h+".", tlsrptr.String()),
+			"",
+		)
+	}
 
 	records = append(records,
 		"; Deliver email for the domain to this host.",