-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathoutbound.go
More file actions
403 lines (364 loc) · 14.1 KB
/
Copy pathoutbound.go
File metadata and controls
403 lines (364 loc) · 14.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
package smtp
import (
"crypto/tls"
"fmt"
"io"
"log"
"net"
"strings"
"time"
godns "gomail/dns"
"gomail/mta_sts"
"gomail/store"
tlsconfig "gomail/tls"
)
// SendMail delivers a message to a remote SMTP server via MX lookup.
// This is used by the delivery worker for outbound messages.
// DSN parameters (dsnNotify, dsnRet, dsnEnvID) are optional and can be empty.
// requireTLS: if true, fails delivery if TLS cannot be established; if false, uses opportunistic TLS
// network: "tcp" (both IPv4 and IPv6), "tcp4" (IPv4 only), "tcp6" (IPv6 only)
// db: database for recording TLS failures (optional, can be nil)
func SendMail(from, to string, msg []byte, hostname string, tlsCfg *tls.Config, requireTLS bool, dsnNotify, dsnRet, dsnEnvID, network string, db *store.DB) error {
// Extract sender domain (for DANE/TLS settings lookup)
fromParts := strings.SplitN(from, "@", 2)
senderDomain := ""
if len(fromParts) == 2 {
senderDomain = fromParts[1]
}
// Extract recipient domain
parts := strings.SplitN(to, "@", 2)
if len(parts) != 2 {
return fmt.Errorf("invalid recipient address: %s", to)
}
recipientDomain := parts[1]
// Fetch MTA-STS policy for recipient domain
policy := mta_sts.FetchPolicy(recipientDomain)
if policy != nil {
log.Printf("[mta-sts] policy mode for %s: %s", recipientDomain, policy.Mode)
}
// MX lookup
mxRecords, err := godns.LookupMX(recipientDomain)
if err != nil {
return fmt.Errorf("MX lookup for %s: %w", recipientDomain, err)
}
// Try each MX in preference order
var lastErr error
for _, mx := range mxRecords {
// Check MTA-STS policy: validate MX host is in policy if policy exists
if policy != nil && policy.Mode != "none" {
// Check if this MX host is allowed by the policy
hostAllowed := false
for _, policyMX := range policy.MXHosts {
if strings.EqualFold(mx.Host, policyMX) {
hostAllowed = true
break
}
}
// Enforce TLS requirements based on policy mode
if policy.Mode == "enforce" {
// Enforce mode: skip hosts not in policy and require TLS
if !hostAllowed {
log.Printf("[mta-sts] MX host %s not in policy for %s, skipping", mx.Host, recipientDomain)
continue
}
err := deliverToHost(mx.Host, from, to, msg, hostname, tlsCfg, true, dsnNotify, dsnRet, dsnEnvID, network, db, recipientDomain, senderDomain)
if err == nil {
return nil // Success
}
lastErr = err
log.Printf("[mta-sts] ENFORCE delivery to %s failed: %v, trying next MX", mx.Host, err)
} else if policy.Mode == "testing" {
// Testing mode: log violations but allow delivery (even if host not in policy)
if !hostAllowed {
log.Printf("[mta-sts] TESTING: MX host %s not in policy for %s, but attempting anyway", mx.Host, recipientDomain)
}
err := deliverToHost(mx.Host, from, to, msg, hostname, tlsCfg, false, dsnNotify, dsnRet, dsnEnvID, network, db, recipientDomain, senderDomain)
if err == nil {
log.Printf("[mta-sts] TESTING delivery to %s succeeded", mx.Host)
return nil
}
lastErr = err
log.Printf("[mta-sts] TESTING violation for %s: %v", mx.Host, err)
}
} else {
// No policy or mode=none: use normal delivery with original requireTLS setting
err := deliverToHost(mx.Host, from, to, msg, hostname, tlsCfg, requireTLS, dsnNotify, dsnRet, dsnEnvID, network, db, recipientDomain, senderDomain)
if err == nil {
return nil // Success
}
lastErr = err
log.Printf("[smtp] delivery to %s failed: %v, trying next MX", mx.Host, err)
}
}
return fmt.Errorf("all MX hosts failed for %s: %w", recipientDomain, lastErr)
}
// deliverToHost connects to a specific SMTP host and delivers the message.
// requireTLS: if true, fails delivery if TLS cannot be established; if false, uses opportunistic TLS
// network: "tcp" (both IPv4 and IPv6), "tcp4" (IPv4 only), "tcp6" (IPv6 only)
// db: database for recording TLS failures (optional, can be nil)
// recipientDomain: recipient domain for TLS failure reporting (optional, used only if db != nil)
// senderDomain: sender domain for DANE/TLS enforcement settings lookup
func deliverToHost(host, from, to string, msg []byte, myHostname string, tlsCfg *tls.Config, requireTLS bool, dsnNotify, dsnRet, dsnEnvID, network string, db *store.DB, recipientDomain, senderDomain string) error {
// Connect to port 25
addr := host + ":25"
conn, err := net.DialTimeout(network, addr, 30*time.Second)
if err != nil {
return fmt.Errorf("connecting to %s: %w", addr, err)
}
defer conn.Close()
conn.SetDeadline(time.Now().Add(5 * time.Minute))
// Read greeting
reply, err := readReply(conn)
if err != nil {
return fmt.Errorf("reading greeting from %s: %w", host, err)
}
if !strings.HasPrefix(reply, "220") {
return fmt.Errorf("unexpected greeting from %s: %s", host, reply)
}
// EHLO
if err := sendCmd(conn, fmt.Sprintf("EHLO %s", myHostname)); err != nil {
return err
}
ehloReply, err := readReply(conn)
if err != nil {
return fmt.Errorf("EHLO reply from %s: %w", host, err)
}
if !strings.HasPrefix(ehloReply, "250") {
return fmt.Errorf("EHLO rejected by %s: %s", host, ehloReply)
}
// Check if server supports DSN (Delivery Status Notifications) and SMTPUTF8
supportsDSN := strings.Contains(ehloReply, "DSN")
supportsUTF8 := strings.Contains(ehloReply, "SMTPUTF8")
// Try STARTTLS if supported
if strings.Contains(ehloReply, "STARTTLS") && tlsCfg != nil {
if err := sendCmd(conn, "STARTTLS"); err == nil {
startTLSReply, err := readReply(conn)
if err == nil && strings.HasPrefix(startTLSReply, "220") {
clientTLS := tls.Client(conn, &tls.Config{
ServerName: host,
InsecureSkipVerify: false,
MinVersion: tls.VersionTLS12,
})
if err := clientTLS.Handshake(); err != nil {
// Record TLS failure for TLS-RPT reporting
if db != nil && recipientDomain != "" {
failureReason := "certificate-not-trusted"
if strings.Contains(err.Error(), "certificate") {
if strings.Contains(err.Error(), "expired") {
failureReason = "certificate-expired"
} else if strings.Contains(err.Error(), "verify") {
failureReason = "certificate-not-trusted"
} else {
failureReason = "certificate-host-mismatch"
}
}
clientIP := "unknown"
if conn.LocalAddr() != nil {
clientIP = strings.Split(conn.LocalAddr().String(), ":")[0]
}
_ = db.RecordTLSFailure(recipientDomain, failureReason, clientIP, host, strings.Split(addr, ":")[0])
}
if requireTLS {
return fmt.Errorf("TLS required but STARTTLS handshake with %s failed: %w", host, err)
}
log.Printf("[smtp] STARTTLS handshake with %s failed: %v (continuing with opportunistic TLS disabled)", host, err)
} else {
conn = clientTLS
// DANE verification (RFC 6698): Check certificate against TLSA records
// Fetch DANE enforcement setting from sender domain config
daneEnforcement := "disabled"
if db != nil && senderDomain != "" {
domainObj, err := db.GetDomainByName(senderDomain)
if err == nil && domainObj != nil && domainObj.DANEEnforcement != "" {
daneEnforcement = domainObj.DANEEnforcement
}
}
// Only query DANE if enforcement is not disabled (avoid unnecessary DNS queries)
if daneEnforcement != "disabled" {
daneValid, daneDetails, daneErr := tlsconfig.VerifyDANE(host, clientTLS)
clientIP := "unknown"
if conn.LocalAddr() != nil {
clientIP = strings.Split(conn.LocalAddr().String(), ":")[0]
}
if daneErr != nil {
log.Printf("[dane] DANE verification lookup failed for %s: %v", host, daneErr)
if daneEnforcement == "required" {
return fmt.Errorf("DANE verification required but lookup failed for %s: %v", host, daneErr)
} else if daneEnforcement == "optional" {
log.Printf("[dane] DANE enforcement OPTIONAL: allowing delivery despite lookup failure")
}
} else if daneValid {
log.Printf("[dane] DANE verification passed for %s: %s", host, daneDetails)
} else if daneDetails == "no TLSA records found (DANE not configured)" {
// No TLSA records found
if daneEnforcement == "required" {
// Record DANE verification failure for TLS-RPT reporting
if db != nil && recipientDomain != "" {
_ = db.RecordTLSFailure(recipientDomain, "tlsa-missing", clientIP, host,
strings.Split(addr, ":")[0])
log.Printf("[dane] DANE enforcement REQUIRED: no TLSA records found, recorded failure for TLS-RPT")
}
return fmt.Errorf("DANE verification required but no TLSA records found for %s", host)
} else if daneEnforcement == "optional" {
// optional mode: TLSA not configured, use standard TLS
log.Printf("[dane] no TLSA records for %s (DANE not configured, optional mode allows standard TLS)", host)
}
} else {
// TLSA records exist but certificate doesn't match
log.Printf("[dane] WARNING: DANE verification failed for %s: %s", host, daneDetails)
// Handle DANE enforcement level
if daneEnforcement == "required" {
// Record DANE verification failure for TLS-RPT reporting
if db != nil && recipientDomain != "" {
_ = db.RecordTLSFailure(recipientDomain, "tlsa-invalid-certificate", clientIP, host,
strings.Split(addr, ":")[0])
log.Printf("[dane] DANE enforcement REQUIRED: recorded failure for TLS-RPT")
}
return fmt.Errorf("DANE verification required but failed for %s: %s", host, daneDetails)
} else if daneEnforcement == "optional" {
// Log warning but continue - allow fallback to standard TLS
log.Printf("[dane] DANE enforcement OPTIONAL: allowing delivery despite DANE failure")
}
}
} else {
log.Printf("[dane] DANE verification disabled for %s (skipping TLSA queries)", host)
}
// Re-EHLO after STARTTLS and update DSN/UTF8 support flags
if err := sendCmd(conn, fmt.Sprintf("EHLO %s", myHostname)); err == nil {
postTLSEhlo, _ := readReply(conn)
supportsDSN = strings.Contains(postTLSEhlo, "DSN")
supportsUTF8 = strings.Contains(postTLSEhlo, "SMTPUTF8")
}
}
}
}
} else if requireTLS && !strings.Contains(ehloReply, "STARTTLS") {
// TLS required but server doesn't support STARTTLS
if db != nil && recipientDomain != "" {
clientIP := "unknown"
if conn.LocalAddr() != nil {
clientIP = strings.Split(conn.LocalAddr().String(), ":")[0]
}
_ = db.RecordTLSFailure(recipientDomain, "connection-refused", clientIP, host, strings.Split(addr, ":")[0])
}
return fmt.Errorf("TLS required but %s does not support STARTTLS", host)
}
// MAIL FROM with SMTPUTF8 parameter (if supported)
// Format: MAIL FROM:<addr> [SMTPUTF8] [RET=FULL|HDRS] [ENVID=<id>]
// RFC 6531: Include SMTPUTF8 parameter when server supports it and sender is non-ASCII
// Even if not advertised, try anyway - some servers support it without advertising
mailFromCmd := fmt.Sprintf("MAIL FROM:<%s>", from)
// Add SMTPUTF8 parameter if sender has non-ASCII characters and server supports it
if hasNonASCII(from) && supportsUTF8 {
mailFromCmd += " SMTPUTF8"
}
if supportsDSN {
if dsnRet != "" {
mailFromCmd += fmt.Sprintf(" RET=%s", dsnRet)
}
if dsnEnvID != "" {
mailFromCmd += fmt.Sprintf(" ENVID=%s", dsnEnvID)
}
}
if err := sendCmd(conn, mailFromCmd); err != nil {
return err
}
log.Printf("[smtp] sent MAIL FROM command: %s (smtputf8=%v, nonascii=%v)", mailFromCmd, supportsUTF8, hasNonASCII(from))
mailReply, err := readReply(conn)
if err != nil {
return err
}
if !strings.HasPrefix(mailReply, "250") {
return fmt.Errorf("MAIL FROM rejected by %s: %s", host, mailReply)
}
// RCPT TO with DSN and SMTPUTF8 parameters (RFC 3461, RFC 6531)
// Format: RCPT TO:<addr> [SMTPUTF8] [NOTIFY=SUCCESS|FAILURE|DELAY|NEVER] [ORCPT=rfc822;<addr>]
rcptToCmd := fmt.Sprintf("RCPT TO:<%s>", to)
// Add SMTPUTF8 parameter if any recipient has non-ASCII characters and server supports it
if hasNonASCII(to) && supportsUTF8 {
rcptToCmd += " SMTPUTF8"
}
if supportsDSN && dsnNotify != "" {
rcptToCmd += fmt.Sprintf(" NOTIFY=%s", dsnNotify)
}
if err := sendCmd(conn, rcptToCmd); err != nil {
return err
}
rcptReply, err := readReply(conn)
if err != nil {
return err
}
if !strings.HasPrefix(rcptReply, "250") {
return fmt.Errorf("RCPT TO rejected by %s: %s", host, rcptReply)
}
// DATA
if err := sendCmd(conn, "DATA"); err != nil {
return err
}
dataReply, err := readReply(conn)
if err != nil {
return err
}
if !strings.HasPrefix(dataReply, "354") {
return fmt.Errorf("DATA rejected by %s: %s", host, dataReply)
}
// Send message body
if _, err := conn.Write(msg); err != nil {
return fmt.Errorf("writing message to %s: %w", host, err)
}
// End with CRLF.CRLF
if _, err := conn.Write([]byte("\r\n.\r\n")); err != nil {
return fmt.Errorf("writing end-of-data to %s: %w", host, err)
}
finalReply, err := readReply(conn)
if err != nil {
return fmt.Errorf("reading final reply from %s: %w", host, err)
}
if !strings.HasPrefix(finalReply, "250") {
return fmt.Errorf("message rejected by %s: %s", host, finalReply)
}
// QUIT
sendCmd(conn, "QUIT")
readReply(conn) // Best effort
log.Printf("[smtp] delivered to %s via %s", to, host)
return nil
}
func sendCmd(conn net.Conn, cmd string) error {
_, err := fmt.Fprintf(conn, "%s\r\n", cmd)
return err
}
func readReply(conn net.Conn) (string, error) {
buf := make([]byte, 4096)
var reply strings.Builder
for {
n, err := conn.Read(buf)
if n > 0 {
reply.Write(buf[:n])
}
if err != nil {
if err == io.EOF {
break
}
return reply.String(), err
}
// Check if we have a complete reply (line ending without continuation)
lines := strings.Split(reply.String(), "\n")
lastLine := strings.TrimRight(lines[len(lines)-1], "\r\n ")
if lastLine == "" && len(lines) > 1 {
lastLine = strings.TrimRight(lines[len(lines)-2], "\r\n ")
}
if len(lastLine) >= 4 && lastLine[3] == ' ' {
break
}
}
return strings.TrimSpace(reply.String()), nil
}
// hasNonASCII checks if an email address contains non-ASCII (UTF-8) characters
func hasNonASCII(addr string) bool {
for _, r := range addr {
if r > 127 {
return true
}
}
return false
}