implement outgoing tls reports

we were already accepting, processing and displaying incoming tls reports. now
we start tracking TLS connection and security-policy-related errors for
outgoing message deliveries as well. we send reports once a day, to the
reporting addresses specified in TLSRPT records (rua) of a policy domain. these
reports are about MTA-STS policies and/or DANE policies, and about
STARTTLS-related failures.

sending reports is enabled by default, but can be disabled through setting
NoOutgoingTLSReports in mox.conf.

only at the end of the implementation process came the realization that the
TLSRPT policy domain for DANE (MX) hosts are separate from the TLSRPT policy
for the recipient domain, and that MTA-STS and DANE TLS/policy results are
typically delivered in separate reports. so MX hosts need their own TLSRPT
policies.

config for the per-host TLSRPT policy should be added to mox.conf for existing
installs, in field HostTLSRPT. it is automatically configured by quickstart for
new installs. with a HostTLSRPT config, the "dns records" and "dns check" admin
pages now suggest the per-host TLSRPT record. by creating that record, you're
requesting TLS reports about your MX host.

gathering all the TLS/policy results is somewhat tricky. the tentacles go
throughout the code. the positive result is that the TLS/policy-related code
had to be cleaned up a bit. for example, the smtpclient TLS modes now reflect
reality better, with independent settings about whether PKIX and/or DANE
verification has to be done, and/or whether verification errors have to be
ignored (e.g. for tls-required: no header). also, cached mtasts policies of
mode "none" are now cleaned up once the MTA-STS DNS record goes away.

smtpserver/analyze.go

@@ -210,7 +210,7 @@ func analyze(ctx context.Context, log *mlog.Log, resolver dns.Resolver, d delive
 	// Similar to DMARC reporting, we check for the required DKIM. We'll check
 	// reputation, defaulting to accept.
 	var tlsReport *tlsrpt.Report
-	if d.rcptAcc.destination.TLSReports {
+	if d.rcptAcc.destination.HostTLSReports || d.rcptAcc.destination.DomainTLSReports {
 		// Valid DKIM signature for domain must be present. We take "valid" to assume
 		// "passing", not "syntactically valid". We also check for "tlsrpt" as service.
 		// This check is optional, but if anyone goes through the trouble to explicitly
@@ -218,6 +218,13 @@ func analyze(ctx context.Context, log *mlog.Log, resolver dns.Resolver, d delive
 		// ../rfc/8460:320
 		ok := false
 		for _, r := range d.dkimResults {
+			// The record should have an allowed service "tlsrpt". The RFC mentions it as if
+			// the service must be specified explicitly, but the default allowed services for a
+			// DKIM record are "*", which includes "tlsrpt". Unless a the DKIM record
+			// explicitly specifies services (e.g. s=email), a record will work for TLS
+			// reports. The DKIM records seen used for TLS reporting in the wild don't
+			// explicitly set "s" for services.
+			// ../rfc/8460:326
 			if r.Status == dkim.StatusPass && r.Sig.Domain == d.msgFrom.Domain && r.Sig.Length < 0 && r.Record.ServiceAllowed("tlsrpt") {
 				ok = true
 				break

smtpserver/server.go

@@ -295,7 +295,7 @@ type conn struct {
 	log                   *mlog.Log
 	maxMessageSize        int64
 	requireTLSForAuth     bool
-	requireTLSForDelivery bool
+	requireTLSForDelivery bool      // If set, delivery is only allowed with TLS (STARTTLS), except if delivery is to a TLS reporting address.
 	cmd                   string    // Current command.
 	cmdStart              time.Time // Start of current command.
 	ncmds                 int       // Number of commands processed. Used to abort connection when first incoming command is unknown/invalid.
@@ -761,14 +761,22 @@ func (c *conn) xneedHello() {
 	}
 }
 
-// If smtp server is configured to require TLS for all mail delivery, abort command.
-func (c *conn) xneedTLSForDelivery() {
-	if c.requireTLSForDelivery && !c.tls {
+// If smtp server is configured to require TLS for all mail delivery (except to TLS
+// reporting address), abort command.
+func (c *conn) xneedTLSForDelivery(rcpt smtp.Path) {
+	// For TLS reports, we allow the message in even without TLS, because there may be
+	// TLS interopability problems. ../rfc/8460:316
+	if c.requireTLSForDelivery && !c.tls && !isTLSReportRecipient(rcpt) {
 		// ../rfc/3207:148
 		xsmtpUserErrorf(smtp.C530SecurityRequired, smtp.SePol7Other0, "STARTTLS required for mail delivery")
 	}
 }
 
+func isTLSReportRecipient(rcpt smtp.Path) bool {
+	_, _, dest, err := mox.FindAccount(rcpt.Localpart, rcpt.IPDomain.Domain, false)
+	return err == nil && (dest.HostTLSReports || dest.DomainTLSReports)
+}
+
 func (c *conn) cmdHelo(p *parser) {
 	c.cmdHello(p, false)
 }
@@ -1219,7 +1227,6 @@ func (c *conn) cmdMail(p *parser) {
 
 	c.xneedHello()
 	c.xcheckAuth()
-	c.xneedTLSForDelivery()
 	if c.mailFrom != nil {
 		// ../rfc/5321:2507, though ../rfc/5321:1029 contradicts, implying a MAIL would also reset, but ../rfc/5321:1160 decides.
 		xsmtpUserErrorf(smtp.C503BadCmdSeq, smtp.SeProto5BadCmdOrSeq1, "already have MAIL")
@@ -1368,7 +1375,6 @@ func (c *conn) cmdMail(p *parser) {
 func (c *conn) cmdRcpt(p *parser) {
 	c.xneedHello()
 	c.xcheckAuth()
-	c.xneedTLSForDelivery()
 	if c.mailFrom == nil {
 		// ../rfc/5321:1088
 		xsmtpUserErrorf(smtp.C503BadCmdSeq, smtp.SeProto5BadCmdOrSeq1, "missing MAIL FROM")
@@ -1398,6 +1404,12 @@ func (c *conn) cmdRcpt(p *parser) {
 	}
 	p.xend()
 
+	// Check if TLS is enabled if required. It's not great that sender/recipient
+	// addresses may have been exposed in plaintext before we can reject delivery. The
+	// recipient could be the tls reporting addresses, which must always be able to
+	// receive in plain text.
+	c.xneedTLSForDelivery(fpath)
+
 	// todo future: for submission, should we do explicit verification that domains are fully qualified? also for mail from. ../rfc/6409:420
 
 	if len(c.recipients) >= 100 {
@@ -1496,7 +1508,6 @@ func (c *conn) cmdRcpt(p *parser) {
 func (c *conn) cmdData(p *parser) {
 	c.xneedHello()
 	c.xcheckAuth()
-	c.xneedTLSForDelivery()
 	if c.mailFrom == nil {
 		// ../rfc/5321:1130
 		xsmtpUserErrorf(smtp.C503BadCmdSeq, smtp.SeProto5BadCmdOrSeq1, "missing MAIL FROM")
@@ -2525,7 +2536,7 @@ func (c *conn) deliver(ctx context.Context, recvHdrFor func(string) string, msgW
 				// loop. We also don't want to be used for sending reports to unsuspecting domains
 				// we have no relation with.
 				// todo: would it make sense to also mark some percentage of mailing-list-policy-overrides optional? to lower the load on mail servers of folks sending to large mailing lists.
-				Optional: rcptAcc.destination.DMARCReports || rcptAcc.destination.TLSReports || a.reason == reasonDMARCPolicy && unknownDomain(),
+				Optional: rcptAcc.destination.DMARCReports || rcptAcc.destination.HostTLSReports || rcptAcc.destination.DomainTLSReports || a.reason == reasonDMARCPolicy && unknownDomain(),
 
 				Addresses: addresses,
 
@@ -2643,7 +2654,7 @@ func (c *conn) deliver(ctx context.Context, recvHdrFor func(string) string, msgW
 		}
 		if a.tlsReport != nil {
 			// todo future: add rate limiting to prevent DoS attacks.
-			if err := tlsrptdb.AddReport(ctx, msgFrom.Domain, c.mailFrom.String(), a.tlsReport); err != nil {
+			if err := tlsrptdb.AddReport(ctx, msgFrom.Domain, c.mailFrom.String(), rcptAcc.destination.HostTLSReports, a.tlsReport); err != nil {
 				log.Errorx("saving TLSRPT report in database", err)
 			} else {
 				log.Info("tlsrpt report processed")

smtpserver/server_test.go

@@ -93,6 +93,7 @@ type testserver struct {
 	requiretls bool
 	dnsbls     []dns.Domain
 	tlsmode    smtpclient.TLSMode
+	tlspkix    bool
 }
 
 func newTestServer(t *testing.T, configPath string, resolver dns.Resolver) *testserver {
@@ -164,7 +165,11 @@ func (ts *testserver) run(fn func(helloErr error, client *smtpclient.Client)) {
 
 	ourHostname := mox.Conf.Static.HostnameDomain
 	remoteHostname := dns.Domain{ASCII: "mox.example"}
-	client, err := smtpclient.New(ctxbg, xlog.WithCid(ts.cid-1), clientConn, ts.tlsmode, ourHostname, remoteHostname, auth, nil, nil, nil)
+	opts := smtpclient.Opts{
+		Auth:    auth,
+		RootCAs: mox.Conf.Static.TLS.CertPool,
+	}
+	client, err := smtpclient.New(ctxbg, xlog.WithCid(ts.cid-1), clientConn, ts.tlsmode, ts.tlspkix, ourHostname, remoteHostname, opts)
 	if err != nil {
 		clientConn.Close()
 	} else {