serv/mox
1
0
Fork 0
mirror of https://github.com/mjl-/mox.git synced 2024-12-26 08:23:48 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

add metric for number of times we fallback to plaintext delivery

Browse source
This commit is contained in:
Mechiel Lukkien 2023-10-24 13:09:48 +02:00
parent f9eb18b6a8
commit a6d55b7e76
No known key found for this signature in database
1 changed files with 13 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
queue/direct.go
View file

@ -78,6 +78,12 @@ var (
"reason", // nopolicy (no mta-sts and no dane), norequiretls (smtp server does not support requiretls)
},
)
metricPlaintextFallback = promauto.NewCounter(
prometheus.CounterOpts{
Name: "mox_queue_plaintext_fallback_total",
Help: "Delivery attempts with fallback to plain text delivery.",
},
)
)
// todo: rename function, perhaps put some of the params in a delivery struct so we don't pass all the params all the time?
@ -180,8 +186,6 @@ func deliverDirect(cid int64, qlog *mlog.Log, resolver dns.Resolver, dialer smtp
nmissingRequireTLS := 0
// todo: should make distinction between host permanently not accepting the message, and the message not being deliverable permanently. e.g. a mx host may have a size limit, or not accept 8bitmime, while another host in the list does accept the message. same for smtputf8, ../rfc/6531:555
for _, h := range hosts {
var badTLS, ok bool
// ../rfc/8461:913
if policy != nil && !policy.Matches(h.Domain) {
var policyHosts []string
@ -222,15 +226,17 @@ func deliverDirect(cid int64, qlog *mlog.Log, resolver dns.Resolver, dialer smtp
// usually with verification of the certificate.
var daneRequired bool
var badTLS, ok bool
enforceMTASTS := policy != nil && policy.Mode == mtasts.ModeEnforce
permanent, daneRequired, badTLS, secodeOpt, remoteIP, errmsg, ok = deliverHost(nqlog, resolver, dialer, cid, ourHostname, transportName, h, enforceMTASTS, haveMX, origNextHopAuthentic, origNextHop, expandedNextHopAuthentic, expandedNextHop, &m, tlsMode)
// If we had a TLS-related failure when doing opportunistic (optional) TLS, and no
// DANE records were not found, we should try again without TLS. This could be an
// old server that only does ancient TLS versions, or has a misconfiguration. Note
// that opportunistic TLS does not do regular certificate verification, so that can't
// be the problem.
// If we had a TLS-related failure when doing TLS, and we don't have a requirement for MTA-STS/DANE,
// we try again without TLS. This could be an old
// server that only does ancient TLS versions, or has a misconfiguration. Note that
// opportunistic TLS does not do regular certificate verification, so that can't be
// the problem.
if !ok && badTLS && (!enforceMTASTS && tlsMode == smtpclient.TLSOpportunistic && !daneRequired || m.RequireTLS != nil && !*m.RequireTLS) {
metricPlaintextFallback.Inc()
if m.RequireTLS != nil && !*m.RequireTLS {
metricTLSRequiredNoIgnored.WithLabelValues("badtls").Inc()
}