add an option for the smtp delivery listener to enable/disable tls session tickets

the field is optional. if absent, the default behaviour is currently to disable
session tickets. users can set the option if they want to try if delivery from
microsoft is working again. in a  future version, we can switch the default to
enabling session tickets.

the previous fix was to disable session tickets for all tls connections,
including https. that was a bit much.

for issue #237
This commit is contained in:
Mechiel Lukkien 2024-12-06 14:50:02 +01:00
parent 42793834f8
commit e59f894a94
No known key found for this signature in database
5 changed files with 14 additions and 3 deletions

View file

@ -229,7 +229,6 @@ func (m *Manager) TLSConfig(fallbackHostname dns.Domain, fallbackNoSNI, fallback
GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
return m.loggingGetCertificate(hello, fallbackHostname, fallbackNoSNI, fallbackUnknownSNI)
},
SessionTicketsDisabled: true,
}
}

View file

@ -158,6 +158,8 @@ type Listener struct {
FirstTimeSenderDelay *time.Duration `sconf:"optional" sconf-doc:"Delay before accepting a message from a first-time sender for the destination account. Default: 15s."`
TLSSessionTicketsDisabled *bool `sconf:"optional" sconf-doc:"Override default setting for enabling TLS session tickets. Disabling session tickets may work around TLS interoperability issues."`
DNSBLZones []dns.Domain `sconf:"-"`
} `sconf:"optional"`
Submission struct {

View file

@ -262,6 +262,10 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
# account. Default: 15s. (optional)
FirstTimeSenderDelay: 0s
# Override default setting for enabling TLS session tickets. Disabling session
# tickets may work around TLS interoperability issues. (optional)
TLSSessionTicketsDisabled: false
# SMTP for submitting email, e.g. by email applications. Starts out in plain text,
# can be upgraded to TLS with the STARTTLS command. Prefer using Submissions which
# is always a TLS connection. (optional)

View file

@ -1933,8 +1933,7 @@ func loadTLSKeyCerts(configFile, kind string, ctls *config.TLS) error {
certs = append(certs, cert)
}
ctls.Config = &tls.Config{
Certificates: certs,
SessionTicketsDisabled: true,
Certificates: certs,
}
ctls.ConfigFallback = ctls.Config
return nil

View file

@ -229,6 +229,13 @@ func Listen() {
port := config.Port(listener.SMTP.Port, 25)
for _, ip := range listener.IPs {
firstTimeSenderDelay := durationDefault(listener.SMTP.FirstTimeSenderDelay, firstTimeSenderDelayDefault)
if tlsConfigDelivery != nil {
tlsConfigDelivery = tlsConfigDelivery.Clone()
// Default setting is currently to have session tickets disabled, to work around
// TLS interoperability issues with incoming deliveries from Microsoft. See
// https://github.com/golang/go/issues/70232.
tlsConfigDelivery.SessionTicketsDisabled = listener.SMTP.TLSSessionTicketsDisabled == nil || *listener.SMTP.TLSSessionTicketsDisabled
}
listen1("smtp", name, ip, port, hostname, tlsConfigDelivery, false, false, maxMsgSize, false, listener.SMTP.RequireSTARTTLS, !listener.SMTP.NoRequireTLS, listener.SMTP.DNSBLZones, firstTimeSenderDelay)
}
}