From e59f894a94c21347d1c3e70d72375926e00850da Mon Sep 17 00:00:00 2001
From: Mechiel Lukkien
Date: Fri, 6 Dec 2024 14:50:02 +0100
Subject: [PATCH] add an option for the smtp delivery listener to enable/disable tls session tickets

the field is optional. if absent, the default behaviour is currently to disable session tickets. users can set the option if they want to try if delivery from microsoft is working again. in a future version, we can switch the default to enabling session tickets. the previous fix was to disable session tickets for all tls connections, including https. that was a bit much. for issue #237
---
 autotls/autotls.go | 1 -
 config/config.go | 2 ++
 config/doc.go | 4 ++++
 mox-/config.go | 3 +--
 smtpserver/server.go | 7 +++++++
 5 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/autotls/autotls.go b/autotls/autotls.go
index 77c7b15..4bbc229 100644
--- a/autotls/autotls.go
+++ b/autotls/autotls.go
@@ -229,7 +229,6 @@ func (m *Manager) TLSConfig(fallbackHostname dns.Domain, fallbackNoSNI, fallback
 GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 return m.loggingGetCertificate(hello, fallbackHostname, fallbackNoSNI, fallbackUnknownSNI)
 },
- SessionTicketsDisabled: true,
 }
 }
 
diff --git a/config/config.go b/config/config.go
index 86acb2b..5d36df6 100644
--- a/config/config.go
+++ b/config/config.go
@@ -158,6 +158,8 @@ type Listener struct {
 FirstTimeSenderDelay *time.Duration `sconf:"optional" sconf-doc:"Delay before accepting a message from a first-time sender for the destination account. Default: 15s."`
 
+ TLSSessionTicketsDisabled *bool `sconf:"optional" sconf-doc:"Override default setting for enabling TLS session tickets. Disabling session tickets may work around TLS interoperability issues."`
+
 DNSBLZones []dns.Domain `sconf:"-"`
 } `sconf:"optional"`
 Submission struct {
diff --git a/config/doc.go b/config/doc.go
index a2e2571..cccc5bb 100644
--- a/config/doc.go
+++ b/config/doc.go
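Review bot: The sconf-doc on the new `TLSSessionTicketsDisabled` field in config/config.go does not say what happens when the field is absent; per the commit message and the smtpserver/server.go hunk (`listener.SMTP.TLSSessionTicketsDisabled == nil || *listener.SMTP.TLSSessionTicketsDisabled`) an absent field currently means session tickets are disabled, while the example emitted in config/doc.go reads `TLSSessionTicketsDisabled: false`, the opposite of the effective default. Since this is the knob operators will reach for when diagnosing delivery problems, the tag should state the default in the same style as the neighbouring `Default: 15s.`, e.g. end the sconf-doc text with `Default: true (session tickets disabled).`. config/doc.go appears to be generated from these tags, so regenerating it would pick the wording up. The Listener struct continues outside the hunk.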
@@ -262,6 +262,10 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
 # account. Default: 15s. (optional)
 FirstTimeSenderDelay: 0s
 
+ # Override default setting for enabling TLS session tickets. Disabling session
+ # tickets may work around TLS interoperability issues. (optional)
+ TLSSessionTicketsDisabled: false
+
 # SMTP for submitting email, e.g. by email applications. Starts out in plain text,
 # can be upgraded to TLS with the STARTTLS command. Prefer using Submissions which
 # is always a TLS connection. (optional)
diff --git a/mox-/config.go b/mox-/config.go
index 1abd00c..826aa16 100644
--- a/mox-/config.go
+++ b/mox-/config.go
@@ -1933,8 +1933,7 @@ func loadTLSKeyCerts(configFile, kind string, ctls *config.TLS) error {
 certs = append(certs, cert)
 }
 ctls.Config = &tls.Config{
- Certificates: certs,
- SessionTicketsDisabled: true,
+ Certificates: certs,
 }
 ctls.ConfigFallback = ctls.Config
 return nil
diff --git a/smtpserver/server.go b/smtpserver/server.go
index f933a8f..e90f0c9 100644
--- a/smtpserver/server.go
+++ b/smtpserver/server.go
@@ -229,6 +229,13 @@ func Listen() {
 port := config.Port(listener.SMTP.Port, 25)
 for _, ip := range listener.IPs {
 firstTimeSenderDelay := durationDefault(listener.SMTP.FirstTimeSenderDelay, firstTimeSenderDelayDefault)
+ if tlsConfigDelivery != nil {
+ tlsConfigDelivery = tlsConfigDelivery.Clone()
+ // Default setting is currently to have session tickets disabled, to work around
+ // TLS interoperability issues with incoming deliveries from Microsoft. See
+ // https://github.com/golang/go/issues/70232.
+ tlsConfigDelivery.SessionTicketsDisabled = listener.SMTP.TLSSessionTicketsDisabled == nil || *listener.SMTP.TLSSessionTicketsDisabled
+ }
 listen1("smtp", name, ip, port, hostname, tlsConfigDelivery, false, false, maxMsgSize, false, listener.SMTP.RequireSTARTTLS, !listener.SMTP.NoRequireTLS, listener.SMTP.DNSBLZones, firstTimeSenderDelay)
 }
 }
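Review bot: The new block in smtpserver/server.go reassigns the outer `tlsConfigDelivery` inside `for _, ip := range listener.IPs`, so every IP clones the previous iteration's clone and the mutated config is left behind in the outer variable for whatever else in Listen uses it (Listen's body starts and ends outside the hunk, so I cannot see whether anything does). Cloning before the write is right, since a tls.Config already handed to a listener must not be modified, but the override depends only on the listener, not the IP, so it belongs once above the loop in its own variable, e.g. `smtpTLSConfig := tlsConfigDelivery.Clone()` followed by the `SessionTicketsDisabled` assignment, with `smtpTLSConfig` passed to `listen1` in place of `tlsConfigDelivery`. The existing `!= nil` guard carries over unchanged for listeners without a TLS config.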