add an option for the smtp delivery listener to enable/disable tls session tickets

the field is optional. if absent, the default behaviour is currently to disable session tickets. users can set the option if they want to try if delivery from microsoft is working again. in a future version, we can switch the default to enabling session tickets. the previous fix was to disable session tickets for all tls connections, including https. that was a bit much. for issue #237
2024-12-26 00:13:47 +03:00 · 2024-12-06 14:50:02 +01:00 · 2024-12-06 14:50:02 +01:00 · e59f894a94
commit e59f894a94
parent 42793834f8
5 changed files with 14 additions and 3 deletions
--- a/autotls/autotls.go
+++ b/autotls/autotls.go
@ -229,7 +229,6 @@ func (m *Manager) TLSConfig(fallbackHostname dns.Domain, fallbackNoSNI, fallback
 		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 			return m.loggingGetCertificate(hello, fallbackHostname, fallbackNoSNI, fallbackUnknownSNI)
 		},
 		SessionTicketsDisabled: true,
 	}
 }
--- a/config/config.go
+++ b/config/config.go
@ -158,6 +158,8 @@ type Listener struct {
 		FirstTimeSenderDelay *time.Duration `sconf:"optional" sconf-doc:"Delay before accepting a message from a first-time sender for the destination account. Default: 15s."`
 		TLSSessionTicketsDisabled *bool `sconf:"optional" sconf-doc:"Override default setting for enabling TLS session tickets. Disabling session tickets may work around TLS interoperability issues."`
 		DNSBLZones []dns.Domain `sconf:"-"`
 	} `sconf:"optional"`
 	Submission struct {
--- a/config/doc.go
+++ b/config/doc.go
@ -262,6 +262,10 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
 				# account. Default: 15s. (optional)
 				FirstTimeSenderDelay: 0s
 				# Override default setting for enabling TLS session tickets. Disabling session
 				# tickets may work around TLS interoperability issues. (optional)
 				TLSSessionTicketsDisabled: false
 			# SMTP for submitting email, e.g. by email applications. Starts out in plain text,
 			# can be upgraded to TLS with the STARTTLS command. Prefer using Submissions which
 			# is always a TLS connection. (optional)
--- a/mox-/config.go
+++ b/mox-/config.go
@ -1933,8 +1933,7 @@ func loadTLSKeyCerts(configFile, kind string, ctls *config.TLS) error {
 		certs = append(certs, cert)
 	}
 	ctls.Config = &tls.Config{
-		Certificates:           certs,
+		Certificates: certs,
 		SessionTicketsDisabled: true,
 	}
 	ctls.ConfigFallback = ctls.Config
 	return nil
--- a/smtpserver/server.go
+++ b/smtpserver/server.go
@ -229,6 +229,13 @@ func Listen() {
 			port := config.Port(listener.SMTP.Port, 25)
 			for _, ip := range listener.IPs {
 				firstTimeSenderDelay := durationDefault(listener.SMTP.FirstTimeSenderDelay, firstTimeSenderDelayDefault)
 				if tlsConfigDelivery != nil {
 					tlsConfigDelivery = tlsConfigDelivery.Clone()
 					// Default setting is currently to have session tickets disabled, to work around
 					// TLS interoperability issues with incoming deliveries from Microsoft. See
 					// https://github.com/golang/go/issues/70232.
 					tlsConfigDelivery.SessionTicketsDisabled = listener.SMTP.TLSSessionTicketsDisabled == nil || *listener.SMTP.TLSSessionTicketsDisabled
 				}
 				listen1("smtp", name, ip, port, hostname, tlsConfigDelivery, false, false, maxMsgSize, false, listener.SMTP.RequireSTARTTLS, !listener.SMTP.NoRequireTLS, listener.SMTP.DNSBLZones, firstTimeSenderDelay)
 			}
 		}