1// Package tlsrptdb stores reports from "SMTP TLS Reporting" in its database.
10 "github.com/prometheus/client_golang/prometheus"
11 "github.com/prometheus/client_golang/prometheus/promauto"
13 "github.com/mjl-/bstore"
15 "github.com/mjl-/mox/dns"
16 "github.com/mjl-/mox/mlog"
17 "github.com/mjl-/mox/mox-"
18 "github.com/mjl-/mox/tlsrpt"
22 metricSession = promauto.NewCounterVec(
23 prometheus.CounterOpts{
24 Name: "mox_tlsrptdb_session_total",
25 Help: "Number of sessions, both success and known result types.",
27 []string{"type"}, // Known result types, and "success"
30 knownResultTypes = map[tlsrpt.ResultType]struct{}{
31 tlsrpt.ResultSTARTTLSNotSupported: {},
32 tlsrpt.ResultCertificateHostMismatch: {},
33 tlsrpt.ResultCertificateExpired: {},
34 tlsrpt.ResultTLSAInvalid: {},
35 tlsrpt.ResultDNSSECInvalid: {},
36 tlsrpt.ResultDANERequired: {},
37 tlsrpt.ResultCertificateNotTrusted: {},
38 tlsrpt.ResultSTSPolicyInvalid: {},
39 tlsrpt.ResultSTSWebPKIInvalid: {},
40 tlsrpt.ResultValidationFailure: {},
41 tlsrpt.ResultSTSPolicyFetch: {},
45// Record is a TLS report as a database record, including information
49 Domain string `bstore:"index"` // Policy domain to which the TLS report applies. Unicode.
52 HostReport bool // Report for host TLSRPT record, as opposed to domain TLSRPT record.
56// AddReport adds a TLS report to the database.
58// The report should have come in over SMTP, with a DKIM-validated
59// verifiedFromDomain. Using HTTPS for reports is not recommended as there is no
60// authentication on the reports origin.
62// Only reports for known domains are added to the database. Unknown domains are
63// ignored without causing an error, unless no known domain was found in the report
66// Prometheus metrics are updated only for configured domains.
67func AddReport(ctx context.Context, log mlog.Log, verifiedFromDomain dns.Domain, mailFrom string, hostReport bool, r *tlsrpt.Report) error {
68 if len(r.Policies) == 0 {
69 return fmt.Errorf("no policies in report")
73 return ReportDB.Write(ctx, func(tx *bstore.Tx) error {
74 for _, p := range r.Policies {
77 d, err := dns.ParseDomain(pp.Domain)
79 return fmt.Errorf("invalid domain %v in tls report: %v", d, err)
82 if _, ok := mox.Conf.Domain(d); !ok && d != mox.Conf.Static.HostnameDomain {
83 log.Info("unknown host/recipient policy domain in tls report, not storing", slog.Any("domain", d), slog.String("mailfrom", mailFrom))
87 metricSession.WithLabelValues("success").Add(float64(p.Summary.TotalSuccessfulSessionCount))
88 for _, f := range p.FailureDetails {
90 if _, ok := knownResultTypes[f.ResultType]; ok {
91 result = string(f.ResultType)
95 metricSession.WithLabelValues(result).Add(float64(f.FailedSessionCount))
98 record := Record{0, d.Name(), verifiedFromDomain.Name(), mailFrom, d == mox.Conf.Static.HostnameDomain, *r}
99 if err := tx.Insert(&record); err != nil {
100 return fmt.Errorf("inserting report for domain: %w", err)
105 return fmt.Errorf("no domains in report recognized")
111// Records returns all TLS reports in the database.
112func Records(ctx context.Context) ([]Record, error) {
113 return bstore.QueryDB[Record](ctx, ReportDB).List()
116// RecordID returns the report for the ID.
117func RecordID(ctx context.Context, id int64) (Record, error) {
119 err := ReportDB.Get(ctx, &e)
123// RecordsPeriodPolicyDomain returns the reports overlapping start and end, for the
124// given policy domain. If policy domain is empty, records for all domains are
126func RecordsPeriodDomain(ctx context.Context, start, end time.Time, policyDomain dns.Domain) ([]Record, error) {
127 q := bstore.QueryDB[Record](ctx, ReportDB)
128 var zerodom dns.Domain
129 if policyDomain != zerodom {
130 q.FilterNonzero(Record{Domain: policyDomain.Name()})
132 q.FilterFn(func(r Record) bool {
133 dr := r.Report.DateRange
134 return !dr.Start.Before(start) && dr.Start.Before(end) || dr.End.After(start) && !dr.End.After(end)