1// Package tlsrptdb stores reports from "SMTP TLS Reporting" in its database.

2package tlsrptdb

3

4import (

5 "context"

6 "fmt"

7 "log/slog"

8 "os"

9 "path/filepath"

10 "time"

11

12 "github.com/prometheus/client_golang/prometheus"

13 "github.com/prometheus/client_golang/prometheus/promauto"

14

15 "github.com/mjl-/bstore"

16

17 "github.com/mjl-/mox/dns"

18 "github.com/mjl-/mox/mlog"

19 "github.com/mjl-/mox/mox-"

20 "github.com/mjl-/mox/tlsrpt"

21)

22

23var (

24 metricSession = promauto.NewCounterVec(

25 prometheus.CounterOpts{

26 Name: "mox_tlsrptdb_session_total",

27 Help: "Number of sessions, both success and known result types.",

28 },

29 []string{"type"}, // Known result types, and "success"

30 )

31

32 knownResultTypes = map[tlsrpt.ResultType]struct{}{

33 tlsrpt.ResultSTARTTLSNotSupported: {},

34 tlsrpt.ResultCertificateHostMismatch: {},

35 tlsrpt.ResultCertificateExpired: {},

36 tlsrpt.ResultTLSAInvalid: {},

37 tlsrpt.ResultDNSSECInvalid: {},

38 tlsrpt.ResultDANERequired: {},

39 tlsrpt.ResultCertificateNotTrusted: {},

40 tlsrpt.ResultSTSPolicyInvalid: {},

41 tlsrpt.ResultSTSWebPKIInvalid: {},

42 tlsrpt.ResultValidationFailure: {},

43 tlsrpt.ResultSTSPolicyFetch: {},

44 }

45)

46

47// Record is a TLS report as a database record, including information

48// about the sender.

49type Record struct {

50 ID int64

51 Domain string `bstore:"index"` // Policy domain to which the TLS report applies. Unicode.

52 FromDomain string

53 MailFrom string

54 HostReport bool // Report for host TLSRPT record, as opposed to domain TLSRPT record.

55 Report tlsrpt.Report

56}

57

58func reportDB(ctx context.Context) (rdb *bstore.DB, rerr error) {

59 mutex.Lock()

60 defer mutex.Unlock()

61 if ReportDB == nil {

62 p := mox.DataDirPath("tlsrpt.db")

63 os.MkdirAll(filepath.Dir(p), 0770)

64 db, err := bstore.Open(ctx, p, &bstore.Options{Timeout: 5 * time.Second, Perm: 0660}, ReportDBTypes...)

65 if err != nil {

66 return nil, err

67 }

68 ReportDB = db

69 }

70 return ReportDB, nil

71}

72

73// AddReport adds a TLS report to the database.

74//

75// The report should have come in over SMTP, with a DKIM-validated

76// verifiedFromDomain. Using HTTPS for reports is not recommended as there is no

77// authentication on the reports origin.

78//

79// Only reports for known domains are added to the database. Unknown domains are

80// ignored without causing an error, unless no known domain was found in the report

81// at all.

82//

83// Prometheus metrics are updated only for configured domains.

84func AddReport(ctx context.Context, log mlog.Log, verifiedFromDomain dns.Domain, mailFrom string, hostReport bool, r *tlsrpt.Report) error {

85 db, err := reportDB(ctx)

86 if err != nil {

87 return err

88 }

89

90 if len(r.Policies) == 0 {

91 return fmt.Errorf("no policies in report")

92 }

93

94 var inserted int

95 return db.Write(ctx, func(tx *bstore.Tx) error {

96 for _, p := range r.Policies {

97 pp := p.Policy

98

99 d, err := dns.ParseDomain(pp.Domain)

100 if err != nil {

101 return fmt.Errorf("invalid domain %v in tls report: %v", d, err)

102 }

103

104 if _, ok := mox.Conf.Domain(d); !ok && d != mox.Conf.Static.HostnameDomain {

105 log.Info("unknown host/recipient policy domain in tls report, not storing", slog.Any("domain", d), slog.String("mailfrom", mailFrom))

106 continue

107 }

108

109 metricSession.WithLabelValues("success").Add(float64(p.Summary.TotalSuccessfulSessionCount))

110 for _, f := range p.FailureDetails {

111 var result string

112 if _, ok := knownResultTypes[f.ResultType]; ok {

113 result = string(f.ResultType)

114 } else {

115 result = "other"

116 }

117 metricSession.WithLabelValues(result).Add(float64(f.FailedSessionCount))

118 }

119

120 record := Record{0, d.Name(), verifiedFromDomain.Name(), mailFrom, d == mox.Conf.Static.HostnameDomain, *r}

121 if err := tx.Insert(&record); err != nil {

122 return fmt.Errorf("inserting report for domain: %w", err)

123 }

124 inserted++

125 }

126 if inserted == 0 {

127 return fmt.Errorf("no domains in report recognized")

128 }

129 return nil

130 })

131}

132

133// Records returns all TLS reports in the database.

134func Records(ctx context.Context) ([]Record, error) {

135 db, err := reportDB(ctx)

136 if err != nil {

137 return nil, err

138 }

139 return bstore.QueryDB[Record](ctx, db).List()

140}

141

142// RecordID returns the report for the ID.

143func RecordID(ctx context.Context, id int64) (Record, error) {

144 db, err := reportDB(ctx)

145 if err != nil {

146 return Record{}, err

147 }

148

149 e := Record{ID: id}

150 err = db.Get(ctx, &e)

151 return e, err

152}

153

154// RecordsPeriodPolicyDomain returns the reports overlapping start and end, for the

155// given policy domain. If policy domain is empty, records for all domains are

156// returned.

157func RecordsPeriodDomain(ctx context.Context, start, end time.Time, policyDomain dns.Domain) ([]Record, error) {

158 db, err := reportDB(ctx)

159 if err != nil {

160 return nil, err

161 }

162

163 q := bstore.QueryDB[Record](ctx, db)

164 var zerodom dns.Domain

165 if policyDomain != zerodom {

166 q.FilterNonzero(Record{Domain: policyDomain.Name()})

167 }

168 q.FilterFn(func(r Record) bool {

169 dr := r.Report.DateRange

170 return !dr.Start.Before(start) && dr.Start.Before(end) || dr.End.After(start) && !dr.End.After(end)

171 })

172 return q.List()

173}

174