1// Package mtasts implements MTA-STS (SMTP MTA Strict Transport Security, RFC 8461)
2// which allows a domain to specify SMTP TLS requirements.
4// SMTP for message delivery to a remote mail server always starts out unencrypted,
5// in plain text. STARTTLS allows upgrading the connection to TLS, but is optional
6// and by default mail servers will fall back to plain text communication if
7// STARTTLS does not work (which can be sabotaged by DNS manipulation or SMTP
8// connection manipulation). MTA-STS can specify a policy for requiring STARTTLS to
9// be used for message delivery. A TXT DNS record at "_mta-sts.<domain>" specifies
10// the version of the policy, and
11// "https://mta-sts.<domain>/.well-known/mta-sts.txt" serves the policy.
23 "golang.org/x/exp/slog"
25 "github.com/mjl-/adns"
27 "github.com/mjl-/mox/dns"
28 "github.com/mjl-/mox/mlog"
29 "github.com/mjl-/mox/moxio"
30 "github.com/mjl-/mox/stub"
34 MetricGet stub.HistogramVec = stub.HistogramVecIgnore{}
35 HTTPClientObserve func(ctx context.Context, log *slog.Logger, pkg, method string, statusCode int, err error, start time.Time) = stub.HTTPClientObserveIgnore
38// Pair is an extension key/value pair in a MTA-STS DNS record or policy.
44// Record is an MTA-STS DNS record, served under "_mta-sts.<domain>" as a TXT
49// v=STSv1; id=20160831085700Z
51 Version string // "STSv1", for "v=". Required.
52 ID string // Record version, for "id=". Required.
53 Extensions []Pair // Optional extensions.
56// String returns a textual version of the MTA-STS record for use as DNS TXT
58func (r Record) String() string {
59 b := &strings.Builder{}
60 fmt.Fprint(b, "v="+r.Version)
61 fmt.Fprint(b, "; id="+r.ID)
62 for _, p := range r.Extensions {
63 fmt.Fprint(b, "; "+p.Key+"="+p.Value)
68// Mode indicates how the policy should be interpreted.
74 ModeEnforce Mode = "enforce" // Policy must be followed, i.e. deliveries must fail if a TLS connection cannot be made.
75 ModeTesting Mode = "testing" // In case TLS cannot be negotiated, plain SMTP can be used, but failures must be reported, e.g. with TLSRPT.
76 ModeNone Mode = "none" // In case MTA-STS is not or no longer implemented.
79// STSMX is an allowlisted MX host name/pattern.
80// todo: find a way to name this just STSMX without getting duplicate names for "MX" in the sherpa api.
82 // "*." wildcard, e.g. if a subdomain matches. A wildcard must match exactly one
83 // label. *.example.com matches mail.example.com, but not example.com, and not
84 // foor.bar.example.com.
90// LogString returns a loggable string representing the host, with both unicode
91// and ascii version for IDNA domains.
92func (s STSMX) LogString() string {
97 if s.Domain.Unicode == "" {
98 return pre + s.Domain.ASCII
100 return pre + s.Domain.Unicode + "/" + pre + s.Domain.ASCII
103// Policy is an MTA-STS policy as served at "https://mta-sts.<domain>/.well-known/mta-sts.txt".
105 Version string // "STSv1"
108 MaxAgeSeconds int // How long this policy can be cached. Suggested values are in weeks or more.
112// String returns a textual representation for serving at the well-known URL.
113func (p Policy) String() string {
114 b := &strings.Builder{}
115 line := func(k, v string) {
116 fmt.Fprint(b, k+": "+v+"\n")
118 line("version", p.Version)
119 line("mode", string(p.Mode))
120 line("max_age", fmt.Sprintf("%d", p.MaxAgeSeconds))
121 for _, mx := range p.MX {
122 s := mx.Domain.Name()
131// Matches returns whether the hostname matches the mx list in the policy.
132func (p *Policy) Matches(host dns.Domain) bool {
134 for _, mx := range p.MX {
136 v := strings.SplitN(host.ASCII, ".", 2)
137 if len(v) == 2 && v[1] == mx.Domain.ASCII {
140 } else if host == mx.Domain {
147// TLSReportFailureReason returns a concise error for known error types, or an
148// empty string. For use in TLSRPT.
149func TLSReportFailureReason(err error) string {
150 // If this is a DNSSEC authentication error, we'll collect it for TLS reporting.
152 var errCode adns.ErrorCode
153 if errors.As(err, &errCode) && errCode.IsAuthentication() {
154 return fmt.Sprintf("dns-extended-error-%d-%s", errCode, strings.ReplaceAll(errCode.String(), " ", "-"))
157 for _, e := range mtastsErrors {
158 if errors.Is(err, e) {
159 s := strings.TrimPrefix(e.Error(), "mtasts: ")
160 return strings.ReplaceAll(s, " ", "-")
166var mtastsErrors = []error{
167 ErrNoRecord, ErrMultipleRecords, ErrDNS, ErrRecordSyntax, // Lookup
168 ErrNoPolicy, ErrPolicyFetch, ErrPolicySyntax, // Fetch
173 ErrNoRecord = errors.New("mtasts: no mta-sts dns txt record") // Domain does not implement MTA-STS. If a cached non-expired policy is available, it should still be used.
174 ErrMultipleRecords = errors.New("mtasts: multiple mta-sts records") // Should be treated as if domain does not implement MTA-STS, unless a cached non-expired policy is available.
175 ErrDNS = errors.New("mtasts: dns lookup") // For temporary DNS errors.
176 ErrRecordSyntax = errors.New("mtasts: record syntax error")
179// LookupRecord looks up the MTA-STS TXT DNS record at "_mta-sts.<domain>",
180// following CNAME records, and returns the parsed MTA-STS record and the DNS TXT
182func LookupRecord(ctx context.Context, elog *slog.Logger, resolver dns.Resolver, domain dns.Domain) (rrecord *Record, rtxt string, rerr error) {
183 log := mlog.New("mtasts", elog)
186 log.Debugx("mtasts lookup result", rerr,
187 slog.Any("domain", domain),
188 slog.Any("record", rrecord),
189 slog.Duration("duration", time.Since(start)))
194 // We lookup the txt record, but must follow CNAME records when the TXT does not
195 // exist. LookupTXT follows CNAMEs.
196 name := "_mta-sts." + domain.ASCII + "."
198 txts, _, err := dns.WithPackage(resolver, "mtasts").LookupTXT(ctx, name)
199 if dns.IsNotFound(err) {
200 return nil, "", ErrNoRecord
201 } else if err != nil {
202 return nil, "", fmt.Errorf("%w: %s", ErrDNS, err)
207 for _, txt := range txts {
208 r, ismtasts, err := ParseRecord(txt)
211 // "v=STSv1 ;" (note the space) as a non-STS record too in case of multiple TXT
212 // records. We treat it as an STS record that is invalid, which is possibly more
220 return nil, "", ErrMultipleRecords
226 return nil, "", ErrNoRecord
228 return record, text, nil
231// Policy fetch errors.
233 ErrNoPolicy = errors.New("mtasts: no policy served") // If the name "mta-sts.<domain>" does not exist in DNS or if webserver returns HTTP status 404 "File not found".
234 ErrPolicyFetch = errors.New("mtasts: cannot fetch policy") // E.g. for HTTP request errors.
235 ErrPolicySyntax = errors.New("mtasts: policy syntax error")
238// HTTPClient is used by FetchPolicy for HTTP requests.
239var HTTPClient = &http.Client{
240 CheckRedirect: func(req *http.Request, via []*http.Request) error {
245// FetchPolicy fetches a new policy for the domain, at
246// https://mta-sts.<domain>/.well-known/mta-sts.txt.
248// FetchPolicy returns the parsed policy and the literal policy text as fetched
249// from the server. If a policy was fetched but could not be parsed, the policyText
250// return value will be set.
252// Policies longer than 64KB result in a syntax error.
254// If an error is returned, callers should back off for 5 minutes until the next
256func FetchPolicy(ctx context.Context, elog *slog.Logger, domain dns.Domain) (policy *Policy, policyText string, rerr error) {
257 log := mlog.New("mtasts", elog)
260 log.Debugx("mtasts fetch policy result", rerr,
261 slog.Any("domain", domain),
262 slog.Any("policy", policy),
263 slog.String("policytext", policyText),
264 slog.Duration("duration", time.Since(start)))
268 ctx, cancel := context.WithTimeout(ctx, time.Minute)
271 // TLS requirements are what the Go standard library checks: trusted, non-expired,
273 url := "https://mta-sts." + domain.Name() + "/.well-known/mta-sts.txt"
274 req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
276 return nil, "", fmt.Errorf("%w: http request: %s", ErrPolicyFetch, err)
278 // We are not likely to reuse a connection: we cache policies and negative DNS
279 // responses. So don't keep connections open unnecessarily.
282 resp, err := HTTPClient.Do(req)
283 if dns.IsNotFound(err) {
284 return nil, "", ErrNoPolicy
287 // We pass along underlying TLS certificate errors.
288 return nil, "", fmt.Errorf("%w: http get: %w", ErrPolicyFetch, err)
290 HTTPClientObserve(ctx, log.Logger, "mtasts", req.Method, resp.StatusCode, err, start)
291 defer resp.Body.Close()
292 if resp.StatusCode == http.StatusNotFound {
293 return nil, "", ErrNoPolicy
295 if resp.StatusCode != http.StatusOK {
297 return nil, "", fmt.Errorf("%w: http status %s while status 200 is required", ErrPolicyFetch, resp.Status)
300 // We don't look at Content-Type and charset. It should be ASCII or UTF-8, we'll
304 buf, err := io.ReadAll(&moxio.LimitReader{R: resp.Body, Limit: 64 * 1024})
306 return nil, "", fmt.Errorf("%w: reading policy: %s", ErrPolicySyntax, err)
308 policyText = string(buf)
309 policy, err = ParsePolicy(policyText)
311 return nil, policyText, fmt.Errorf("parsing policy: %w", err)
313 return policy, policyText, nil
316// Get looks up the MTA-STS DNS record and fetches the policy.
318// Errors can be those returned by LookupRecord and FetchPolicy.
320// If a valid policy cannot be retrieved, a sender must treat the domain as not
321// implementing MTA-STS. If a sender has a non-expired cached policy, that policy
324// If a record was retrieved, but a policy could not be retrieved/parsed, the
325// record is still returned.
327// Also see Get in package mtastsdb.
328func Get(ctx context.Context, elog *slog.Logger, resolver dns.Resolver, domain dns.Domain) (record *Record, policy *Policy, policyText string, err error) {
329 log := mlog.New("mtasts", elog)
331 result := "lookuperror"
333 MetricGet.ObserveLabels(float64(time.Since(start))/float64(time.Second), result)
334 log.Debugx("mtasts get result", err,
335 slog.Any("domain", domain),
336 slog.Any("record", record),
337 slog.Any("policy", policy),
338 slog.Duration("duration", time.Since(start)))
341 record, _, err = LookupRecord(ctx, log.Logger, resolver, domain)
343 return nil, nil, "", err
346 result = "fetcherror"
347 policy, policyText, err = FetchPolicy(ctx, log.Logger, domain)
349 return record, nil, "", err
353 return record, policy, policyText, nil