
courier: Add tests for STS policy checks

This patch adds tests for STS policy checks in combination with TLS
security levels.

This helps ensure we're detecting mismatches between TLS status
(plain/insecure/secure) and STS policy enforcement.
Alberto Bertogli
2021-10-25 12:39:09 +01:00
parent 14e270b7f5
commit 02322a74e6
2 changed files with 117 additions and 25 deletions


@@ -152,6 +152,7 @@ func (a *attempt) deliver(mx string) (error, bool) {
return nil
},
}
err = c.StartTLS(config)
if err != nil {
tlsCount.Add("tls:failed", 1)
@@ -206,6 +207,9 @@ func (a *attempt) deliver(mx string) (error, bool) {
return nil, false
}
// CA roots to validate against, so we can override it for testing.
var certRoots *x509.CertPool = nil
func (a *attempt) verifyConnection(cs tls.ConnectionState) domaininfo.SecLevel {
// Validate certificates, using the same logic Go does, and following the
// official example at
@@ -213,6 +217,7 @@ func (a *attempt) verifyConnection(cs tls.ConnectionState) domaininfo.SecLevel {
opts := x509.VerifyOptions{
DNSName: cs.ServerName,
Intermediates: x509.NewCertPool(),
Roots: certRoots,
}
for _, cert := range cs.PeerCertificates[1:] {
opts.Intermediates.AddCert(cert)