Support submission (directly) over TLS (submissions/smtps/port 465)

This patch adds support for TLS-wrapped submission connections. Instead of clients establishing a connection over plain text and then using STARTTLS to switch over a TLS connection, this new mode allows the clients to connect directly over TLS, like it's done in HTTPS. This is not an official standard yet, but it's reasonably common in practice, and provides some advantages over the traditional submission port. The default port is 465, commonly used for this; chasquid defaults to systemd file descriptor passing as for the other protocols (for now).
2025-12-17 14:37:02 +00:00 · 2017-04-01 12:47:46 +01:00
parent c4255933bd
commit 213bc63a95
22 changed files with 157 additions and 48 deletions
--- a/internal/smtpsrv/server_test.go
+++ b/internal/smtpsrv/server_test.go
@@ -34,8 +34,9 @@ var (
 	// Server addresses.
 	// We default to internal ones, but may get overridden via flags.
 	// TODO: Don't hard-code the default.
-	smtpAddr       = "127.0.0.1:13444"
-	submissionAddr = "127.0.0.1:13999"
+	smtpAddr          = "127.0.0.1:13444"
+	submissionAddr    = "127.0.0.1:13999"
+	submissionTLSAddr = "127.0.0.1:13777"

 	// TLS configuration to use in the clients.
 	// Will contain the generated server certificate as root CA.
@@ -46,14 +47,28 @@ var (
 // === Tests ===
 //

-func mustDial(tb testing.TB, mode SocketMode, useTLS bool) *smtp.Client {
+func mustDial(tb testing.TB, mode SocketMode, startTLS bool) *smtp.Client {
 	addr := ""
-	if mode == ModeSMTP {
+	switch mode {
+	case ModeSMTP:
 		addr = smtpAddr
-	} else {
+	case ModeSubmission:
 		addr = submissionAddr
+	case ModeSubmissionTLS:
+		addr = submissionTLSAddr
 	}
-	c, err := smtp.Dial(addr)
+
+	var err error
+	var conn net.Conn
+	if mode.TLS {
+		conn, err = tls.Dial("tcp", addr, tlsConfig)
+	} else {
+		conn, err = net.Dial("tcp", addr)
+	}
+	if err != nil {
+		tb.Fatalf("(net||tls).Dial: %v", err)
+	}
+	c, err := smtp.NewClient(conn, "127.0.0.1")
 	if err != nil {
 		tb.Fatalf("smtp.Dial: %v", err)
 	}
@@ -62,7 +77,7 @@ func mustDial(tb testing.TB, mode SocketMode, useTLS bool) *smtp.Client {
 		tb.Fatalf("c.Hello: %v", err)
 	}

-	if useTLS {
+	if startTLS {
 		if ok, _ := c.Extension("STARTTLS"); !ok {
 			tb.Fatalf("STARTTLS not advertised in EHLO")
 		}
@@ -153,6 +168,14 @@ func TestSubmissionWithoutAuth(t *testing.T) {
 	}
 }

+func TestAuthOnTLS(t *testing.T) {
+	c := mustDial(t, ModeSubmissionTLS, false)
+	defer c.Close()
+
+	auth := smtp.PlainAuth("", "testuser@localhost", "testpasswd", "127.0.0.1")
+	sendEmailWithAuth(t, c, auth)
+}
+
 func TestAuthOnSMTP(t *testing.T) {
 	c := mustDial(t, ModeSMTP, true)
 	defer c.Close()
@@ -285,6 +308,16 @@ func TestRepeatedStartTLS(t *testing.T) {
 	}
 }

+// Test that STARTTLS fails on a TLS connection.
+func TestStartTLSOnTLS(t *testing.T) {
+	c := mustDial(t, ModeSubmissionTLS, false)
+	defer c.Close()
+
+	if err := c.StartTLS(tlsConfig); err == nil {
+		t.Errorf("STARTTLS did not fail as expected")
+	}
+}
+
 //
 // === Benchmarks ===
 //
@@ -440,6 +473,7 @@ func realMain(m *testing.M) int {
 		s.AddCerts(tmpDir+"/cert.pem", tmpDir+"/key.pem")
 		s.AddAddr(smtpAddr, ModeSMTP)
 		s.AddAddr(submissionAddr, ModeSubmission)
+		s.AddAddr(submissionTLSAddr, ModeSubmissionTLS)

 		localC := &courier.Procmail{}
 		remoteC := &courier.SMTP{}