MTA-STS is now RFC 8461

MTA-STS has been published as RFC 8461, with no major changes since the
last draft we updated (-18).

This patch updates the documentation accordingly (no code changes).

README.md

@@ -43,7 +43,7 @@ It's written in [Go](https://golang.org), and distributed under the
 [Let's Encrypt]: https://letsencrypt.org
 [Dovecot]: https://dovecot.org
 [SPF]: https://en.wikipedia.org/wiki/Sender_Policy_Framework
-[MTA-STS]: https://datatracker.ietf.org/doc/draft-ietf-uta-mta-sts/
+[MTA-STS]: https://tools.ietf.org/html/rfc8461
 [Debian]: https://debian.org
 [Ubuntu]: https://ubuntu.com
 

internal/courier/smtp.go

@@ -191,8 +191,8 @@ retry:
 	slcResults.Add("pass", 1)
 
 	if a.stsPolicy != nil && a.stsPolicy.Mode == sts.Enforce {
-		// The connection MUST be validated TLS.
-		// https://tools.ietf.org/html/draft-ietf-uta-mta-sts-18#section-4.2
+		// The connection MUST be validated by TLS.
+		// https://tools.ietf.org/html/rfc8461#section-4.2
 		if secLevel != domaininfo.SecLevel_TLS_SECURE {
 			stsSecurityResults.Add("fail", 1)
 			return a.tr.Errorf("invalid security level (%v) for STS policy",

internal/sts/sts.go

@@ -1,10 +1,9 @@
-// Package sts implements the MTA-STS (Strict Transport Security), based on
-// the current draft, https://tools.ietf.org/html/draft-ietf-uta-mta-sts-18.
-//
-// This is an EXPERIMENTAL implementation for now.
+// Package sts implements the MTA-STS (Strict Transport Security), RFC 8461.
 //
 // Note that "report" mode is not supported.
 //
+// Reference: https://tools.ietf.org/html/rfc8461
+//
 package sts
 
 import (
@@ -52,7 +51,7 @@ var (
 )
 
 // Policy represents a parsed policy.
-// https://tools.ietf.org/html/draft-ietf-uta-mta-sts-18#section-3.2
+// https://tools.ietf.org/html/rfc8461#section-3.2
 // The json annotations are used for serializing for caching purposes.
 type Policy struct {
 	Version string        `json:"version"`
@@ -144,7 +143,7 @@ func (p *Policy) Check() error {
 }
 
 // MXIsAllowed checks if the given MX is allowed, according to the policy.
-// https://tools.ietf.org/html/draft-ietf-uta-mta-sts-18#section-4.1
+// https://tools.ietf.org/html/rfc8461#section-4.1
 func (p *Policy) MXIsAllowed(mx string) bool {
 	if p.Mode != Enforce {
 		return true
@@ -197,8 +196,8 @@ func urlForDomain(domain string) string {
 	}
 
 	// URL composed from the domain, as explained in:
-	// https://tools.ietf.org/html/draft-ietf-uta-mta-sts-18#section-3.3
-	// https://tools.ietf.org/html/draft-ietf-uta-mta-sts-18#section-3.2
+	// https://tools.ietf.org/html/rfc8461#section-3.3
+	// https://tools.ietf.org/html/rfc8461#section-3.2
 	return "https://mta-sts." + domain + "/.well-known/mta-sts.txt"
 }
 
@@ -225,7 +224,7 @@ func Fetch(ctx context.Context, domain string) (*Policy, error) {
 func httpGet(ctx context.Context, url string) ([]byte, error) {
 	client := &http.Client{
 		// We MUST NOT follow redirects, see
-		// https://tools.ietf.org/html/draft-ietf-uta-mta-sts-18#section-3.3
+		// https://tools.ietf.org/html/rfc8461#section-3.3
 		CheckRedirect: rejectRedirect,
 	}
 
@@ -242,7 +241,7 @@ func httpGet(ctx context.Context, url string) ([]byte, error) {
 	// Media type must be "text/plain" to guard against cases where webservers
 	// allow untrusted users to host non-text content (like HTML or images) at
 	// a user-defined path.
-	// https://tools.ietf.org/html/draft-ietf-uta-mta-sts-18#section-3.2
+	// https://tools.ietf.org/html/rfc8461#section-3.2
 	mt, _, err := mime.ParseMediaType(resp.Header.Get("Content-type"))
 	if err != nil {
 		return nil, fmt.Errorf("HTTP media type error: %v", err)
@@ -263,7 +262,7 @@ func rejectRedirect(req *http.Request, via []*http.Request) error {
 }
 
 // matchDomain checks if the domain matches the given pattern, according to
-// from https://tools.ietf.org/html/draft-ietf-uta-mta-sts-18#section-4.1
+// from https://tools.ietf.org/html/rfc8461#section-4.1
 // (based on https://tools.ietf.org/html/rfc6125#section-6.4).
 func matchDomain(domain, pattern string) bool {
 	domain, dErr := domainToASCII(domain)