smtpsrv: Disable TLS session tickets to work around Microsoft problems

Microsoft SMTP servers have a bug that prevents them from successfully establishing a TLS connection against modern Go TLS servers, and some OpenSSL versions. It also doesn't fall back to plain-text, so this has been causing deliverablity issues. The problem started by the end of 2024 and it's still not fixed. Unfortunately, because they're quite a big provider and are not fixing their problem, it is worth to do a server-side workaround. This patch implements that workaround: it disables TLS session tickets. There is no security impact for doing so, and there is a small performance penalty which is likely to be insignificant for chasquid's main use cases. This workaround should be removed once Microsoft fixes their problem. We are going to make a 1.15.1 release for this, which this patch also documents. Thanks to Michael (l6d-dev@github) for reporting this issue and suggesting this workaround! See https://github.com/albertito/chasquid/issues/64 and https://github.com/golang/go/issues/70232 for more details.
2025-12-17 14:37:02 +00:00 · 2025-03-29 23:21:06 +00:00
parent deb2a2f22b
commit 48fe124c47
2 changed files with 32 additions and 3 deletions
--- a/docs/relnotes.md
+++ b/docs/relnotes.md
@@ -11,6 +11,16 @@ noting backward-incompatible changes or known security issues.
 - Log how many things were loaded for each domain.
 - Add fail2ban filter configuration example.

+### 1.15.1 (2025-03-30)
+
+Implement a workaround for a Microsoft bug in TLS session ticket handling,
+that is causing deliverability issues, and they are being too slow at fixing.
+
+See this [chasquid issue](https://github.com/albertito/chasquid/issues/64),
+this [Go issue](https://github.com/golang/go/issues/70232) and this
+[Postfix thread](https://www.mail-archive.com/postfix-users@postfix.org/msg104308.html)
+for more details.
+

 ## 1.14.0 (2024-04-21)

--- a/internal/smtpsrv/server.go
+++ b/internal/smtpsrv/server.go
@@ -94,9 +94,28 @@ func NewServer() *Server {
 	authr := auth.NewAuthenticator()
 	aliasesR := aliases.NewResolver(authr.Exists)
 	return &Server{
-		addrs:          map[SocketMode][]string{},
-		listeners:      map[SocketMode][]net.Listener{},
-		tlsConfig:      &tls.Config{},
+		addrs:     map[SocketMode][]string{},
+		listeners: map[SocketMode][]net.Listener{},
+
+		// Disable session tickets for now, to workaround a Microsoft bug
+		// causing deliverability issues.
+		//
+		// See https://github.com/golang/go/issues/70232 for more details.
+		//
+		// This doesn't impact security, it just makes the re-establishment of
+		// TLS sessions a bit slower, but for a server like chasquid it's not
+		// going to be significant.
+		//
+		// Note this is not a Go-specific problem, and affects other servers
+		// too (like Postfix/OpenSSL). This is a Microsoft problem that they
+		// need to fix. Unfortunately, because they're quite a big provider
+		// and are not very responsive in fixing their problems, we have to do
+		// a workaround here.
+		// TODO: Remove this once Microsoft fixes their servers.
+		tlsConfig: &tls.Config{
+			SessionTicketsDisabled: true,
+		},
+
 		connTimeout:    20 * time.Minute,
 		commandTimeout: 1 * time.Minute,
 		localDomains:   &set.String{},