sts: Experimental MTA-STS (Strict Transport Security) implementation

This EXPERIMENTAL patch has a basic implementation of MTA-STS (Strict Transport Security), based on the current draft at https://tools.ietf.org/html/draft-ietf-uta-mta-sts-02. It integrates the policy fetching and checking into the smtp-check tool for convenience, but not yet in chasquid itself. This is a proof of concept. Many features and tests are missing; in particular, there is no caching at all yet.
2025-12-17 14:37:02 +00:00 · 2017-01-04 13:26:20 -03:00
parent b8551729db
commit 933ab54cd8
3 changed files with 362 additions and 0 deletions
--- a/cmd/smtp-check/smtp-check.go
+++ b/cmd/smtp-check/smtp-check.go
@@ -2,13 +2,16 @@
 package main

 import (
+	"context"
 	"crypto/tls"
 	"flag"
 	"log"
 	"net"
 	"net/smtp"
+	"time"

 	"blitiri.com.ar/go/chasquid/internal/spf"
+	"blitiri.com.ar/go/chasquid/internal/sts"
 	"blitiri.com.ar/go/chasquid/internal/tlsconst"

 	"golang.org/x/net/idna"
@@ -34,6 +37,21 @@ func main() {
 		log.Fatalf("IDNA conversion failed: %v", err)
 	}

+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	log.Printf("=== STS policy")
+	policy, err := sts.UncheckedFetch(ctx, domain)
+	if err != nil {
+		log.Printf("Not available (%s)", err)
+	} else {
+		log.Printf("Parsed contents:  [%+v]\n", *policy)
+		if err := policy.Check(); err != nil {
+			log.Fatalf("Invalid: %v", err)
+		}
+		log.Printf("OK")
+	}
+
 	mxs, err := net.LookupMX(domain)
 	if err != nil {
 		log.Fatalf("MX lookup: %v", err)
@@ -83,6 +101,13 @@ func main() {
 			c.Close()
 		}

+		if policy != nil {
+			if !policy.MXIsAllowed(mx.Host) {
+				log.Fatalf("NOT allowed by STS policy")
+			}
+			log.Printf("Allowed by policy")
+		}
+
 		log.Printf("")
 	}