mirror of https://blitiri.com.ar/repos/chasquid synced 2025-12-17 14:37:02 +00:00

smtpsrv: Disable TLS session tickets to work around Microsoft problems

Microsoft SMTP servers have a bug that prevents them from successfully
establishing a TLS connection against modern Go TLS servers, and some
OpenSSL versions. It also doesn't fall back to plain-text, so this has
been causing deliverability issues.

The problem started by the end of 2024 and it's still not fixed.

Unfortunately, because they're quite a big provider and are not fixing
their problem, it is worth doing a server-side workaround.

This patch implements that workaround: it disables TLS session tickets.

There is no security impact for doing so, and there is a small
performance penalty which is likely to be insignificant for chasquid's
main use cases.

This workaround should be removed once Microsoft fixes their problem.

We are going to make a 1.15.1 release for this, which this patch also
documents.

Thanks to Michael (l6d-dev@github) for reporting this issue and
suggesting this workaround!

See https://github.com/albertito/chasquid/issues/64 and
https://github.com/golang/go/issues/70232 for more details.
Alberto Bertogli
2025-03-29 23:21:06 +00:00
parent 14892f438b
commit e5e7256d3e
2 changed files with 32 additions and 3 deletions


@@ -11,6 +11,16 @@ noting backward-incompatible changes or known security issues.
- Log how many things were loaded for each domain.
- Add fail2ban filter configuration example.
### 1.15.1 (2025-03-30)
Implement a workaround for a Microsoft bug in TLS session ticket handling,
that is causing deliverability issues, and they are being too slow at fixing.
See this [chasquid issue](https://github.com/albertito/chasquid/issues/64),
this [Go issue](https://github.com/golang/go/issues/70232) and this
[Postfix thread](https://www.mail-archive.com/postfix-users@postfix.org/msg104308.html)
for more details.
## 1.14.0 (2024-04-21)
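
Review bot: The new 1.15.1 entry never says what the workaround is; it only mentions "a workaround for a Microsoft bug in TLS session ticket handling", so an operator reading the release notes cannot tell how the server's TLS behaviour changes. Suggest stating it directly, as the commit message does: TLS session tickets are now disabled, and the workaround is meant to be removed once Microsoft fixes the bug. As a style point, the clause "and they are being too slow at fixing" reads awkwardly after the comma and would be clearer as its own sentence or left out of the release notes.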