courier/smtp: Retry over plaintext on STARTTLS errors

When the SMTP courier gets an error on STARTTLS (either because the command itself failed, or because there was a low-level TLS negotiation error), today we just fail that attempt. This can cause messages to never be delivered if the underlying reason is a server misconfiguration (e.g. a server certificate that Go cannot parse). This is quite rare in practice, but it can happen. To prevent this situation, this patch adds logic so that the SMTP courier retries over plaintext when STARTTLS fails. This is still subject to security level checks, so this type of failures cannot be used to downgrade connections to domains we successfully established a TLS connection previously. Note that certificate validation issues are NOT included in this type of failure, so they will not trigger a retry. The certificate validation handling is unchanged by this patch.
2025-12-20 15:07:03 +00:00 · 2023-03-03 09:51:48 +00:00
parent 1927e15ea2
commit fd9c6a748b
3 changed files with 61 additions and 22 deletions
--- a/internal/courier/smtp.go
+++ b/internal/courier/smtp.go
@@ -120,6 +120,8 @@ type attempt struct {
 }

 func (a *attempt) deliver(mx string) (error, bool) {
+	skipTLS := false
+retry:
 	conn, err := net.DialTimeout("tcp", mx+":"+*smtpPort, smtpDialTimeout)
 	if err != nil {
 		return a.tr.Errorf("Could not dial: %v", err), false
@@ -137,7 +139,7 @@ func (a *attempt) deliver(mx string) (error, bool) {
 	}

 	secLevel := domaininfo.SecLevel_PLAIN
-	if ok, _ := c.Extension("STARTTLS"); ok {
+	if ok, _ := c.Extension("STARTTLS"); ok && !skipTLS {
 		config := &tls.Config{
 			ServerName: mx,

@@ -155,8 +157,21 @@ func (a *attempt) deliver(mx string) (error, bool) {

 		err = c.StartTLS(config)
 		if err != nil {
+			// If we could not complete a jump to TLS (either because the
+			// STARTTLS command itself failed server-side, or because we got a
+			// TLS negotiation error), retry but without trying to use TLS.
+			// This should be quite rare, but it can happen if the server
+			// certificate is not parseable by the Go library, or if it has a
+			// broken TLS stack.
+			// Note that invalid and self-signed certs do NOT fall in this
+			// category, those are handled by the VerifyConnection function
+			// above, and don't need a retry. This is only needed for lower
+			// level errors.
 			tlsCount.Add("tls:failed", 1)
-			return a.tr.Errorf("TLS error: %v", err), false
+			a.tr.Errorf("TLS error, retrying without TLS: %v", err)
+			skipTLS = true
+			conn.Close()
+			goto retry
 		}
 	} else {
 		tlsCount.Add("plain", 1)