
add an option for the smtp delivery listener to enable/disable tls se…
…ssion tickets

the field is optional. if absent, the default behaviour is currently to disable
session tickets. users can set the option if they want to test whether delivery from
microsoft is working again. in a future version, we can switch the default to
enabling session tickets.

the previous fix was to disable session tickets for all tls connections,
including https. that was a bit much.

for issue #237
mjl- committed Dec 6, 2024
1 parent 4279383 commit e59f894
Showing 5 changed files with 14 additions and 3 deletions.
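--- a/autotls/autotls.go
+++ b/autotls/autotls.go
@@ -229,7 +229,6 @@ func (m *Manager) TLSConfig(fallbackHostname dns.Domain, fallbackNoSNI, fallback
 GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 return m.loggingGetCertificate(hello, fallbackHostname, fallbackNoSNI, fallbackUnknownSNI)
 },
-SessionTicketsDisabled: true,
 }
 }
 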
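--- a/config/config.go
+++ b/config/config.go
@@ -158,6 +158,8 @@ type Listener struct {
 
 FirstTimeSenderDelay *time.Duration `sconf:"optional" sconf-doc:"Delay before accepting a message from a first-time sender for the destination account. Default: 15s."`
 
+TLSSessionTicketsDisabled *bool `sconf:"optional" sconf-doc:"Override default setting for enabling TLS session tickets. Disabling session tickets may work around TLS interoperability issues."`
+
 DNSBLZones []dns.Domain `sconf:"-"`
 } `sconf:"optional"`
 Submission struct {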
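Review bot: The `sconf-doc` on the added `TLSSessionTicketsDisabled` field does not say what happens when the field is absent, unlike the `Default: 15s.` on `FirstTimeSenderDelay` directly above it. The commit message states that an absent field currently means session tickets are disabled and that this default may flip in a later version; that is precisely what an operator reading the generated config documentation needs, and the generated example in config/doc.go renders the zero value `false`, which reads as if tickets were enabled by default. I would extend the tag to `sconf-doc:"Override default setting for enabling TLS session tickets. Disabling session tickets may work around TLS interoperability issues. Default: session tickets are currently disabled; this default may change in a future version."` and regenerate config/doc.go from it. `type Listener struct` begins and ends outside this hunk.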
4 changes: 4 additions & 0 deletions config/doc.go
Expand Up @@ -262,6 +262,10 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
# account. Default: 15s. (optional)
FirstTimeSenderDelay: 0s
# Override default setting for enabling TLS session tickets. Disabling session
# tickets may work around TLS interoperability issues. (optional)
TLSSessionTicketsDisabled: false
# SMTP for submitting email, e.g. by email applications. Starts out in plain text,
# can be upgraded to TLS with the STARTTLS command. Prefer using Submissions which
# is always a TLS connection. (optional)
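--- a/mox-/config.go
+++ b/mox-/config.go
@@ -1933,8 +1933,7 @@ func loadTLSKeyCerts(configFile, kind string, ctls *config.TLS) error {
 certs = append(certs, cert)
 }
 ctls.Config = &tls.Config{
-Certificates: certs,
-SessionTicketsDisabled: true,
+Certificates: certs,
 }
 ctls.ConfigFallback = ctls.Config
 return nil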
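--- a/smtpserver/server.go
+++ b/smtpserver/server.go
@@ -229,6 +229,13 @@ func Listen() {
 port := config.Port(listener.SMTP.Port, 25)
 for _, ip := range listener.IPs {
 firstTimeSenderDelay := durationDefault(listener.SMTP.FirstTimeSenderDelay, firstTimeSenderDelayDefault)
+if tlsConfigDelivery != nil {
+tlsConfigDelivery = tlsConfigDelivery.Clone()
+// Default setting is currently to have session tickets disabled, to work around
+// TLS interoperability issues with incoming deliveries from Microsoft. See
+// https://github.com/golang/go/issues/70232.
+tlsConfigDelivery.SessionTicketsDisabled = listener.SMTP.TLSSessionTicketsDisabled == nil || *listener.SMTP.TLSSessionTicketsDisabled
+}
 listen1("smtp", name, ip, port, hostname, tlsConfigDelivery, false, false, maxMsgSize, false, listener.SMTP.RequireSTARTTLS, !listener.SMTP.NoRequireTLS, listener.SMTP.DNSBLZones, firstTimeSenderDelay)
 }
 }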
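Review bot: The added block sits inside the `for _, ip := range listener.IPs` loop and reassigns `tlsConfigDelivery`, a variable declared before the hunk, on every iteration, so a listener with several IPs clones a clone each time and the outer variable is left pointing at the last clone once the loop ends; if `tlsConfigDelivery` is read again later in `Listen()` (whose body continues outside the hunk), that reader silently inherits the SMTP listener's session-ticket setting. The value depends only on `listener.SMTP`, not on `ip`, so it should be computed once per listener, above the loop, into its own variable that is then passed to `listen1`. The TLS behaviour is the same either way, but a dedicated variable makes it explicit which `tls.Config` each listener is handed and stops the Clone chain.
```go
// … unchanged: port lookup …
// Per-listener delivery config. Default setting is currently to have session
// tickets disabled, to work around TLS interoperability issues with incoming
// deliveries from Microsoft. See https://github.com/golang/go/issues/70232.
tlsConfigDeliveryListener := tlsConfigDelivery
if tlsConfigDelivery != nil {
	tlsConfigDeliveryListener = tlsConfigDelivery.Clone()
	tlsConfigDeliveryListener.SessionTicketsDisabled = listener.SMTP.TLSSessionTicketsDisabled == nil || *listener.SMTP.TLSSessionTicketsDisabled
}
for _, ip := range listener.IPs {
	firstTimeSenderDelay := durationDefault(listener.SMTP.FirstTimeSenderDelay, firstTimeSenderDelayDefault)
	listen1("smtp", name, ip, port, hostname, tlsConfigDeliveryListener, false, false, maxMsgSize, false, listener.SMTP.RequireSTARTTLS, !listener.SMTP.NoRequireTLS, listener.SMTP.DNSBLZones, firstTimeSenderDelay)
}
```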
