From 0d033115b328d822b9f6b018641212341c943be5 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier <nemunaire@nemunai.re>
Date: Thu, 30 Apr 2026 08:47:06 +0700
Subject: [PATCH] Include rules section

---
 README.md | 52 +++++++++++++++++++---------------------------------
 1 file changed, 19 insertions(+), 33 deletions(-)

diff --git a/README.md b/README.md
index 95c545b..db6ee21 100644
--- a/README.md
+++ b/README.md
@@ -44,40 +44,26 @@ HTML report via `ObservationGetter.GetRelated` / `ReportContext.Related`,
 so a bad certificate on an MX shows up on the SMTP service page, not
 only in a separate TLS view.
 
-## What it checks
+## Rules
 
-### DNS posture
-
-1. MX records published? (RFC 7505 null-MX is recognised and reported as INFO)
-2. MX target is a hostname, **not** an IP literal (RFC 5321 § 5.1).
-3. MX target is **not** a CNAME (RFC 5321 § 5.1).
-4. MX target resolves (A and/or AAAA).
-5. Implicit-MX fallback warned about.
-
-### Per-endpoint (port 25, for each A/AAAA of each MX)
-
-6. TCP reachability.
-7. SMTP 220 banner, captured verbatim; announced hostname parsed.
-8. ESMTP EHLO (fallback to HELO detected and flagged).
-9. Extension inventory: STARTTLS, PIPELINING, 8BITMIME, SMTPUTF8,
-   CHUNKING, DSN, ENHANCEDSTATUSCODES, SIZE, AUTH.
-10. `AUTH` advertised *before* STARTTLS (credentials-over-plaintext risk).
-11. STARTTLS negotiation and TLS version/cipher recorded (no cert checks; handed off to `checker-tls`).
-12. Post-TLS EHLO: extensions may expand after the upgrade; we union them.
-13. Reverse DNS (PTR) present for each IP.
-14. Forward-confirmed reverse DNS (FCrDNS): PTR's forward resolution must include our IP (Gmail / Outlook / Yahoo reject without this).
-15. Null sender acceptance (`MAIL FROM:<>`; RFC 5321 mandates this for bounces).
-16. Postmaster mailbox acceptance (`RCPT TO:<postmaster@domain>`; RFC 5321 § 4.5.1).
-17. **Open-relay probe** (`MAIL FROM:<checker@…>` then `RCPT TO:<postmaster@example.com>`; a 2xx indicates an open relay). The probe stops at RCPT; `DATA` is never sent.
-18. IPv4 / IPv6 coverage.
-
-The rule emits one `CheckState` per derived issue, with `Subject` set
-to the offending endpoint (`ip:25`) or MX target so the host can
-correlate findings across runs. When nothing is wrong the rule emits a
-single OK state; an RFC 7505 null MX collapses to a single INFO state.
-The HTML report renders a domain-level "What to fix" panel (sorted
-crit → warn → info) plus one collapsible section per probed endpoint,
-open by default when something is wrong.
+| Code                       | Description                                                                                       | Severity   |
+|----------------------------|---------------------------------------------------------------------------------------------------|------------|
+| `smtp.null_mx`             | Reports whether the domain publishes a null MX (RFC 7505), declaring it does not accept mail.     | INFO       |
+| `smtp.mx_present`          | Verifies the domain publishes at least one MX record (or a null MX).                              | CRITICAL   |
+| `smtp.mx_sanity`           | Flags MX targets that violate RFC 5321 § 5.1 (IP literals, CNAME chains, unresolved names).       | CRITICAL   |
+| `smtp.endpoint_reachable`  | Verifies every MX endpoint accepts a TCP connection on port 25.                                   | CRITICAL   |
+| `smtp.banner_sanity`       | Verifies every reachable endpoint emits a 220 SMTP greeting.                                      | CRITICAL   |
+| `smtp.ehlo_supported`      | Verifies every endpoint accepts EHLO (required for STARTTLS, PIPELINING, SIZE, …).                | CRITICAL   |
+| `smtp.starttls_offered`    | Verifies every endpoint advertises the STARTTLS extension.                                        | CRITICAL   |
+| `smtp.starttls_handshake`  | Verifies the STARTTLS handshake succeeds wherever STARTTLS is advertised.                         | CRITICAL   |
+| `smtp.auth_posture`        | Flags endpoints that advertise SMTP AUTH before STARTTLS (cleartext credentials).                 | CRITICAL   |
+| `smtp.reverse_dns`         | Verifies every endpoint has a matching PTR record (FCrDNS).                                       | WARNING    |
+| `smtp.null_sender`         | Verifies endpoints accept the null sender MAIL FROM:<> (required for DSNs).                       | CRITICAL   |
+| `smtp.postmaster`          | Verifies endpoints accept RCPT TO:<postmaster@domain> (RFC 5321 § 4.5.1).                         | CRITICAL   |
+| `smtp.open_relay`          | Flags endpoints that relay mail for recipients outside the tested domain.                         | CRITICAL   |
+| `smtp.extension_posture`   | Reports ESMTP extension posture (PIPELINING, 8BITMIME).                                           | INFO       |
+| `smtp.ipv6_reachable`      | Verifies at least one MX endpoint is reachable over IPv6.                                         | INFO       |
+| `smtp.tls_quality`         | Folds downstream TLS checker findings (certificate chain, hostname match, expiry) onto SMTP.      | CRITICAL   |
 
 ## Most common failures and how the report addresses them