Include rules section

2026-04-30 08:47:06 +07:00 · 2026-04-30 08:47:06 +07:00 · 0d033115b3
commit 0d033115b3
parent 485c5a4a1d
1 changed files with 20 additions and 34 deletions
--- a/README.md
+++ b/README.md
@ -44,40 +44,26 @@ HTML report via `ObservationGetter.GetRelated` / `ReportContext.Related`,
 so a bad certificate on an MX shows up on the SMTP service page, not
 only in a separate TLS view.
-## What it checks
+## Rules
-### DNS posture
+| Code                       | Description                                                                                       | Severity   |
-
+|----------------------------|---------------------------------------------------------------------------------------------------|------------|
-1. MX records published? (RFC 7505 null-MX is recognised and reported as INFO)
+| `smtp.null_mx`             | Reports whether the domain publishes a null MX (RFC 7505), declaring it does not accept mail.     | INFO       |
-2. MX target is a hostname, **not** an IP literal (RFC 5321 § 5.1).
+| `smtp.mx_present`          | Verifies the domain publishes at least one MX record (or a null MX).                              | CRITICAL   |
-3. MX target is **not** a CNAME (RFC 5321 § 5.1).
+| `smtp.mx_sanity`           | Flags MX targets that violate RFC 5321 § 5.1 (IP literals, CNAME chains, unresolved names).       | CRITICAL   |
-4. MX target resolves (A and/or AAAA).
+| `smtp.endpoint_reachable`  | Verifies every MX endpoint accepts a TCP connection on port 25.                                   | CRITICAL   |
-5. Implicit-MX fallback warned about.
+| `smtp.banner_sanity`       | Verifies every reachable endpoint emits a 220 SMTP greeting.                                      | CRITICAL   |
-
+| `smtp.ehlo_supported`      | Verifies every endpoint accepts EHLO (required for STARTTLS, PIPELINING, SIZE, …).                | CRITICAL   |
-### Per-endpoint (port 25, for each A/AAAA of each MX)
+| `smtp.starttls_offered`    | Verifies every endpoint advertises the STARTTLS extension.                                        | CRITICAL   |
-
+| `smtp.starttls_handshake`  | Verifies the STARTTLS handshake succeeds wherever STARTTLS is advertised.                         | CRITICAL   |
-6. TCP reachability.
+| `smtp.auth_posture`        | Flags endpoints that advertise SMTP AUTH before STARTTLS (cleartext credentials).                 | CRITICAL   |
-7. SMTP 220 banner, captured verbatim; announced hostname parsed.
+| `smtp.reverse_dns`         | Verifies every endpoint has a matching PTR record (FCrDNS).                                       | WARNING    |
-8. ESMTP EHLO (fallback to HELO detected and flagged).
+| `smtp.null_sender`         | Verifies endpoints accept the null sender MAIL FROM:<> (required for DSNs).                       | CRITICAL   |
-9. Extension inventory: STARTTLS, PIPELINING, 8BITMIME, SMTPUTF8,
+| `smtp.postmaster`          | Verifies endpoints accept RCPT TO:<postmaster@domain> (RFC 5321 § 4.5.1).                         | CRITICAL   |
-   CHUNKING, DSN, ENHANCEDSTATUSCODES, SIZE, AUTH.
+| `smtp.open_relay`          | Flags endpoints that relay mail for recipients outside the tested domain.                         | CRITICAL   |
-10. `AUTH` advertised *before* STARTTLS (credentials-over-plaintext risk).
+| `smtp.extension_posture`   | Reports ESMTP extension posture (PIPELINING, 8BITMIME).                                           | INFO       |
-11. STARTTLS negotiation and TLS version/cipher recorded (no cert checks; handed off to `checker-tls`).
+| `smtp.ipv6_reachable`      | Verifies at least one MX endpoint is reachable over IPv6.                                         | INFO       |
-12. Post-TLS EHLO: extensions may expand after the upgrade; we union them.
+| `smtp.tls_quality`         | Folds downstream TLS checker findings (certificate chain, hostname match, expiry) onto SMTP.      | CRITICAL   |
 13. Reverse DNS (PTR) present for each IP.
 14. Forward-confirmed reverse DNS (FCrDNS): PTR's forward resolution must include our IP (Gmail / Outlook / Yahoo reject without this).
 15. Null sender acceptance (`MAIL FROM:<>`; RFC 5321 mandates this for bounces).
 16. Postmaster mailbox acceptance (`RCPT TO:<postmaster@domain>`; RFC 5321 § 4.5.1).
 17. **Open-relay probe** (`MAIL FROM:<checker@…>` then `RCPT TO:<postmaster@example.com>`; a 2xx indicates an open relay). The probe stops at RCPT; `DATA` is never sent.
 18. IPv4 / IPv6 coverage.
 The rule emits one `CheckState` per derived issue, with `Subject` set
 to the offending endpoint (`ip:25`) or MX target so the host can
 correlate findings across runs. When nothing is wrong the rule emits a
 single OK state; an RFC 7505 null MX collapses to a single INFO state.
 The HTML report renders a domain-level "What to fix" panel (sorted
 crit → warn → info) plus one collapsible section per probed endpoint,
 open by default when something is wrong.
 ## Most common failures and how the report addresses them