From 0d033115b328d822b9f6b018641212341c943be5 Mon Sep 17 00:00:00 2001 From: Pierre-Olivier Mercier Date: Thu, 30 Apr 2026 08:47:06 +0700 Subject: [PATCH 1/2] Include rules section --- README.md | 52 +++++++++++++++++++--------------------------------- 1 file changed, 19 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index 95c545b..db6ee21 100644 --- a/README.md +++ b/README.md @@ -44,40 +44,26 @@ HTML report via `ObservationGetter.GetRelated` / `ReportContext.Related`, so a bad certificate on an MX shows up on the SMTP service page, not only in a separate TLS view. -## What it checks +## Rules -### DNS posture - -1. MX records published? (RFC 7505 null-MX is recognised and reported as INFO) -2. MX target is a hostname, **not** an IP literal (RFC 5321 § 5.1). -3. MX target is **not** a CNAME (RFC 5321 § 5.1). -4. MX target resolves (A and/or AAAA). -5. Implicit-MX fallback warned about. - -### Per-endpoint (port 25, for each A/AAAA of each MX) - -6. TCP reachability. -7. SMTP 220 banner, captured verbatim; announced hostname parsed. -8. ESMTP EHLO (fallback to HELO detected and flagged). -9. Extension inventory: STARTTLS, PIPELINING, 8BITMIME, SMTPUTF8, - CHUNKING, DSN, ENHANCEDSTATUSCODES, SIZE, AUTH. -10. `AUTH` advertised *before* STARTTLS (credentials-over-plaintext risk). -11. STARTTLS negotiation and TLS version/cipher recorded (no cert checks; handed off to `checker-tls`). -12. Post-TLS EHLO: extensions may expand after the upgrade; we union them. -13. Reverse DNS (PTR) present for each IP. -14. Forward-confirmed reverse DNS (FCrDNS): PTR's forward resolution must include our IP (Gmail / Outlook / Yahoo reject without this). -15. Null sender acceptance (`MAIL FROM:<>`; RFC 5321 mandates this for bounces). -16. Postmaster mailbox acceptance (`RCPT TO:`; RFC 5321 § 4.5.1). -17. **Open-relay probe** (`MAIL FROM:` then `RCPT TO:`; a 2xx indicates an open relay). The probe stops at RCPT; `DATA` is never sent. -18. IPv4 / IPv6 coverage. - -The rule emits one `CheckState` per derived issue, with `Subject` set -to the offending endpoint (`ip:25`) or MX target so the host can -correlate findings across runs. When nothing is wrong the rule emits a -single OK state; an RFC 7505 null MX collapses to a single INFO state. -The HTML report renders a domain-level "What to fix" panel (sorted -crit → warn → info) plus one collapsible section per probed endpoint, -open by default when something is wrong. +| Code | Description | Severity | +|----------------------------|---------------------------------------------------------------------------------------------------|------------| +| `smtp.null_mx` | Reports whether the domain publishes a null MX (RFC 7505), declaring it does not accept mail. | INFO | +| `smtp.mx_present` | Verifies the domain publishes at least one MX record (or a null MX). | CRITICAL | +| `smtp.mx_sanity` | Flags MX targets that violate RFC 5321 § 5.1 (IP literals, CNAME chains, unresolved names). | CRITICAL | +| `smtp.endpoint_reachable` | Verifies every MX endpoint accepts a TCP connection on port 25. | CRITICAL | +| `smtp.banner_sanity` | Verifies every reachable endpoint emits a 220 SMTP greeting. | CRITICAL | +| `smtp.ehlo_supported` | Verifies every endpoint accepts EHLO (required for STARTTLS, PIPELINING, SIZE, …). | CRITICAL | +| `smtp.starttls_offered` | Verifies every endpoint advertises the STARTTLS extension. | CRITICAL | +| `smtp.starttls_handshake` | Verifies the STARTTLS handshake succeeds wherever STARTTLS is advertised. | CRITICAL | +| `smtp.auth_posture` | Flags endpoints that advertise SMTP AUTH before STARTTLS (cleartext credentials). | CRITICAL | +| `smtp.reverse_dns` | Verifies every endpoint has a matching PTR record (FCrDNS). | WARNING | +| `smtp.null_sender` | Verifies endpoints accept the null sender MAIL FROM:<> (required for DSNs). | CRITICAL | +| `smtp.postmaster` | Verifies endpoints accept RCPT TO: (RFC 5321 § 4.5.1). | CRITICAL | +| `smtp.open_relay` | Flags endpoints that relay mail for recipients outside the tested domain. | CRITICAL | +| `smtp.extension_posture` | Reports ESMTP extension posture (PIPELINING, 8BITMIME). | INFO | +| `smtp.ipv6_reachable` | Verifies at least one MX endpoint is reachable over IPv6. | INFO | +| `smtp.tls_quality` | Folds downstream TLS checker findings (certificate chain, hostname match, expiry) onto SMTP. | CRITICAL | ## Most common failures and how the report addresses them From 9bff13c728d84cfe5a61667bc2c39ddfd54a67b1 Mon Sep 17 00:00:00 2001 From: Pierre-Olivier Mercier Date: Sun, 10 May 2026 19:05:20 +0800 Subject: [PATCH 2/2] Add CI/CD pipeline --- .drone-manifest.yml | 22 ++++++ .drone.yml | 187 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 209 insertions(+) create mode 100644 .drone-manifest.yml create mode 100644 .drone.yml diff --git a/.drone-manifest.yml b/.drone-manifest.yml new file mode 100644 index 0000000..36a16c8 --- /dev/null +++ b/.drone-manifest.yml @@ -0,0 +1,22 @@ +image: happydomain/checker-smtp:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}} +{{#if build.tags}} +tags: +{{#each build.tags}} + - {{this}} +{{/each}} +{{/if}} +manifests: + - image: happydomain/checker-smtp:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64 + platform: + architecture: amd64 + os: linux + - image: happydomain/checker-smtp:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64 + platform: + architecture: arm64 + os: linux + variant: v8 + - image: happydomain/checker-smtp:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm + platform: + architecture: arm + os: linux + variant: v7 diff --git a/.drone.yml b/.drone.yml new file mode 100644 index 0000000..cbe01bb --- /dev/null +++ b/.drone.yml @@ -0,0 +1,187 @@ +--- +kind: pipeline +type: docker +name: build-amd64 + +platform: + os: linux + arch: amd64 + +steps: + - name: checker build + image: golang:1-alpine + commands: + - apk add --no-cache git make + - make + environment: + CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}" + CGO_ENABLED: 0 + when: + event: + exclude: + - tag + + - name: checker build tag + image: golang:1-alpine + commands: + - apk add --no-cache git make + - make + environment: + CHECKER_VERSION: "${DRONE_SEMVER}" + CGO_ENABLED: 0 + when: + event: + - tag + + - name: publish on Docker Hub + image: plugins/docker + settings: + repo: happydomain/checker-smtp + auto_tag: true + auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} + dockerfile: Dockerfile + build_args: + - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT} + username: + from_secret: docker_username + password: + from_secret: docker_password + when: + event: + exclude: + - tag + + - name: publish on Docker Hub (tag) + image: plugins/docker + settings: + repo: happydomain/checker-smtp + auto_tag: true + auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} + dockerfile: Dockerfile + build_args: + - CHECKER_VERSION=${DRONE_SEMVER} + username: + from_secret: docker_username + password: + from_secret: docker_password + when: + event: + - tag + +trigger: + branch: + exclude: + - renovate/* + event: + - cron + - push + - tag + +--- +kind: pipeline +type: docker +name: build-arm64 + +platform: + os: linux + arch: arm64 + +steps: + - name: checker build + image: golang:1-alpine + commands: + - apk add --no-cache git make + - make + environment: + CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}" + CGO_ENABLED: 0 + when: + event: + exclude: + - tag + + - name: checker build tag + image: golang:1-alpine + commands: + - apk add --no-cache git make + - make + environment: + CHECKER_VERSION: "${DRONE_SEMVER}" + CGO_ENABLED: 0 + when: + event: + - tag + + - name: publish on Docker Hub + image: plugins/docker + settings: + repo: happydomain/checker-smtp + auto_tag: true + auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} + dockerfile: Dockerfile + build_args: + - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT} + username: + from_secret: docker_username + password: + from_secret: docker_password + when: + event: + exclude: + - tag + + - name: publish on Docker Hub (tag) + image: plugins/docker + settings: + repo: happydomain/checker-smtp + auto_tag: true + auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} + dockerfile: Dockerfile + build_args: + - CHECKER_VERSION=${DRONE_SEMVER} + username: + from_secret: docker_username + password: + from_secret: docker_password + when: + event: + - tag + +trigger: + event: + - cron + - push + - tag + +--- +kind: pipeline +name: docker-manifest + +platform: + os: linux + arch: arm64 + +steps: + - name: publish on Docker Hub + image: plugins/manifest + settings: + auto_tag: true + ignore_missing: true + spec: .drone-manifest.yml + username: + from_secret: docker_username + password: + from_secret: docker_password + +trigger: + branch: + exclude: + - renovate/* + event: + - cron + - push + - tag + +depends_on: + - build-amd64 + - build-arm64