diff --git a/.drone-manifest.yml b/.drone-manifest.yml deleted file mode 100644 index 36a16c8..0000000 --- a/.drone-manifest.yml +++ /dev/null @@ -1,22 +0,0 @@ -image: happydomain/checker-smtp:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}} -{{#if build.tags}} -tags: -{{#each build.tags}} - - {{this}} -{{/each}} -{{/if}} -manifests: - - image: happydomain/checker-smtp:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64 - platform: - architecture: amd64 - os: linux - - image: happydomain/checker-smtp:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64 - platform: - architecture: arm64 - os: linux - variant: v8 - - image: happydomain/checker-smtp:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm - platform: - architecture: arm - os: linux - variant: v7 diff --git a/.drone.yml b/.drone.yml deleted file mode 100644 index cbe01bb..0000000 --- a/.drone.yml +++ /dev/null @@ -1,187 +0,0 @@ ---- -kind: pipeline -type: docker -name: build-amd64 - -platform: - os: linux - arch: amd64 - -steps: - - name: checker build - image: golang:1-alpine - commands: - - apk add --no-cache git make - - make - environment: - CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}" - CGO_ENABLED: 0 - when: - event: - exclude: - - tag - - - name: checker build tag - image: golang:1-alpine - commands: - - apk add --no-cache git make - - make - environment: - CHECKER_VERSION: "${DRONE_SEMVER}" - CGO_ENABLED: 0 - when: - event: - - tag - - - name: publish on Docker Hub - image: plugins/docker - settings: - repo: happydomain/checker-smtp - auto_tag: true - auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} - dockerfile: Dockerfile - build_args: - - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT} - username: - from_secret: docker_username - password: - from_secret: docker_password - when: - event: - exclude: - - tag - - - name: publish on Docker Hub (tag) - image: plugins/docker - settings: - repo: happydomain/checker-smtp - auto_tag: true - auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} - dockerfile: Dockerfile - build_args: - - CHECKER_VERSION=${DRONE_SEMVER} - username: - from_secret: docker_username - password: - from_secret: docker_password - when: - event: - - tag - -trigger: - branch: - exclude: - - renovate/* - event: - - cron - - push - - tag - ---- -kind: pipeline -type: docker -name: build-arm64 - -platform: - os: linux - arch: arm64 - -steps: - - name: checker build - image: golang:1-alpine - commands: - - apk add --no-cache git make - - make - environment: - CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}" - CGO_ENABLED: 0 - when: - event: - exclude: - - tag - - - name: checker build tag - image: golang:1-alpine - commands: - - apk add --no-cache git make - - make - environment: - CHECKER_VERSION: "${DRONE_SEMVER}" - CGO_ENABLED: 0 - when: - event: - - tag - - - name: publish on Docker Hub - image: plugins/docker - settings: - repo: happydomain/checker-smtp - auto_tag: true - auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} - dockerfile: Dockerfile - build_args: - - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT} - username: - from_secret: docker_username - password: - from_secret: docker_password - when: - event: - exclude: - - tag - - - name: publish on Docker Hub (tag) - image: plugins/docker - settings: - repo: happydomain/checker-smtp - auto_tag: true - auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} - dockerfile: Dockerfile - build_args: - - CHECKER_VERSION=${DRONE_SEMVER} - username: - from_secret: docker_username - password: - from_secret: docker_password - when: - event: - - tag - -trigger: - event: - - cron - - push - - tag - ---- -kind: pipeline -name: docker-manifest - -platform: - os: linux - arch: arm64 - -steps: - - name: publish on Docker Hub - image: plugins/manifest - settings: - auto_tag: true - ignore_missing: true - spec: .drone-manifest.yml - username: - from_secret: docker_username - password: - from_secret: docker_password - -trigger: - branch: - exclude: - - renovate/* - event: - - cron - - push - - tag - -depends_on: - - build-amd64 - - build-arm64 diff --git a/README.md b/README.md index db6ee21..95c545b 100644 --- a/README.md +++ b/README.md @@ -44,26 +44,40 @@ HTML report via `ObservationGetter.GetRelated` / `ReportContext.Related`, so a bad certificate on an MX shows up on the SMTP service page, not only in a separate TLS view. -## Rules +## What it checks -| Code | Description | Severity | -|----------------------------|---------------------------------------------------------------------------------------------------|------------| -| `smtp.null_mx` | Reports whether the domain publishes a null MX (RFC 7505), declaring it does not accept mail. | INFO | -| `smtp.mx_present` | Verifies the domain publishes at least one MX record (or a null MX). | CRITICAL | -| `smtp.mx_sanity` | Flags MX targets that violate RFC 5321 § 5.1 (IP literals, CNAME chains, unresolved names). | CRITICAL | -| `smtp.endpoint_reachable` | Verifies every MX endpoint accepts a TCP connection on port 25. | CRITICAL | -| `smtp.banner_sanity` | Verifies every reachable endpoint emits a 220 SMTP greeting. | CRITICAL | -| `smtp.ehlo_supported` | Verifies every endpoint accepts EHLO (required for STARTTLS, PIPELINING, SIZE, …). | CRITICAL | -| `smtp.starttls_offered` | Verifies every endpoint advertises the STARTTLS extension. | CRITICAL | -| `smtp.starttls_handshake` | Verifies the STARTTLS handshake succeeds wherever STARTTLS is advertised. | CRITICAL | -| `smtp.auth_posture` | Flags endpoints that advertise SMTP AUTH before STARTTLS (cleartext credentials). | CRITICAL | -| `smtp.reverse_dns` | Verifies every endpoint has a matching PTR record (FCrDNS). | WARNING | -| `smtp.null_sender` | Verifies endpoints accept the null sender MAIL FROM:<> (required for DSNs). | CRITICAL | -| `smtp.postmaster` | Verifies endpoints accept RCPT TO: (RFC 5321 § 4.5.1). | CRITICAL | -| `smtp.open_relay` | Flags endpoints that relay mail for recipients outside the tested domain. | CRITICAL | -| `smtp.extension_posture` | Reports ESMTP extension posture (PIPELINING, 8BITMIME). | INFO | -| `smtp.ipv6_reachable` | Verifies at least one MX endpoint is reachable over IPv6. | INFO | -| `smtp.tls_quality` | Folds downstream TLS checker findings (certificate chain, hostname match, expiry) onto SMTP. | CRITICAL | +### DNS posture + +1. MX records published? (RFC 7505 null-MX is recognised and reported as INFO) +2. MX target is a hostname, **not** an IP literal (RFC 5321 § 5.1). +3. MX target is **not** a CNAME (RFC 5321 § 5.1). +4. MX target resolves (A and/or AAAA). +5. Implicit-MX fallback warned about. + +### Per-endpoint (port 25, for each A/AAAA of each MX) + +6. TCP reachability. +7. SMTP 220 banner, captured verbatim; announced hostname parsed. +8. ESMTP EHLO (fallback to HELO detected and flagged). +9. Extension inventory: STARTTLS, PIPELINING, 8BITMIME, SMTPUTF8, + CHUNKING, DSN, ENHANCEDSTATUSCODES, SIZE, AUTH. +10. `AUTH` advertised *before* STARTTLS (credentials-over-plaintext risk). +11. STARTTLS negotiation and TLS version/cipher recorded (no cert checks; handed off to `checker-tls`). +12. Post-TLS EHLO: extensions may expand after the upgrade; we union them. +13. Reverse DNS (PTR) present for each IP. +14. Forward-confirmed reverse DNS (FCrDNS): PTR's forward resolution must include our IP (Gmail / Outlook / Yahoo reject without this). +15. Null sender acceptance (`MAIL FROM:<>`; RFC 5321 mandates this for bounces). +16. Postmaster mailbox acceptance (`RCPT TO:`; RFC 5321 § 4.5.1). +17. **Open-relay probe** (`MAIL FROM:` then `RCPT TO:`; a 2xx indicates an open relay). The probe stops at RCPT; `DATA` is never sent. +18. IPv4 / IPv6 coverage. + +The rule emits one `CheckState` per derived issue, with `Subject` set +to the offending endpoint (`ip:25`) or MX target so the host can +correlate findings across runs. When nothing is wrong the rule emits a +single OK state; an RFC 7505 null MX collapses to a single INFO state. +The HTML report renders a domain-level "What to fix" panel (sorted +crit → warn → info) plus one collapsible section per probed endpoint, +open by default when something is wrong. ## Most common failures and how the report addresses them