happyDomain/checker-smtp
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: happyDomain:master
Branches Tags
happyDomain:master
happyDomain:v0.1.0
..
compare: happyDomain:v0.1.0
Branches Tags
happyDomain:master
happyDomain:v0.1.0

No commits in common. "master" and "v0.1.0" have entirely different histories.
master ... v0.1.0

3 changed files with 34 additions and 229 deletions
Download patch file Download diff file Expand all files Collapse all files

22
.drone-manifest.yml
View file

@ -1,22 +0,0 @@
image: happydomain/checker-smtp:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
{{#if build.tags}}
tags:
{{#each build.tags}}
- {{this}}
{{/each}}
{{/if}}
manifests:
- image: happydomain/checker-smtp:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
platform:
architecture: amd64
os: linux
- image: happydomain/checker-smtp:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
platform:
architecture: arm64
os: linux
variant: v8
- image: happydomain/checker-smtp:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm
platform:
architecture: arm
os: linux
variant: v7

187
.drone.yml
View file

@ -1,187 +0,0 @@
---
kind: pipeline
type: docker
name: build-amd64
platform:
os: linux
arch: amd64
steps:
- name: checker build
image: golang:1-alpine
commands:
- apk add --no-cache git make
- make
environment:
CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}"
CGO_ENABLED: 0
when:
event:
exclude:
- tag
- name: checker build tag
image: golang:1-alpine
commands:
- apk add --no-cache git make
- make
environment:
CHECKER_VERSION: "${DRONE_SEMVER}"
CGO_ENABLED: 0
when:
event:
- tag
- name: publish on Docker Hub
image: plugins/docker
settings:
repo: happydomain/checker-smtp
auto_tag: true
auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
dockerfile: Dockerfile
build_args:
- CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT}
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- tag
- name: publish on Docker Hub (tag)
image: plugins/docker
settings:
repo: happydomain/checker-smtp
auto_tag: true
auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
dockerfile: Dockerfile
build_args:
- CHECKER_VERSION=${DRONE_SEMVER}
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
- tag
trigger:
branch:
exclude:
- renovate/*
event:
- cron
- push
- tag
---
kind: pipeline
type: docker
name: build-arm64
platform:
os: linux
arch: arm64
steps:
- name: checker build
image: golang:1-alpine
commands:
- apk add --no-cache git make
- make
environment:
CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}"
CGO_ENABLED: 0
when:
event:
exclude:
- tag
- name: checker build tag
image: golang:1-alpine
commands:
- apk add --no-cache git make
- make
environment:
CHECKER_VERSION: "${DRONE_SEMVER}"
CGO_ENABLED: 0
when:
event:
- tag
- name: publish on Docker Hub
image: plugins/docker
settings:
repo: happydomain/checker-smtp
auto_tag: true
auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
dockerfile: Dockerfile
build_args:
- CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT}
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
exclude:
- tag
- name: publish on Docker Hub (tag)
image: plugins/docker
settings:
repo: happydomain/checker-smtp
auto_tag: true
auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
dockerfile: Dockerfile
build_args:
- CHECKER_VERSION=${DRONE_SEMVER}
username:
from_secret: docker_username
password:
from_secret: docker_password
when:
event:
- tag
trigger:
event:
- cron
- push
- tag
---
kind: pipeline
name: docker-manifest
platform:
os: linux
arch: arm64
steps:
- name: publish on Docker Hub
image: plugins/manifest
settings:
auto_tag: true
ignore_missing: true
spec: .drone-manifest.yml
username:
from_secret: docker_username
password:
from_secret: docker_password
trigger:
branch:
exclude:
- renovate/*
event:
- cron
- push
- tag
depends_on:
- build-amd64
- build-arm64

52
README.md
View file

@ -44,26 +44,40 @@ HTML report via `ObservationGetter.GetRelated` / `ReportContext.Related`,
so a bad certificate on an MX shows up on the SMTP service page, not so a bad certificate on an MX shows up on the SMTP service page, not
only in a separate TLS view. only in a separate TLS view.
## Rules ## What it checks
| Code | Description | Severity | ### DNS posture
|----------------------------|---------------------------------------------------------------------------------------------------|------------|
| `smtp.null_mx` | Reports whether the domain publishes a null MX (RFC 7505), declaring it does not accept mail. | INFO | 1. MX records published? (RFC 7505 null-MX is recognised and reported as INFO)
| `smtp.mx_present` | Verifies the domain publishes at least one MX record (or a null MX). | CRITICAL | 2. MX target is a hostname, **not** an IP literal (RFC 5321 § 5.1).
| `smtp.mx_sanity` | Flags MX targets that violate RFC 5321 § 5.1 (IP literals, CNAME chains, unresolved names). | CRITICAL | 3. MX target is **not** a CNAME (RFC 5321 § 5.1).
| `smtp.endpoint_reachable` | Verifies every MX endpoint accepts a TCP connection on port 25. | CRITICAL | 4. MX target resolves (A and/or AAAA).
| `smtp.banner_sanity` | Verifies every reachable endpoint emits a 220 SMTP greeting. | CRITICAL | 5. Implicit-MX fallback warned about.
| `smtp.ehlo_supported` | Verifies every endpoint accepts EHLO (required for STARTTLS, PIPELINING, SIZE, …). | CRITICAL |
| `smtp.starttls_offered` | Verifies every endpoint advertises the STARTTLS extension. | CRITICAL | ### Per-endpoint (port 25, for each A/AAAA of each MX)
| `smtp.starttls_handshake` | Verifies the STARTTLS handshake succeeds wherever STARTTLS is advertised. | CRITICAL |
| `smtp.auth_posture` | Flags endpoints that advertise SMTP AUTH before STARTTLS (cleartext credentials). | CRITICAL | 6. TCP reachability.
| `smtp.reverse_dns` | Verifies every endpoint has a matching PTR record (FCrDNS). | WARNING | 7. SMTP 220 banner, captured verbatim; announced hostname parsed.
| `smtp.null_sender` | Verifies endpoints accept the null sender MAIL FROM:<> (required for DSNs). | CRITICAL | 8. ESMTP EHLO (fallback to HELO detected and flagged).
| `smtp.postmaster` | Verifies endpoints accept RCPT TO:<postmaster@domain> (RFC 5321 § 4.5.1). | CRITICAL | 9. Extension inventory: STARTTLS, PIPELINING, 8BITMIME, SMTPUTF8,
| `smtp.open_relay` | Flags endpoints that relay mail for recipients outside the tested domain. | CRITICAL | CHUNKING, DSN, ENHANCEDSTATUSCODES, SIZE, AUTH.
| `smtp.extension_posture` | Reports ESMTP extension posture (PIPELINING, 8BITMIME). | INFO | 10. `AUTH` advertised *before* STARTTLS (credentials-over-plaintext risk).
| `smtp.ipv6_reachable` | Verifies at least one MX endpoint is reachable over IPv6. | INFO | 11. STARTTLS negotiation and TLS version/cipher recorded (no cert checks; handed off to `checker-tls`).
| `smtp.tls_quality` | Folds downstream TLS checker findings (certificate chain, hostname match, expiry) onto SMTP. | CRITICAL | 12. Post-TLS EHLO: extensions may expand after the upgrade; we union them.
13. Reverse DNS (PTR) present for each IP.
14. Forward-confirmed reverse DNS (FCrDNS): PTR's forward resolution must include our IP (Gmail / Outlook / Yahoo reject without this).
15. Null sender acceptance (`MAIL FROM:<>`; RFC 5321 mandates this for bounces).
16. Postmaster mailbox acceptance (`RCPT TO:<postmaster@domain>`; RFC 5321 § 4.5.1).
17. **Open-relay probe** (`MAIL FROM:<checker@…>` then `RCPT TO:<postmaster@example.com>`; a 2xx indicates an open relay). The probe stops at RCPT; `DATA` is never sent.
18. IPv4 / IPv6 coverage.
The rule emits one `CheckState` per derived issue, with `Subject` set
to the offending endpoint (`ip:25`) or MX target so the host can
correlate findings across runs. When nothing is wrong the rule emits a
single OK state; an RFC 7505 null MX collapses to a single INFO state.
The HTML report renders a domain-level "What to fix" panel (sorted
crit → warn → info) plus one collapsible section per probed endpoint,
open by default when something is wrong.
## Most common failures and how the report addresses them ## Most common failures and how the report addresses them