Add CI/CD pipeline

Include rules section
2026-05-10 19:28:36 +08:00 · 2026-04-30 08:47:06 +07:00
3 changed files with 229 additions and 34 deletions
--- a/.drone-manifest.yml
+++ b/.drone-manifest.yml
@ -0,0 +1,22 @@
 image: happydomain/checker-smtp:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
 {{#if build.tags}}
 tags:
 {{#each build.tags}}
  - {{this}}
 {{/each}}
 {{/if}}
 manifests:
  - image: happydomain/checker-smtp:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
    platform:
      architecture: amd64
      os: linux
  - image: happydomain/checker-smtp:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
    platform:
      architecture: arm64
      os: linux
      variant: v8
  - image: happydomain/checker-smtp:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm
    platform:
      architecture: arm
      os: linux
      variant: v7
--- a/.drone.yml
+++ b/.drone.yml
@ -0,0 +1,187 @@
 ---
 kind: pipeline
 type: docker
 name: build-amd64
 platform:
  os: linux
  arch: amd64
 steps:
  - name: checker build
    image: golang:1-alpine
    commands:
      - apk add --no-cache git make
      - make
    environment:
      CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}"
      CGO_ENABLED: 0
    when:
      event:
        exclude:
          - tag
  - name: checker build tag
    image: golang:1-alpine
    commands:
      - apk add --no-cache git make
      - make
    environment:
      CHECKER_VERSION: "${DRONE_SEMVER}"
      CGO_ENABLED: 0
    when:
      event:
        - tag
  - name: publish on Docker Hub
    image: plugins/docker
    settings:
      repo: happydomain/checker-smtp
      auto_tag: true
      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
      dockerfile: Dockerfile
      build_args:
        - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT}
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password
    when:
      event:
        exclude:
          - tag
  - name: publish on Docker Hub (tag)
    image: plugins/docker
    settings:
      repo: happydomain/checker-smtp
      auto_tag: true
      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
      dockerfile: Dockerfile
      build_args:
        - CHECKER_VERSION=${DRONE_SEMVER}
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password
    when:
      event:
        - tag
 trigger:
  branch:
    exclude:
      - renovate/*
  event:
    - cron
    - push
    - tag
 ---
 kind: pipeline
 type: docker
 name: build-arm64
 platform:
  os: linux
  arch: arm64
 steps:
  - name: checker build
    image: golang:1-alpine
    commands:
      - apk add --no-cache git make
      - make
    environment:
      CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}"
      CGO_ENABLED: 0
    when:
      event:
        exclude:
          - tag
  - name: checker build tag
    image: golang:1-alpine
    commands:
      - apk add --no-cache git make
      - make
    environment:
      CHECKER_VERSION: "${DRONE_SEMVER}"
      CGO_ENABLED: 0
    when:
      event:
        - tag
  - name: publish on Docker Hub
    image: plugins/docker
    settings:
      repo: happydomain/checker-smtp
      auto_tag: true
      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
      dockerfile: Dockerfile
      build_args:
        - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT}
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password
    when:
      event:
        exclude:
          - tag
  - name: publish on Docker Hub (tag)
    image: plugins/docker
    settings:
      repo: happydomain/checker-smtp
      auto_tag: true
      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
      dockerfile: Dockerfile
      build_args:
        - CHECKER_VERSION=${DRONE_SEMVER}
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password
    when:
      event:
        - tag
 trigger:
  event:
    - cron
    - push
    - tag
 ---
 kind: pipeline
 name: docker-manifest
 platform:
  os: linux
  arch: arm64
 steps:
  - name: publish on Docker Hub
    image: plugins/manifest
    settings:
      auto_tag: true
      ignore_missing: true
      spec: .drone-manifest.yml
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password
 trigger:
  branch:
    exclude:
      - renovate/*
  event:
    - cron
    - push
    - tag
 depends_on:
  - build-amd64
  - build-arm64
--- a/README.md
+++ b/README.md
@ -44,40 +44,26 @@ HTML report via `ObservationGetter.GetRelated` / `ReportContext.Related`,
 so a bad certificate on an MX shows up on the SMTP service page, not
 only in a separate TLS view.
-## What it checks
+## Rules
-### DNS posture
+| Code                       | Description                                                                                       | Severity   |
-
+|----------------------------|---------------------------------------------------------------------------------------------------|------------|
-1. MX records published? (RFC 7505 null-MX is recognised and reported as INFO)
+| `smtp.null_mx`             | Reports whether the domain publishes a null MX (RFC 7505), declaring it does not accept mail.     | INFO       |
-2. MX target is a hostname, **not** an IP literal (RFC 5321 § 5.1).
+| `smtp.mx_present`          | Verifies the domain publishes at least one MX record (or a null MX).                              | CRITICAL   |
-3. MX target is **not** a CNAME (RFC 5321 § 5.1).
+| `smtp.mx_sanity`           | Flags MX targets that violate RFC 5321 § 5.1 (IP literals, CNAME chains, unresolved names).       | CRITICAL   |
-4. MX target resolves (A and/or AAAA).
+| `smtp.endpoint_reachable`  | Verifies every MX endpoint accepts a TCP connection on port 25.                                   | CRITICAL   |
-5. Implicit-MX fallback warned about.
+| `smtp.banner_sanity`       | Verifies every reachable endpoint emits a 220 SMTP greeting.                                      | CRITICAL   |
-
+| `smtp.ehlo_supported`      | Verifies every endpoint accepts EHLO (required for STARTTLS, PIPELINING, SIZE, …).                | CRITICAL   |
-### Per-endpoint (port 25, for each A/AAAA of each MX)
+| `smtp.starttls_offered`    | Verifies every endpoint advertises the STARTTLS extension.                                        | CRITICAL   |
-
+| `smtp.starttls_handshake`  | Verifies the STARTTLS handshake succeeds wherever STARTTLS is advertised.                         | CRITICAL   |
-6. TCP reachability.
+| `smtp.auth_posture`        | Flags endpoints that advertise SMTP AUTH before STARTTLS (cleartext credentials).                 | CRITICAL   |
-7. SMTP 220 banner, captured verbatim; announced hostname parsed.
+| `smtp.reverse_dns`         | Verifies every endpoint has a matching PTR record (FCrDNS).                                       | WARNING    |
-8. ESMTP EHLO (fallback to HELO detected and flagged).
+| `smtp.null_sender`         | Verifies endpoints accept the null sender MAIL FROM:<> (required for DSNs).                       | CRITICAL   |
-9. Extension inventory: STARTTLS, PIPELINING, 8BITMIME, SMTPUTF8,
+| `smtp.postmaster`          | Verifies endpoints accept RCPT TO:<postmaster@domain> (RFC 5321 § 4.5.1).                         | CRITICAL   |
-   CHUNKING, DSN, ENHANCEDSTATUSCODES, SIZE, AUTH.
+| `smtp.open_relay`          | Flags endpoints that relay mail for recipients outside the tested domain.                         | CRITICAL   |
-10. `AUTH` advertised *before* STARTTLS (credentials-over-plaintext risk).
+| `smtp.extension_posture`   | Reports ESMTP extension posture (PIPELINING, 8BITMIME).                                           | INFO       |
-11. STARTTLS negotiation and TLS version/cipher recorded (no cert checks; handed off to `checker-tls`).
+| `smtp.ipv6_reachable`      | Verifies at least one MX endpoint is reachable over IPv6.                                         | INFO       |
-12. Post-TLS EHLO: extensions may expand after the upgrade; we union them.
+| `smtp.tls_quality`         | Folds downstream TLS checker findings (certificate chain, hostname match, expiry) onto SMTP.      | CRITICAL   |
 13. Reverse DNS (PTR) present for each IP.
 14. Forward-confirmed reverse DNS (FCrDNS): PTR's forward resolution must include our IP (Gmail / Outlook / Yahoo reject without this).
 15. Null sender acceptance (`MAIL FROM:<>`; RFC 5321 mandates this for bounces).
 16. Postmaster mailbox acceptance (`RCPT TO:<postmaster@domain>`; RFC 5321 § 4.5.1).
 17. **Open-relay probe** (`MAIL FROM:<checker@…>` then `RCPT TO:<postmaster@example.com>`; a 2xx indicates an open relay). The probe stops at RCPT; `DATA` is never sent.
 18. IPv4 / IPv6 coverage.
 The rule emits one `CheckState` per derived issue, with `Subject` set
 to the offending endpoint (`ip:25`) or MX target so the host can
 correlate findings across runs. When nothing is wrong the rule emits a
 single OK state; an RFC 7505 null MX collapses to a single INFO state.
 The HTML report renders a domain-level "What to fix" panel (sorted
 crit → warn → info) plus one collapsible section per probed endpoint,
 open by default when something is wrong.
 ## Most common failures and how the report addresses them
Author	SHA1	Message	Date
Pierre-Olivier Mercier	9bff13c728	Add CI/CD pipeline All checks were successful continuous-integration/drone/push Build is passing Details	2026-05-10 19:28:36 +08:00
Pierre-Olivier Mercier	0d033115b3	Include rules section	2026-04-30 08:47:06 +07:00