happyDomain/happyDeliver
2
0
Fork 0
Code Issues 8 Pull requests 5 Projects Releases Packages Wiki Activity Actions

Compare commits

base: happyDomain:master
Branches Tags
happyDomain:master
happyDomain:renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x
happyDomain:renovate/prettier-plugin-svelte-4.x
happyDomain:renovate/github.com-oapi-codegen-runtime-1.x
happyDomain:renovate/github.com-getkin-kin-openapi-0.x
happyDomain:renovate/major-vitest-monorepo
happyDomain:build
happyDomain:renovate/npm-svelte-vulnerability
happyDomain:renovate/npm-sveltejs-kit-vulnerability
happyDomain:f/rspamd
happyDomain:f/unsubscribe-link-detection
happyDomain:internal_resolver
happyDomain:renovate/eslint-plugin-svelte-3.x-lockfile
happyDomain:renovate/node-22.x-lockfile
happyDomain:renovate/eslint-compat-1.x-lockfile
happyDomain:renovate/sveltejs-kit-2.x-lockfile
happyDomain:renovate/svelte-5.x-lockfile
happyDomain:v1.2.0
happyDomain:v1.1.1
happyDomain:v1.1.0
happyDomain:v1.0.0
..
compare: happyDomain:renovate/prettier-plugin-svelte-4.x
Branches Tags
happyDomain:master
happyDomain:renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x
happyDomain:renovate/prettier-plugin-svelte-4.x
happyDomain:renovate/github.com-oapi-codegen-runtime-1.x
happyDomain:renovate/github.com-getkin-kin-openapi-0.x
happyDomain:renovate/major-vitest-monorepo
happyDomain:build
happyDomain:renovate/npm-svelte-vulnerability
happyDomain:renovate/npm-sveltejs-kit-vulnerability
happyDomain:f/rspamd
happyDomain:f/unsubscribe-link-detection
happyDomain:internal_resolver
happyDomain:renovate/eslint-plugin-svelte-3.x-lockfile
happyDomain:renovate/node-22.x-lockfile
happyDomain:renovate/eslint-compat-1.x-lockfile
happyDomain:renovate/sveltejs-kit-2.x-lockfile
happyDomain:renovate/svelte-5.x-lockfile
happyDomain:v1.2.0
happyDomain:v1.1.1
happyDomain:v1.1.0
happyDomain:v1.0.0

1 commit
master ... renovate/p

Author SHA1 Message Date
Renovate Bot
a6e882c60b chore(deps): update dependency prettier-plugin-svelte to v4 2026-06-04 03:06:56 +00:00
24 changed files with 12 additions and 1530 deletions
Download patch file Download diff file Expand all files Collapse all files

98
api/schemas.yaml
View file

@ -434,29 +434,6 @@ components:
type: string
description: Reverse DNS (PTR record) for the IP address
example: "mail.example.com"
tls:
$ref: '#/components/schemas/TLSInfo'
description: TLS details of the connection for this hop, if encrypted
TLSInfo:
type: object
properties:
version:
type: string
description: TLS protocol version
example: "TLSv1.3"
cipher:
type: string
description: Cipher suite used
example: "TLS_AES_256_GCM_SHA384"
bits:
type: integer
description: Cipher strength in bits
example: 256
verified:
type: boolean
description: Whether the peer certificate was verified/trusted
example: true
DKIMDomainInfo:
type: object
@ -560,14 +537,6 @@ components:
x_aligned_from:
$ref: '#/components/schemas/AuthResult'
description: X-Aligned-From authentication result (checks address alignment)
x_ptr:
$ref: '#/components/schemas/XPtrResult'
description: X-Ptr result (HELO hostname vs reverse DNS consistency check)
x_tls:
$ref: '#/components/schemas/AuthResult'
description: >-
Transport TLS encryption of the inbound connection (x-tls).
Synthesized from the inbound Received hop when no x-tls header is present.
AuthResult:
type: object
@ -637,29 +606,6 @@ components:
description: Additional details about the IP reverse lookup
example: "smtp.remote-ip=195.110.101.58 (authsmtp74.register.it)"
XPtrResult:
type: object
required:
- result
properties:
result:
type: string
enum: [pass, fail, none, temperror, permerror]
description: HELO/PTR consistency check result
example: "fail"
helo:
type: string
description: HELO/EHLO hostname announced by the sending server (smtp.helo)
example: "relay.example.org"
ptr:
type: string
description: Reverse DNS (PTR) hostname of the sender IP (policy.ptr)
example: "mail.example.com"
details:
type: string
description: Additional details about the x-ptr check
example: "smtp.helo=relay.example.org policy.ptr=mail.example.com"
SpamAssassinResult:
type: object
required:
@ -850,56 +796,12 @@ components:
type: string
description: A or AAAA records resolved from the PTR hostnames (forward confirmation)
example: ["192.0.2.1", "2001:db8::1"]
helo_hostname:
type: string
description: HELO/EHLO hostname announced by the sending server (from the first Received hop)
example: "mail.example.com"
helo_ptr_match:
type: boolean
description: Whether the announced HELO hostname matches one of the sender's PTR records (case-insensitive)
return_ok:
$ref: '#/components/schemas/ReturnOK'
errors:
type: array
items:
type: string
description: DNS lookup errors
ReturnOK:
type: object
description: Whether the sender domains can receive replies and bounces (MX, with A/AAAA fallback)
properties:
from:
$ref: '#/components/schemas/ReturnOKDomain'
return_path:
$ref: '#/components/schemas/ReturnOKDomain'
ReturnOKDomain:
type: object
required:
- domain
- status
properties:
domain:
type: string
description: Domain that was evaluated
example: "example.com"
status:
type: string
enum: [pass, warn, fail]
x-go-type: string
description: pass = MX present, warn = only A/AAAA records (implicit MX), fail = no records
has_mx:
type: boolean
description: Whether the domain has at least one MX record
has_address:
type: boolean
description: Whether the domain has an A or AAAA record (implicit MX fallback)
org_domain:
type: string
description: Organizational domain used as fallback when the domain itself had no records
example: "example.com"
MXRecord:
type: object
required:

2
docker/authentication_milter/authentication_milter.json
View file

@ -52,8 +52,6 @@
"PTR" : {},
"TLS" : {},
"SenderID" : {
"hide_none" : 1
},

5
docker/postfix/main.cf
View file

@ -7,7 +7,7 @@ myhostname = __HOSTNAME__
mydomain = __DOMAIN__
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
inet_protocols = ipv4
# Recipient settings
mydestination = localhost.$mydomain, localhost
@ -36,8 +36,5 @@ smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_destination
# TLS - record the negotiated cipher/protocol in the Received: header
smtpd_tls_received_header = yes
# Logging
debug_peer_level = 2

3
docker/postfix/master.cf
View file

@ -3,9 +3,6 @@
# SMTP service
smtp inet n - n - - smtpd
# TLS session cache and PRNG manager (required for STARTTLS)
tlsmgr unix - - n 1000? 1 tlsmgr
# Pickup service
pickup unix n - n 60 1 pickup

17
pkg/analyzer/authentication.go
View file

@ -140,20 +140,6 @@ func (a *AuthenticationAnalyzer) parseAuthenticationResultsHeader(header string,
results.XAlignedFrom = a.parseXAlignedFromResult(part)
}
}
// Parse x-ptr
if strings.HasPrefix(part, "x-ptr=") {
if results.XPtr == nil {
results.XPtr = a.parseXPtrResult(part)
}
}
// Parse x-tls
if strings.HasPrefix(part, "x-tls=") {
if results.XTls == nil {
results.XTls = a.parseXTLSResult(part)
}
}
}
}
@ -190,9 +176,6 @@ func (a *AuthenticationAnalyzer) CalculateAuthenticationScore(results *model.Aut
// Penalty-only: X-Aligned-From (up to -5 points on failure)
score += 5 * a.calculateXAlignedFromScore(results) / 100
// Penalty-only: X-TLS / transport encryption (-10 points when not encrypted)
score += 10 * a.calculateXTLSScore(results) / 100
// Ensure score doesn't exceed 100
if score > 100 {
score = 100

61
pkg/analyzer/authentication_x_ptr.go
View file

@ -1,61 +0,0 @@
// This file is part of the happyDeliver (R) project.
// Copyright (c) 2025-2026 happyDomain
// Authors: Pierre-Olivier Mercier, et al.
//
// This program is offered under a commercial and under the AGPL license.
// For commercial licensing, contact us at <contact@happydomain.org>.
//
// For AGPL licensing:
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package analyzer
import (
"regexp"
"strings"
"git.happydns.org/happyDeliver/internal/model"
"git.happydns.org/happyDeliver/internal/utils"
)
// parseXPtrResult parses the x-ptr result from Authentication-Results.
// Example: x-ptr=fail smtp.helo=relay.example.org policy.ptr=mail.example.com
func (a *AuthenticationAnalyzer) parseXPtrResult(part string) *model.XPtrResult {
result := &model.XPtrResult{}
// Extract result (pass, fail, none, temperror, permerror)
re := regexp.MustCompile(`x-ptr=(\w+)`)
if matches := re.FindStringSubmatch(part); len(matches) > 1 {
resultStr := strings.ToLower(matches[1])
result.Result = model.XPtrResultResult(resultStr)
}
// Extract announced HELO hostname (smtp.helo)
heloRe := regexp.MustCompile(`smtp\.helo=([^\s;()]+)`)
if matches := heloRe.FindStringSubmatch(part); len(matches) > 1 {
helo := matches[1]
result.Helo = &helo
}
// Extract reverse DNS hostname (policy.ptr)
ptrRe := regexp.MustCompile(`policy\.ptr=([^\s;()]+)`)
if matches := ptrRe.FindStringSubmatch(part); len(matches) > 1 {
ptr := matches[1]
result.Ptr = &ptr
}
result.Details = utils.PtrTo(strings.TrimPrefix(part, "x-ptr="))
return result
}

81
pkg/analyzer/authentication_x_ptr_test.go
View file

@ -1,81 +0,0 @@
// This file is part of the happyDeliver (R) project.
// Copyright (c) 2025-2026 happyDomain
// Authors: Pierre-Olivier Mercier, et al.
//
// This program is offered under a commercial and under the AGPL license.
// For commercial licensing, contact us at <contact@happydomain.org>.
//
// For AGPL licensing:
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package analyzer
import (
"testing"
"git.happydns.org/happyDeliver/internal/model"
"git.happydns.org/happyDeliver/internal/utils"
)
func TestParseXPtrResult(t *testing.T) {
a := NewAuthenticationAnalyzer("receiver.com")
tests := []struct {
name string
part string
expectedResult model.XPtrResultResult
expectedHelo *string
expectedPtr *string
}{
{
name: "x-ptr fail with helo and ptr",
part: "x-ptr=fail smtp.helo=relay.example.org policy.ptr=mail.example.com",
expectedResult: model.XPtrResultResultFail,
expectedHelo: utils.PtrTo("relay.example.org"),
expectedPtr: utils.PtrTo("mail.example.com"),
},
{
name: "x-ptr pass",
part: "x-ptr=pass smtp.helo=mail.example.com policy.ptr=mail.example.com",
expectedResult: model.XPtrResultResultPass,
expectedHelo: utils.PtrTo("mail.example.com"),
expectedPtr: utils.PtrTo("mail.example.com"),
},
{
name: "x-ptr none without ptr",
part: "x-ptr=none smtp.helo=relay.example.org",
expectedResult: model.XPtrResultResultNone,
expectedHelo: utils.PtrTo("relay.example.org"),
expectedPtr: nil,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := a.parseXPtrResult(tt.part)
if result == nil {
t.Fatal("expected non-nil result")
}
if result.Result != tt.expectedResult {
t.Errorf("Result = %q, want %q", result.Result, tt.expectedResult)
}
if !equalStrPtr(result.Helo, tt.expectedHelo) {
t.Errorf("Helo = %v, want %v", result.Helo, tt.expectedHelo)
}
if !equalStrPtr(result.Ptr, tt.expectedPtr) {
t.Errorf("Ptr = %v, want %v", result.Ptr, tt.expectedPtr)
}
})
}
}

154
pkg/analyzer/authentication_x_tls.go
View file

@ -1,154 +0,0 @@
// This file is part of the happyDeliver (R) project.
// Copyright (c) 2025 happyDomain
// Authors: Pierre-Olivier Mercier, et al.
//
// This program is offered under a commercial and under the AGPL license.
// For commercial licensing, contact us at <contact@happydomain.org>.
//
// For AGPL licensing:
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package analyzer
import (
"fmt"
"regexp"
"strings"
"git.happydns.org/happyDeliver/internal/model"
"git.happydns.org/happyDeliver/internal/utils"
)
// parseXTLSResult parses the x-tls result from Authentication-Results.
// Example: x-tls=pass smtp.version=TLSv1.3 smtp.cipher=TLS_AES_256_GCM_SHA384 smtp.bits=256
func (a *AuthenticationAnalyzer) parseXTLSResult(part string) *model.AuthResult {
result := &model.AuthResult{}
// Extract result (pass, fail, none, ...)
re := regexp.MustCompile(`x-tls=(\w+)`)
if matches := re.FindStringSubmatch(part); len(matches) > 1 {
result.Result = model.AuthResultResult(strings.ToLower(matches[1]))
}
result.Details = utils.PtrTo(formatTLSDetails(
submatch(part, `smtp\.version=([^\s;()]+)`),
submatch(part, `smtp\.cipher=([^\s;()]+)`),
submatch(part, `smtp\.bits=(\d+)`),
))
return result
}
// calculateXTLSScore returns a penalty for a negative transport-TLS result.
// pass (or absent) does not alter the score; any other result is penalized.
func (a *AuthenticationAnalyzer) calculateXTLSScore(results *model.AuthenticationResults) (score int) {
if results.XTls != nil {
switch results.XTls.Result {
case model.AuthResultResultPass:
// pass: don't alter the score
default:
return -100
}
}
return 0
}
// ReconcileXTLS fills in the x-tls result from the inbound connection's parsed TLS
// information when no x-tls Authentication-Results header was present. The inbound
// connection is the most recent hop (index 0) of the received chain.
func (a *AuthenticationAnalyzer) ReconcileXTLS(results *model.AuthenticationResults, chain *[]model.ReceivedHop) {
if results == nil || results.XTls != nil {
return
}
if chain == nil || len(*chain) == 0 {
return
}
inbound := (*chain)[0]
switch {
case inbound.Tls != nil:
// Full TLS parenthetical present (smtpd_tls_received_header = yes).
var version, cipher, bits string
if inbound.Tls.Version != nil {
version = *inbound.Tls.Version
}
if inbound.Tls.Cipher != nil {
cipher = *inbound.Tls.Cipher
}
if inbound.Tls.Bits != nil {
bits = fmt.Sprintf("%d", *inbound.Tls.Bits)
}
results.XTls = &model.AuthResult{
Result: model.AuthResultResultPass,
Details: utils.PtrTo(formatTLSDetails(version, cipher, bits)),
}
case protocolIndicatesTLS(inbound.With):
// No TLS parenthetical (smtpd_tls_received_header may be disabled), but the
// transport keyword (ESMTPS, ESMTPSA, ...) tells us the session was encrypted.
// We just don't have the cipher details.
results.XTls = &model.AuthResult{
Result: model.AuthResultResultPass,
Details: utils.PtrTo(fmt.Sprintf("Encrypted connection (%s); cipher details unavailable", *inbound.With)),
}
case inbound.With != nil:
// A plaintext transport keyword (SMTP, ESMTP, ESMTPA, ...) is positive
// evidence the inbound connection was not encrypted.
results.XTls = &model.AuthResult{
Result: model.AuthResultResultNone,
Details: utils.PtrTo(fmt.Sprintf("Inbound connection was not encrypted (%s)", *inbound.With)),
}
default:
// Neither TLS details nor a transport keyword: we cannot tell whether the
// connection was encrypted. Leave x-tls unset rather than wrongly penalize.
}
}
// protocolIndicatesTLS reports whether an SMTP "with" transport keyword denotes a
// TLS-encrypted session. Per RFC 3848 the keyword gains a trailing "S" when STARTTLS
// (or implicit TLS) was negotiated: ESMTPS, ESMTPSA, SMTPS, LMTPS, LMTPSA, UTF8SMTPS...
// The plaintext variants end in "P" (SMTP, ESMTP, LMTP) or "A" (ESMTPA, LMTPA).
func protocolIndicatesTLS(with *string) bool {
if with == nil {
return false
}
p := strings.ToUpper(strings.TrimSpace(*with))
return strings.HasSuffix(p, "S") || strings.HasSuffix(p, "SA")
}
// submatch returns the first capture group of pattern in s, or "".
func submatch(s, pattern string) string {
if matches := regexp.MustCompile(pattern).FindStringSubmatch(s); len(matches) > 1 {
return matches[1]
}
return ""
}
// formatTLSDetails builds a human-readable summary of the TLS parameters.
func formatTLSDetails(version, cipher, bits string) string {
var parts []string
if version != "" {
parts = append(parts, version)
}
if cipher != "" {
parts = append(parts, "cipher "+cipher)
}
if bits != "" {
parts = append(parts, bits+" bits")
}
return strings.Join(parts, ", ")
}

165
pkg/analyzer/authentication_x_tls_test.go
View file

@ -1,165 +0,0 @@
// This file is part of the happyDeliver (R) project.
// Copyright (c) 2025 happyDomain
// Authors: Pierre-Olivier Mercier, et al.
//
// This program is offered under a commercial and under the AGPL license.
// For commercial licensing, contact us at <contact@happydomain.org>.
//
// For AGPL licensing:
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package analyzer
import (
"strings"
"testing"
"git.happydns.org/happyDeliver/internal/model"
"git.happydns.org/happyDeliver/internal/utils"
)
func TestParseXTLSResult(t *testing.T) {
analyzer := NewAuthenticationAnalyzer("")
result := analyzer.parseXTLSResult("x-tls=pass smtp.version=TLSv1.3 smtp.cipher=TLS_AES_256_GCM_SHA384 smtp.bits=256")
if result.Result != model.AuthResultResultPass {
t.Errorf("Result = %v, want pass", result.Result)
}
if result.Details == nil {
t.Fatal("Details should not be nil")
}
for _, want := range []string{"TLSv1.3", "TLS_AES_256_GCM_SHA384", "256 bits"} {
if !strings.Contains(*result.Details, want) {
t.Errorf("Details %q should contain %q", *result.Details, want)
}
}
}
func TestCalculateXTLSScore(t *testing.T) {
analyzer := NewAuthenticationAnalyzer("")
tests := []struct {
name string
xtls *model.AuthResult
score int
}{
{"nil", nil, 0},
{"pass", &model.AuthResult{Result: model.AuthResultResultPass}, 0},
{"none", &model.AuthResult{Result: model.AuthResultResultNone}, -100},
{"fail", &model.AuthResult{Result: model.AuthResultResultFail}, -100},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
results := &model.AuthenticationResults{XTls: tt.xtls}
if got := analyzer.calculateXTLSScore(results); got != tt.score {
t.Errorf("calculateXTLSScore = %d, want %d", got, tt.score)
}
})
}
}
func TestReconcileXTLS(t *testing.T) {
analyzer := NewAuthenticationAnalyzer("")
t.Run("keeps existing x-tls header result", func(t *testing.T) {
existing := &model.AuthResult{Result: model.AuthResultResultFail}
results := &model.AuthenticationResults{XTls: existing}
chain := &[]model.ReceivedHop{{Tls: &model.TLSInfo{Version: utils.PtrTo("TLSv1.3")}}}
analyzer.ReconcileXTLS(results, chain)
if results.XTls != existing {
t.Error("existing XTls should be preserved")
}
})
t.Run("synthesizes pass from encrypted inbound hop", func(t *testing.T) {
results := &model.AuthenticationResults{}
chain := &[]model.ReceivedHop{{Tls: &model.TLSInfo{
Version: utils.PtrTo("TLSv1.3"),
Cipher: utils.PtrTo("TLS_AES_256_GCM_SHA384"),
Bits: utils.PtrTo(256),
}}}
analyzer.ReconcileXTLS(results, chain)
if results.XTls == nil || results.XTls.Result != model.AuthResultResultPass {
t.Fatalf("expected synthesized pass, got %+v", results.XTls)
}
if results.XTls.Details == nil || !strings.Contains(*results.XTls.Details, "TLSv1.3") {
t.Errorf("details should mention TLS version, got %v", results.XTls.Details)
}
})
t.Run("synthesizes pass from ESMTPS protocol without TLS parenthetical", func(t *testing.T) {
// smtpd_tls_received_header disabled: no TLS details, but ESMTPS proves encryption.
results := &model.AuthenticationResults{}
chain := &[]model.ReceivedHop{{With: utils.PtrTo("ESMTPS")}}
analyzer.ReconcileXTLS(results, chain)
if results.XTls == nil || results.XTls.Result != model.AuthResultResultPass {
t.Fatalf("expected synthesized pass, got %+v", results.XTls)
}
})
t.Run("synthesizes none from plaintext ESMTP protocol", func(t *testing.T) {
results := &model.AuthenticationResults{}
chain := &[]model.ReceivedHop{{With: utils.PtrTo("ESMTP")}}
analyzer.ReconcileXTLS(results, chain)
if results.XTls == nil || results.XTls.Result != model.AuthResultResultNone {
t.Fatalf("expected synthesized none, got %+v", results.XTls)
}
})
t.Run("leaves nil when neither TLS info nor protocol is known", func(t *testing.T) {
results := &model.AuthenticationResults{}
chain := &[]model.ReceivedHop{{}}
analyzer.ReconcileXTLS(results, chain)
if results.XTls != nil {
t.Errorf("expected nil XTls when undetermined, got %+v", results.XTls)
}
})
t.Run("leaves nil with empty chain", func(t *testing.T) {
results := &model.AuthenticationResults{}
analyzer.ReconcileXTLS(results, &[]model.ReceivedHop{})
if results.XTls != nil {
t.Errorf("expected nil XTls, got %+v", results.XTls)
}
})
}
func TestProtocolIndicatesTLS(t *testing.T) {
tests := []struct {
with string
want bool
}{
{"ESMTPS", true},
{"ESMTPSA", true},
{"SMTPS", true},
{"LMTPS", true},
{"LMTPSA", true},
{"SMTP", false},
{"ESMTP", false},
{"ESMTPA", false},
{"LMTP", false},
}
for _, tt := range tests {
t.Run(tt.with, func(t *testing.T) {
if got := protocolIndicatesTLS(utils.PtrTo(tt.with)); got != tt.want {
t.Errorf("protocolIndicatesTLS(%q) = %v, want %v", tt.with, got, tt.want)
}
})
}
if protocolIndicatesTLS(nil) {
t.Error("protocolIndicatesTLS(nil) should be false")
}
}

30
pkg/analyzer/dns.go
View file

@ -88,16 +88,6 @@ func (d *DNSAnalyzer) AnalyzeDNS(email *EmailMessage, headersResults *model.Head
if len(forwardRecords) > 0 {
results.PtrForwardRecords = &forwardRecords
}
// Record the announced HELO name and whether it matches the PTR record
if firstHop.From != nil && *firstHop.From != "" {
helo := *firstHop.From
results.HeloHostname = &helo
if len(ptrRecords) > 0 {
match := checkHeloPtrMatch(helo, ptrRecords)
results.HeloPtrMatch = &match
}
}
}
}
@ -110,15 +100,6 @@ func (d *DNSAnalyzer) AnalyzeDNS(email *EmailMessage, headersResults *model.Head
results.RpMxRecords = d.checkMXRecords(*results.RpDomain)
}
// Verify the sender domains can actually receive replies/bounces (MX, with
// A/AAAA fallback), mirroring the ReturnOK milter check.
results.ReturnOk = &model.ReturnOK{
From: d.checkReturnOKDomain(fromDomain, orgDomainOrEmpty(headersResults.DomainAlignment.FromOrgDomain)),
}
if results.RpDomain != nil && *results.RpDomain != "" {
results.ReturnOk.ReturnPath = d.checkReturnOKDomain(*results.RpDomain, orgDomainOrEmpty(headersResults.DomainAlignment.ReturnPathOrgDomain))
}
// Check SPF records (for Return-Path domain - this is the envelope sender)
// SPF validates the MAIL FROM command, which corresponds to Return-Path
results.SpfRecords = d.checkSPFRecords(spfDomain)
@ -157,11 +138,6 @@ func (d *DNSAnalyzer) AnalyzeDomainOnly(domain string) *model.DNSResults {
// Check SPF records
results.SpfRecords = d.checkSPFRecords(domain)
// Verify the domain can receive replies/bounces (MX, with A/AAAA fallback)
results.ReturnOk = &model.ReturnOK{
From: d.checkReturnOKDomain(domain, ""),
}
// Check DMARC record
results.DmarcRecord = d.checkDMARCRecord(domain)
@ -193,9 +169,6 @@ func (d *DNSAnalyzer) CalculateDomainOnlyScore(results *model.DNSResults) (int,
// DMARC Record: 40 points
score += 40 * d.calculateDMARCScore(results) / 100
// Penalty when a sender domain cannot receive replies/bounces at all
score += calculateReturnOKPenalty(results)
// BIMI Record: only bonus
if results.BimiRecord != nil && results.BimiRecord.Valid {
if score >= 100 {
@ -241,9 +214,6 @@ func (d *DNSAnalyzer) CalculateDNSScore(results *model.DNSResults, senderIP stri
// DMARC Record: 20 points
score += 20 * d.calculateDMARCScore(results) / 100
// Penalty when a sender domain cannot receive replies/bounces at all
score += calculateReturnOKPenalty(results)
// BIMI Record
// BIMI is optional but indicates advanced email branding
if results.BimiRecord != nil && results.BimiRecord.Valid {

21
pkg/analyzer/dns_fcr.go
View file

@ -23,7 +23,6 @@ package analyzer
import (
"context"
"strings"
"git.happydns.org/happyDeliver/internal/model"
)
@ -63,21 +62,6 @@ func (d *DNSAnalyzer) checkPTRAndForward(ip string) ([]string, []string) {
return ptrNames, forwardIPs
}
// checkHeloPtrMatch reports whether the announced HELO hostname matches one of
// the sender's PTR records (case-insensitive, trailing dot ignored).
func checkHeloPtrMatch(helo string, ptrRecords []string) bool {
helo = strings.TrimSuffix(strings.ToLower(strings.TrimSpace(helo)), ".")
if helo == "" {
return false
}
for _, ptr := range ptrRecords {
if strings.TrimSuffix(strings.ToLower(ptr), ".") == helo {
return true
}
}
return false
}
// Proper reverse DNS (PTR) and forward-confirmed reverse DNS (FCrDNS) is important for deliverability
func (d *DNSAnalyzer) calculatePTRScore(results *model.DNSResults, senderIP string) (score int) {
if results.PtrRecords != nil && len(*results.PtrRecords) > 0 {
@ -89,11 +73,6 @@ func (d *DNSAnalyzer) calculatePTRScore(results *model.DNSResults, senderIP stri
score -= 15
}
// Penalty when the announced HELO name doesn't match the PTR hostname
if results.HeloPtrMatch != nil && !*results.HeloPtrMatch {
score -= 15
}
// Additional 50 points for forward-confirmed reverse DNS (FCrDNS)
// This means the PTR hostname resolves back to IPs that include the original sender IP
if results.PtrForwardRecords != nil && len(*results.PtrForwardRecords) > 0 && senderIP != "" {

104
pkg/analyzer/dns_fcr_test.go
View file

@ -1,104 +0,0 @@
// This file is part of the happyDeliver (R) project.
// Copyright (c) 2025-2026 happyDomain
// Authors: Pierre-Olivier Mercier, et al.
//
// This program is offered under a commercial and under the AGPL license.
// For commercial licensing, contact us at <contact@happydomain.org>.
//
// For AGPL licensing:
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package analyzer
import (
"testing"
"git.happydns.org/happyDeliver/internal/model"
)
func TestCheckHeloPtrMatch(t *testing.T) {
tests := []struct {
name string
helo string
ptrRecords []string
want bool
}{
{"exact match", "mail.example.com", []string{"mail.example.com"}, true},
{"case insensitive", "Mail.Example.COM", []string{"mail.example.com"}, true},
{"trailing dot ignored", "mail.example.com.", []string{"mail.example.com"}, true},
{"mismatch", "relay.example.org", []string{"mail.example.com"}, false},
{"match among several", "smtp.example.com", []string{"mail.example.com", "smtp.example.com"}, true},
{"empty helo", "", []string{"mail.example.com"}, false},
{"no ptr records", "mail.example.com", nil, false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := checkHeloPtrMatch(tt.helo, tt.ptrRecords); got != tt.want {
t.Errorf("checkHeloPtrMatch(%q, %v) = %v, want %v", tt.helo, tt.ptrRecords, got, tt.want)
}
})
}
}
func TestCalculatePTRScoreHeloMismatch(t *testing.T) {
d := NewDNSAnalyzer(0)
senderIP := "80.67.179.207"
ptr := []string{"mail.example.com"}
forward := []string{senderIP}
matchTrue := true
matchFalse := false
tests := []struct {
name string
results *model.DNSResults
want int
}{
{
name: "helo matches ptr - no penalty (PTR+FCrDNS)",
results: &model.DNSResults{
PtrRecords: &ptr,
PtrForwardRecords: &forward,
HeloPtrMatch: &matchTrue,
},
want: 100,
},
{
name: "helo mismatch - 15 point penalty",
results: &model.DNSResults{
PtrRecords: &ptr,
PtrForwardRecords: &forward,
HeloPtrMatch: &matchFalse,
},
want: 85,
},
{
name: "no helo info - no penalty",
results: &model.DNSResults{
PtrRecords: &ptr,
PtrForwardRecords: &forward,
},
want: 100,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := d.calculatePTRScore(tt.results, senderIP); got != tt.want {
t.Errorf("calculatePTRScore() = %d, want %d", got, tt.want)
}
})
}
}

113
pkg/analyzer/dns_returnok.go
View file

@ -1,113 +0,0 @@
// This file is part of the happyDeliver (R) project.
// Copyright (c) 2025-2026 happyDomain
// Authors: Pierre-Olivier Mercier, et al.
//
// This program is offered under a commercial and under the AGPL license.
// For commercial licensing, contact us at <contact@happydomain.org>.
//
// For AGPL licensing:
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package analyzer
import (
"context"
"git.happydns.org/happyDeliver/internal/model"
"git.happydns.org/happyDeliver/internal/utils"
)
// ReturnOKDomain.Status values, matching the schema enum. Kept as a plain string
// in the generated model (x-go-type) to avoid colliding with other "pass"/"fail"
// enums in the global enum namespace.
const (
returnOKStatusPass = "pass"
returnOKStatusWarn = "warn"
returnOKStatusFail = "fail"
)
// domainCanReceive reports whether a domain can accept mail, looking up records
// in the same order as Fastmail's ReturnOK milter: MX first, then A/AAAA.
func (d *DNSAnalyzer) domainCanReceive(domain string) (hasMX, hasAddress bool) {
ctx, cancel := context.WithTimeout(context.Background(), d.Timeout)
defer cancel()
if mxRecords, err := d.resolver.LookupMX(ctx, domain); err == nil && len(mxRecords) > 0 {
return true, false
}
if addrs, err := d.resolver.LookupHost(ctx, domain); err == nil && len(addrs) > 0 {
return false, true
}
return false, false
}
// checkReturnOKDomain verifies that a domain can receive replies/bounces.
// It checks the domain itself, then falls back to its organizational domain
// (when different) the same way the ReturnOK milter retries the org domain.
func (d *DNSAnalyzer) checkReturnOKDomain(domain, orgDomain string) *model.ReturnOKDomain {
if domain == "" {
return nil
}
result := &model.ReturnOKDomain{Domain: domain}
hasMX, hasAddress := d.domainCanReceive(domain)
// Fall back to the organizational domain when the domain itself has nothing.
if !hasMX && !hasAddress && orgDomain != "" && orgDomain != domain {
if orgMX, orgAddr := d.domainCanReceive(orgDomain); orgMX || orgAddr {
hasMX, hasAddress = orgMX, orgAddr
result.OrgDomain = utils.PtrTo(orgDomain)
}
}
result.HasMx = utils.PtrTo(hasMX)
result.HasAddress = utils.PtrTo(hasAddress)
switch {
case hasMX:
result.Status = returnOKStatusPass
case hasAddress:
result.Status = returnOKStatusWarn
default:
result.Status = returnOKStatusFail
}
return result
}
// calculateReturnOKPenalty returns a non-positive value: each sender domain that
// can receive neither replies nor bounces (status=fail) costs points, since
// those messages would be silently lost.
func calculateReturnOKPenalty(results *model.DNSResults) (penalty int) {
if results.ReturnOk == nil {
return 0
}
for _, dom := range []*model.ReturnOKDomain{results.ReturnOk.From, results.ReturnOk.ReturnPath} {
if dom != nil && dom.Status == returnOKStatusFail {
penalty -= 10
}
}
return
}
// orgDomainOrEmpty dereferences an optional organizational domain pointer.
func orgDomainOrEmpty(orgDomain *string) string {
if orgDomain == nil {
return ""
}
return *orgDomain
}

170
pkg/analyzer/dns_returnok_test.go
View file

@ -1,170 +0,0 @@
// This file is part of the happyDeliver (R) project.
// Copyright (c) 2025-2026 happyDomain
// Authors: Pierre-Olivier Mercier, et al.
//
// This program is offered under a commercial and under the AGPL license.
// For commercial licensing, contact us at <contact@happydomain.org>.
//
// For AGPL licensing:
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package analyzer
import (
"context"
"net"
"testing"
"time"
"git.happydns.org/happyDeliver/internal/model"
)
// returnOKMockResolver lets tests control MX and host (A/AAAA) lookups per domain.
type returnOKMockResolver struct {
mx map[string][]*net.MX
hosts map[string][]string
}
func (m *returnOKMockResolver) LookupMX(_ context.Context, name string) ([]*net.MX, error) {
if recs, ok := m.mx[name]; ok {
return recs, nil
}
return nil, &net.DNSError{Err: "no such host", Name: name, IsNotFound: true}
}
func (m *returnOKMockResolver) LookupHost(_ context.Context, host string) ([]string, error) {
if recs, ok := m.hosts[host]; ok {
return recs, nil
}
return nil, &net.DNSError{Err: "no such host", Name: host, IsNotFound: true}
}
func (m *returnOKMockResolver) LookupTXT(_ context.Context, _ string) ([]string, error) {
return nil, nil
}
func (m *returnOKMockResolver) LookupAddr(_ context.Context, _ string) ([]string, error) {
return nil, nil
}
func TestCheckReturnOKDomain(t *testing.T) {
mx := []*net.MX{{Host: "mail.example.com.", Pref: 10}}
tests := []struct {
name string
domain string
orgDomain string
resolver *returnOKMockResolver
wantStatus string
wantHasMX bool
wantHasAddr bool
wantOrgDomain string // "" means OrgDomain should be nil
}{
{
name: "domain with MX passes",
domain: "example.com",
resolver: &returnOKMockResolver{mx: map[string][]*net.MX{"example.com": mx}},
wantStatus: returnOKStatusPass,
wantHasMX: true,
wantHasAddr: false,
},
{
name: "no MX but A/AAAA warns",
domain: "example.com",
resolver: &returnOKMockResolver{hosts: map[string][]string{"example.com": {"192.0.2.1"}}},
wantStatus: returnOKStatusWarn,
wantHasMX: false,
wantHasAddr: true,
},
{
name: "fallback to org domain MX",
domain: "sub.example.com",
orgDomain: "example.com",
resolver: &returnOKMockResolver{mx: map[string][]*net.MX{"example.com": mx}},
wantStatus: returnOKStatusPass,
wantHasMX: true,
wantHasAddr: false,
wantOrgDomain: "example.com",
},
{
name: "nothing anywhere fails",
domain: "example.com",
orgDomain: "example.com",
resolver: &returnOKMockResolver{},
wantStatus: returnOKStatusFail,
wantHasMX: false,
wantHasAddr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
d := NewDNSAnalyzerWithResolver(5*time.Second, tt.resolver)
got := d.checkReturnOKDomain(tt.domain, tt.orgDomain)
if got == nil {
t.Fatalf("checkReturnOKDomain returned nil")
}
if got.Status != tt.wantStatus {
t.Errorf("Status = %q, want %q", got.Status, tt.wantStatus)
}
if got.HasMx == nil || *got.HasMx != tt.wantHasMX {
t.Errorf("HasMx = %v, want %v", got.HasMx, tt.wantHasMX)
}
if got.HasAddress == nil || *got.HasAddress != tt.wantHasAddr {
t.Errorf("HasAddress = %v, want %v", got.HasAddress, tt.wantHasAddr)
}
if tt.wantOrgDomain == "" {
if got.OrgDomain != nil {
t.Errorf("OrgDomain = %v, want nil", *got.OrgDomain)
}
} else {
if got.OrgDomain == nil || *got.OrgDomain != tt.wantOrgDomain {
t.Errorf("OrgDomain = %v, want %q", got.OrgDomain, tt.wantOrgDomain)
}
}
})
}
}
func TestCheckReturnOKDomainEmpty(t *testing.T) {
d := NewDNSAnalyzerWithResolver(5*time.Second, &returnOKMockResolver{})
if got := d.checkReturnOKDomain("", ""); got != nil {
t.Errorf("checkReturnOKDomain(\"\") = %v, want nil", got)
}
}
func TestCalculateReturnOKPenalty(t *testing.T) {
fail := &model.ReturnOKDomain{Domain: "a.example", Status: returnOKStatusFail}
pass := &model.ReturnOKDomain{Domain: "b.example", Status: returnOKStatusPass}
warn := &model.ReturnOKDomain{Domain: "c.example", Status: returnOKStatusWarn}
tests := []struct {
name string
results *model.DNSResults
want int
}{
{"nil return_ok", &model.DNSResults{}, 0},
{"both pass", &model.DNSResults{ReturnOk: &model.ReturnOK{From: pass, ReturnPath: pass}}, 0},
{"warn is not penalised", &model.DNSResults{ReturnOk: &model.ReturnOK{From: warn}}, 0},
{"one fail", &model.DNSResults{ReturnOk: &model.ReturnOK{From: fail, ReturnPath: pass}}, -10},
{"both fail", &model.DNSResults{ReturnOk: &model.ReturnOK{From: fail, ReturnPath: fail}}, -20},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := calculateReturnOKPenalty(tt.results); got != tt.want {
t.Errorf("calculateReturnOKPenalty() = %d, want %d", got, tt.want)
}
})
}
}

46
pkg/analyzer/headers.go
View file

@ -26,7 +26,6 @@ import (
"net"
"net/mail"
"regexp"
"strconv"
"strings"
"time"
@ -694,50 +693,5 @@ func (h *HeaderAnalyzer) parseReceivedHeader(receivedValue string) *model.Receiv
}
}
// Extract TLS details from the Received header parentheticals
// (e.g. "(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) ...)")
hop.Tls = parseReceivedTLS(normalized)
return hop
}
// parseReceivedTLS extracts TLS connection details from a normalized Received header value.
// Returns nil when the hop was not encrypted (no TLS version/cipher found).
func parseReceivedTLS(normalized string) *model.TLSInfo {
tls := &model.TLSInfo{}
found := false
// TLS protocol version, e.g. "using TLSv1.3"
if matches := regexp.MustCompile(`(?i)using\s+(TLSv[0-9.]+|SSLv[0-9.]+)`).FindStringSubmatch(normalized); len(matches) > 1 {
tls.Version = &matches[1]
found = true
}
// Cipher suite, e.g. "with cipher TLS_AES_256_GCM_SHA384"
if matches := regexp.MustCompile(`(?i)with cipher\s+([A-Za-z0-9_-]+)`).FindStringSubmatch(normalized); len(matches) > 1 {
tls.Cipher = &matches[1]
found = true
}
// Cipher strength, e.g. "(256/256 bits)"
if matches := regexp.MustCompile(`\((\d+)/\d+ bits\)`).FindStringSubmatch(normalized); len(matches) > 1 {
if bits, err := strconv.Atoi(matches[1]); err == nil {
tls.Bits = &bits
}
}
if !found {
return nil
}
// Certificate verification status. Postfix emits "(verified OK)" when the peer
// certificate was trusted, "(not verified)" otherwise. "No client certificate
// requested" leaves the field unset (trust is simply not applicable).
if regexp.MustCompile(`(?i)verified OK`).MatchString(normalized) {
tls.Verified = utils.PtrTo(true)
} else if regexp.MustCompile(`(?i)not verified`).MatchString(normalized) {
tls.Verified = utils.PtrTo(false)
}
return tls
}

75
pkg/analyzer/headers_test.go
View file

@ -677,77 +677,6 @@ func TestParseReceivedHeader(t *testing.T) {
}
}
func TestParseReceivedTLS(t *testing.T) {
tests := []struct {
name string
receivedValue string
expectNil bool
expectVersion *string
expectCipher *string
expectBits *int
expectVerified *bool
}{
{
name: "TLS 1.3 no client certificate",
receivedValue: "from mail.example.com (unknown [IPv6:2001:db8::1]) " +
"(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) " +
"key-exchange x25519 server-signature ECDSA (prime256v1) server-digest SHA256) " +
"(No client certificate requested) " +
"by mx.example.org (Postfix) with ESMTPSA id 1EFD11611EA; Sun, 19 Oct 2025 09:40:33 +0000 (UTC)",
expectVersion: strPtr("TLSv1.3"),
expectCipher: strPtr("TLS_AES_256_GCM_SHA384"),
expectBits: intPtr(256),
expectVerified: nil,
},
{
name: "TLS with verified client certificate",
receivedValue: "from mail.example.com (mail.example.com [192.0.2.1]) " +
"(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) " +
"(Client CN \"example\", Issuer \"CA\" (verified OK)) " +
"by mx.receiver.com (Postfix) with ESMTPS id ABC; Mon, 01 Jan 2024 12:00:00 +0000",
expectVersion: strPtr("TLSv1.2"),
expectCipher: strPtr("ECDHE-RSA-AES128-GCM-SHA256"),
expectBits: intPtr(128),
expectVerified: boolPtr(true),
},
{
name: "Plaintext (no TLS)",
receivedValue: "from mail.example.com (mail.example.com [192.0.2.1]) by mx.receiver.com (Postfix) with ESMTP id ABC; Mon, 01 Jan 2024 12:00:00 +0000",
expectNil: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
normalized := strings.Join(strings.Fields(tt.receivedValue), " ")
tls := parseReceivedTLS(normalized)
if tt.expectNil {
if tls != nil {
t.Fatalf("expected nil TLS info, got %+v", tls)
}
return
}
if tls == nil {
t.Fatal("parseReceivedTLS returned nil")
}
if !equalStrPtr(tls.Version, tt.expectVersion) {
t.Errorf("Version = %v, want %v", ptrToStr(tls.Version), ptrToStr(tt.expectVersion))
}
if !equalStrPtr(tls.Cipher, tt.expectCipher) {
t.Errorf("Cipher = %v, want %v", ptrToStr(tls.Cipher), ptrToStr(tt.expectCipher))
}
if (tls.Bits == nil) != (tt.expectBits == nil) || (tls.Bits != nil && *tls.Bits != *tt.expectBits) {
t.Errorf("Bits = %v, want %v", tls.Bits, tt.expectBits)
}
if (tls.Verified == nil) != (tt.expectVerified == nil) || (tls.Verified != nil && *tls.Verified != *tt.expectVerified) {
t.Errorf("Verified = %v, want %v", tls.Verified, tt.expectVerified)
}
})
}
}
func TestGenerateHeaderAnalysis_WithReceivedChain(t *testing.T) {
analyzer := NewHeaderAnalyzer()
@ -979,10 +908,6 @@ func strPtr(s string) *string {
return &s
}
func boolPtr(b bool) *bool {
return &b
}
func ptrToStr(p *string) string {
if p == nil {
return "<nil>"

4
pkg/analyzer/report.go
View file

@ -85,10 +85,6 @@ func (r *ReportGenerator) AnalyzeEmail(email *EmailMessage) *AnalysisResults {
// Run all analyzers
results.Authentication = r.authAnalyzer.AnalyzeAuthentication(email)
results.Headers = r.headerAnalyzer.GenerateHeaderAnalysis(email, results.Authentication)
// Fall back to the received chain's inbound TLS when no x-tls header was present.
if results.Authentication != nil && results.Headers != nil {
r.authAnalyzer.ReconcileXTLS(results.Authentication, results.Headers.ReceivedChain)
}
results.DNS = r.dnsAnalyzer.AnalyzeDNS(email, results.Headers)
results.RBL = r.rblChecker.CheckEmail(email)
results.DNSWL = r.dnswlChecker.CheckEmail(email)

29
web/package-lock.json generated
View file

@ -25,7 +25,7 @@
"eslint-plugin-svelte": "^3.12.4",
"globals": "^17.0.0",
"prettier": "^3.6.2",
"prettier-plugin-svelte": "^3.4.0",
"prettier-plugin-svelte": "^4.0.0",
"svelte": "^5.39.5",
"svelte-check": "^4.3.2",
"typescript": "^6.0.0",
@ -4007,14 +4007,17 @@
}
},
"node_modules/prettier-plugin-svelte": {
"version": "3.5.2",
"resolved": "https://registry.npmjs.org/prettier-plugin-svelte/-/prettier-plugin-svelte-3.5.2.tgz",
"integrity": "sha512-ItFouLvzSFE3ulNl4DKoWM3BGcbDCNVpIyy/Y3F2gC3aNiGLxtFUdffVqO5Z5hhYG+DFT5KULWaxmeFFpdbvaQ==",
"version": "4.1.0",
"resolved": "https://registry.npmjs.org/prettier-plugin-svelte/-/prettier-plugin-svelte-4.1.0.tgz",
"integrity": "sha512-YZkhA2Q9oOerFFG9tq+2f98WYT7Z2JgrybJrAyrB78jpsH9i/DdgplXemehuFPgsldetFNCcR/yCcYlDjPy94Q==",
"dev": true,
"license": "MIT",
"engines": {
"node": ">=20"
},
"peerDependencies": {
"prettier": "^3.0.0",
"svelte": "^3.2.0 || ^4.0.0-next.0 || ^5.0.0-next.0"
"svelte": "^5.0.0"
}
},
"node_modules/punycode": {
@ -5035,22 +5038,6 @@
"url": "https://github.com/sponsors/sindresorhus"
}
},
"node_modules/yaml": {
"version": "2.9.0",
"resolved": "https://registry.npmjs.org/yaml/-/yaml-2.9.0.tgz",
"integrity": "sha512-2AvhNX3mb8zd6Zy7INTtSpl1F15HW6Wnqj0srWlkKLcpYl/gMIMJiyuGq2KeI2YFxUPjdlB+3Lc10seMLtL4cA==",
"extraneous": true,
"license": "ISC",
"bin": {
"yaml": "bin.mjs"
},
"engines": {
"node": ">= 14.6"
},
"funding": {
"url": "https://github.com/sponsors/eemeli"
}
},
"node_modules/yocto-queue": {
"version": "0.1.0",
"resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz",

2
web/package.json
View file

@ -28,7 +28,7 @@
"eslint-plugin-svelte": "^3.12.4",
"globals": "^17.0.0",
"prettier": "^3.6.2",
"prettier-plugin-svelte": "^3.4.0",
"prettier-plugin-svelte": "^4.0.0",
"svelte": "^5.39.5",
"svelte-check": "^4.3.2",
"typescript": "^6.0.0",

82
web/src/lib/components/AuthenticationCard.svelte
View file

@ -170,88 +170,6 @@
</div>
{/if}
<!-- X-Ptr (HELO / reverse DNS consistency) -->
{#if authentication.x_ptr}
<div class="list-group-item" id="authentication-x-ptr">
<div class="d-flex align-items-start">
<i
class="bi {getAuthResultIcon(
authentication.x_ptr.result,
true,
)} {getAuthResultClass(authentication.x_ptr.result, true)} me-2 fs-5"
></i>
<div>
<strong>HELO / PTR</strong>
<i
class="bi bi-info-circle text-muted ms-1"
title="Checks that the HELO/EHLO hostname announced by the sending server matches the sender IP's reverse DNS (PTR) record."
></i>
<span
class="text-uppercase ms-2 {getAuthResultClass(
authentication.x_ptr.result,
true,
)}"
>
{authentication.x_ptr.result}
</span>
{#if authentication.x_ptr.helo}
<div class="small">
<strong>Announced HELO:</strong>
<span class="text-muted">{authentication.x_ptr.helo}</span>
</div>
{/if}
{#if authentication.x_ptr.ptr}
<div class="small">
<strong>Reverse DNS (PTR):</strong>
<span class="text-muted">{authentication.x_ptr.ptr}</span>
</div>
{/if}
{#if authentication.x_ptr.details}
<pre
class="p-2 mb-0 {$theme === 'light'
? 'bg-light'
: 'bg-secondary'} text-muted small"
style="white-space: pre-wrap">{authentication.x_ptr.details}</pre>
{/if}
</div>
</div>
</div>
{/if}
<!-- X-TLS (Transport encryption) -->
{#if authentication.x_tls}
<div class="list-group-item" id="authentication-x-tls">
<div class="d-flex align-items-start">
<i
class="bi {getAuthResultIcon(
authentication.x_tls.result,
true,
)} {getAuthResultClass(authentication.x_tls.result, true)} me-2 fs-5"
></i>
<div>
<strong>Transport TLS</strong>
<i
class="bi bi-info-circle text-muted ms-1"
title="Whether the inbound connection that delivered this message used TLS encryption (x-tls). Falls back to the inbound Received hop when no x-tls header is present."
></i>
<span
class="text-uppercase ms-2 {getAuthResultClass(
authentication.x_tls.result,
true,
)}"
>
{authentication.x_tls.result}
</span>
{#if authentication.x_tls.details}
<div class="small text-muted mt-1">
{authentication.x_tls.details}
</div>
{/if}
</div>
</div>
</div>
{/if}
<!-- SPF (Required) -->
<div class="list-group-item">
<div class="d-flex align-items-start" id="authentication-spf">

15
web/src/lib/components/DnsRecordsCard.svelte
View file

@ -6,11 +6,9 @@
import DkimRecordsDisplay from "./DkimRecordsDisplay.svelte";
import DmarcRecordDisplay from "./DmarcRecordDisplay.svelte";
import GradeDisplay from "./GradeDisplay.svelte";
import HeloPtrMatchDisplay from "./HeloPtrMatchDisplay.svelte";
import MxRecordsDisplay from "./MxRecordsDisplay.svelte";
import PtrForwardRecordsDisplay from "./PtrForwardRecordsDisplay.svelte";
import PtrRecordsDisplay from "./PtrRecordsDisplay.svelte";
import ReturnOkDisplay from "./ReturnOkDisplay.svelte";
import SpfRecordsDisplay from "./SpfRecordsDisplay.svelte";
interface Props {
@ -94,16 +92,6 @@
{senderIp}
/>
<!-- HELO / PTR Consistency -->
<HeloPtrMatchDisplay
heloHostname={dnsResults.helo_hostname ?? receivedChain?.[0]?.from}
ptrRecords={dnsResults.ptr_records}
heloPtrMatch={dnsResults.helo_ptr_match}
/>
<!-- Return Address Reachability (ReturnOK) -->
<ReturnOkDisplay returnOk={dnsResults.return_ok} />
<hr class="my-4" />
<!-- Return-Path Domain Section -->
@ -154,7 +142,8 @@
</h4>
{#if dnsResults.rp_domain && dnsResults.rp_domain !== dnsResults.from_domain}
<span class="badge bg-danger ms-2">
<i class="bi bi-exclamation-triangle-fill"></i> Differs from Return-Path domain
<i class="bi bi-exclamation-triangle-fill"></i> Differs from Return-Path
domain
</span>
{/if}
</div>

72
web/src/lib/components/EmailPathCard.svelte
View file

@ -7,21 +7,6 @@
}
let { receivedChain }: Props = $props();
// Mirror of the backend protocolIndicatesTLS (RFC 3848): the transport keyword
// gains a trailing "S" when TLS was used (ESMTPS, ESMTPSA, SMTPS, LMTPS, LMTPSA...).
function protocolIndicatesTLS(withProto: string | undefined | null): boolean {
if (!withProto) return false;
const p = withProto.trim().toUpperCase();
return p.endsWith("S") || p.endsWith("SA");
}
// RFC 3848: a trailing "A" means the sender authenticated (SMTP AUTH):
// ESMTPA, ESMTPSA, LMTPA, LMTPSA...
function protocolIndicatesAuth(withProto: string | undefined | null): boolean {
if (!withProto) return false;
return withProto.trim().toUpperCase().endsWith("A");
}
</script>
{#if receivedChain && receivedChain.length > 0}
@ -75,63 +60,6 @@
{/if}
</p>
{/if}
<p class="mb-0 small d-flex flex-wrap align-items-center gap-3">
{#if hop.tls}
<span class="badge bg-success">
<i class="bi bi-lock-fill me-1"></i>TLS
</span>
{#if hop.tls.version}
<span>
<span class="text-muted">Version:</span>
<code>{hop.tls.version}</code>
</span>
{/if}
{#if hop.tls.cipher}
<span>
<span class="text-muted">Cipher:</span>
<code>{hop.tls.cipher}</code>
</span>
{/if}
{#if hop.tls.bits}
<span>
<span class="text-muted">Strength:</span>
<code>{hop.tls.bits} bits</code>
</span>
{/if}
{#if hop.tls.verified !== undefined}
<span
class:text-success={hop.tls.verified}
class:text-warning={!hop.tls.verified}
>
<i
class="bi {hop.tls.verified
? 'bi-patch-check-fill'
: 'bi-patch-exclamation-fill'} me-1"
></i>
{hop.tls.verified
? "Certificate trusted"
: "Certificate not trusted"}
</span>
{/if}
{:else if protocolIndicatesTLS(hop.with)}
<span class="badge bg-success">
<i class="bi bi-lock-fill me-1"></i>TLS
</span>
{:else if hop.with}
<span class="badge bg-secondary">
<i class="bi bi-unlock me-1"></i>No TLS
</span>
{:else}
<span class="badge bg-light text-muted border">
<i class="bi bi-question-circle me-1"></i>TLS unknown
</span>
{/if}
{#if protocolIndicatesAuth(hop.with)}
<span class="badge bg-info">
<i class="bi bi-person-check-fill me-1"></i>Authenticated
</span>
{/if}
</p>
</div>
{/each}
</div>

87
web/src/lib/components/HeloPtrMatchDisplay.svelte
View file

@ -1,87 +0,0 @@
<script lang="ts">
interface Props {
heloHostname?: string;
ptrRecords?: string[];
heloPtrMatch?: boolean;
}
let { heloHostname, ptrRecords, heloPtrMatch }: Props = $props();
const normalize = (host: string) => host.replace(/\.$/, "").trim().toLowerCase();
// Local comparison, identical to the per-record badge logic below, so the
// summary alert can never contradict the individual "Match" badges.
const localMatch = $derived(
!!heloHostname &&
!!ptrRecords &&
ptrRecords.some((ptr) => normalize(heloHostname) === normalize(ptr)),
);
// Prefer the backend verdict when it is present; otherwise fall back to the
// local comparison (e.g. for results produced before helo_ptr_match existed).
const isMatch = $derived(heloPtrMatch ?? localMatch);
</script>
{#if heloHostname}
<div class="card mb-4">
<div class="card-header d-flex justify-content-between align-items-center">
<h5 class="text-muted mb-0">
<i
class="bi"
class:bi-check-circle-fill={isMatch}
class:text-success={isMatch}
class:bi-x-circle-fill={!isMatch}
class:text-danger={!isMatch}
></i>
HELO / PTR Consistency
</h5>
<span class="badge bg-secondary">HELO</span>
</div>
<div class="card-body">
<p class="card-text small text-muted mb-0">
The HELO/EHLO hostname is the name the sending server announces when it connects.
Many mail servers check that this name matches the sender IP's reverse DNS (PTR)
record. A mismatch is a common spam signal and can hurt deliverability.
</p>
<div class="mt-2">
<strong>Announced HELO:</strong> <code>{heloHostname}</code>
</div>
{#if ptrRecords && ptrRecords.length > 0}
<div class="mt-1">
<strong>PTR Hostname(s):</strong>
{#each ptrRecords as ptr}
<div class="d-flex gap-2 align-items-center mt-1">
{#if normalize(heloHostname) === normalize(ptr)}
<span class="badge bg-success">Match</span>
{:else}
<span class="badge bg-secondary">Different</span>
{/if}
<code>{ptr}</code>
</div>
{/each}
</div>
{/if}
</div>
{#if !isMatch}
<div class="list-group list-group-flush">
<div class="list-group-item">
<div class="alert alert-warning mb-0">
<i class="bi bi-exclamation-triangle me-1"></i>
<strong>Warning:</strong> The announced HELO hostname
<code>{heloHostname}</code>
{#if ptrRecords && ptrRecords.length > 0}
does not match the sender's PTR record{ptrRecords.length > 1 ? "s" : ""}
({#each ptrRecords as ptr, i}<code>{ptr}</code>{i <
ptrRecords.length - 1
? ", "
: ""}{/each}).
{:else}
could not be matched against a PTR record.
{/if}
Configuring the HELO name to match reverse DNS improves deliverability.
</div>
</div>
</div>
{/if}
</div>
{/if}

106
web/src/lib/components/ReturnOkDisplay.svelte
View file

@ -1,106 +0,0 @@
<script lang="ts">
import type { SchemasReturnOk, SchemasReturnOkDomain } from "$lib/api/types.gen";
interface Props {
returnOk?: SchemasReturnOk;
}
let { returnOk }: Props = $props();
type Row = { label: string; entry: SchemasReturnOkDomain };
const rows = $derived<Row[]>(
[
returnOk?.from ? { label: "From", entry: returnOk.from } : undefined,
returnOk?.return_path
? { label: "Return-Path", entry: returnOk.return_path }
: undefined,
].filter((r): r is Row => r !== undefined),
);
const hasFail = $derived(rows.some((r) => r.entry.status === "fail"));
const hasWarn = $derived(rows.some((r) => r.entry.status === "warn"));
const allPass = $derived(rows.length > 0 && rows.every((r) => r.entry.status === "pass"));
// Header icon reflects the worst status across the checked domains.
const headerOk = $derived(allPass);
function badgeClass(status: string): string {
if (status === "pass") return "bg-success";
if (status === "warn") return "bg-warning text-dark";
return "bg-danger";
}
function badgeLabel(status: string): string {
if (status === "pass") return "MX";
if (status === "warn") return "A/AAAA only";
return "Unreachable";
}
</script>
{#if rows.length > 0}
<div class="card mb-4">
<div class="card-header d-flex justify-content-between align-items-center">
<h5 class="text-muted mb-0">
<i
class="bi"
class:bi-check-circle-fill={headerOk}
class:text-success={headerOk}
class:bi-exclamation-triangle-fill={!headerOk && !hasFail}
class:text-warning={!headerOk && !hasFail}
class:bi-x-circle-fill={hasFail}
class:text-danger={hasFail}
></i>
Return Address Reachability
</h5>
<span class="badge bg-secondary">RETURN-OK</span>
</div>
<div class="card-body">
<p class="card-text small text-muted mb-0">
Replies (to the From address) and bounces (to the Return-Path) can only be delivered
if the sender's domains accept mail. A domain should publish MX records; an A/AAAA
record works as an implicit fallback but is not recommended. A domain with neither
is unreachable and silently drops replies and bounces.
</p>
</div>
<div class="list-group list-group-flush">
{#each rows as { label, entry } (label)}
<div class="list-group-item">
<div class="d-flex align-items-center gap-2 flex-wrap">
<span class="text-muted" style="min-width: 6.5rem">{label} domain:</span>
<code>{entry.domain}</code>
<span class="badge {badgeClass(entry.status)}">
{badgeLabel(entry.status)}
</span>
{#if entry.org_domain}
<small class="text-muted">
via organizational domain <code>{entry.org_domain}</code>
</small>
{/if}
</div>
</div>
{/each}
</div>
{#if hasFail || hasWarn}
<div class="list-group list-group-flush">
<div class="list-group-item">
{#if hasFail}
<div class="alert alert-danger mb-0">
<i class="bi bi-x-circle me-1"></i>
<strong>Error:</strong> At least one sender domain has no MX and no A/AAAA record.
Replies or bounce messages to that domain will be lost. Publish an MX record pointing
to a mail server that accepts mail.
</div>
{:else if hasWarn}
<div class="alert alert-warning mb-0">
<i class="bi bi-exclamation-triangle me-1"></i>
<strong>Warning:</strong> A sender domain has no MX record and relies on its A/AAAA
record (implicit MX). Mail is still deliverable, but publishing an explicit MX
record is recommended.
</div>
{/if}
</div>
</div>
{/if}
</div>
{/if}