happyDomain/help
2
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
help/content/reference/checkers/smtp.en.md
Pierre-Olivier Mercier 5ccdd8892f
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details
docs: add checker reference pages and update homepage feature list 
Add individual reference pages for all domain health checkers (EN/FR),
update the homepage feature descriptions in both languages to highlight
monitoring, notifications, and domain availability checks.
2026-06-11 17:27:47 +09:00

52 lines
4.3 KiB
Markdown
Raw Permalink Blame History

---
date: 2026-06-11T09:00:00+02:00
author: nemunaire
title: SMTP
description: "Probes every MX target of a domain on port 25 the way an operator would with swaks: TCP connect, banner, EHLO, STARTTLS, mail-transaction and open-relay probes, reverse DNS and IPv6 coverage."
weight: 200
---
The **Inbound SMTP (MX posture)** checker exercises the *inbound* side of a domain's mail service. For every MX target of the zone it performs the live probes a human operator would run with `swaks` or `telnet … 25`: TCP connect, ESMTP banner and EHLO, STARTTLS negotiation, mail-transaction probes (null sender, postmaster, open-relay), reverse DNS / FCrDNS, extension inventory, and IPv4/IPv6 coverage. The result is an actionable HTML report.
**Scope:** service-level. It attaches to services of type `svcs.MXs` (the DNS-level MX record set) and is configured from that service's **Checks** tab.
The probe answers "can this domain *receive* mail correctly?". It does **not** test outbound deliverability (SPF/DKIM/DMARC alignment, spam scoring, blacklist status), which is the job of the {{< relref "/reference/checkers/happydeliver" >}} checker. Mail-transaction probes always stop at `RCPT` and emit `RSET`: no `DATA` is sent, so no mail is delivered.
## What it checks
| Rule | Verifies | Severity |
|------|----------|----------|
| `smtp.null_mx` | Reports whether the domain publishes a null MX (RFC 7505). | Info |
| `smtp.mx_present` | The domain publishes at least one MX record (or a null MX). | Critical |
| `smtp.mx_sanity` | Flags MX targets violating RFC 5321 § 5.1 (IP literals, CNAME chains, unresolved names). | Critical |
| `smtp.endpoint_reachable` | Every MX endpoint accepts a TCP connection on port 25. | Critical |
| `smtp.banner_sanity` | Every reachable endpoint emits a 220 SMTP greeting. | Critical |
| `smtp.ehlo_supported` | Every endpoint accepts EHLO. | Critical |
| `smtp.starttls_offered` | Every endpoint advertises the STARTTLS extension. | Critical |
| `smtp.starttls_handshake` | The STARTTLS handshake succeeds wherever advertised. | Critical |
| `smtp.auth_posture` | Flags endpoints advertising SMTP AUTH before STARTTLS (cleartext credentials). | Critical |
| `smtp.reverse_dns` | Every endpoint has a matching PTR record (FCrDNS). | Warning |
| `smtp.null_sender` | Endpoints accept the null sender `MAIL FROM:<>` (required for DSNs). | Critical |
| `smtp.postmaster` | Endpoints accept `RCPT TO:<postmaster@domain>` (RFC 5321 § 4.5.1). | Critical |
| `smtp.open_relay` | Flags endpoints that relay mail for recipients outside the tested domain. | Critical |
| `smtp.extension_posture` | Reports ESMTP extension posture (PIPELINING, 8BITMIME). | Info |
| `smtp.ipv6_reachable` | At least one MX endpoint is reachable over IPv6. | Info |
| `smtp.tls_quality` | Folds downstream TLS findings (chain, hostname, expiry) onto SMTP. | Critical |
Certificate posture itself is out of scope here: each MX target is published as a `tls.endpoint.v1` discovery entry (opportunistic STARTTLS), and the {{< relref "/reference/checkers/tls" >}} checker runs certificate analysis on the same connection. Its findings are folded back into the `smtp.tls_quality` rule and the HTML report.
## Options
| Option | Meaning | Default |
|--------|---------|---------|
| Domain (`domain`) | Domain to test. Auto-filled from the service. | (from service) |
| Per-endpoint timeout (seconds) (`timeout`) | Per-endpoint connection timeout. | 12 |
| EHLO hostname (`helo_name`) | Hostname announced in EHLO/HELO. Use a name that resolves and has a valid PTR. | `mx-checker.happydomain.org` |
| Probe null sender (`test_null_sender`) | Probe `MAIL FROM:<>` (RFC 5321 DSN acceptance). | true |
| Probe postmaster (`test_postmaster`) | Probe `RCPT TO:<postmaster@domain>` (RFC 5321 § 4.5.1). | true |
| Probe open-relay posture (`test_open_relay`) | Probe a recipient outside the tested domain to detect open relays. | true |
| Open-relay probe recipient (`test_probe_address`) | Mailbox (outside the tested domain) used for the open-relay probe. | `postmaster@example.com` |
## In happyDomain
This is a service-level checker: configure it from the **Checks** tab of the *E-Mail servers* (MX) service. To confirm that mail your domain *sends* lands in the inbox, pair it with the {{< relref "/reference/checkers/happydeliver" >}} checker. For the general workflow of configuring and reading checks, see {{< relref "/pages/checks" >}}.
Reference in a new issue View git blame Copy permalink