From c9a846d019b4c0c97c195214bb5dee80ee7ab48f Mon Sep 17 00:00:00 2001
From: Mechiel Lukkien
Date: Sun, 4 Jun 2023 17:55:55 +0200
Subject: [PATCH] more logging around smtp and mtasts tls connections

i wondered why self-signed mtasts certs didn't result in delivery failure. it's because it was a first-time request of the mtasts policy (clean test container). and for that case it means mtasts should be ignored.
---
 mtastsdb/db.go | 1 +
 smtpclient/client.go | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/mtastsdb/db.go b/mtastsdb/db.go
index d649b607ba..efd9835b77 100644
--- a/mtastsdb/db.go
+++ b/mtastsdb/db.go
@@ -233,6 +233,7 @@ func Get(ctx context.Context, resolver dns.Resolver, domain dns.Domain) (policy
 	switch {
 	case errors.Is(err, mtasts.ErrNoRecord) || errors.Is(err, mtasts.ErrMultipleRecords) || errors.Is(err, mtasts.ErrRecordSyntax) || errors.Is(err, mtasts.ErrNoPolicy) || errors.Is(err, mtasts.ErrPolicyFetch) || errors.Is(err, mtasts.ErrPolicySyntax):
 		// Remote is not doing MTA-STS, continue below. ../rfc/8461:333 ../rfc/8461:574
+		log.Debugx("interpreting mtasts error to mean remote is not doing mta-sts", err)
 	default:
 		// Interpret as temporary error, e.g. mtasts.ErrDNS, try again later.
 		return nil, false, fmt.Errorf("lookup up mta-sts policy: %w", err)
diff --git a/smtpclient/client.go b/smtpclient/client.go
index 271c7137bb..acbab04d16 100644
--- a/smtpclient/client.go
+++ b/smtpclient/client.go
@@ -509,7 +509,7 @@ func (c *Client) hello(ctx context.Context, tlsMode TLSMode, remoteHostname, aut
 	// Attempt TLS if remote understands STARTTLS or if caller requires it.
 	if c.extStartTLS && tlsMode != TLSSkip || tlsMode == TLSStrict {
-		c.log.Debug("starting tls client")
+		c.log.Debug("starting tls client", mlog.Field("tlsmode", tlsMode), mlog.Field("servername", remoteHostname))
 		c.cmds[0] = "starttls"
 		c.cmdStart = time.Now()
 		c.xwritelinef("STARTTLS")
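Review bot: The new `log.Debugx` line in the db.go hunk records the error but not which domain it concerns, so in a log with several concurrent policy lookups the message cannot be tied to a fetch; the `domain` parameter of `Get` is right there in the signature. This matters for the case the commit message describes: a certificate failure on a first-time policy fetch falls into the `ErrPolicyFetch` branch and is downgraded to "remote is not doing MTA-STS", which is only visible to an operator if the log line names the domain. If `mlog` is imported in this file, `log.Debugx("interpreting mtasts error to mean remote is not doing mta-sts", err, mlog.Field("domain", domain))` would do; otherwise fold the domain into the message. The enclosing `Get` starts before this hunk and continues after it.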
@@ -556,7 +556,7 @@ func (c *Client) hello(ctx context.Context, tlsMode TLSMode, remoteHostname, aut
 		c.w = bufio.NewWriter(c.tw)
 		tlsversion, ciphersuite := mox.TLSInfo(nconn)
-		c.log.Debug("tls client handshake done", mlog.Field("tls", tlsversion), mlog.Field("ciphersuite", ciphersuite))
+		c.log.Debug("tls client handshake done", mlog.Field("tls", tlsversion), mlog.Field("ciphersuite", ciphersuite), mlog.Field("servername", remoteHostname), mlog.Field("insecureskipverify", tlsConfig.InsecureSkipVerify))
 		hello(false)
 	}
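Review bot: The added `servername` field logs the `remoteHostname` parameter rather than `tlsConfig.ServerName`, which is the name the handshake actually verified against; if the two can ever differ (the construction of `tlsConfig` is outside this hunk), the log would misstate what was checked, so `mlog.Field("servername", tlsConfig.ServerName)` is the more trustworthy value to record next to `insecureskipverify`. Both fields describe the configuration that went into the handshake, not its outcome; assuming `nconn` is a `*tls.Conn` (it is handed to `mox.TLSInfo`), a `verified` field computed as `len(nconn.ConnectionState().VerifiedChains) > 0` would let a reader tell an unverified opportunistic session from a verified one without inferring it from the mode. The enclosing `hello` method starts before this hunk; the blank lines the hunk header counts are not visible here.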