feat(backend): implement MTA-STS and TLS-RPT support for email security visibility #1736
Conversation
Danelif
changed the title
Danelif
changed the title
Danelif
force-pushed
the
mta-sts-implementation
branch
from
b71d266 to
73b0247
Compare
Danelif
force-pushed
the
mta-sts-implementation
branch
from
73b0247 to
d09124e
Compare
| private static function fetch_policy($domain) { | ||
| $policy_url = "https://mta-sts.{$domain}/.well-known/mta-sts.txt"; | ||
|
|
||
| // Use cURL if available, otherwise use file_get_contents with SSL context |
There was a problem hiding this comment.
You should try to reuse what is available in Cypht. There are already Hm_Functions methods to use with curl, curl extension is required via composer, so it is safe to assume you can use it. Also, see other modules, hm-feed, for example, users curl and falls back to file_get_contents. Most of the modules use Hm_API_Curl. Only when we need really low-level stream functionality like smtp/imap connections - there we use stream socket client.
| $domain = Hm_MTA_STS::extract_domain($email); | ||
| if ($domain) { | ||
| $result = Hm_MTA_STS::check_domain($domain); | ||
| $tls_rpt = Hm_MTA_STS::check_tls_rpt($domain); |
There was a problem hiding this comment.
Please refactor the sts class to get rid of all static methods - using a class with static methods like this is not much different than using plain simple functions. I'd like to see class instantiation and you call methods on the object. For example, you can initialize the object with the domain and then just call $sts->check_domain(), $sts->check_tls_rpt while the class itself keeps the data it needs to share locally and privately.
| foreach ($recipients as $email) { | ||
| $domain = Hm_MTA_STS::extract_domain($email); | ||
| if ($domain) { | ||
| $result = Hm_MTA_STS::check_domain($domain); |
There was a problem hiding this comment.
This will be quite slow to run on each and every compose page. I think it deserves a setting or a checkbox on the compose page if user wants this behavior.
| * Output MTA-STS status indicator in compose form | ||
| * @subpackage mta_sts/output | ||
| */ | ||
| class Hm_Output_mta_sts_status_indicator extends Hm_Output_Module { |
There was a problem hiding this comment.
Besides the checks and status indicator don't we need to update our hm-smtp functionality to work with STS? Example concerning point that I don't see implemented: https://datatracker.ietf.org/doc/html/rfc8461#section-5
| # TLS-RPT (RFC 8460): Provides a reporting mechanism for TLS connection issues | ||
| # | ||
| # Usage: ./setup_mta_sts.sh [domain] [mx-servers] | ||
| # Example: ./setup_mta_sts.sh example.com "mail.example.com,mail2.example.com" |
There was a problem hiding this comment.
This whole script is setting something up for the server. Cypht is a client. I don't think its place is in Cypht. It is more oriented for sysadmins supporting their own smtp servers but they probably know enough to set up the servers themselves.
This PR implements comprehensive MTA-STS (Mail Transfer Agent Strict Transport Security) and TLS-RPT (TLS Reporting) support in Cypht, addressing #337.