git » chasquid » commit e5e7256

smtpsrv: Disable TLS session tickets to work around Microsoft problems

author Alberto Bertogli
2025-03-29 23:21:06 UTC
committer Alberto Bertogli
2025-03-31 08:19:45 UTC
parent 14892f438bf935c41c9940d26fdfa86d9347aac9

smtpsrv: Disable TLS session tickets to work around Microsoft problems

Microsoft SMTP servers have a bug that prevents them from successfully
establishing a TLS connection against modern Go TLS servers, and some
OpenSSL versions. It also doesn't fall back to plain-text, so this has
been causing deliverability issues.

The problem started by the end of 2024 and it's still not fixed.

Unfortunately, because they're quite a big provider and are not fixing
their problem, it is worth doing a server-side workaround.

This patch implements that workaround: it disables TLS session tickets.

There is no security impact for doing so, and there is a small
performance penalty which is likely to be insignificant for chasquid's
main use cases.

This workaround should be removed once Microsoft fixes their problem.

We are going to make a 1.15.1 release for this, which this patch also
documents.

Thanks to Michael (l6d-dev@github) for reporting this issue and
suggesting this workaround!

See https://github.com/albertito/chasquid/issues/64 and
https://github.com/golang/go/issues/70232 for more details.

docs/relnotes.md +10 -0
internal/smtpsrv/server.go +22 -3

diff --git a/docs/relnotes.md b/docs/relnotes.md
index c07bd4f..8eb3d34 100644
--- a/docs/relnotes.md
+++ b/docs/relnotes.md
@@ -11,6 +11,16 @@ noting backward-incompatible changes or known security issues.
 - Log how many things were loaded for each domain.
 - Add fail2ban filter configuration example.
 
+### 1.15.1 (2025-03-30)
+
+Implement a workaround for a Microsoft bug in TLS session ticket handling,
+that is causing deliverability issues, and they are being too slow at fixing.
+
+See this [chasquid issue](https://github.com/albertito/chasquid/issues/64),
+this [Go issue](https://github.com/golang/go/issues/70232) and this
+[Postfix thread](https://www.mail-archive.com/postfix-users@postfix.org/msg104308.html)
+for more details.
+
 
 ## 1.14.0 (2024-04-21)
 
diff --git a/internal/smtpsrv/server.go b/internal/smtpsrv/server.go
index 3232621..fc9fa7e 100644
--- a/internal/smtpsrv/server.go
+++ b/internal/smtpsrv/server.go
@@ -94,9 +94,28 @@ func NewServer() *Server {
 	authr := auth.NewAuthenticator()
 	aliasesR := aliases.NewResolver(authr.Exists)
 	return &Server{
-		addrs:          map[SocketMode][]string{},
-		listeners:      map[SocketMode][]net.Listener{},
-		tlsConfig:      &tls.Config{},
+		addrs:     map[SocketMode][]string{},
+		listeners: map[SocketMode][]net.Listener{},
+
+		// Disable session tickets for now, to workaround a Microsoft bug
+		// causing deliverability issues.
+		//
+		// See https://github.com/golang/go/issues/70232 for more details.
+		//
+		// This doesn't impact security, it just makes the re-establishment of
+		// TLS sessions a bit slower, but for a server like chasquid it's not
+		// going to be significant.
+		//
+		// Note this is not a Go-specific problem, and affects other servers
+		// too (like Postfix/OpenSSL). This is a Microsoft problem that they
+		// need to fix. Unfortunately, because they're quite a big provider
+		// and are not very responsive in fixing their problems, we have to do
+		// a workaround here.
+		// TODO: Remove this once Microsoft fixes their servers.
+		tlsConfig: &tls.Config{
+			SessionTicketsDisabled: true,
+		},
+
 		connTimeout:    20 * time.Minute,
 		commandTimeout: 1 * time.Minute,
 		localDomains:   &set.String{},
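Review bot: the `TODO: Remove this once Microsoft fixes their servers.` line has no tracker reference, so the revert is easy to lose; point it at the chasquid issue (https://github.com/albertito/chasquid/issues/64, cited in the commit message) in addition to the Go issue already linked in the comment. Also, "This doesn't impact security" understates things slightly: with `SessionTicketsDisabled: true` the server no longer holds a ticket-encryption key, so the only visible effect is that resumption becomes a full handshake; stating that the cost is one extra round trip and handshake per reconnecting client makes the trade-off concrete. Finally, since this hard-codes the setting in `NewServer()`, check that nothing later replaces `tlsConfig` wholesale (for example when certificates are loaded) rather than mutating it, otherwise the flag is silently dropped; if a full replacement does happen, set `SessionTicketsDisabled` there as well, or expose it as a config knob so the workaround can be toggled without a new release.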