diff --git a/autotls/autotls.go b/autotls/autotls.go
index 77c7b15601..4bbc229356 100644
--- a/autotls/autotls.go
+++ b/autotls/autotls.go
@@ -229,7 +229,6 @@ func (m *Manager) TLSConfig(fallbackHostname dns.Domain, fallbackNoSNI, fallback
 GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 return m.loggingGetCertificate(hello, fallbackHostname, fallbackNoSNI, fallbackUnknownSNI)
 },
- SessionTicketsDisabled: true,
 }
 }
diff --git a/config/config.go b/config/config.go
index 86acb2b318..5d36df6d54 100644
--- a/config/config.go
+++ b/config/config.go
@@ -158,6 +158,8 @@ type Listener struct {
 FirstTimeSenderDelay *time.Duration `sconf:"optional" sconf-doc:"Delay before accepting a message from a first-time sender for the destination account. Default: 15s."`
+ TLSSessionTicketsDisabled *bool `sconf:"optional" sconf-doc:"Override default setting for enabling TLS session tickets. Disabling session tickets may work around TLS interoperability issues."`
+
 DNSBLZones []dns.Domain `sconf:"-"`
 } `sconf:"optional"`
 Submission struct {
diff --git a/config/doc.go b/config/doc.go
index a2e25711ac..cccc5bbc0b 100644
--- a/config/doc.go
+++ b/config/doc.go
@@ -262,6 +262,10 @@ See https://pkg.go.dev/github.com/mjl-/sconf for details.
 # account. Default: 15s. (optional)
 FirstTimeSenderDelay: 0s
+ # Override default setting for enabling TLS session tickets. Disabling session
+ # tickets may work around TLS interoperability issues. (optional)
+ TLSSessionTicketsDisabled: false
+
 # SMTP for submitting email, e.g. by email applications. Starts out in plain text,
 # can be upgraded to TLS with the STARTTLS command. Prefer using Submissions which
 # is always a TLS connection. (optional)
diff --git a/mox-/config.go b/mox-/config.go
index 1abd00c728..826aa16066 100644
--- a/mox-/config.go
+++ b/mox-/config.go
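Review bot: The sconf-doc on the new `TLSSessionTicketsDisabled` field in config/config.go does not state its default, whereas the neighbouring `FirstTimeSenderDelay` doc ends with `Default: 15s.`; the smtpserver change treats an absent value as "disabled", and the generated doc.go example shows `TLSSessionTicketsDisabled: false`, which is not the default behaviour, so the default needs to be spelled out. Since the field lives in the SMTP (delivery) section, the doc should also say that only the delivery listener is affected, rather than all TLS listeners. Suggested text: `... Disabling session tickets may work around TLS interoperability issues. Only applies to the SMTP delivery listener. Default: true (tickets disabled), see https://github.com/golang/go/issues/70232.`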
@@ -1933,8 +1933,7 @@ func loadTLSKeyCerts(configFile, kind string, ctls *config.TLS) error {
 certs = append(certs, cert)
 }
 ctls.Config = &tls.Config{
- Certificates: certs,
- SessionTicketsDisabled: true,
+ Certificates: certs,
 }
 ctls.ConfigFallback = ctls.Config
 return nil
diff --git a/smtpserver/server.go b/smtpserver/server.go
index f933a8f4df..e90f0c997c 100644
--- a/smtpserver/server.go
+++ b/smtpserver/server.go
@@ -229,6 +229,13 @@ func Listen() {
 port := config.Port(listener.SMTP.Port, 25)
 for _, ip := range listener.IPs {
 firstTimeSenderDelay := durationDefault(listener.SMTP.FirstTimeSenderDelay, firstTimeSenderDelayDefault)
+ if tlsConfigDelivery != nil {
+ tlsConfigDelivery = tlsConfigDelivery.Clone()
+ // Default setting is currently to have session tickets disabled, to work around
+ // TLS interoperability issues with incoming deliveries from Microsoft. See
+ // https://github.com/golang/go/issues/70232.
+ tlsConfigDelivery.SessionTicketsDisabled = listener.SMTP.TLSSessionTicketsDisabled == nil || *listener.SMTP.TLSSessionTicketsDisabled
+ }
 listen1("smtp", name, ip, port, hostname, tlsConfigDelivery, false, false, maxMsgSize, false, listener.SMTP.RequireSTARTTLS, !listener.SMTP.NoRequireTLS, listener.SMTP.DNSBLZones, firstTimeSenderDelay)
 }
 }
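Review bot: The new `if tlsConfigDelivery != nil` block in smtpserver/server.go sits inside `for _, ip := range listener.IPs`, so each IP re-clones the config the previous iteration already cloned and re-evaluates the same loop-invariant setting; move the block to just before the `for _, ip` line so the clone is made once per listener. Because it assigns back to `tlsConfigDelivery` instead of a new local, the enclosing `Listen` (which starts before this hunk) would also see the modified clone in any later use of that variable — if there is one, prefer `tlsCfg := tlsConfigDelivery.Clone()` and pass `tlsCfg` to `listen1`. The comment explains why tickets are disabled here, but not that the removals in autotls.go and mox-/config.go leave every other listener with crypto/tls's default of session tickets enabled (with its automatic ticket-key rotation); a line such as `// Other listeners keep the crypto/tls default, session tickets enabled.` would make the scope of the workaround explicit.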