feat(backend): implement MTA-STS and TLS-RPT support for email security visibility #1736
```php
 * Output MTA-STS status indicator in compose form
 * @subpackage mta_sts/output
 */
class Hm_Output_mta_sts_status_indicator extends Hm_Output_Module {
```
Besides the checks and the status indicator, don't we need to update our hm-smtp functionality to work with STS? An example of a concerning point that I don't see implemented: https://datatracker.ietf.org/doc/html/rfc8461#section-5
Implementing RFC 8461 Section 5 (actual SMTP client enforcement) would require modifying the hm-smtp.php SMTP client to:
- Verify MX records match the MTA-STS policy
- Enforce TLS connections only
- Validate certificate names against policy
- Handle policy fetch failures
This is a significantly larger feature that would need to be addressed as a separate issue/PR, as it changes core email sending behavior and could break existing functionality if not implemented carefully.
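The four enforcement points listed above, as an added stand-alone illustration (Python, not Cypht's PHP hm-smtp.php client and not code from this PR): parse an RFC 8461 policy, match MX hosts against its mx patterns, fall back to a cached policy when the fetch or parse fails, and decide whether a send may proceed. SAMPLE_POLICY and the failure labels are constructed for the example; certificate and STARTTLS results are passed in as booleans.

```python
from typing import NamedTuple, Optional

SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.backup.example.com\nmax_age: 604800\n"  # constructed sample in the RFC 8461 section 3.2 format, not a real domain's policy

class StsPolicy(NamedTuple):
    mode: str          # "enforce", "testing" or "none"
    mx: tuple          # exact MX hosts or "*.domain" patterns, lower-cased
    max_age: int

def parse_policy(text: str) -> StsPolicy:
    """Parse policy text; a malformed, missing or unsupported field is a hard error."""
    mx, fields = [], {}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1" or fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or unsupported version/mode")
    return StsPolicy(fields["mode"], tuple(mx), int(fields.get("max_age", "0")))

def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 section 4.1: a leading '*.' matches exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                    # e.g. ".backup.example.com"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return host == pattern

def effective_policy(fetched: Optional[str], cached: Optional[StsPolicy]) -> Optional[StsPolicy]:
    """RFC 8461 section 5.1: on fetch failure (None) or parse failure keep the cached policy."""
    try:
        return parse_policy(fetched or "")      # "" fails validation, so it behaves like a failed fetch
    except ValueError:
        return cached

def delivery_decision(policy: Optional[StsPolicy], mx_host: str, tls_ok: bool, cert_ok: bool):
    """Return (deliver, reason). Only mode 'enforce' blocks delivery; 'testing' only reports."""
    if policy is None or policy.mode == "none":
        return True, "no policy"
    checks = (("mx not in policy", any(mx_matches(p, mx_host) for p in policy.mx)),
              ("no STARTTLS", tls_ok), ("certificate name mismatch", cert_ok))
    failures = [name for name, ok in checks if not ok]
    if failures and policy.mode == "enforce":
        return False, "; ".join(failures)
    return True, "; ".join(failures) or "ok"
```

In "testing" mode the returned reason is what a TLS-RPT report would carry while mail still flows; in "enforce" mode the same failures stop the send.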
I don't see the purpose of implementing the RFC at 20 or 30%. It will be confusing to the user to enable something that's not fully implemented/working. It is better to address the full implementation in one MR here and test it well before merging.
Got it, let me work on that!
This PR implements comprehensive MTA-STS (Mail Transfer Agent Strict Transport Security) and TLS-RPT (TLS Reporting) support in Cypht, addressing #337.