[PR #295] Add configurable TLS profiles for listeners #288

Open
opened 2026-02-26 18:34:07 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/decke/smtprelay/pull/295
Author: @StrongWind1
Created: 12/28/2025
Status: 🔄 Open

Base: master ← Head: tls_profile


📝 Commits (1)

  • 048d4e9 add tls_profile options (https://github.com/decke/smtprelay/commit/048d4e9ebae50125b184a365c0d2235f7d17c4c4)

📊 Changes

3 files changed (+106 additions, -1 deletions)


📝 config.go (+1 -0)
📝 main.go (+82 -1)
📝 smtprelay.ini (+23 -0)

📄 Description

This PR adds a new configuration option, tls_profile, to control the TLS policy used by inbound starttls:// and tls:// listeners.

Why:

  • I deploy smtprelay to internal networks, where we sometimes need to accept connections from older/embedded devices (e.g., printers, scanners, legacy appliances) that don’t support modern cipher suites
  • I wanted to include the internet-facing option where stricter TLS settings are needed (e.g., TLS 1.3 only or TLS 1.2+ without CBC fallback suites)
  • Even in "legacy" environments, SMTP over TLS with weaker ciphers is still preferable to plaintext/unauthenticated SMTP

Changes:

  • Add a new config/flag: tls_profile (default: default)
  • Implement five TLS profiles:
    • default: Go standard library defaults (recommended for most deployments)
    • modern: TLS 1.3 only
    • hardened: TLS 1.2 and TLS 1.3; TLS 1.2 restricted to modern AEAD + ECDHE suites (GCM + ChaCha20). No CBC fallback suites.
    • extended: TLS 1.2 and TLS 1.3; hardened plus additional TLS 1.2 compatibility suites (CBC + RSA key exchange) to support older internal clients.
    • legacy: last resort; enables TLS 1.0+ and all TLS 1.0–1.2 cipher suites exposed by the Go standard library.

File updates:

  • config.go
    • Add tls_profile option (flag/config) with accepted values: modern | hardened | default | extended | legacy (`default` is the default)
  • main.go
    • Update getTLSConfig() to apply the selected TLS profile
  • smtprelay.ini
    • Add a commented help section describing tls_profile and example usage

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
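The five profiles described above map naturally onto Go's `crypto/tls` settings: `MinVersion` selects the protocol floor and `CipherSuites` restricts the TLS 1.2 suites (TLS 1.3 suites are not configurable in Go). The following is an added illustration of such a mapping, written for this page; it is not the PR's `getTLSConfig()` code and the function names `tlsConfigForProfile` and `profileAllowsSuite` are assumptions. The caller is expected to add its own `Certificates` to the returned config. Unknown profile names are rejected rather than silently falling back to a weaker setting, which is the behaviour a reviewer would want to check for in the real change.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"os"
)

// hardenedSuites: TLS 1.2 AEAD suites with ECDHE key exchange only
// (GCM + ChaCha20). No CBC suites, no static RSA key exchange.
var hardenedSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// compatSuites: older TLS 1.2 suites (CBC mode and/or static RSA key exchange)
// that the "extended" profile adds on top of hardenedSuites for old internal
// clients. Static RSA key exchange has no forward secrecy; CBC suites are
// exposed to padding-oracle style weaknesses, so these are deliberately absent
// from "hardened".
var compatSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_RSA_WITH_AES_128_CBC_SHA,
	tls.TLS_RSA_WITH_AES_256_CBC_SHA,
}

// legacySuites returns every TLS 1.0-1.2 suite the standard library knows,
// including the ones Go itself marks insecure (RC4, 3DES, CBC-SHA256).
// TLS 1.3-only suites are skipped because CipherSuites does not apply to them.
func legacySuites() []uint16 {
	var ids []uint16
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		for _, v := range cs.SupportedVersions {
			if v <= tls.VersionTLS12 {
				ids = append(ids, cs.ID)
				break
			}
		}
	}
	return ids
}

// tlsConfigForProfile (hypothetical) builds a listener config for one profile name.
func tlsConfigForProfile(profile string) (*tls.Config, error) {
	cfg := &tls.Config{}
	switch profile {
	case "default":
		// Leave MinVersion and CipherSuites unset: Go's own defaults apply.
	case "modern":
		cfg.MinVersion = tls.VersionTLS13
	case "hardened":
		cfg.MinVersion = tls.VersionTLS12
		cfg.CipherSuites = append([]uint16(nil), hardenedSuites...)
	case "extended":
		cfg.MinVersion = tls.VersionTLS12
		cfg.CipherSuites = append(append([]uint16(nil), hardenedSuites...), compatSuites...)
	case "legacy":
		cfg.MinVersion = tls.VersionTLS10
		cfg.CipherSuites = legacySuites()
	default:
		// Fail closed: a typo must not silently become "whatever Go allows".
		return nil, fmt.Errorf("unknown tls_profile %q (want modern|hardened|default|extended|legacy)", profile)
	}
	return cfg, nil
}

// profileAllowsSuite (hypothetical) reports whether a profile enables a given
// TLS 1.2 suite; a nil CipherSuites list means Go's default enabled set.
func profileAllowsSuite(profile string, id uint16) (bool, error) {
	cfg, err := tlsConfigForProfile(profile)
	if err != nil {
		return false, err
	}
	enabled := cfg.CipherSuites
	if enabled == nil {
		for _, cs := range tls.CipherSuites() {
			enabled = append(enabled, cs.ID)
		}
	}
	for _, s := range enabled {
		if s == id {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	for _, p := range []string{"default", "modern", "hardened", "extended", "legacy", "typo"} {
		cfg, err := tlsConfigForProfile(p)
		if err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			continue
		}
		cbc, _ := profileAllowsSuite(p, tls.TLS_RSA_WITH_AES_128_CBC_SHA)
		fmt.Printf("%-9s min=0x%04x suites=%-2d allows RSA/CBC=%v\n", p, cfg.MinVersion, len(cfg.CipherSuites), cbc)
	}
}
```

Note that `legacy` also depends on the Go toolchain: recent Go versions disable TLS 1.0/1.1 and some suites by default, and an explicit `MinVersion`/`CipherSuites` is what re-enables them, so the effective policy of that profile should be re-checked whenever the build toolchain is upgraded.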
