
Add TLS/STARTTLS support

Open Mynacol opened this issue 2 years ago • 6 comments

Hi, first of all: Thanks for this incredible service. I really love it! :heart:

Unfortunately, I noticed that the main instance, kill-the-newsletter.com (thanks for hosting), does not support STARTTLS, which is a no-go IMO. The smtp-server library you use has support for it, but you disable it.

Enabling support seems to be relatively easy: First, do not disable the STARTTLS command. Second, set up key, cert and eventually ca parameters to point to the certificate you already have for HTTPS.

Congrats, you have enabled encryption! :confetti_ball:


Additionally, if you are already at it, check recommendations from internet.nl:

  • Add a DANE record pinning the Let's Encrypt CA certificates. Pinning the two CA certificates makes the TLSA records safe for the next decades. You just have to stick to Let's Encrypt. They should be:
    # ISRG Root X1
    _25._tcp.kill-the-newsletter.com.	10800	IN	TLSA	2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3
    # ISRG Root X2
    _25._tcp.kill-the-newsletter.com.	10800	IN	TLSA	2 1 1 762195c225586ee6c0237456e2107dc54f1efc21f61a792ebd515913cce68332
    
    You already have the required DNSSEC on the kill-the-newsletter.com domain. You can use this test page if you have deployed it.
  • Add IPv6 support to the mail server. It's 2022, IPv6 should be supported by default. And as you only receive mails, you should not fear deliverability problems.
  • Avoid misuse of your domain for spam. Also see this Cloudflare article.
    • Add a SPF record. If you never send email from your domain, just set
      kill-the-newsletter.com.	10800	IN	TXT	"v=spf1 -all"
      
      Alternatively, v=spf1 mx -all to allow the mail server to send mail.
    • Eventually add a null DKIM record as described by the Cloudflare article. Cloudflare wants to set the wildcard record *._domainkey.kill-the-newsletter.com, check if your DNS provider supports wildcard records.
    • Add a DMARC record rejecting mail for failing SPF/DKIM checks:
      _dmarc.kill-the-newsletter.com.	10800	IN	TXT	"v=DMARC1; p=reject;"


You can also consult hardenize.com for great email server reports.

Mynacol, Sep 23 '22 14:09

> Hi, first of all: Thanks for this incredible service. I really love it! ❤️

Thanks for the kind words.


When I was developing Kill the Newsletter! I thought about doing what you’re proposing and using the HTTPS keys for the email server. But then I thought: How will the email server pick up new TLS keys when they’re renewed (automatically) by the HTTPS server? I suppose it would have to hook into some event system from the HTTPS server, or monitor the filesystem, or something to that effect. And at that point I disabled STARTTLS 🤷

Do you have a better answer for this?


Thanks for the other recommendations. I’ll look into them…

leafac, Sep 24 '22 10:09

After your message I dug deeper into the source code and I understand now why you had problems with TLS encryption. While you use auto-encrypt, which does everything automatically for HTTPS, I was assuming you were using something like certbot, which places the private key and certificate chains as PEM files somewhere.

After determining that auto-encrypt cannot give us the certificates for the mail server, I found greenlock, which would work similarly. Unfortunately, the package has had no update in the last two years and it is kinda convoluted to get the new certificate when an automatic renewal happens – you have to set up a new store for "saving" the certificate, and that would eliminate the default file-system storage for system restarts at first.

So the easiest solution IMO would be to use an external tool like certbot, which does the renewal by itself but can restart the Node.js program on completion, switching it to the new certificate.


And BTW, you could run npm update once. It would fix a couple of known security vulnerabilities. But beware, there is an error sneaking in:

source/index.ts:176:18 - error TS2345: Argument of type 'Buffer' is not assignable to parameter of type 'string | string[]'.
  Type 'Buffer' is missing the following properties from type 'string[]': pop, push, concat, shift, and 5 more.

176               $${logo}
                     ~~~~

Mynacol, Sep 25 '22 14:09

Fair enough. Thanks for investigating. I’ll update some things about Kill the Newsletter! in the near future and include the STARTTLS in the process.

leafac, Sep 25 '22 15:09

Thanks in advance! That's more than I had hoped for!

Mynacol, Sep 25 '22 16:09

Just a quick reminder from my side.

Mynacol, Oct 13 '22 09:10

Thanks for deploying v2 of kill-the-newsletter. I see you have added TLS support for mail transfer, and I just got a newsletter mail that I hadn't received in the last months. Coincidence? :) Thanks to heavy rate limiting I can't determine what TLS versions and ciphers you support, but at least TLS 1.3 :+1:.

Anyways, the main intent of this issue is solved, hence you can close it. I'd still recommend adding at least an SPF record to prevent others from spoofing mail from kill-the-newsletter.com. If you never send mail from this domain you can set the following DNS entry:

kill-the-newsletter.com.	10800	IN	TXT	"v=spf1 -all"

DANE and CAA are nice to have but not really necessary here. Equally DMARC, which would strengthen the spoofing resistance even further. I'd still love IPv6 support. Your hosting provider, DigitalOcean, supports it at no additional cost. I guess deployment of IPv6 is easy for this service (check if both caddy and the smtp server listen on IPv6 sockets with ss -tulpn and you should be good to go).

Mynacol, May 09 '24 10:05

Hi @Mynacol,

Yes, the solution really ended up being monitoring the filesystem for updates on the certificate and restarting the email server.

I’ll look into the other suggestions in the near future. Thank you very much.

leafac, Jun 05 '24 15:06