
support requiring verified TLS certs on specific ports #2554

Merged
msimerson merged 4 commits into haraka:master from 2543-tls-required on Dec 9, 2018

Conversation

msimerson (Member) commented Dec 7, 2018

Fixes #2543

This is largely the same as #2543 except:

  • includes tests (which surfaced a couple issues)
  • config setting named requireAuthorized instead of authorizationRequired
  • no boolean option (simpler, easier to document)
  • has support for SMTPS server (was only for STARTTLS)
  • more GFM formatting in tls.ini

Checklist:

  • docs updated
  • tests updated
  • Changes updated

codecov bot commented Dec 7, 2018

Codecov Report

Merging #2554 into master will increase coverage by 0.21%.
The diff coverage is 82.35%.


@@            Coverage Diff             @@
##           master    #2554      +/-   ##
==========================================
+ Coverage   58.72%   58.94%   +0.21%     
==========================================
  Files          29       29              
  Lines        6401     6413      +12     
  Branches     1581     1585       +4     
==========================================
+ Hits         3759     3780      +21     
+ Misses       2642     2633       -9
Impacted Files    Coverage Δ
server.js         39.03% <100%> (+0.16%) ⬆️
smtp_client.js    52.78% <50%> (ø) ⬆️
tls_socket.js     75.45% <83.33%> (+1.51%) ⬆️
connection.js     51.07% <0%> (+0.24%) ⬆️
plugins.js        77.49% <0%> (+0.96%) ⬆️

Continue to review full report at Codecov.

Codecov last update: 562bb79...6482a5d.

@@ -15,6 +15,12 @@
; requestCert=true
; requestOCSP=false

; rejectUnauthorized above requires verified TLS certs on EVERY TLS connection. When
; rejectUnauthorized=false (default), you can require verified TLS certs on only the
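Review bot: the new comment block added after "; requestCert=true" explains rejectUnauthorized but does not name the per-port setting this PR introduces, requireAuthorized (per the description), nor say that both settings only take effect when requestCert=true, since a client certificate that is never requested can never be verified; suggest adding one line such as "; requireAuthorized=<ports> requires verified certs only on those ports (needs requestCert=true)" so an operator reading tls.ini sees the dependency.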
Contributor:

Wouldn't it be more secure to have this default to true?

Member Author (msimerson):

Yes, and unplugging the network cable would also be more secure. Neither one is very useful for MTA operators wanting to receive emails.

Member Author (msimerson):

Typical connections that send mail to an MTA will not present a valid TLS client certificate. If you set rejectUnauthorized=true, then you'll block the vast majority of mail. This is really an "edge case" feature, where you have clients that will authenticate to Haraka with a signed certificate instead of user/pass.

Contributor:

Yeah, I shot a bit quickly and was only thinking about using Haraka as an outbound mail server. In this case it would only send emails to other MTAs that support TLS with this option, no?

Member Author (msimerson):

Likely the best way to make this point is to refer you to your Haraka mail logs with grep. Here are a few of my connections:

# grep verified=false /var/log/maillog | wc -l             
    1165
# grep verified=true /var/log/maillog | wc -l
      11

Member Author (msimerson):

> In this case it would only send emails to other MTAs that support TLS with this option, no?

Not quite. Haraka outbound would only be able to send mail to remote MTAs that present valid (i.e., verified by a CA that's included in the CAs that are bundled with Node.js) TLS certificates. This would be higher than for inbound, but I think you'd still end up with lots of undelivered mail in your outbound queue.
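The policy the thread is arguing about, as an added example that is not Haraka's own code: a global rejectUnauthorized switch beside a per-port requireAuthorized list, evaluated against the authorized/authorizationError state Node's tls.TLSSocket exposes when requestCert=true. The tls.ini key syntax for requireAuthorized, the sample config and the sample socket values are assumptions constructed for the example.

```javascript
// Added example, not Haraka's code. Policy modelled on the two settings in this PR:
//   rejectUnauthorized=true   -> every TLS connection needs a CA-verified client cert
//   requireAuthorized=<ports> -> only listeners on those ports do (key syntax assumed)

function parseTlsIni(text) {
  const cfg = { requestCert: false, rejectUnauthorized: false, requireAuthorized: [] };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    // ';' and '#' start comments in Haraka ini files; section headers carry no values
    if (!line || line[0] === ';' || line[0] === '#' || line[0] === '[') continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const val = line.slice(eq + 1).trim();
    if (key === 'requestCert') cfg.requestCert = val === 'true';
    if (key === 'rejectUnauthorized') cfg.rejectUnauthorized = val === 'true';
    if (key === 'requireAuthorized') {
      cfg.requireAuthorized = val.split(',').map((s) => Number(s.trim())).filter(Number.isInteger);
    }
  }
  return cfg;
}

// True when the handshake completed but the connection must still be dropped under cfg.
// socket carries the tls.TLSSocket fields localPort, authorized and authorizationError.
function mustReject(cfg, socket) {
  const required = cfg.rejectUnauthorized || cfg.requireAuthorized.includes(socket.localPort);
  return required && !socket.authorized;
}

// Misconfiguration check: verification demanded but no certificate ever requested.
function configWarnings(cfg) {
  const wantsVerified = cfg.rejectUnauthorized || cfg.requireAuthorized.length > 0;
  return !cfg.requestCert && wantsVerified
    ? ['requestCert=false: no client cert is requested, so none can ever be verified']
    : [];
}

// A verified=true/false log line in the spirit of what the PR author grepped for.
function describe(socket) {
  const err = socket.authorized ? '' : ` error=${socket.authorizationError || 'none'}`;
  return `port=${socket.localPort} verified=${socket.authorized}${err}`;
}

// Constructed sample: verification demanded only on the submission ports.
const SAMPLE_INI = [
  'requestCert=true',
  'rejectUnauthorized=false',
  '; these listeners alone require a CA-verified client certificate',
  'requireAuthorized=465,587',
].join('\n');
```

With this config an unverified connection on port 25 is still accepted, which is the behaviour the author defends above, while the same connection on 587 is dropped.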

AuspeXeu (Contributor) left a review comment:

Maybe more secure default?

@haraka haraka deleted a comment from codecov bot Dec 8, 2018
@msimerson msimerson merged commit 3d1ccdb into haraka:master Dec 9, 2018
@msimerson msimerson deleted the 2543-tls-required branch December 9, 2018 21:15