SMTP
2025-06-30
2000/06,RFC 2852。
https://www.rfc-editor.org/search/rfc_search_detail.php?page=All&title=smtp
该扩展允许发送方在 RCPT TO 阶段声明期望的投递时限(如 RCPT TO:<user@example.com> DELIVERBY=3600),要求接收方在指定秒数内完成投递,否则可触发退回或降级处理。
语法
RCPT TO:<forward-path> DELIVERBY=<duration>
例如:
S: 250 OK
C: RCPT TO:<user@example.com> DELIVERBY=1800
S: 250 Accepted with DELIVERBY=1800
ABNF
by-parameter = "BY="by-value
by-value = by-time";"by-mode[by-trace]
by-time = ["-" / "+"]1*9digit ; a negative or zero value is not
; allowed with a by-mode of "R"
by-mode = "N" / "R" ; "Notify" or "Return"
by-trace = "T" ; "Trace"
- by-mode(可选):
- N(Notify):超时后 通知发送方(DSN 报告)
- R(Return):超时后 直接退回邮件
- by-trace(可选):
- T 表示需(在邮件服务器日志中)记录投递路径追踪信息 (例如超时事件的时间戳、目标服务器等)
记录详细信息通过 DSN 报告给发送方?
SMTP
2025-05-31
stateDiagram-v2
[*] --> Connected
Connected --> AwaitingGreeting: TCP连接建立
# 协议握手阶段
AwaitingGreeting --> HelloCommand: 收到220后发送EHLO
HelloCommand --> TLS_Decision: 解析250扩展
# 加密与认证决策
TLS_Decision --> TLS_Handshake: 需要STARTTLS
TLS_Handshake --> HelloCommand: 加密后重发EHLO
TLS_Decision --> Auth_Decision: 无需TLS
Auth_Decision --> AUTH_Login: 需要认证
AUTH_Login --> MailFromCommand: 认证成功
Auth_Decision --> MailFromCommand: 无需认证
# 邮件传输流程
MailFromCommand --> RcptToCommand: 收到250后发送RCPT TO
RcptToCommand --> DataCommand: 收到250(最终收件人)后发送DATA
DataCommand --> Data: 收到354后发送邮件内容
Data --> QuitCommand: 收到250后发送QUIT
QuitCommand --> Disconnected: 收到221断开连接
Disconnected --> [*]
# 统一错误处理
state ErrorHandler <<choice>>
HelloCommand --> ErrorHandler: 错误响应
MailFromCommand --> ErrorHandler: 错误响应
RcptToCommand --> ErrorHandler: 错误响应
DataCommand --> ErrorHandler: 错误响应
Data --> ErrorHandler: 错误响应
ErrorHandler --> RSETCommand: 可恢复错误
RSETCommand --> MailFromCommand: 重置到发件人状态
ErrorHandler --> Disconnected: 致命错误
OpenSSL HTTPS SMTP TLS
2023-12-10
HTTPS
echo | openssl s_client -connect sendcloud.net:443
echo | openssl s_client -showcerts -connect sendcloud.net:443
echo | openssl s_client -showcerts -debug -connect sendcloud.net:443 >/dev/null
echo | openssl s_client -showcerts -debug -connect sendcloud.net:443 2>/dev/null | openssl x509 -inform pem -noout -text
# 导出证书
openssl s_client -connect sendcloud.net:443 </dev/null | openssl x509 -outform pem > sendcloud.net.cer
# 导出所有证书
openssl s_client -showcerts -connect sendcloud.net:443 </dev/null | sed -n '/-----BEGIN/,/-----END/p' > sendcloud.net.cer
# 查看证书信息
openssl s_client -showcerts -connect sendcloud.net:443 </dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -text
# 查看证书链上所有证书信息
OLDIFS=$IFS; IFS=':' certs=$(openssl s_client -showcerts -connect sendcloud.net:443 2>/dev/null </dev/null | sed -n '/-----BEGIN/,/-----END/{/-----BEGIN/ s/^/:/; p}'); for cert in ${certs#:}; do echo $cert | openssl x509 -noout -text; done; IFS=$OLDIFS
# # 查看证书链上所有证书 OCSP URI
OLDIFS=$IFS; IFS=':' certs=$(openssl s_client -showcerts -connect sendcloud.net:443 2>/dev/null </dev/null | sed -n '/-----BEGIN/,/-----END/{/-----BEGIN/ s/^/:/; p}'); for cert in ${certs#:}; do echo $cert | openssl x509 -noout -ocsp_uri; done; IFS=$OLDIFS
# -ocsp_uri
# -serial
# -fingerprint
# -subject
# 检查证书在 30 天之后有没有过期
openssl s_client -connect sendcloud.net:443 2>/dev/null </dev/null | openssl x509 -outform pem | openssl x509 -noout -checkend 2592000
# -checkend intmax Check whether the cert expires in the next arg seconds
# -checkhost val Check certificate matches host
# -checkemail val Check certificate matches email
# -checkip val Check certificate matches ipaddr
echo | openssl s_client -verify_hostname baidu.com -connect sendcloud.net:443 1>/dev/null
SMTP
一样的,只是加 -starttls smtp。
echo | openssl s_client -connect smtp.sendcloud.net:25 -starttls smtp
echo | openssl s_client -connect smtp.sendcloud.net:25 -starttls smtp 2>/dev/null | openssl x509 -inform pem -noout -text
其他
校验证书
# echo | openssl s_client -connect smtp.sendcloud.net:25 -starttls smtp 2>/dev/null | openssl verify
# echo | openssl s_client -showcerts -connect smtp.sendcloud.net:25 -starttls smtp 2>/dev/null | openssl verify
echo | openssl s_client -showcerts -connect smtp.sendcloud.net:25 -starttls smtp 2>/dev/null | sed -n '/-----BEGIN/,/-----END/p' > smtp.sendcloud.net.cer
openssl verify -CAfile smtp.sendcloud.net.cer smtp.sendcloud.net.cer
IMAP
echo | openssl s_client -connect imap.126.com:143 -starttls imap
测试 TLS 1.3 支持
echo | openssl s_client -connect smtp.sendcloud.net:25 -starttls smtp -tls1_3
OCSP 检测
用上面的 sendcloud.net.cer 举例,需要将文件中第一个证书和下面的其他证书拆开,分成 sendcloud.cer 和 chain.cer
openssl x509 -noout -ocsp_uri -in sendcloud.cer
# http://ocsp.sectigo.com
openssl ocsp -issuer chain.cer -cert sendcloud.cer -text -url http://ocsp.sectigo.com
# Error querying OCSP responder
# 140052849842064:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:314:Code=400,Reason=Bad Request
遇到上面报错是因为 OSCP 客户端使用 HTTP 1.0,但是服务器端现在都是 1.1,需要 Host 头。
$ openssl ocsp -issuer chain.cer -cert sendcloud.cer -text -url http://ocsp.sectigo.com -header "HOST" "ocsp.sectigo.com"
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 21F3459A10CAA6C84BDA1E3962B127D5338A7C48
Issuer Key Hash: 17D9D6252767F931C24943D93036448C6CA94FEB
Serial Number: DB5F1FFAFFB770CA38E8120A6121852E
Request Extensions:
OCSP Nonce:
0410F47624DDB17E9703BFCDCC96E983018B
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 17D9D6252767F931C24943D93036448C6CA94FEB
Produced At: Dec 9 07:52:17 2023 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 21F3459A10CAA6C84BDA1E3962B127D5338A7C48
Issuer Key Hash: 17D9D6252767F931C24943D93036448C6CA94FEB
Serial Number: DB5F1FFAFFB770CA38E8120A6121852E
Cert Status: good
This Update: Dec 9 07:52:17 2023 GMT
Next Update: Dec 16 07:52:16 2023 GMT
Signature Algorithm: sha256WithRSAEncryption
5f:65:bf:3e:d1:8c:16:63:76:bc:83:82:b8:a3:67:54:1d:26:
78:e1:b9:7f:64:c7:61:bc:40:0d:4b:b0:7f:49:29:bc:38:48:
43:87:a5:dd:a1:e6:b4:74:ce:58:44:24:30:c3:0d:f5:ab:da:
8c:f9:25:0e:3e:e2:fe:5a:64:5f:32:d9:f5:15:6f:0c:0c:89:
97:30:f6:6c:07:56:6e:54:81:4f:d3:22:1f:16:94:a0:2b:99:
49:2f:2c:0f:c8:b7:b4:90:2f:60:01:54:9c:f9:34:c0:c6:e1:
09:3f:93:d4:dd:a7:0b:34:bb:cb:4b:06:c3:5a:8c:fc:dc:85:
4f:9d:a7:08:c3:22:98:06:b8:b9:d4:47:51:9c:36:43:f3:53:
db:f5:d1:2f:4c:a6:97:c7:5a:f5:15:04:c4:94:a4:9e:95:4c:
03:fd:5a:60:b8:4c:75:e8:02:74:e4:80:1c:8f:17:85:8a:a2:
9e:b9:5d:74:4a:2e:7d:9f:5e:d8:40:6b:60:63:74:3f:dc:11:
d4:f6:b4:86:6e:6b:83:8a:ff:57:cf:b4:41:1f:a3:66:b2:e2:
00:6a:3a:33:dc:c3:3d:13:1d:37:97:d9:9c:d9:b5:9b:24:74:
24:82:7a:f9:ca:51:b3:39:24:e3:90:f4:ff:4b:8e:be:f8:0f:
ec:7a:16:55
WARNING: no nonce in response
Response Verify Failure
139766041024400:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:92:
sendcloud.cer: good
This Update: Dec 9 07:52:17 2023 GMT
Next Update: Dec 16 07:52:16 2023 GMT
SMTP Email
2023-02-15
Python
import smtplib
import ssl
host = 'smtp.126.com'
s = smtplib.SMTP(host)
context = ssl.create_default_context()
context.check_hostname = True
s.starttls(context=context)
s.quit()
Golang
如果服务器支持 STARTTLS,标准库 net/smtp 的 SendMail 方法就会校验主机名。
package main
import (
"crypto/tls"
"fmt"
"net/smtp"
)
func main() {
host := "smtp.126.com"
port := 25
c, err := smtp.Dial(fmt.Sprintf("%s:%d", host, port))
if err != nil {
panic(err)
}
tlsConfig := &tls.Config{ServerName: host}
if err := c.StartTLS(tlsConfig); err != nil {
panic(err) // panic: x509: certificate is valid for xxx, not yyy
}
if err = c.Quit(); err != nil {
panic(err)
}
}
Golang SMTP
2021-01-15
package main
import (
"crypto/tls"
"errors"
"fmt"
"net"
"net/smtp"
)
// ============================================================================
type Transaction struct {
Host string
Port uint16
LocalName string
TlsEnable bool
Username string
Password string
MailFrom string
RcptTo []string
Data []byte
}
func NewTransaction() Transaction {
trans := Transaction{}
return trans
}
func (trans Transaction) Send() error {
addr := fmt.Sprintf("%s:%d", trans.Host, trans.Port)
// SendMail(addr string, a Auth, from string, to []string, msg []byte) error
c, err := smtp.Dial(addr)
if err != nil {
return err
}
defer c.Close()
c.Hello(trans.LocalName)
if ok, _ := c.Extension("STARTTLS"); ok {
serverName, _, _ := net.SplitHostPort(addr)
config := &tls.Config{
InsecureSkipVerify: true,
ServerName: serverName,
}
if err = c.StartTLS(config); err != nil {
return err
}
} else {
fmt.Printf("smtp: server doesn't support STARTTLS\n")
}
if trans.Username != "" {
if ok, _ := c.Extension("AUTH"); !ok {
return errors.New("smtp: server doesn't support AUTH")
}
auth := smtp.PlainAuth("", trans.Username, trans.Password, trans.Host)
if err = c.Auth(auth); err != nil {
fmt.Println("smtp: authentication failed")
return err
}
}
if err = c.Mail(trans.MailFrom); err != nil {
return err
}
for _, addr := range trans.RcptTo {
if err = c.Rcpt(addr); err != nil {
return err
}
}
w, err := c.Data()
if err != nil {
return err
}
_, err = w.Write(trans.Data)
if err != nil {
return err
}
err = w.Close()
if err != nil {
return err
}
return c.Quit()
}
// ============================================================================
func main() {
from := "ninedoors@126.com"
to := "ninedoors@qq.com"
msg := []byte{}
fmt.Println("============================================================")
trans := Transaction{
"smtp.126.com", 25, "peach", false,
from, "password",
from, []string{to},
msg,
}
trans.Send()
}
net/smtp 没有发现有好的日志实现,我只能定制了一个版本实现了日志smtp.Client -> textproto.Conn -> textproto.Writer
SMTP Email
2018-05-18
最常见的三种 SMTP 认证方法:
Python SMTP PythonSimpleServer Email
2018-05-07
Python2
python2 -m smtpd -h
# An RFC 2821 smtp proxy.
# Usage: /usr/lib/python2.7/smtpd.py [options] [localhost:localport [remotehost:remoteport]]
# --nosetuid, -n
# --version, -V
# --class classname, -c classname
# --debug, -d
# --help, -h
Python3
python -m smtpd -h
# An RFC 5321 smtp proxy with optional RFC 1870 and RFC 6531 extensions.
# Usage: /usr/lib/python3.9/smtpd.py [options] [localhost:localport [remotehost:remoteport]]
# --nosetuid, -n 默认会设置用户为 nobody,如果不是 root 会因权限不足失败
# --version, -V
# --class classname, -c classname 默认: PureProxy
# --size limit, -s limit 消息大小限制(RFC 1870 SIZE extension),默认是 33554432 字节,即 32MB
# --smtputf8, -u 启用 SMTPUTF8 扩展(RFC 6531)
# --debug, -d
# --help, -h
# 如果不指定主机,就使用 localhost
# 如果主机是 localhost,端口使用 8025
# 如果是其他主机,端口使用 25
python3 -m smtpd -n
# 默认的 PureProxy 会给转信出去,正常情况会被服务器拒绝
python3 -m smtpd -n -c smtpd.DebuggingServer
Python 3.9 的 PureProxy 有 BUG,会报 process_message() got an unexpected keyword argument 'mail_options'。
自定义黑洞服务器
blackhole.py
import smtpd
import time
class BlackHoleServer(smtpd.SMTPServer):
def process_message(self, peer, mailfrom, rcpttos, data, **kwargs):
print('%s %s %s -> %s' % (time.strftime('%Y-%m-%d %H:%M:%S'), peer, mailfrom, rcpttos))
setup.py
import setuptools
setuptools.setup(name="blackhole", py_modules=["blackhole"])
附件下载:blackhole.zip
python setup.py install --user
python -m smtpd -n -c blackhole.BlackHoleServer
测试
import smtplib
smtp = smtplib.SMTP('localhost', 8025)
from_addr = 'admin@markjour.com'
to_addr = 'you@markjour.com'
smtp.sendmail(from_addr, to_addr,
f"""From: {from_addr}\nTo: {to_addr}\nSubject: just4fun\n\nhello, world!""")
SMTP Email
2018-04-24
RFC#821 定义的 SMTP 协议非常简单(简陋)。
1993 年,RFC#1425 SMTP Service Extensions 定义了 SMTP 协议的拓展框架。
这个向前兼容的安全拓展框架是通过 EHLO 命令来实现。