{"id":20814692,"url":"https://github.com/richfelker/mxclient","last_synced_at":"2025-05-07T12:03:41.838Z","repository":{"id":46659161,"uuid":"246157877","full_name":"richfelker/mxclient","owner":"richfelker","description":"A minimalist client for sending mail direct to recipient's MX","archived":false,"fork":false,"pushed_at":"2024-02-21T18:57:42.000Z","size":52,"stargazers_count":40,"open_issues_count":2,"forks_count":1,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-05-02T04:17:56.900Z","etag":null,"topics":["dane","mail-exchanger","password-reset","sendmail","smtp","starttls"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/richfelker.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-03-09T22:47:48.000Z","updated_at":"2024-05-02T04:17:56.901Z","dependencies_parsed_at":"2023-01-30T21:25:11.685Z","dependency_job_id":null,"html_url":"https://github.com/richfelker/mxclient","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/richfelker%2Fmxclient","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/richfelker%2Fmxclient/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/richfelker%2Fmxclient/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/richfelker%2Fmxclient/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/richfelker","download_url":"https://codeload.github.com/richfelker/mxclient/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225091432,"owners_count":17419495,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dane","mail-exchanger","password-reset","sendmail","smtp","starttls"],"created_at":"2024-11-17T21:17:48.168Z","updated_at":"2024-11-17T21:17:48.813Z","avatar_url":"https://github.com/richfelker.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# mxclient\n\nmxclient is not a normal MTA. Rather, it's a minimalist client for\nsending mail *direct to the recipient's MX*, or mail exchanger, in\ncontrast to the widespread practice of sending through a \"smarthost\"\nor \"outgoing mail server\".\n\nIn combination with sufficient cryptographic measures, this ensures\nthat no one outside the receiving domain's mail system can intercept\nor alter the contents of the message, making mxclient suitable for:\n\n- Private bi-directional communication between individuals (with\n  personal domains) or organizations that mutually implement this kind\n  of delivery.\n\n- Delivery of sensitive data like account access or password reset\n  tokens without them passing through third party mailer systems.\n\n- Avoiding dragnet surveillance of outgoing mail in otherwise\n  conventional mail setups.\n\nmxclient is not an outgoing mail queue. It delivers mail\nsynchronously, to a single recipient, reporting success, temporary\nfailure, or permanent failure via the exit status (using `sysexits.h`\ncodes). It can be used as the backend for the separate queuing\nfrontend to yield a full \"sendmail\" command for use by MUAs or scripts\nthat expect asynchronous delivery.\n\nAbility to send mail directly to the recipient's MX depends on having\nunblocked outgoing port 25 (many residential and mobile ISPs firewall\nit) and on not being on one of several \"dialup\"/residential IP address\nlists that many sites' mail systems use to block likely spammers. To\nget around this while still maintaining the security and privacy\nproperties of interfacing directly with the recipient's MX, future\nversions of mxclient will support performing the actual TCP connection\nthrough a (SOCKS5 or `ssh -W` child process) proxy while keeping the\nactual TLS endpoint local.\n\n\n## Project Status\n\nmxclient is incomplete but under active development. Proxy support is\nmissing, and DANE modes other than DANE-EE with public key only (vs\nfull cert) are untested. Otherwise all basic functionality is present.\n\n\n## Background on SMTP and TLS\n\nSMTP does not use a separate port/service for TLS-encrypted sessions,\nbut rather a \"STARTTLS\" command, advertised in the greeting response,\nto upgrade a connection to TLS. Originally this provided only\nopportunistic encryption that was easily stripped by MITM devices, and\nprovided no authentication of the server to the client. Since the CA\ninfrastructure used on the web does not carry over to SMTP, mail\nservers generally used self-signed certificates.\n\nWith DANE and DNSSEC, however, it's possible to have a full chain of\ntrust for the intended recipient domain. In short, DANE publishes key\nor certificate pinnings for a domain in DNS records, and DNSSEC\nprovides a signature chain proving the authenticity of both the DANE\nrecords and the conventional record types used for mail (MX for the\ndomain's mail exchangers, and A/AAAA/CNAME records used to find the IP\naddress of the server to send to).\n\nmxclient uses the SMTP STARTTLS extension whenever it is advertised by\nthe server or DANE is in use for the domain, and enforces DANE-EE\nunless it can determine non-existence of TLSA (DANE) records for the\nrecipient domain's MX. It relies on a local DNSSEC-validating\nnameserver, ideally on localhost, to obtain this information.\n\n\n## Building\n\nThe only dependencies for mxclient are\n[BearSSL](https://www.bearssl.org/) and a libc with the\n`arpa/nameser.h` and `res_query` interfaces. Drop-in replacements for\nthese can be used on systems that don't have them.\n\nA `config.mak` file can be created to override default compile/link\nflags or install paths. Future versions will ship a `configure` script\nthat can generate a `config.mak` for you.\n\nAfter checking and adusting config as needed, simply run `make`.\nmxclient can be installed with `make install`, but installation is not\nneeded to use it. The program is entirely self-contained and\nstand-alone.\n\n\n## Usage\n\nBasic usage is:\n\n    mxclient -f you@your.example.com them@their.example.com \u003c message\n\nwhere `message` *should* be in standard RFC 822/2822 email message\nform, but is not processed locally by mxclient. In particular, a line\ncontaining a lone `.` is not special; input ends only at EOF (like\nsendmail with the `-i` option). Either ordinary newlines or CR/LF line\nendings (or any mix) are accepted.\n\nmxclient accepts (and mostly ignores) a few common `sendmail` command\nline options, including `-F`, `-i`, and `-o*`. The only option it\nactually uses is `-f`, to set the envelope sender (for the `MAIL\nFROM:` command).\n\nExit code will be 75 for temporary/retryable errors, and another (from\namong `sysexits.h` codes) nonzero value for non-retryable errors, or\nzero for success. During operation, progress is printed to `stdout`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frichfelker%2Fmxclient","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frichfelker%2Fmxclient","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frichfelker%2Fmxclient/lists"}