fix: do STARTTLS upgrade if available (#57)

* fix: do STARTTLS upgrade if available

Replace the missing STARTTLS upgrade call.

Fixes #56 (thanks @Top-Ranger!)

* chore: disable gosec MinVersion lint for STARTTLS

Realistically STARTTLS is insecure in the first place, so there's no real harm
here - any attacker would simply prevent the STARTTLS extension from being
advertised rather than trying to downgrade the protocol.

sender.go

@@ -2,6 +2,7 @@ package mailyak
 
 import (
 	"bufio"
+	"crypto/tls"
 	"io"
 	"net"
 	"net/smtp"
@@ -37,14 +38,26 @@ type sendableMail interface {
 // conn.
 //
 // serverName must be the hostname (or IP address) of the remote endpoint.
-func smtpExchange(m sendableMail, conn net.Conn, serverName string) error {
+func smtpExchange(m sendableMail, conn net.Conn, serverName string, tryTLSUpgrade bool) error {
 	// Connect to the SMTP server
 	c, err := smtp.NewClient(conn, serverName)
 	if err != nil {
 		return err
 	}
 	defer func() { _ = c.Quit() }()
 
+	if tryTLSUpgrade {
+		if ok, _ := c.Extension("STARTTLS"); ok {
+			//nolint:gosec
+			config := &tls.Config{
+				ServerName: serverName,
+			}
+			if err = c.StartTLS(config); err != nil {
+				return err
+			}
+		}
+	}
+
 	// Attempt to authenticate if credentials were provided
 	var nilAuth smtp.Auth
 	if auth := m.getAuth(); auth != nilAuth {

sender_explicit_tls.go

@@ -26,7 +26,7 @@ func (s *senderExplicitTLS) Send(m sendableMail) error {
 
 	// Perform the SMTP protocol conversation, using the provided TLS ServerName
 	// as the SMTP server name.
-	return smtpExchange(m, conn, s.hostname)
+	return smtpExchange(m, conn, s.hostname, false)
 }
 
 // newSenderWithExplicitTLS constructs a new senderExplicitTLS.

sender_starttls.go

@@ -20,7 +20,7 @@ func (s *senderWithStartTLS) Send(m sendableMail) error {
 	}
 	defer func() { _ = conn.Close() }()
 
-	return smtpExchange(m, conn, s.hostname)
+	return smtpExchange(m, conn, s.hostname, true)
 }
 
 func newSenderWithStartTLS(hostAndPort string) *senderWithStartTLS {