for external domains (for which we only accept external dmarc reports), don't try to fetch tls certificates at startup for autoconfig host

http/web.go

@@ -682,13 +682,22 @@ func Listen() {
 			if l.HostnameDomain.ASCII != "" {
 				hosts[l.HostnameDomain] = struct{}{}
 			}
-			// All domains are served on all listeners.
+			// All domains are served on all listeners. Gather autoconfig hostnames to ensure
+			// presence of TLS certificates for.
 			for _, name := range mox.Conf.Domains() {
-				dom, err := dns.ParseDomain("autoconfig." + name)
+				if dom, err := dns.ParseDomain(name); err != nil {
+					xlog.Errorx("parsing domain from config", err)
+				} else if d, _ := mox.Conf.Domain(dom); d.DMARC != nil && d.DMARC.Domain != "" && d.DMARC.DNSDomain != dom {
+					// Do not gather autoconfig name if this domain is configured to process reports
+					// for domains hosted elsewhere.
+					continue
+				}
+
+				autoconfdom, err := dns.ParseDomain("autoconfig." + name)
 				if err != nil {
 					xlog.Errorx("parsing domain from config for autoconfig", err)
 				} else {
-					hosts[dom] = struct{}{}
+					hosts[autoconfdom] = struct{}{}
 				}
 			}
 

mox-/config.go

@@ -251,6 +251,12 @@ func (c *Config) allowACMEHosts(checkACMEHosts bool) {
 		}
 
 		for _, dom := range c.Dynamic.Domains {
+			if dom.DMARC != nil && dom.DMARC.Domain != "" && dom.DMARC.DNSDomain != dom.Domain {
+				// Do not allow TLS certificates for domains for which we only accept DMARC reports
+				// as external party.
+				continue
+			}
+
 			if l.AutoconfigHTTPS.Enabled && !l.AutoconfigHTTPS.NonTLS {
 				if d, err := dns.ParseDomain("autoconfig." + dom.Domain.ASCII); err != nil {
 					xlog.Errorx("parsing autoconfig domain", err, mlog.Field("domain", dom.Domain))