diff --git a/http/web.go b/http/web.go
index 381eb71..5ced90e 100644
--- a/http/web.go
+++ b/http/web.go
@@ -682,13 +682,22 @@ func Listen() {
 if l.HostnameDomain.ASCII != "" {
 hosts[l.HostnameDomain] = struct{}{}
 }
- // All domains are served on all listeners.
+ // All domains are served on all listeners. Gather autoconfig hostnames to ensure
+ // presence of TLS certificates for.
 for _, name := range mox.Conf.Domains() {
- dom, err := dns.ParseDomain("autoconfig." + name)
+ if dom, err := dns.ParseDomain(name); err != nil {
+ xlog.Errorx("parsing domain from config", err)
+ } else if d, _ := mox.Conf.Domain(dom); d.DMARC != nil && d.DMARC.Domain != "" && d.DMARC.DNSDomain != dom {
+ // Do not gather autoconfig name if this domain is configured to process reports
+ // for domains hosted elsewhere.
+ continue
+ }
+
+ autoconfdom, err := dns.ParseDomain("autoconfig." + name)
 if err != nil {
 xlog.Errorx("parsing domain from config for autoconfig", err)
 } else {
- hosts[dom] = struct{}{}
+ hosts[autoconfdom] = struct{}{}
 }
 }
diff --git a/mox-/config.go b/mox-/config.go
index ef1aef7..4448273 100644
--- a/mox-/config.go
+++ b/mox-/config.go
@@ -251,6 +251,12 @@ func (c *Config) allowACMEHosts(checkACMEHosts bool) {
 }
 for _, dom := range c.Dynamic.Domains {
+ if dom.DMARC != nil && dom.DMARC.Domain != "" && dom.DMARC.DNSDomain != dom.Domain {
+ // Do not allow TLS certificates for domains for which we only accept DMARC reports
+ // as external party.
+ continue
+ }
+
 if l.AutoconfigHTTPS.Enabled && !l.AutoconfigHTTPS.NonTLS {
 if d, err := dns.ParseDomain("autoconfig." + dom.Domain.ASCII); err != nil {
 xlog.Errorx("parsing autoconfig domain", err, mlog.Field("domain", dom.Domain))
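Review bot: In the new loop body in http/web.go, a failed `dns.ParseDomain(name)` is logged but not skipped, so the iteration falls through to `dns.ParseDomain("autoconfig." + name)`, which fails on the same input and logs a second error for one bad config entry; add `continue` after `xlog.Errorx("parsing domain from config", err)` so the name is reported once. The second return value of `mox.Conf.Domain(dom)` is discarded, which treats an unknown domain as one whose autoconfig name should still get a certificate; since `name` presumably comes from the same config this is likely fine, but a comment such as `// lookup is expected to succeed: name comes from Conf.Domains()` would make that intent explicit. The skip predicate `d.DMARC != nil && d.DMARC.Domain != "" && d.DMARC.DNSDomain != dom` is repeated verbatim in the mox-/config.go hunk (on `dom.DMARC`/`dom.Domain`); a single helper on the domain config type would keep the ACME host allow-list and the gathered TLS hostnames from drifting apart when the rule changes. The body of Listen() starts and ends outside the hunk.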