for tlsrpt results (for outgoing reports), after a delivery attempt, only add a no-policy-found (mta-sts) result if there wasn't also a tlsa result for the same policy domain

to prevent confusing operators with both a tlsa result and no-policy-result.
This commit is contained in:
Mechiel Lukkien 2023-11-12 14:35:47 +01:00
parent ff4237e88a
commit 6e6f716e91
No known key found for this signature in database

View file

@ -598,7 +598,7 @@ func deliver(resolver dns.Resolver, m Msg) {
var recipientDomainResult tlsrpt.Result var recipientDomainResult tlsrpt.Result
var hostResults []tlsrpt.Result var hostResults []tlsrpt.Result
defer func() { defer func() {
if mox.Conf.Static.NoOutgoingTLSReports || !m.RecipientDomain.IsDomain() { if mox.Conf.Static.NoOutgoingTLSReports || m.RecipientDomain.IsIP() {
return return
} }
@ -606,6 +606,7 @@ func deliver(resolver dns.Resolver, m Msg) {
dayUTC := now.UTC().Format("20060102") dayUTC := now.UTC().Format("20060102")
results := make([]tlsrptdb.TLSResult, 0, 1+len(hostResults)) results := make([]tlsrptdb.TLSResult, 0, 1+len(hostResults))
tlsaPolicyDomains := map[string]bool{}
addResult := func(r tlsrpt.Result, isHost bool) { addResult := func(r tlsrpt.Result, isHost bool) {
var zerotype tlsrpt.PolicyType var zerotype tlsrpt.PolicyType
if r.Policy.Type == zerotype { if r.Policy.Type == zerotype {
@ -619,6 +620,10 @@ func deliver(resolver dns.Resolver, m Msg) {
return return
} }
if r.Policy.Type == tlsrpt.TLSA {
tlsaPolicyDomains[policyDomain.ASCII] = true
}
tlsResult := tlsrptdb.TLSResult{ tlsResult := tlsrptdb.TLSResult{
PolicyDomain: policyDomain.Name(), PolicyDomain: policyDomain.Name(),
DayUTC: dayUTC, DayUTC: dayUTC,
@ -629,10 +634,16 @@ func deliver(resolver dns.Resolver, m Msg) {
} }
results = append(results, tlsResult) results = append(results, tlsResult)
} }
addResult(recipientDomainResult, false)
for _, result := range hostResults { for _, result := range hostResults {
addResult(result, true) addResult(result, true)
} }
// If we were delivering to a mail host directly (not a domain with MX records), we
// are more likely to get a TLSA policy than an STS policy. Don't potentially
// confuse operators with both a tlsa and no-policy-found result.
// todo spec: ../rfc/8460:440 an explicit no-sts-policy result would be useful.
if recipientDomainResult.Policy.Type != tlsrpt.NoPolicyFound || !tlsaPolicyDomains[recipientDomainResult.Policy.Domain] {
addResult(recipientDomainResult, false)
}
if len(results) > 0 { if len(results) > 0 {
err := tlsrptdb.AddTLSResults(context.Background(), results) err := tlsrptdb.AddTLSResults(context.Background(), results)