mirror of
https://github.com/mjl-/mox.git
synced 2024-12-26 16:33:47 +03:00
for tlsrpt results (for outgoing reports), after a delivery attempt, only add a no-policy-found (mta-sts) result if there wasn't also a tlsa result for the same policy domain
to prevent confusing operators with both a tlsa result and no-policy-result.
This commit is contained in:
parent
ff4237e88a
commit
6e6f716e91
1 changed files with 13 additions and 2 deletions
|
@ -598,7 +598,7 @@ func deliver(resolver dns.Resolver, m Msg) {
|
||||||
var recipientDomainResult tlsrpt.Result
|
var recipientDomainResult tlsrpt.Result
|
||||||
var hostResults []tlsrpt.Result
|
var hostResults []tlsrpt.Result
|
||||||
defer func() {
|
defer func() {
|
||||||
if mox.Conf.Static.NoOutgoingTLSReports || !m.RecipientDomain.IsDomain() {
|
if mox.Conf.Static.NoOutgoingTLSReports || m.RecipientDomain.IsIP() {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -606,6 +606,7 @@ func deliver(resolver dns.Resolver, m Msg) {
|
||||||
dayUTC := now.UTC().Format("20060102")
|
dayUTC := now.UTC().Format("20060102")
|
||||||
|
|
||||||
results := make([]tlsrptdb.TLSResult, 0, 1+len(hostResults))
|
results := make([]tlsrptdb.TLSResult, 0, 1+len(hostResults))
|
||||||
|
tlsaPolicyDomains := map[string]bool{}
|
||||||
addResult := func(r tlsrpt.Result, isHost bool) {
|
addResult := func(r tlsrpt.Result, isHost bool) {
|
||||||
var zerotype tlsrpt.PolicyType
|
var zerotype tlsrpt.PolicyType
|
||||||
if r.Policy.Type == zerotype {
|
if r.Policy.Type == zerotype {
|
||||||
|
@ -619,6 +620,10 @@ func deliver(resolver dns.Resolver, m Msg) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if r.Policy.Type == tlsrpt.TLSA {
|
||||||
|
tlsaPolicyDomains[policyDomain.ASCII] = true
|
||||||
|
}
|
||||||
|
|
||||||
tlsResult := tlsrptdb.TLSResult{
|
tlsResult := tlsrptdb.TLSResult{
|
||||||
PolicyDomain: policyDomain.Name(),
|
PolicyDomain: policyDomain.Name(),
|
||||||
DayUTC: dayUTC,
|
DayUTC: dayUTC,
|
||||||
|
@ -629,10 +634,16 @@ func deliver(resolver dns.Resolver, m Msg) {
|
||||||
}
|
}
|
||||||
results = append(results, tlsResult)
|
results = append(results, tlsResult)
|
||||||
}
|
}
|
||||||
addResult(recipientDomainResult, false)
|
|
||||||
for _, result := range hostResults {
|
for _, result := range hostResults {
|
||||||
addResult(result, true)
|
addResult(result, true)
|
||||||
}
|
}
|
||||||
|
// If we were delivering to a mail host directly (not a domain with MX records), we
|
||||||
|
// are more likely to get a TLSA policy than an STS policy. Don't potentially
|
||||||
|
// confuse operators with both a tlsa and no-policy-found result.
|
||||||
|
// todo spec: ../rfc/8460:440 an explicit no-sts-policy result would be useful.
|
||||||
|
if recipientDomainResult.Policy.Type != tlsrpt.NoPolicyFound || !tlsaPolicyDomains[recipientDomainResult.Policy.Domain] {
|
||||||
|
addResult(recipientDomainResult, false)
|
||||||
|
}
|
||||||
|
|
||||||
if len(results) > 0 {
|
if len(results) > 0 {
|
||||||
err := tlsrptdb.AddTLSResults(context.Background(), results)
|
err := tlsrptdb.AddTLSResults(context.Background(), results)
|
||||||
|
|
Loading…
Reference in a new issue