diff --git a/mox-/admin.go b/mox-/admin.go index 06bff0a..ac4dc7f 100644 --- a/mox-/admin.go +++ b/mox-/admin.go @@ -684,6 +684,9 @@ func DomainSPFIPs() (ips []net.IP) { } for _, ipstr := range ipstrs { ip := net.ParseIP(ipstr) + if ip.IsUnspecified() { + continue + } ips = append(ips, ip) } } diff --git a/webadmin/admin.go b/webadmin/admin.go index 8d95698..3ea7466 100644 --- a/webadmin/admin.go +++ b/webadmin/admin.go @@ -953,6 +953,8 @@ EOF defer logPanic(ctx) defer wg.Done() + ips := mox.DomainSPFIPs() + // Verify a domain with the configured IPs that do SMTP. verifySPF := func(isHost bool, domain dns.Domain) (string, *SPFRecord, spf.Record) { kind := "domain" @@ -1000,10 +1002,9 @@ EOF } } - for _, ip := range mox.DomainSPFIPs() { + for _, ip := range ips { checkSPFIP(ip) } - if !isHost { spfr.Directives = append(spfr.Directives, spf.Directive{Mechanism: "mx"}) } @@ -1022,6 +1023,10 @@ EOF // todo: possibly check all hosts for MX records? assuming they are also sending mail servers. r.SPF.HostTXT, r.SPF.HostRecord, _ = verifySPF(true, mox.Conf.Static.HostnameDomain) + if len(ips) == 0 { + addf(&r.SPF.Warnings, `No explicitly configured IPs found to check SPF policy against. Consider configuring public IPs instead of unspecified addresses (0.0.0.0 and/or ::) in the "public" listener in mox.conf, or NATIPs in case of NAT.`) + } + dtxt, err := dspfr.Record() if err != nil { addf(&r.SPF.Errors, "Making SPF record for instructions: %s", err)