From 73373a19c1347e781aed16a76419ba41e2a1620d Mon Sep 17 00:00:00 2001
From: Mechiel Lukkien
Date: Thu, 27 Jun 2024 15:57:04 +0200
Subject: [PATCH] in dnscheck, warn when dane is not configured (through static host keys), instead of showing "OK" if no host keys are configured, show as warning (yellow) that dane isn't configured, and show instructions to enable it. for issue #185 by morki, thanks for reporting!
---
webadmin/admin.go | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/webadmin/admin.go b/webadmin/admin.go
index bd2f46e..0873a4b 100644
--- a/webadmin/admin.go
+++ b/webadmin/admin.go
@@ -929,6 +929,11 @@ EOF
 instr += fmt.Sprintf("\t_25._tcp.%s. TLSA %s\n", pubDom.ASCII, r)
 }
 addf(&r.DANE.Instructions, instr)
+ } else {
+ addf(&r.DANE.Warnings, "DANE not configured: no static TLS host keys.")
+
+ instr := "Add static TLS keys for use with DANE to mox.conf under: Listeners, public, TLS, HostPrivateKeyFiles.\n\nIf automatic TLS certificate management with ACME is configured, run \"mox config ensureacmehostprivatekeys\" to generate static TLS keys and to print a snippet for \"HostPrivateKeyFiles\" for inclusion in mox.conf.\n\nIf TLS keys and certificates are managed externally, configure the TLS keys manually under \"HostPrivateKeyFiles\" in mox.conf, and make sure new TLS keys are not generated for each new certificate (look for an option to \"reuse private keys\" when doing ACME). Important: Before using new TLS keys, corresponding new DANE (TLSA) DNS records must be published (taking TTL into account to let the previous records expire). Using new TLS keys without updating DANE (TLSA) DNS records will cause DANE verification failures, breaking incoming deliveries.\n\nWith \"HostPrivateKeyFiles\" configured, DNS records for DANE based on those TLS keys will be suggested, and future DNS checks will look for those DNS records. Once those DNS records are published, DANE is active for all domains with an MX record pointing to the host."
+ addf(&r.DANE.Instructions, instr)
 }
 }()
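Review bot: The new `instr` literal in the else branch is a single ~1,200-character line holding four paragraphs, which makes the text hard to review and means any future wording change shows up as a one-line rewrite in diffs; splitting it into one concatenated literal per paragraph (each ending in `"\n\n" +`) keeps the string identical at runtime and makes edits reviewable. The text also hard-codes the config path `Listeners, public, TLS, HostPrivateKeyFiles`; if the listener name is user-chosen rather than fixed to `public` (I cannot see the config model from this hunk), the phrasing should say "the public-facing listener (named public in the quickstart config)" or derive the name from the loaded config, since a user with a differently named listener would otherwise look for a key that does not exist. The `if` this `else` belongs to, and the enclosing func literal, start outside the hunk.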