more helpful error message when the queue tries to deliver a message but the remote host is not listed in the mta-sts policy

based on questions on irc by Nemain where this better error message would probably have made the problem easier to find and fix.
2024-12-26 00:13:47 +03:00 · 2023-06-01 16:15:33 +02:00 · 2023-06-01 16:15:33 +02:00 · 77d78191f8
commit 77d78191f8
parent cafbfc5fdf
2 changed files with 19 additions and 2 deletions
--- a/mtasts/mtasts.go
+++ b/mtasts/mtasts.go
@ -96,6 +96,19 @@ type STSMX struct {
 	Domain dns.Domain
 }

+// LogString returns a loggable string representing the host, with both unicode
+// and ascii version for IDNA domains.
+func (s STSMX) LogString() string {
+	pre := ""
+	if s.Wildcard {
+		pre = "*."
+	}
+	if s.Domain.Unicode == "" {
+		return pre + s.Domain.ASCII
+	}
+	return pre + s.Domain.Unicode + "/" + pre + s.Domain.ASCII
+}
+
 // Policy is an MTA-STS policy as served at "https://mta-sts.<domain>/.well-known/mta-sts.txt".
 type Policy struct {
 	Version       string // "STSv1"
--- a/queue/queue.go
+++ b/queue/queue.go
@ -572,8 +572,12 @@ func deliver(resolver dns.Resolver, m Msg) {

 		// ../rfc/8461:913
 		if policy != nil && policy.Mode == mtasts.ModeEnforce && !policy.Matches(h.Domain) {
-			errmsg = fmt.Sprintf("mx host %s does not match enforced mta-sts policy", h.Domain)
-			qlog.Error("mx host does not match enforce mta-sts policy, skipping", mlog.Field("host", h.Domain))
+			var policyHosts []string
+			for _, mx := range policy.MX {
+				policyHosts = append(policyHosts, mx.LogString())
+			}
+			errmsg = fmt.Sprintf("mx host %s does not match enforced mta-sts policy with hosts %s", h.Domain, strings.Join(policyHosts, ","))
+			qlog.Error("mx host does not match enforce mta-sts policy, skipping", mlog.Field("host", h.Domain), mlog.Field("policyhosts", policyHosts))
 			continue
 		}