From 77d78191f8a63cfeba9532e453e728b8e7b565a3 Mon Sep 17 00:00:00 2001
From: Mechiel Lukkien
Date: Thu, 1 Jun 2023 16:15:33 +0200
Subject: [PATCH] more helpful error message when the queue tries to deliver a message but the remote host is not listed in the mta-sts policy based on questions on irc by Nemain where this better error message would probably have made the problem easier to find and fix.
---
 mtasts/mtasts.go | 13 +++++++++++++
 queue/queue.go | 8 ++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/mtasts/mtasts.go b/mtasts/mtasts.go
index 54ba880..24fd031 100644
--- a/mtasts/mtasts.go
+++ b/mtasts/mtasts.go
@@ -96,6 +96,19 @@ type STSMX struct {
 Domain dns.Domain
 }
+// LogString returns a loggable string representing the host, with both unicode
+// and ascii version for IDNA domains.
+func (s STSMX) LogString() string {
+ pre := ""
+ if s.Wildcard {
+ pre = "*."
+ }
+ if s.Domain.Unicode == "" {
+ return pre + s.Domain.ASCII
+ }
+ return pre + s.Domain.Unicode + "/" + pre + s.Domain.ASCII
+}
+
 // Policy is an MTA-STS policy as served at "https://mta-sts./.well-known/mta-sts.txt".
 type Policy struct {
 Version string // "STSv1"
diff --git a/queue/queue.go b/queue/queue.go
index 6059ea6..be77214 100644
--- a/queue/queue.go
+++ b/queue/queue.go
@@ -572,8 +572,12 @@ func deliver(resolver dns.Resolver, m Msg) {
 // ../rfc/8461:913
 if policy != nil && policy.Mode == mtasts.ModeEnforce && !policy.Matches(h.Domain) {
- errmsg = fmt.Sprintf("mx host %s does not match enforced mta-sts policy", h.Domain)
- qlog.Error("mx host does not match enforce mta-sts policy, skipping", mlog.Field("host", h.Domain))
+ var policyHosts []string
+ for _, mx := range policy.MX {
+ policyHosts = append(policyHosts, mx.LogString())
+ }
+ errmsg = fmt.Sprintf("mx host %s does not match enforced mta-sts policy with hosts %s", h.Domain, strings.Join(policyHosts, ","))
+ qlog.Error("mx host does not match enforce mta-sts policy, skipping", mlog.Field("host", h.Domain), mlog.Field("policyhosts", policyHosts))
 continue
 }
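Review bot: The new `errmsg` joins every entry of `policy.MX` with no cap, and that list comes from the recipient domain's MTA-STS policy, so the remote side controls how long the error string and the `policyhosts` log field become. If `errmsg` is later stored with the queued message or copied into a delivery status notification (not visible in this hunk), truncate the list before formatting, e.g. `if len(policyHosts) > 10 { policyHosts = append(policyHosts[:10], "...") }`, where 10 is only an example limit. The `deliver` function starts and ends outside the hunk, so whether the policy fetch already bounds the number of MX entries cannot be confirmed from here.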