more helpful error message when the queue tries to deliver a message but the remote host is not listed in the mta-sts policy

based on questions on irc by Nemain where this better error message would
probably have made the problem easier to find and fix.

mtasts/mtasts.go

@@ -96,6 +96,19 @@ type STSMX struct {
 	Domain dns.Domain
 }
 
+// LogString returns a loggable string representing the host, with both unicode
+// and ascii version for IDNA domains.
+func (s STSMX) LogString() string {
+	pre := ""
+	if s.Wildcard {
+		pre = "*."
+	}
+	if s.Domain.Unicode == "" {
+		return pre + s.Domain.ASCII
+	}
+	return pre + s.Domain.Unicode + "/" + pre + s.Domain.ASCII
+}
+
 // Policy is an MTA-STS policy as served at "https://mta-sts.<domain>/.well-known/mta-sts.txt".
 type Policy struct {
 	Version       string // "STSv1"

queue/queue.go

@@ -572,8 +572,12 @@ func deliver(resolver dns.Resolver, m Msg) {
 
 		// ../rfc/8461:913
 		if policy != nil && policy.Mode == mtasts.ModeEnforce && !policy.Matches(h.Domain) {
-			errmsg = fmt.Sprintf("mx host %s does not match enforced mta-sts policy", h.Domain)
+			var policyHosts []string
-			qlog.Error("mx host does not match enforce mta-sts policy, skipping", mlog.Field("host", h.Domain))
+			for _, mx := range policy.MX {
+				policyHosts = append(policyHosts, mx.LogString())
+			}
+			errmsg = fmt.Sprintf("mx host %s does not match enforced mta-sts policy with hosts %s", h.Domain, strings.Join(policyHosts, ","))
+			qlog.Error("mx host does not match enforce mta-sts policy, skipping", mlog.Field("host", h.Domain), mlog.Field("policyhosts", policyHosts))
 			continue
 		}