on mtasts error during delivery from queue, continue delivery but with strict tls

no need to not even try delivering in that case. if anyone is preventing mtasts to work, nothing was achieved, because our fallback is the strictest behaviour that could have been specified in the policy.
2024-12-26 00:13:47 +03:00 · 2023-02-17 17:16:04 +01:00 · 2023-02-17 17:16:04 +01:00 · ad900b74e7
commit ad900b74e7
parent 3608d0e246
1 changed files with 5 additions and 4 deletions
--- a/queue/queue.go
+++ b/queue/queue.go
@ -519,11 +519,14 @@ func deliver(resolver dns.Resolver, m Msg) {
 	// allowed when a CNAME record is present.
 	var policyFresh bool
 	var policy *mtasts.Policy
+	tlsModeDefault := smtpclient.TLSOpportunistic
 	if !effectiveDomain.IsZero() {
 		cidctx := context.WithValue(mox.Context, mlog.CidKey, cid)
 		policy, policyFresh, err = mtastsdb.Get(cidctx, resolver, effectiveDomain)
 		if err != nil {
-			fail(false, dsn.NameIP{}, "", err.Error())
+			// No need to refuse to deliver if we have some mtasts error.
+			qlog.Infox("mtasts failed, continuing with strict tls requirement", err, mlog.Field("domain", effectiveDomain))
+			tlsModeDefault = smtpclient.TLSStrict
 			return
 		}
 		// note: policy can be nil, if a domain does not implement MTA-STS or its the first
@ -557,11 +560,9 @@ func deliver(resolver dns.Resolver, m Msg) {
 		cid := mox.Cid()
 		nqlog := qlog.WithCid(cid)
 		var remoteIP net.IP
-		var tlsMode smtpclient.TLSMode
+		tlsMode := tlsModeDefault
 		if policy != nil && policy.Mode == mtasts.ModeEnforce {
 			tlsMode = smtpclient.TLSStrict
-		} else {
-			tlsMode = smtpclient.TLSOpportunistic
 		}
 		permanent, badTLS, secodeOpt, remoteIP, errmsg, ok = deliverHost(nqlog, resolver, cid, h, &m, tlsMode)
 		if !ok && badTLS && tlsMode == smtpclient.TLSOpportunistic {