From ad900b74e732096605572a508c09088912671144 Mon Sep 17 00:00:00 2001
From: Mechiel Lukkien
Date: Fri, 17 Feb 2023 17:16:04 +0100
Subject: [PATCH] on mtasts error during delivery from queue, continue delivery but with strict tls no need to not even try delivering in that case. if anyone is preventing mtasts to work, nothing was achieved, because our fallback is the strictest behaviour that could have been specified in the policy.
---
 queue/queue.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/queue/queue.go b/queue/queue.go
index ca429a1..9e70586 100644
--- a/queue/queue.go
+++ b/queue/queue.go
@@ -519,11 +519,14 @@ func deliver(resolver dns.Resolver, m Msg) {
 	// allowed when a CNAME record is present.
 	var policyFresh bool
 	var policy *mtasts.Policy
+	tlsModeDefault := smtpclient.TLSOpportunistic
 	if !effectiveDomain.IsZero() {
 		cidctx := context.WithValue(mox.Context, mlog.CidKey, cid)
 		policy, policyFresh, err = mtastsdb.Get(cidctx, resolver, effectiveDomain)
 		if err != nil {
-			fail(false, dsn.NameIP{}, "", err.Error())
+			// No need to refuse to deliver if we have some mtasts error.
+			qlog.Infox("mtasts failed, continuing with strict tls requirement", err, mlog.Field("domain", effectiveDomain))
+			tlsModeDefault = smtpclient.TLSStrict
 			return
 		}
 		// note: policy can be nil, if a domain does not implement MTA-STS or its the first
@@ -557,11 +560,9 @@ func deliver(resolver dns.Resolver, m Msg) {
 		cid := mox.Cid()
 		nqlog := qlog.WithCid(cid)
 		var remoteIP net.IP
-		var tlsMode smtpclient.TLSMode
+		tlsMode := tlsModeDefault
 		if policy != nil && policy.Mode == mtasts.ModeEnforce {
 			tlsMode = smtpclient.TLSStrict
-		} else {
-			tlsMode = smtpclient.TLSOpportunistic
 		}
 		permanent, badTLS, secodeOpt, remoteIP, errmsg, ok = deliverHost(nqlog, resolver, cid, h, &m, tlsMode)
 		if !ok && badTLS && tlsMode == smtpclient.TLSOpportunistic {
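Review bot: The context line `return` kept directly after the new `tlsModeDefault = smtpclient.TLSStrict` still leaves deliver() on an mtastsdb.Get error, so the strict-TLS fallback is assigned and never reaches the tlsMode selection in the second hunk, and the log line's "continuing" is not what happens. Because the `fail(...)` call on that path was removed, the message is now neither delivered nor failed by this branch; presumably it just stays queued for a later retry, which should be confirmed against the caller. Dropping the `return` line so execution falls through to the policy handling below matches the commit's stated intent, assuming mtastsdb.Get leaves `policy` nil on error, which the following "policy can be nil" comment already accounts for. deliver's body starts and ends outside both hunks.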