on mtasts error during delivery from queue, continue delivery but with strict tls

no need to not even try delivering in that case. if anyone is preventing mtasts
to work, nothing was achieved, because our fallback is the strictest behaviour
that could have been specified in the policy.
This commit is contained in:
Mechiel Lukkien 2023-02-17 17:16:04 +01:00
parent 3608d0e246
commit ad900b74e7
No known key found for this signature in database

View file

@ -519,11 +519,14 @@ func deliver(resolver dns.Resolver, m Msg) {
// allowed when a CNAME record is present. // allowed when a CNAME record is present.
var policyFresh bool var policyFresh bool
var policy *mtasts.Policy var policy *mtasts.Policy
tlsModeDefault := smtpclient.TLSOpportunistic
if !effectiveDomain.IsZero() { if !effectiveDomain.IsZero() {
cidctx := context.WithValue(mox.Context, mlog.CidKey, cid) cidctx := context.WithValue(mox.Context, mlog.CidKey, cid)
policy, policyFresh, err = mtastsdb.Get(cidctx, resolver, effectiveDomain) policy, policyFresh, err = mtastsdb.Get(cidctx, resolver, effectiveDomain)
if err != nil { if err != nil {
fail(false, dsn.NameIP{}, "", err.Error()) // No need to refuse to deliver if we have some mtasts error.
qlog.Infox("mtasts failed, continuing with strict tls requirement", err, mlog.Field("domain", effectiveDomain))
tlsModeDefault = smtpclient.TLSStrict
return return
} }
// note: policy can be nil, if a domain does not implement MTA-STS or its the first // note: policy can be nil, if a domain does not implement MTA-STS or its the first
@ -557,11 +560,9 @@ func deliver(resolver dns.Resolver, m Msg) {
cid := mox.Cid() cid := mox.Cid()
nqlog := qlog.WithCid(cid) nqlog := qlog.WithCid(cid)
var remoteIP net.IP var remoteIP net.IP
var tlsMode smtpclient.TLSMode tlsMode := tlsModeDefault
if policy != nil && policy.Mode == mtasts.ModeEnforce { if policy != nil && policy.Mode == mtasts.ModeEnforce {
tlsMode = smtpclient.TLSStrict tlsMode = smtpclient.TLSStrict
} else {
tlsMode = smtpclient.TLSOpportunistic
} }
permanent, badTLS, secodeOpt, remoteIP, errmsg, ok = deliverHost(nqlog, resolver, cid, h, &m, tlsMode) permanent, badTLS, secodeOpt, remoteIP, errmsg, ok = deliverHost(nqlog, resolver, cid, h, &m, tlsMode)
if !ok && badTLS && tlsMode == smtpclient.TLSOpportunistic { if !ok && badTLS && tlsMode == smtpclient.TLSOpportunistic {