From df105a028c66fed6aa1524d8e415e615c365679c Mon Sep 17 00:00:00 2001
From: Mechiel Lukkien
Date: Thu, 7 Mar 2024 11:19:08 +0100
Subject: [PATCH] unbreak enforcing dane since previous commits by using the correct variable.

should have automated tests for this. found it by manual test through email-security-scans.org, useful service!
---
 queue/direct.go | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/queue/direct.go b/queue/direct.go
index 0dfe1da..affd50b 100644
--- a/queue/direct.go
+++ b/queue/direct.go
@@ -247,11 +247,6 @@ func deliverDirect(qlog mlog.Log, resolver dns.Resolver, dialer smtpclient.Diale
 // recipientDomainResult. If DANE is encountered, it will add a DANE reporting
 // result for generic TLS and DANE-specific errors.
 
- // Set if TLSA records were found. Means TLS is required for this host, usually
- // with verification of the certificate, and that we cannot fall back to
- // opportunistic TLS.
- var tlsDANE bool
-
 msgResps := make([]*msgResp, len(msgs))
 for i := range msgs {
 msgResps[i] = &msgResp{msg: msgs[i]}
@@ -273,7 +268,7 @@ func deliverDirect(qlog mlog.Log, resolver dns.Resolver, dialer smtpclient.Diale
 // We don't fall back to plain text for DMARC reports. ../rfc/7489:1768 ../rfc/7489:2683
 // We queue outgoing TLS reports with tlsRequiredNo, so reports can be delivered in
 // case of broken TLS.
- if result.err != nil && errors.Is(result.err, smtpclient.ErrTLS) && (!enforceMTASTS && tlsMode == smtpclient.TLSOpportunistic && !tlsDANE && !m0.IsDMARCReport || tlsRequiredNo) {
+ if result.err != nil && errors.Is(result.err, smtpclient.ErrTLS) && (!enforceMTASTS && tlsMode == smtpclient.TLSOpportunistic && !result.tlsDANE && !m0.IsDMARCReport || tlsRequiredNo) {
 metricPlaintextFallback.Inc()
 if tlsRequiredNo {
 metricTLSRequiredNoIgnored.WithLabelValues("badtls").Inc()
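Review bot: Nothing in the patch pins down the repaired fallback guard on the `if result.err != nil && errors.Is(result.err, smtpclient.ErrTLS) && (...)` line; a regression test in the queue package that resolves a host with TLSA records, makes the TLS connection fail, and asserts that `metricPlaintextFallback` is not incremented and no retry with `smtpclient.TLSSkip` happens would catch a repeat of the stale-variable bug the commit message describes, which silently downgraded DANE hosts to plaintext. The comment that explained what the flag means was dropped with the local in the previous hunk, so the reader of this condition now has to find the `result.tlsDANE` field definition; consider restoring it above the `if`, e.g. `// result.tlsDANE is set when TLSA records were found: TLS is then required and we must not fall back to plaintext.` The parenthesised expression mixes `&&` and `||` and relies on precedence; wrapping the opportunistic-TLS conjunction in its own parentheses, `((!enforceMTASTS && tlsMode == smtpclient.TLSOpportunistic && !result.tlsDANE && !m0.IsDMARCReport) || tlsRequiredNo)`, makes the `tlsRequiredNo` override easier to audit. deliverDirect begins and ends outside the hunk.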
@@ -282,7 +277,7 @@ func deliverDirect(qlog mlog.Log, resolver dns.Resolver, dialer smtpclient.Diale
 // todo future: add a configuration option to not fall back?
 nqlog.Info("connecting again for delivery attempt without tls",
 slog.Bool("enforcemtasts", enforceMTASTS),
- slog.Bool("tlsdane", tlsDANE),
+ slog.Bool("tlsdane", result.tlsDANE),
 slog.Any("requiretls", m0.RequireTLS))
 result = deliverHost(nqlog, resolver, dialer, ourHostname, transportName, h, enforceMTASTS, haveMX, origNextHopAuthentic, origNextHop, expandedNextHopAuthentic, expandedNextHop, msgResps, smtpclient.TLSSkip, false, &tlsrpt.Result{})
 }
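Review bot: The `nqlog.Info("connecting again for delivery attempt without tls", ...)` record omits the one input that can make this fallback happen for a DANE host: by the guard in the previous hunk, `result.tlsDANE` can only be true at this point when `tlsRequiredNo` overrode it, so adding `slog.Bool("tlsrequiredno", tlsRequiredNo),` next to the tlsdane attribute lets an operator see from the log alone why a host with TLSA records was retried in plaintext. The `result = deliverHost(...)` assignment that follows replaces the result that carried `tlsDANE` with one from the `smtpclient.TLSSkip` attempt; if code after the hunk reads `result.tlsDANE` for reporting, it will presumably see the value from the plaintext attempt rather than the DANE lookup — worth confirming against the rest of deliverDirect, which starts and ends outside this hunk.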