unbreak enforcing dane since previous commits
by using the correct variable. should have automated tests for this. found it by manual test through email-security-scans.org, useful service!
This commit is contained in:
parent
484ffa67d1
commit
df105a028c
1 changed files with 2 additions and 7 deletions
|
@ -247,11 +247,6 @@ func deliverDirect(qlog mlog.Log, resolver dns.Resolver, dialer smtpclient.Diale
|
||||||
// recipientDomainResult. If DANE is encountered, it will add a DANE reporting
|
// recipientDomainResult. If DANE is encountered, it will add a DANE reporting
|
||||||
// result for generic TLS and DANE-specific errors.
|
// result for generic TLS and DANE-specific errors.
|
||||||
|
|
||||||
// Set if TLSA records were found. Means TLS is required for this host, usually
|
|
||||||
// with verification of the certificate, and that we cannot fall back to
|
|
||||||
// opportunistic TLS.
|
|
||||||
var tlsDANE bool
|
|
||||||
|
|
||||||
msgResps := make([]*msgResp, len(msgs))
|
msgResps := make([]*msgResp, len(msgs))
|
||||||
for i := range msgs {
|
for i := range msgs {
|
||||||
msgResps[i] = &msgResp{msg: msgs[i]}
|
msgResps[i] = &msgResp{msg: msgs[i]}
|
||||||
|
@ -273,7 +268,7 @@ func deliverDirect(qlog mlog.Log, resolver dns.Resolver, dialer smtpclient.Diale
|
||||||
// We don't fall back to plain text for DMARC reports. ../rfc/7489:1768 ../rfc/7489:2683
|
// We don't fall back to plain text for DMARC reports. ../rfc/7489:1768 ../rfc/7489:2683
|
||||||
// We queue outgoing TLS reports with tlsRequiredNo, so reports can be delivered in
|
// We queue outgoing TLS reports with tlsRequiredNo, so reports can be delivered in
|
||||||
// case of broken TLS.
|
// case of broken TLS.
|
||||||
if result.err != nil && errors.Is(result.err, smtpclient.ErrTLS) && (!enforceMTASTS && tlsMode == smtpclient.TLSOpportunistic && !tlsDANE && !m0.IsDMARCReport || tlsRequiredNo) {
|
if result.err != nil && errors.Is(result.err, smtpclient.ErrTLS) && (!enforceMTASTS && tlsMode == smtpclient.TLSOpportunistic && !result.tlsDANE && !m0.IsDMARCReport || tlsRequiredNo) {
|
||||||
metricPlaintextFallback.Inc()
|
metricPlaintextFallback.Inc()
|
||||||
if tlsRequiredNo {
|
if tlsRequiredNo {
|
||||||
metricTLSRequiredNoIgnored.WithLabelValues("badtls").Inc()
|
metricTLSRequiredNoIgnored.WithLabelValues("badtls").Inc()
|
||||||
|
@ -282,7 +277,7 @@ func deliverDirect(qlog mlog.Log, resolver dns.Resolver, dialer smtpclient.Diale
|
||||||
// todo future: add a configuration option to not fall back?
|
// todo future: add a configuration option to not fall back?
|
||||||
nqlog.Info("connecting again for delivery attempt without tls",
|
nqlog.Info("connecting again for delivery attempt without tls",
|
||||||
slog.Bool("enforcemtasts", enforceMTASTS),
|
slog.Bool("enforcemtasts", enforceMTASTS),
|
||||||
slog.Bool("tlsdane", tlsDANE),
|
slog.Bool("tlsdane", result.tlsDANE),
|
||||||
slog.Any("requiretls", m0.RequireTLS))
|
slog.Any("requiretls", m0.RequireTLS))
|
||||||
result = deliverHost(nqlog, resolver, dialer, ourHostname, transportName, h, enforceMTASTS, haveMX, origNextHopAuthentic, origNextHop, expandedNextHopAuthentic, expandedNextHop, msgResps, smtpclient.TLSSkip, false, &tlsrpt.Result{})
|
result = deliverHost(nqlog, resolver, dialer, ourHostname, transportName, h, enforceMTASTS, haveMX, origNextHopAuthentic, origNextHop, expandedNextHopAuthentic, expandedNextHop, msgResps, smtpclient.TLSSkip, false, &tlsrpt.Result{})
|
||||||
}
|
}
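Review bot: The plaintext-fallback gate in the second hunk, `if result.err != nil && errors.Is(result.err, smtpclient.ErrTLS) && (!enforceMTASTS && tlsMode == smtpclient.TLSOpportunistic && !result.tlsDANE && !m0.IsDMARCReport || tlsRequiredNo)`, is the only check between a DANE-protected host and a TLS-stripping downgrade, yet the fix swaps the variable without saying why `result.tlsDANE` is the authoritative signal, and the comment that explained it ("Set if TLSA records were found. Means TLS is required for this host ... cannot fall back to opportunistic TLS.") was deleted together with the dead local in the first hunk. Suggest restoring that explanation directly above the condition, e.g. `// result.tlsDANE is set when TLSA records were found for this host: TLS is then required and we must not retry in plain text; only a message carrying TLS-Required: No (tlsRequiredNo) overrides this, which is why that arm sits outside the DANE guard.` The commit message itself acknowledges the missing automated coverage; a regression test that feeds a `result` with `tlsDANE: true` and an `err` wrapping `smtpclient.ErrTLS` and asserts that no second `deliverHost` call with `smtpclient.TLSSkip` follows would have caught this and should land alongside the fix. Where `result` is first populated is presumably the initial `deliverHost` call, but that is outside the hunk; `deliverDirect` begins before the first hunk and continues past the last.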
|
||||||
|
|