unbreak enforcing dane since previous commits

by using the correct variable.
There should be automated tests for this.
Found by a manual test through email-security-scans.org, a useful service!
Mechiel Lukkien 2024-03-07 11:19:08 +01:00
parent 484ffa67d1
commit df105a028c


@ -247,11 +247,6 @@ func deliverDirect(qlog mlog.Log, resolver dns.Resolver, dialer smtpclient.Diale
// recipientDomainResult. If DANE is encountered, it will add a DANE reporting // recipientDomainResult. If DANE is encountered, it will add a DANE reporting
// result for generic TLS and DANE-specific errors. // result for generic TLS and DANE-specific errors.
// Set if TLSA records were found. Means TLS is required for this host, usually
// with verification of the certificate, and that we cannot fall back to
// opportunistic TLS.
var tlsDANE bool
msgResps := make([]*msgResp, len(msgs)) msgResps := make([]*msgResp, len(msgs))
for i := range msgs { for i := range msgs {
msgResps[i] = &msgResp{msg: msgs[i]} msgResps[i] = &msgResp{msg: msgs[i]}
@ -273,7 +268,7 @@ func deliverDirect(qlog mlog.Log, resolver dns.Resolver, dialer smtpclient.Diale
// We don't fall back to plain text for DMARC reports. ../rfc/7489:1768 ../rfc/7489:2683 // We don't fall back to plain text for DMARC reports. ../rfc/7489:1768 ../rfc/7489:2683
// We queue outgoing TLS reports with tlsRequiredNo, so reports can be delivered in // We queue outgoing TLS reports with tlsRequiredNo, so reports can be delivered in
// case of broken TLS. // case of broken TLS.
if result.err != nil && errors.Is(result.err, smtpclient.ErrTLS) && (!enforceMTASTS && tlsMode == smtpclient.TLSOpportunistic && !tlsDANE && !m0.IsDMARCReport || tlsRequiredNo) { if result.err != nil && errors.Is(result.err, smtpclient.ErrTLS) && (!enforceMTASTS && tlsMode == smtpclient.TLSOpportunistic && !result.tlsDANE && !m0.IsDMARCReport || tlsRequiredNo) {
metricPlaintextFallback.Inc() metricPlaintextFallback.Inc()
if tlsRequiredNo { if tlsRequiredNo {
metricTLSRequiredNoIgnored.WithLabelValues("badtls").Inc() metricTLSRequiredNoIgnored.WithLabelValues("badtls").Inc()
@ -282,7 +277,7 @@ func deliverDirect(qlog mlog.Log, resolver dns.Resolver, dialer smtpclient.Diale
// todo future: add a configuration option to not fall back? // todo future: add a configuration option to not fall back?
nqlog.Info("connecting again for delivery attempt without tls", nqlog.Info("connecting again for delivery attempt without tls",
slog.Bool("enforcemtasts", enforceMTASTS), slog.Bool("enforcemtasts", enforceMTASTS),
slog.Bool("tlsdane", tlsDANE), slog.Bool("tlsdane", result.tlsDANE),
slog.Any("requiretls", m0.RequireTLS)) slog.Any("requiretls", m0.RequireTLS))
result = deliverHost(nqlog, resolver, dialer, ourHostname, transportName, h, enforceMTASTS, haveMX, origNextHopAuthentic, origNextHop, expandedNextHopAuthentic, expandedNextHop, msgResps, smtpclient.TLSSkip, false, &tlsrpt.Result{}) result = deliverHost(nqlog, resolver, dialer, ourHostname, transportName, h, enforceMTASTS, haveMX, origNextHopAuthentic, origNextHop, expandedNextHopAuthentic, expandedNextHop, msgResps, smtpclient.TLSSkip, false, &tlsrpt.Result{})
} }
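Review bot: The fallback condition on the `if result.err != nil && errors.Is(result.err, smtpclient.ErrTLS) && (...)` line mixes `&&` and `||` without inner parentheses, so `tlsRequiredNo` on its own is enough to enter the plaintext retry even when `result.tlsDANE` is set — which looks intended for REQUIRETLS=NO, but is easy to misread, and this expression is exactly where the wrong-variable regression this commit fixes was hiding. Making the grouping explicit, `(!enforceMTASTS && tlsMode == smtpclient.TLSOpportunistic && !result.tlsDANE && !m0.IsDMARCReport) || tlsRequiredNo`, and adding `// tlsRequiredNo deliberately overrides DANE and MTA-STS enforcement; the override is counted in metricTLSRequiredNoIgnored.` would make the security-relevant precedence obvious to the next reader. This also relies on deliverHost having set `result.tlsDANE` before returning any TLS error; if a TLSA lookup failure is reported as a TLS error before that flag is set, the retry would skip TLS for a DANE host, so that ordering is worth confirming. deliverDirect begins and ends outside the visible hunks, and the now-unused local `tlsDANE` is removed in the first hunk.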