unbreak enforcing dane since previous commits

by using the correct variable.
Should have automated tests for this.
Found it by a manual test through email-security-scans.org, a useful service!
This commit is contained in:
Mechiel Lukkien 2024-03-07 11:19:08 +01:00
parent 484ffa67d1
commit df105a028c
No known key found for this signature in database


@ -247,11 +247,6 @@ func deliverDirect(qlog mlog.Log, resolver dns.Resolver, dialer smtpclient.Diale
// recipientDomainResult. If DANE is encountered, it will add a DANE reporting
// result for generic TLS and DANE-specific errors.
// Set if TLSA records were found. Means TLS is required for this host, usually
// with verification of the certificate, and that we cannot fall back to
// opportunistic TLS.
var tlsDANE bool
msgResps := make([]*msgResp, len(msgs))
for i := range msgs {
msgResps[i] = &msgResp{msg: msgs[i]}
@ -273,7 +268,7 @@ func deliverDirect(qlog mlog.Log, resolver dns.Resolver, dialer smtpclient.Diale
// We don't fall back to plain text for DMARC reports. ../rfc/7489:1768 ../rfc/7489:2683
// We queue outgoing TLS reports with tlsRequiredNo, so reports can be delivered in
// case of broken TLS.
if result.err != nil && errors.Is(result.err, smtpclient.ErrTLS) && (!enforceMTASTS && tlsMode == smtpclient.TLSOpportunistic && !tlsDANE && !m0.IsDMARCReport || tlsRequiredNo) {
if result.err != nil && errors.Is(result.err, smtpclient.ErrTLS) && (!enforceMTASTS && tlsMode == smtpclient.TLSOpportunistic && !result.tlsDANE && !m0.IsDMARCReport || tlsRequiredNo) {
metricPlaintextFallback.Inc()
if tlsRequiredNo {
metricTLSRequiredNoIgnored.WithLabelValues("badtls").Inc()
@ -282,7 +277,7 @@ func deliverDirect(qlog mlog.Log, resolver dns.Resolver, dialer smtpclient.Diale
// todo future: add a configuration option to not fall back?
nqlog.Info("connecting again for delivery attempt without tls",
slog.Bool("enforcemtasts", enforceMTASTS),
slog.Bool("tlsdane", tlsDANE),
slog.Bool("tlsdane", result.tlsDANE),
slog.Any("requiretls", m0.RequireTLS))
result = deliverHost(nqlog, resolver, dialer, ourHostname, transportName, h, enforceMTASTS, haveMX, origNextHopAuthentic, origNextHop, expandedNextHopAuthentic, expandedNextHop, msgResps, smtpclient.TLSSkip, false, &tlsrpt.Result{})
}
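Review bot: The fallback condition in the second hunk now reads `result.tlsDANE`, but nothing in the change guards against the regression it fixes: the removed local `tlsDANE` was never assigned, so `!tlsDANE` was always true and a host with TLSA records could be downgraded to plaintext. A unit test that drives this path with a deliverHost result having `tlsDANE` set and a `smtpclient.ErrTLS` error, and asserts that no second deliverHost call with `smtpclient.TLSSkip` is made, would pin the "cannot fall back to opportunistic TLS" guarantee the deleted comment describes. While on that line, the mixed `&&`/`||` is correct under Go precedence but easier to audit with explicit grouping: `((!enforceMTASTS && tlsMode == smtpclient.TLSOpportunistic && !result.tlsDANE && !m0.IsDMARCReport) || tlsRequiredNo)`. The guard also presumably depends on deliverHost populating `result.tlsDANE` on every error return, including a failure before or during the TLSA lookup; a result that leaves it false there would again permit a plaintext downgrade, so a comment such as `// result.tlsDANE must be set by deliverHost even on error, otherwise we would downgrade a DANE host to plaintext.` and a check against deliverHost are worthwhile. deliverDirect begins and ends outside these hunks.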