better handling of outgoing tls reports to recipient domains vs hosts

based on discussion on uta mailing list. it seems the intention of the tlsrpt
is to only send reports to recipient domains. but i was able to interpret the
tlsrpt rfc as sending reports to mx hosts too ("policy domain", and because it
makes sense given how DANE works per MX host, not recipient domain). this
change makes the behaviour of outgoing reports to recipient domains work more
in line with expectations most folks may have about tls reporting (i.e. also
include per-mx host tlsa policies in the report). this also keeps reports to mx
hosts working, and makes them more useful by including the recipient domains of
affected deliveries.
Mechiel Lukkien
2023-11-20 11:31:46 +01:00
parent e5f77a0411
commit 73a2a09711
8 changed files with 466 additions and 125 deletions


@ -570,14 +570,24 @@ describe-static" and "mox config describe-domains":
# DMARC evaluations are sent to domains if their DMARC policy requests them.
# Reports are sent at whole hours, with a minimum of 1 hour and maximum of 24
# hours, rounded up so a whole number of intervals cover 24 hours, aligned at
# whole days in UTC. (optional)
# whole days in UTC. Reports are sent from the postmaster@<mailhostname> address.
# (optional)
NoOutgoingDMARCReports: false
# Do not send TLS reports. By default, reports about successful and failed SMTP
# STARTTLS connections are sent to domains if their TLSRPT DNS record requests
# them. Reports covering a 24 hour UTC interval are sent daily. (optional)
# Do not send TLS reports. By default, reports about failed SMTP STARTTLS
# connections and related MTA-STS/DANE policies are sent to domains if their
# TLSRPT DNS record requests them. Reports covering a 24 hour UTC interval are
# sent daily. Reports are sent from the postmaster address of the configured
# domain the mailhostname is in. If there is no such domain, or it does not have
# DKIM configured, no reports are sent. (optional)
NoOutgoingTLSReports: false
# Also send TLS reports if there were no SMTP STARTTLS connection failures. By
# default, reports are only sent when at least one failure occurred. If a report
# is sent, it does always include the successful connection counts as well.
# (optional)
OutgoingTLSReportsForAllSuccess: false
# domains.conf
# NOTE: This config file is in 'sconf' format. Indent with tabs. Comments must be
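Review bot: the new NoOutgoingTLSReports comment ("Reports are sent from the postmaster address of the configured domain the mailhostname is in. If there is no such domain, or it does not have DKIM configured, no reports are sent.") documents a silent failure mode: an operator who leaves this at false expecting TLS reports to go out gets none if the mailhostname is not inside a configured domain or that domain has no DKIM key. Consider stating here whether that condition is surfaced (at startup or by a config check) so it is not discovered only when a recipient domain never receives reports. The adjacent NoOutgoingDMARCReports comment says DMARC reports come from postmaster@<mailhostname>, while TLS reports come from the domain's postmaster; a short clause saying the TLS report sender must be a DKIM-signing domain (which the DKIM condition already implies) would explain the difference to a reader comparing the two settings.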