infrastructure/mox
1
0
Fork 0
mirror of https://github.com/mjl-/mox.git synced 2025-07-12 17:04:39 +03:00
Code Issues Packages Projects Releases Wiki Activity

do not log an error for tls requests with ipv6 addresses as sni server name

Browse Source 
ip addresses are invalid in server names. for ipv6 addresses, the
autocert.GetCertificate calls would return an error, which we logged, and
increased a metric about. but the alerts for this situation aren't helpful. so
recognize ip addresses early. if we are lenient about unknown server names (for
incoming smtp deliveries), we switch to the fallback hostname, otherwise we
return an error.

this was the error logged:

	l=error m="requesting certificate" err="acme/autocert: server name component count invalid"

for ipv4 addresses, the name wouldn't be in our allowlist and should already
have caused us to switch to the fallback hostname.
This commit is contained in:
Mechiel Lukkien
2025-02-23 10:44:17 +01:00
parent cad585a70e
commit 797c1cf9f0
2 changed files with 37 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
rfc/index.txt
View File

@ -365,9 +365,11 @@ See implementation guide, https://jmap.io/server.html
8616 Yes - Email Authentication for Internationalized Mail
# TLS
4366 - Obs (RFC 6066) Transport Layer Security (TLS) Extensions
5056 Yes - On the Use of Channel Bindings to Secure Channels
5705 Yes - Keying Material Exporters for Transport Layer Security (TLS)
5929 Yes - Channel Bindings for TLS
6066 - - Transport Layer Security (TLS) Extensions: Extension Definitions
6125 -? - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)
7250 -No - Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
7525 -? - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
@ -377,6 +379,7 @@ See implementation guide, https://jmap.io/server.html
8996 Yes - Deprecating TLS 1.0 and TLS 1.1
8997 Yes - Deprecation of TLS 1.1 for Email Submission and Access
9266 Yes - Channel Bindings for TLS 1.3
9325 -? - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
# ACME
8555 Yes - Automatic Certificate Management Environment (ACME)