when suggesting CAA records for a domain, suggest variants that bind to the account id and with validation methods used by mox
This should prevent potential mitm attacks, especially when done close to the machine itself (where an http/tls challenge is intercepted to get a valid certificate), as seen on the internet last month.
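--- a/main.go
+++ b/main.go
@@ -792,7 +792,21 @@ configured.
 xcheckf(err, "looking up record for dnssec-status")
 }
 
-records, err := mox.DomainRecords(domConf, d, result.Authentic)
+var certIssuerDomainName, acmeAccountURI string
+public := mox.Conf.Static.Listeners["public"]
+if public.TLS != nil && public.TLS.ACME != "" {
+acme, ok := mox.Conf.Static.ACME[public.TLS.ACME]
+if ok && acme.Manager.Manager.Client != nil {
+certIssuerDomainName = acme.IssuerDomainName
+acc, err := acme.Manager.Manager.Client.GetReg(context.Background(), "")
+c.log.Check(err, "get public acme account")
+if err == nil {
+acmeAccountURI = acc.URI
+}
+}
+}
+
+records, err := mox.DomainRecords(domConf, d, result.Authentic, certIssuerDomainName, acmeAccountURI)
 xcheckf(err, "records")
 fmt.Print(strings.Join(records, "\n") + "\n")
 }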
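Review bot: The call `acc, err := acme.Manager.Manager.Client.GetReg(context.Background(), "")` contacts the ACME server with no deadline, so an unreachable or slow CA makes this command hang, and when it fails `c.log.Check` only logs it and `acmeAccountURI` stays empty, so DomainRecords presumably falls back to CAA suggestions without the account binding that this commit adds to resist mis-issuance. Because the printed records are what the operator pastes into DNS, that degraded result should be visible on stdout rather than only in the log, e.g. print `fmt.Println("; note: could not fetch the ACME account URI, the CAA records below do not bind to the account")` before the records when `acmeAccountURI` is empty despite ACME being configured. A bounded context, `ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)` followed by `defer cancel()` and passing `ctx` to GetReg, keeps the command responsive (assuming `time` is already imported in main.go). The enclosing function starts before this hunk.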