add suppression list for outgoing dmarc and tls reports

for reporting addresses that cause DSNs to be returned. that just adds noise. the admin can add/remove/extend addresses through the webadmin. in the future, we could send reports with a smtp mail from of "postmaster+<signed-encoded-recipient>@...", and add the reporting recipient on the suppression list automatically when a DSN comes in on that address, but for now this will probably do.
2025-07-12 17:04:39 +03:00 · 2023-11-13 13:48:52 +01:00
parent 6ce69d5425
commit e24e1bee19
12 changed files with 697 additions and 17 deletions
--- a/tlsrptdb/db.go
+++ b/tlsrptdb/db.go
@ -17,7 +17,7 @@ var (
 	mutex         sync.Mutex

 	// Accessed directly by tlsrptsend.
-	ResultDBTypes = []any{TLSResult{}}
+	ResultDBTypes = []any{TLSResult{}, TLSRPTSuppressAddress{}}
 	ResultDB      *bstore.DB
 )

--- a/tlsrptdb/result.go
+++ b/tlsrptdb/result.go
@ -51,6 +51,18 @@ type TLSResult struct {
 	Results []tlsrpt.Result
 }

+// todo: TLSRPTSuppressAddress should be named just SuppressAddress, but would clash with dmarcdb.SuppressAddress in sherpa api.
+
+// TLSRPTSuppressAddress is a reporting address for which outgoing TLS reports
+// will be suppressed for a period.
+type TLSRPTSuppressAddress struct {
+	ID               int64
+	Inserted         time.Time `bstore:"default now"`
+	ReportingAddress string    `bstore:"unique"`
+	Until            time.Time `bstore:"nonzero"`
+	Comment          string
+}
+
 func resultDB(ctx context.Context) (rdb *bstore.DB, rerr error) {
 	mutex.Lock()
 	defer mutex.Unlock()
@ -159,3 +171,49 @@ func RemoveResultsPolicyDomain(ctx context.Context, policyDomain dns.Domain, day
 	_, err = bstore.QueryDB[TLSResult](ctx, db).FilterNonzero(TLSResult{PolicyDomain: policyDomain.Name(), DayUTC: dayUTC}).Delete()
 	return err
 }
+
+// SuppressAdd adds an address to the suppress list.
+func SuppressAdd(ctx context.Context, ba *TLSRPTSuppressAddress) error {
+	db, err := resultDB(ctx)
+	if err != nil {
+		return err
+	}
+
+	return db.Insert(ctx, ba)
+}
+
+// SuppressList returns all reporting addresses on the suppress list.
+func SuppressList(ctx context.Context) ([]TLSRPTSuppressAddress, error) {
+	db, err := resultDB(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return bstore.QueryDB[TLSRPTSuppressAddress](ctx, db).SortDesc("ID").List()
+}
+
+// SuppressRemove removes a reporting address record from the suppress list.
+func SuppressRemove(ctx context.Context, id int64) error {
+	db, err := resultDB(ctx)
+	if err != nil {
+		return err
+	}
+
+	return db.Delete(ctx, &TLSRPTSuppressAddress{ID: id})
+}
+
+// SuppressUpdate updates the until field of a reporting address record.
+func SuppressUpdate(ctx context.Context, id int64, until time.Time) error {
+	db, err := resultDB(ctx)
+	if err != nil {
+		return err
+	}
+
+	ba := TLSRPTSuppressAddress{ID: id}
+	err = db.Get(ctx, &ba)
+	if err != nil {
+		return err
+	}
+	ba.Until = until
+	return db.Update(ctx, &ba)
+}