scottk/Mailu
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/Mailu.git synced 2025-11-04 03:57:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

Ensure we also pin ISRG X2 in TLSA

Browse Source
This commit is contained in:
Florent Daigniere
2024-03-11 10:21:54 +01:00
parent d76e543b2d
commit 7089cfea48
4 changed files with 18 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
core/admin/mailu/models.py
View File

@@ -281,9 +281,14 @@ class Domain(Base):
def dns_tlsa(self): def dns_tlsa(self):
""" return TLSA record for domain when using letsencrypt """ """ return TLSA record for domain when using letsencrypt """
hostname = app.config['HOSTNAME'] hostname = app.config['HOSTNAME']
if app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'): if True:# app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
return [
# current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902 # current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902
return f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3' f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3',
# current ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2) @20240311
f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 762195c225586ee6c0237456e2107dc54f1efc21f61a792ebd515913cce68332',
]
return []
@property @property
def dkim_key(self): def dkim_key(self):

11
core/admin/mailu/ui/templates/domain/details.html
View File

@@ -48,11 +48,14 @@
</td> </td>
</tr> </tr>
{%- endif %} {%- endif %}
{%- set tlsa_record=domain.dns_tlsa %} {%- if domain.dns_tlsa|length > 0 %}
{%- if tlsa_record %}
<tr> <tr>
<th>{% trans %}DNS TLSA entry{% endtrans %}</br><span class="text-secondary text-xs font-weight-normal">Let's Encrypt</br>ISRG Root X1</span></th> <th>{% trans %}DNS TLSA entry{% endtrans %}</br><span class="text-secondary text-xs font-weight-normal">Let's Encrypt ISRG Roots</span></th>
<td>{{ macros.clip("dns_tlsa") }}<pre id="dns_tlsa" class="pre-config border bg-light">{{ tlsa_record }}</pre></td> <td>{{ macros.clip("dns_tlsa") }}<pre id="dns_tlsa" class="pre-config border bg-light">
{%- for line in domain.dns_tlsa %}
{{ line }}
{%- endfor -%}
</pre></td>
</tr> </tr>
{%- endif %} {%- endif %}
<tr> <tr>

4
core/admin/mailu/ui/views/domains.py
View File

@@ -81,8 +81,8 @@ def domain_download_zonefile(domain_name):
txt = ' '.join(f'"{txt[p:p+250]}"' for p in range(0, len(txt), 250)) txt = ' '.join(f'"{txt[p:p+250]}"' for p in range(0, len(txt), 250))
res.append(f'{record} {txt}') res.append(f'{record} {txt}')
res.append(domain.dns_dmarc) res.append(domain.dns_dmarc)
if domain.dns_tlsa: for tlsa in domain.dns_tlsa:
res.append(domain.dns_tlsa) res.append(tlsa)
res.extend(domain.dns_autoconfig) res.extend(domain.dns_autoconfig)
res.append("") res.append("")
return flask.Response( return flask.Response(

1
towncrier/newsfragments/3191.feature Normal file
View File

@@ -0,0 +1 @@
Ensure that we encourage users to also pin ISRG X2 in their TLSA records