Implement the DANE-only lookup policyd

https://github.com/Snawoot/postfix-mta-sts-resolver/issues/67 for context
2025-11-01 18:47:52 +00:00 · 2021-08-31 20:24:06 +02:00
parent d607ba0ef2
commit a1da4daa4c
4 changed files with 28 additions and 2 deletions
--- a/core/admin/mailu/internal/views/postfix.py
+++ b/core/admin/mailu/internal/views/postfix.py
@@ -7,6 +7,9 @@ import idna
 import re
 import srslib

+@internal.route("/postfix/dane/<domain_name>")
+def postfix_dane_map(domain_name):
+    return flask.jsonify('dane-only') if utils.has_dane_record(domain_name) else flask.abort(404)

@internal.route("/postfix/domain/<domain_name>")
 def postfix_mailbox_domain(domain_name):
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -6,6 +6,9 @@ try:
 except ImportError:
    import pickle

+import dns
+import dns.resolver
+
 import hmac
 import secrets
 import time
@@ -25,7 +28,6 @@ from itsdangerous.encoding import want_bytes
 from werkzeug.datastructures import CallbackDict
 from werkzeug.contrib import fixers

-
 # Login configuration
 login = flask_login.LoginManager()
 login.login_view = "ui.login"
@@ -37,6 +39,26 @@ def handle_needs_login():
        flask.url_for('ui.login', next=flask.request.endpoint)
    )

+# DNS stub configured to do DNSSEC enabled queries
+resolver = dns.resolver.Resolver()
+resolver.use_edns(0, 0, 1500)
+resolver.flags = dns.flags.AD | dns.flags.RD
+
+def has_dane_record(domain, timeout=5):
+    try:
+        result = resolver.query(f'_25._tcp.{domain}', dns.rdatatype.TLSA,dns.rdataclass.IN, lifetime=timeout)
+        if (result.response.flags & dns.flags.AD) == dns.flags.AD:
+            for record in result:
+                if isinstance(record, dns.rdtypes.ANY.TLSA.TLSA):
+                    record.validate()
+                    if record.usage in [2,3]: # postfix wants DANE-only
+                        return True
+    except dns.resolver.NoNameservers:
+        # this could be an attack / a failed DNSSEC lookup
+        return True
+    except:
+        pass
+
 # Rate limiter
 limiter = limiter.LimitWraperFactory()

--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -60,7 +60,7 @@ smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
 smtp_tls_dane_insecure_mx_policy = {% if DEFER_ON_TLS_ERROR == 'false' %}may{% else %}dane{% endif %}
-smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix
+smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, ${podop}dane, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
 smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -21,6 +21,7 @@ def start_podop():
    run_server(0, "postfix", "/tmp/podop.socket", [
 		("transport", "url", url + "transport/§"),
 		("alias", "url", url + "alias/§"),
+                ("dane", "url", url + "dane/§"),
 		("domain", "url", url + "domain/§"),
        ("mailbox", "url", url + "mailbox/§"),
        ("recipientmap", "url", url + "recipient/map/§"),