From 9f66e2672b3c646570fba1f644f1b35e44ebaeec Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 31 Aug 2021 20:44:57 +0200
Subject: [PATCH] Use DEFER_ON_TLS_ERROR here too

We just don't know whether the lookup failed because we are under attack or whether it's a glitch; the safe behaviour is to defer
---
 core/admin/mailu/configuration.py | 1 +
 core/admin/mailu/utils.py | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 7cd3a56b..4c48fcc4 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -35,6 +35,7 @@ DEFAULT_CONFIG = {
     'WILDCARD_SENDERS': '',
     'TLS_FLAVOR': 'cert',
     'INBOUND_TLS_ENFORCE': False,
+    'DEFER_ON_TLS_ERROR': True,
     'AUTH_RATELIMIT': '1000/minute;10000/hour',
     'AUTH_RATELIMIT_SUBNET': False,
     'DISABLE_STATISTICS': False,
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 914638fa..2313a1e6 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -54,8 +54,10 @@ def has_dane_record(domain, timeout=5):
                 if record.usage in [2,3]: # postfix wants DANE-only
                     return True
     except dns.resolver.NoNameservers:
-        # this could be an attack / a failed DNSSEC lookup
-        return True
+        # If the DNSSEC data is invalid and the DNS resolver is DNSSEC enabled
+        # we will receive this non-specific exception. The safe behaviour is to
+        # accept to defer the email.
+        return app.config['DEFER_ON_TLS_ERROR']
     except:
         pass
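Review bot: The new `'DEFER_ON_TLS_ERROR': True` default in configuration.py carries no comment saying what turning it off costs, even though the utils.py hunk now makes `has_dane_record` return this value when the resolver raises `dns.resolver.NoNameservers` on a failed DNSSEC lookup. An operator who sets it to `False` therefore turns a validation failure into "no DANE record", so delivery falls open to whatever the non-DANE TLS policy allows instead of being deferred; that trade-off belongs next to the default, e.g. `'DEFER_ON_TLS_ERROR': True,  # False: a failed DNSSEC/TLSA lookup is treated as "no DANE record" (fail open); True: defer delivery`. The diff also does not show how environment overrides are coerced for a boolean default, so it is worth confirming that a string such as `false` does not stay truthy. The enclosing `DEFAULT_CONFIG` dict starts and ends outside the hunk.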