Use DEFER_ON_TLS_ERROR here too

We just don't know whether the lookup failed because we are under attack
or whether it's a glitch; the safe behaviour is to defer
master
Florent Daigniere 3 years ago
parent a1da4daa4c
commit 9f66e2672b

@ -35,6 +35,7 @@ DEFAULT_CONFIG = {
'WILDCARD_SENDERS': '', 'WILDCARD_SENDERS': '',
'TLS_FLAVOR': 'cert', 'TLS_FLAVOR': 'cert',
'INBOUND_TLS_ENFORCE': False, 'INBOUND_TLS_ENFORCE': False,
'DEFER_ON_TLS_ERROR': True,
'AUTH_RATELIMIT': '1000/minute;10000/hour', 'AUTH_RATELIMIT': '1000/minute;10000/hour',
'AUTH_RATELIMIT_SUBNET': False, 'AUTH_RATELIMIT_SUBNET': False,
'DISABLE_STATISTICS': False, 'DISABLE_STATISTICS': False,

@ -54,8 +54,10 @@ def has_dane_record(domain, timeout=5):
if record.usage in [2,3]: # postfix wants DANE-only if record.usage in [2,3]: # postfix wants DANE-only
return True return True
except dns.resolver.NoNameservers: except dns.resolver.NoNameservers:
# this could be an attack / a failed DNSSEC lookup # If the DNSSEC data is invalid and the DNS resolver is DNSSEC enabled
return True # we will receive this non-specific exception. The safe behaviour is to
# accept to defer the email.
return app.config['DEFER_ON_TLS_ERROR']
except: except:
pass pass
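Review bot: The bare `except: pass` on the two lines after the new `NoNameservers` branch still turns every other resolver failure — a `dns.exception.Timeout` while the resolver is being flooded, for instance — into the fall-through "no DANE record" outcome, which is the silent downgrade the commit description wants to avoid; only one failure mode now honours `DEFER_ON_TLS_ERROR`. Narrow the swallow to the answers that genuinely mean the domain publishes no TLSA record, `except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer): pass`, and give the remaining exceptions the same `return app.config['DEFER_ON_TLS_ERROR']` path (a bare `except:` also catches `KeyboardInterrupt` and `SystemExit`, so at minimum make it `except Exception:`). What the function returns after leaving the `try` is outside the hunk, so this assumes the fall-through is a falsy "no DANE" result; has_dane_record starts before and ends after the hunk. A short comment above that handler naming the exceptions it is meant to absorb, such as `# NXDOMAIN / NoAnswer: the domain simply has no TLSA record`, would make the intent clear to the next reader.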
