From c1d94bb72563430d151916de0e3d9e31708348fe Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Wed, 1 Sep 2021 09:01:04 +0200
Subject: [PATCH] Ensure that postfix will be able to use the TLSA records
see https://www.huque.com/dane/testsite/ for the testcases
---
 core/admin/mailu/utils.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 2313a1e6..66cf0476 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -44,14 +44,14 @@
 resolver = dns.resolver.Resolver()
 resolver.use_edns(0, 0, 1500)
 resolver.flags = dns.flags.AD | dns.flags.RD
-def has_dane_record(domain, timeout=5):
+def has_dane_record(domain, timeout=10):
 try:
 result = resolver.query(f'_25._tcp.{domain}', dns.rdatatype.TLSA,dns.rdataclass.IN, lifetime=timeout)
 if (result.response.flags & dns.flags.AD) == dns.flags.AD:
 for record in result:
 if isinstance(record, dns.rdtypes.ANY.TLSA.TLSA):
 record.validate()
-if record.usage in [2,3]: # postfix wants DANE-only
+if record.usage in [2,3] and record.selector in [0,1] and record.mtype in [0,1,2]:
 return True
 except dns.resolver.NoNameservers:
 # If the DNSSEC data is invalid and the DNS resolver is DNSSEC enabled
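Review bot: The new `if record.usage in [2,3] and record.selector in [0,1] and record.mtype in [0,1,2]:` line drops the only explanation the old check carried ("postfix wants DANE-only") and now encodes three sets of bare TLSA parameter values with no hint of what they mean, so the reader has to go back to RFC 6698 to audit it. A comment on that line restoring the intent would help, e.g. `# only records Postfix can act on: usage DANE-TA(2)/DANE-EE(3), selector Cert(0)/SPKI(1), matching type Full(0)/SHA2-256(1)/SHA2-512(2)`. Whether the Postfix build shipped with this image honours matching type 0 (Full) for outbound DANE is worth confirming before keeping it in the accepted set; if it does not, a domain publishing only such records would be flagged as DANE-capable here while delivery would not use them, which is exactly the mismatch the commit is trying to close. Note also that the function returns True on the first acceptable record, so a zone mixing usable and unusable records is treated as usable; that matches what a client does but is worth stating in the comment. The `except` chain of has_dane_record continues outside the hunk.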