mjl- / mox

modern full-featured open source secure mail server for low-maintenance self-hosted email
https://www.xmox.nl
MIT License

Incorrect rua email address for Host TLSRPT #125

Closed lmeunier closed 4 months ago

lmeunier commented 5 months ago

Mox version:

# mox version
0.0.9
go1.21.6 linux/arm64

Mox config files are initialized with this command:

# mox quickstart -existing-webserver -hostname ftth4.example.com admin@infra.example.com

In the "DNS records to add" section, I was asked to add the following DNS record:

; Request reporting about success/failures of TLS connections to (MX) host, for DANE.
_smtp._tls.ftth4.example.com.                 TXT "v=TLSRPTv1; rua=mailto:tls-reports@ftth4.example.com"

Shouldn't the rua email address be tls-reports@infra.example.com instead of tls-reports@ftth4.example.com? As there is no MX record for ftth4.example.com and the domain ftth4.example.com is not listed in the domains managed by mox, emails sent to tls-reports@ftth4.example.com will always be rejected.

mjl- commented 5 months ago

The default config enables a "host tlsrpt" setting to accept TLS reports aimed at the host. See https://www.xmox.nl/config/#cfg-mox-conf-HostTLSRPT

While implementing TLS reporting, it confused me quite a bit. TLS reporting is written with/for MTA-STS. MTA-STS protects recipient domains. TLS reporting can also report on DANE TLS connectivity. DANE protects MX hosts. So I went down the rabbit hole of "TLS reporting for hosts"... Also see https://mailarchive.ietf.org/arch/msg/uta/F7m4BAnILJB6HmmAPs6rAtvcD-w/

In general, TLS reporting for MX hosts can be useful, regardless of the question of recipient domain vs MX host: Email to postmaster@ will be delivered with TLS too, and reporting on it can be useful.

So I'm not so sure my implementation of TLS reports towards MX hosts about recipient domains is a great idea; still, the generated configuration is intentional, and mox should be accepting reports sent to that address.

lmeunier commented 5 months ago

Thanks for your response.

In general, TLS reporting for MX hosts can be useful, regardless of the question of recipient domain vs MX host: Email to postmaster@ will be delivered with TLS too, and reporting on it can be useful.

I agree with you. A TLSRPT record for MX hosts (ftth4.example.com in my case) is useful.

My question was more about the email address defined in the mailto TLSRPT record for the MX host. As ftth4.example.com is not listed in the domains managed by mox (not present in the domains.conf file), I expect that emails sent to the domain ftth4.example.com will be rejected by mox (with a permanent error 550 5.1.1 not accepting email for domain).

I just tested it and ... it seems I was wrong and mox also accepts emails for the domain ftth4.example.com. So everything seems to be fine (I should have tested before opening this issue, my bad).

It was not obvious to me that mox also accepts emails for the domain corresponding to the MX host.
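The check lmeunier ended up doing by hand, as an added Go example that is not part of mox: it parses a `_smtp._tls` TXT value like the one in the issue and flags the `rua` mailto addresses a server would reject, given its configured domains, its hostname, and whether it accepts host TLS reports (mox's HostTLSRPT). The domain set and hostname passed in are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseTLSRPTRUA returns the rua URIs of an RFC 8460 TLSRPT TXT record such as
// "v=TLSRPTv1; rua=mailto:tls-reports@ftth4.example.com".
func ParseTLSRPTRUA(txt string) ([]string, error) {
	version, rua := "", []string(nil)
	for _, field := range strings.Split(txt, ";") {
		k, v, ok := strings.Cut(strings.TrimSpace(field), "=")
		if !ok {
			continue // empty field (trailing ';') or one without '='
		}
		switch strings.ToLower(strings.TrimSpace(k)) {
		case "v":
			version = strings.TrimSpace(v)
		case "rua":
			for _, u := range strings.Split(v, ",") {
				rua = append(rua, strings.TrimSpace(u))
			}
		}
	}
	if version != "TLSRPTv1" || len(rua) == 0 {
		return nil, fmt.Errorf("not a TLSRPTv1 record with a rua field: %q", txt)
	}
	return rua, nil
}

// UndeliverableRUA lists the mailto: rua addresses whose domain the mail server
// would reject: not a configured domain (domains.conf) and not the server's
// own hostname when host TLS reports are accepted (mox's HostTLSRPT setting).
func UndeliverableRUA(rua []string, domains map[string]bool, hostname string, hostTLSRPT bool) []string {
	var bad []string
	for _, u := range rua {
		addr, isMailto := strings.CutPrefix(u, "mailto:")
		if !isMailto {
			continue // https: reporting endpoints are not delivered over SMTP
		}
		_, dom, ok := strings.Cut(addr, "@")
		dom = strings.ToLower(strings.TrimSuffix(dom, "."))
		if !ok || dom == "" || !(domains[dom] || hostTLSRPT && dom == strings.ToLower(hostname)) {
			bad = append(bad, u)
		}
	}
	return bad
}
```

With HostTLSRPT disabled the host address from the issue is reported as undeliverable; with it enabled (the quickstart default) it passes, which is the behaviour the thread ends on.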