Remove technical subdomains from MTA-STS policies and TLS records (closes #429)

2025-09-15 00:14:31 +08:00 · 2024-05-23 14:47:50 +02:00 · 2024-05-23 14:47:50 +02:00 · f366dc3fd3
commit f366dc3fd3
parent d52180dcf1
2 changed files with 12 additions and 6 deletions
--- a/crates/common/src/config/smtp/resolver.rs
+++ b/crates/common/src/config/smtp/resolver.rs
@ -308,11 +308,13 @@ impl Policy {

 impl Core {
    pub fn build_mta_sts_policy(&self) -> Option<Policy> {
-        self.smtp
-            .session
-            .mta_sts_policy
-            .clone()
-            .and_then(|policy| policy.try_build(self.tls.certificates.load().keys()))
+        self.smtp.session.mta_sts_policy.clone().and_then(|policy| {
+            policy.try_build(self.tls.certificates.load().keys().filter(|key| {
+                !key.starts_with("mta-sts.")
+                    && !key.starts_with("autoconfig.")
+                    && !key.starts_with("autodiscover.")
+            }))
+        })
    }
 }

--- a/crates/jmap/src/api/management/domain.rs
+++ b/crates/jmap/src/api/management/domain.rs
@ -297,7 +297,11 @@ impl JMAP {

        // Add TLSA records
        for (name, key) in self.core.tls.certificates.load().iter() {
-            if !name.ends_with(domain_name) {
+            if !name.ends_with(domain_name)
+                || name.starts_with("mta-sts.")
+                || name.starts_with("autoconfig.")
+                || name.starts_with("autodiscover.")
+            {
                continue;
            }