16 "github.com/mjl-/adns"
18 "github.com/mjl-/mox/dns"
19 "github.com/mjl-/mox/mlog"
23 errCNAMELoop = errors.New("cname loop")
24 errCNAMELimit = errors.New("too many cname records")
25 errDNS = errors.New("dns lookup error")
26 errNoMail = errors.New("domain does not accept email as indicated with single dot for mx record")
29// HostPref is a host for delivery, with preference for MX records.
32 Pref int // -1 when not an MX record.
35// GatherDestinations looks up the hosts to deliver email to a domain ("next-hop").
36// If it is an IP address, it is the only destination to try. Otherwise CNAMEs of
37// the domain are followed. Then MX records for the expanded CNAME are looked up.
38// If no MX record is present, the original domain is returned. If an MX record is
39// present but indicates the domain does not accept email, ErrNoMail is returned.
40// If valid MX records were found, the MX target hosts are returned.
42// haveMX indicates if an MX record was found.
44// origNextHopAuthentic indicates if the DNS record for the initial domain name was
45// DNSSEC secure (CNAME, MX).
47// expandedNextHopAuthentic indicates if the DNS records after following CNAMEs were
50// These authentic results are needed for DANE, to determine where to look up TLSA
51// records, and which names to allow in the remote TLS certificate. If MX records
52// were found, both the original and expanded next-hops must be authentic for DANE
53// to be option. For a non-IP with no MX records found, the authentic result can
54// be used to decide which of the names to use as TLSA base domain.
55func GatherDestinations(ctx context.Context, elog *slog.Logger, resolver dns.Resolver, origNextHop dns.IPDomain) (haveMX, origNextHopAuthentic, expandedNextHopAuthentic bool, expandedNextHop dns.Domain, hostPrefs []HostPref, permanent bool, err error) {
58 log := mlog.New("smtpclient", elog)
60 // IP addresses are dialed directly, and don't have TLSA records.
61 if len(origNextHop.IP) > 0 {
62 return false, false, false, expandedNextHop, []HostPref{{origNextHop, -1}}, false, nil
65 // We start out assuming the result is authentic. Updated with each lookup.
66 origNextHopAuthentic = true
67 expandedNextHopAuthentic = true
69 // We start out delivering to the recipient domain. We follow CNAMEs.
70 rcptDomain := origNextHop.Domain
71 // Domain we are actually delivering to, after following CNAME record(s).
72 expandedNextHop = rcptDomain
73 // Keep track of CNAMEs we have followed, to detect loops.
74 domainsSeen := map[string]bool{}
76 if domainsSeen[expandedNextHop.ASCII] {
77 // todo: only mark as permanent failure if TTLs for all records are beyond latest possibly delivery retry we would do.
78 err := fmt.Errorf("%w: recipient domain %s: already saw %s", errCNAMELoop, rcptDomain, expandedNextHop)
79 return false, origNextHopAuthentic, expandedNextHopAuthentic, expandedNextHop, nil, false, err
81 domainsSeen[expandedNextHop.ASCII] = true
83 // note: The Go resolver returns the requested name if the domain has no CNAME
84 // record but has a host record.
86 // We have a maximum number of CNAME records we follow. There is no hard limit for
87 // DNS, and you might think folks wouldn't configure CNAME chains at all, but for
88 // (non-mail) domains, CNAME chains of 10 records have been encountered according
90 // todo: only mark as permanent failure if TTLs for all records are beyond latest possibly delivery retry we would do.
91 err := fmt.Errorf("%w: recipient domain %s, last resolved domain %s", errCNAMELimit, rcptDomain, expandedNextHop)
92 return false, origNextHopAuthentic, expandedNextHopAuthentic, expandedNextHop, nil, false, err
95 // Do explicit CNAME lookup. Go's LookupMX also resolves CNAMEs, but we want to
96 // know the final name, and we're interested in learning if the first vs later
97 // results were DNSSEC-(in)secure.
99 cctx, ccancel := context.WithTimeout(ctx, 30*time.Second)
101 cname, cnameResult, err := resolver.LookupCNAME(cctx, expandedNextHop.ASCII+".")
104 origNextHopAuthentic = origNextHopAuthentic && cnameResult.Authentic
106 expandedNextHopAuthentic = expandedNextHopAuthentic && cnameResult.Authentic
107 if err != nil && !dns.IsNotFound(err) {
108 err = fmt.Errorf("%w: cname lookup for %s: %v", errDNS, expandedNextHop, err)
109 return false, origNextHopAuthentic, expandedNextHopAuthentic, expandedNextHop, nil, false, err
111 if err == nil && cname != expandedNextHop.ASCII+"." {
112 d, err := dns.ParseDomain(strings.TrimSuffix(cname, "."))
114 // todo: only mark as permanent failure if TTLs for all records are beyond latest possibly delivery retry we would do.
115 err = fmt.Errorf("%w: parsing cname domain %s: %v", errDNS, expandedNextHop, err)
116 return false, origNextHopAuthentic, expandedNextHopAuthentic, expandedNextHop, nil, false, err
119 // Start again with new domain.
123 // Not a CNAME, so lookup MX record.
124 mctx, mcancel := context.WithTimeout(ctx, 30*time.Second)
126 // Note: LookupMX can return an error and still return records: Invalid records are
127 // filtered out and an error returned. We must process any records that are valid.
129 mxl, mxResult, err := resolver.LookupMX(mctx, expandedNextHop.ASCII+".")
132 origNextHopAuthentic = origNextHopAuthentic && mxResult.Authentic
134 expandedNextHopAuthentic = expandedNextHopAuthentic && mxResult.Authentic
135 if err != nil && len(mxl) == 0 {
136 if !dns.IsNotFound(err) {
137 err = fmt.Errorf("%w: mx lookup for %s: %v", errDNS, expandedNextHop, err)
138 return false, origNextHopAuthentic, expandedNextHopAuthentic, expandedNextHop, nil, false, err
142 hostPrefs = []HostPref{{dns.IPDomain{Domain: expandedNextHop}, -1}}
143 return false, origNextHopAuthentic, expandedNextHopAuthentic, expandedNextHop, hostPrefs, false, nil
144 } else if err != nil {
145 log.Infox("mx record has some invalid records, keeping only the valid mx records", err)
149 if err == nil && len(mxl) == 1 && mxl[0].Host == "." {
150 // Note: Depending on MX record TTL, this record may be replaced with a more
151 // receptive MX record before our final delivery attempt. But it's clearly the
152 // explicit desire not to be bothered with email delivery attempts, so mark failure
154 return true, origNextHopAuthentic, expandedNextHopAuthentic, expandedNextHop, nil, true, errNoMail
157 // The Go resolver already sorts by preference, randomizing records of same
159 for _, mx := range mxl {
160 // Parsing lax (unless pedantic mode) for MX targets with underscores as seen in the wild.
161 host, err := dns.ParseDomainLax(strings.TrimSuffix(mx.Host, "."))
163 // note: should not happen because Go resolver already filters these out.
164 err = fmt.Errorf("%w: invalid host name in mx record %q: %v", errDNS, mx.Host, err)
165 return true, origNextHopAuthentic, expandedNextHopAuthentic, expandedNextHop, nil, true, err
167 hostPrefs = append(hostPrefs, HostPref{dns.IPDomain{Domain: host}, int(mx.Pref)})
169 if len(hostPrefs) > 0 {
172 return true, origNextHopAuthentic, expandedNextHopAuthentic, expandedNextHop, hostPrefs, false, err
176// GatherIPs looks up the IPs to try for connecting to host, with the IPs ordered
177// to take previous attempts into account. For use with DANE, the CNAME-expanded
178// name is returned, and whether the DNS responses were authentic.
179func GatherIPs(ctx context.Context, elog *slog.Logger, resolver dns.Resolver, network string, host dns.IPDomain, dialedIPs map[string][]net.IP) (authentic bool, expandedAuthentic bool, expandedHost dns.Domain, ips []net.IP, dualstack bool, rerr error) {
180 log := mlog.New("smtpclient", elog)
182 if len(host.IP) > 0 {
183 return false, false, dns.Domain{}, []net.IP{host.IP}, false, nil
187 expandedAuthentic = true
189 // The Go resolver automatically follows CNAMEs, which is not allowed for host
190 // names in MX records, but seems to be accepted and is documented for DANE SMTP
191 // behaviour. We resolve CNAMEs explicitly, so we can return the final name, which
194 name := host.Domain.ASCII + "."
197 cname, result, err := resolver.LookupCNAME(ctx, name)
199 authentic = result.Authentic
201 expandedAuthentic = expandedAuthentic && result.Authentic
202 if dns.IsNotFound(err) {
204 } else if err != nil {
205 return authentic, expandedAuthentic, dns.Domain{}, nil, dualstack, err
206 } else if strings.TrimSuffix(cname, ".") == strings.TrimSuffix(name, ".") {
210 return authentic, expandedAuthentic, dns.Domain{}, nil, dualstack, fmt.Errorf("mx lookup: %w", errCNAMELimit)
212 name = strings.TrimSuffix(cname, ".") + "."
215 if name == host.Domain.ASCII+"." {
216 expandedHost = host.Domain
219 expandedHost, err = dns.ParseDomain(strings.TrimSuffix(name, "."))
221 return authentic, expandedAuthentic, dns.Domain{}, nil, dualstack, fmt.Errorf("parsing cname-resolved domain: %w", err)
225 ipaddrs, result, err := resolver.LookupIP(ctx, network, name)
226 authentic = authentic && result.Authentic
227 expandedAuthentic = expandedAuthentic && result.Authentic
228 if err != nil || len(ipaddrs) == 0 {
229 return authentic, expandedAuthentic, expandedHost, nil, false, fmt.Errorf("looking up %q: %w", name, err)
231 var have4, have6 bool
232 for _, ipaddr := range ipaddrs {
233 ips = append(ips, ipaddr)
234 if ipaddr.To4() == nil {
240 dualstack = have4 && have6
241 prevIPs := dialedIPs[host.String()]
242 if len(prevIPs) > 0 {
243 prevIP := prevIPs[len(prevIPs)-1]
244 prevIs4 := prevIP.To4() != nil
246 for _, ip := range prevIPs {
247 is4 := ip.To4() != nil
252 preferPrev := sameFamily == 1
253 // We use stable sort so any preferred/randomized listing from DNS is kept intact.
254 sort.SliceStable(ips, func(i, j int) bool {
255 aIs4 := ips[i].To4() != nil
256 bIs4 := ips[j].To4() != nil
258 // Prefer "i" if it is not same address family.
259 return aIs4 != prevIs4
261 // Prefer "i" if it is the same as last and we should be preferring it.
262 return preferPrev && ips[i].Equal(prevIP)
264 log.Debug("ordered ips for dialing", slog.Any("ips", ips))
269// GatherTLSA looks up TLSA record for either expandedHost or host, and returns
270// records usable for DANE with SMTP, and host names to allow in DANE-TA
271// certificate name verification.
273// If no records are found, this isn't necessarily an error. It can just indicate
274// the domain/host does not opt-in to DANE, and nil records and a nil error are
277// Only usable records are returned. If any record was found, DANE is required and
278// this is indicated with daneRequired. If no usable records remain, the caller
279// must do TLS, but not verify the remote TLS certificate.
281// Returned values are always meaningful, also when an error was returned.
282func GatherTLSA(ctx context.Context, elog *slog.Logger, resolver dns.Resolver, host dns.Domain, expandedAuthentic bool, expandedHost dns.Domain) (daneRequired bool, daneRecords []adns.TLSA, tlsaBaseDomain dns.Domain, err error) {
283 log := mlog.New("smtpclient", elog)
286 // This function is only called when the lookup of host was authentic.
290 tlsaBaseDomain = host
291 if host == expandedHost || !expandedAuthentic {
292 l, err = lookupTLSACNAME(ctx, log, resolver, 25, "tcp", host)
293 } else if expandedAuthentic {
295 tlsaBaseDomain = expandedHost
296 l, err = lookupTLSACNAME(ctx, log, resolver, 25, "tcp", expandedHost)
297 if err == nil && len(l) == 0 {
298 tlsaBaseDomain = host
299 l, err = lookupTLSACNAME(ctx, log, resolver, 25, "tcp", host)
302 if len(l) == 0 || err != nil {
303 daneRequired = err != nil
304 log.Debugx("gathering tlsa records failed", err, slog.Bool("danerequired", daneRequired), slog.Any("basedomain", tlsaBaseDomain))
305 return daneRequired, nil, tlsaBaseDomain, err
307 daneRequired = len(l) > 0
308 l = filterUsableTLSARecords(log, l)
309 log.Debug("tlsa records exist",
310 slog.Bool("danerequired", daneRequired),
311 slog.Any("records", l),
312 slog.Any("basedomain", tlsaBaseDomain))
313 return daneRequired, l, tlsaBaseDomain, err
316// lookupTLSACNAME composes a TLSA domain name to lookup, follows CNAMEs and looks
317// up TLSA records. no TLSA records exist, a nil error is returned as it means
318// the host does not opt-in to DANE.
319func lookupTLSACNAME(ctx context.Context, log mlog.Log, resolver dns.Resolver, port int, protocol string, host dns.Domain) (l []adns.TLSA, rerr error) {
320 name := fmt.Sprintf("_%d._%s.%s", port, protocol, host.ASCII+".")
322 cname, result, err := resolver.LookupCNAME(ctx, name)
323 if dns.IsNotFound(err) {
324 if !result.Authentic {
325 log.Debugx("cname nxdomain result during tlsa lookup not authentic, not doing dane for host", err, slog.Any("host", host), slog.String("name", name))
329 } else if err != nil {
330 return nil, fmt.Errorf("looking up cname for tlsa candidate base domain: %w", err)
331 } else if !result.Authentic {
332 log.Debugx("cname result during tlsa lookup not authentic, not doing dane for host", err, slog.Any("host", host), slog.String("name", name))
336 return nil, fmt.Errorf("looking up cname for tlsa candidate base domain: %w", errCNAMELimit)
338 name = strings.TrimSuffix(cname, ".") + "."
340 var result adns.Result
342 l, result, err = resolver.LookupTLSA(ctx, 0, "", name)
343 if dns.IsNotFound(err) || err == nil && len(l) == 0 {
344 log.Debugx("no tlsa records for host, not doing dane", err,
345 slog.Any("host", host),
346 slog.String("name", name),
347 slog.Bool("authentic", result.Authentic))
349 } else if err != nil {
350 return nil, fmt.Errorf("looking up tlsa records for tlsa candidate base domain: %w", err)
351 } else if !result.Authentic {
352 log.Debugx("tlsa lookup not authentic, not doing dane for host", err, slog.Any("host", host), slog.String("name", name))
358func filterUsableTLSARecords(log mlog.Log, l []adns.TLSA) []adns.TLSA {
361 for _, r := range l {
365 case adns.TLSAUsageDANETA, adns.TLSAUsageDANEEE:
371 case adns.TLSASelectorCert, adns.TLSASelectorSPKI:
376 case adns.TLSAMatchTypeFull:
377 if r.Selector == adns.TLSASelectorCert {
378 if _, err := x509.ParseCertificate(r.CertAssoc); err != nil {
379 log.Debugx("parsing certificate in dane tlsa record, ignoring", err)
382 } else if r.Selector == adns.TLSASelectorSPKI {
383 if _, err := x509.ParsePKIXPublicKey(r.CertAssoc); err != nil {
384 log.Debugx("parsing certificate in dane tlsa record, ignoring", err)
388 case adns.TLSAMatchTypeSHA256:
389 if len(r.CertAssoc) != sha256.Size {
390 log.Debug("dane tlsa record with wrong data size for sha2-256", slog.Int("got", len(r.CertAssoc)), slog.Int("expect", sha256.Size))
393 case adns.TLSAMatchTypeSHA512:
394 if len(r.CertAssoc) != sha512.Size {
395 log.Debug("dane tlsa record with wrong data size for sha2-512", slog.Int("got", len(r.CertAssoc)), slog.Int("expect", sha512.Size))
408// GatherTLSANames returns the allowed names in TLS certificates for verification
409// with PKIX-* or DANE-TA. The first name should be used for SNI.
411// If there was no MX record, the next-hop domain parameters (i.e. the original
412// email destination host, and its CNAME-expanded host, that has MX records) are
413// ignored and only the base domain parameters are taken into account.
414func GatherTLSANames(haveMX, expandedNextHopAuthentic, expandedTLSABaseDomainAuthentic bool, origNextHop, expandedNextHop, origTLSABaseDomain, expandedTLSABaseDomain dns.Domain) []dns.Domain {
418 if !expandedTLSABaseDomainAuthentic || origTLSABaseDomain == expandedTLSABaseDomain {
419 return []dns.Domain{origTLSABaseDomain}
421 return []dns.Domain{expandedTLSABaseDomain, origTLSABaseDomain}
422 } else if expandedNextHopAuthentic {
425 if expandedTLSABaseDomainAuthentic {
426 l = []dns.Domain{expandedTLSABaseDomain}
428 if expandedTLSABaseDomain != origTLSABaseDomain {
429 l = append(l, origTLSABaseDomain)
431 l = append(l, origNextHop)
432 if origNextHop != expandedNextHop {
433 l = append(l, expandedNextHop)
437 // We don't attempt DANE after insecure MX, but behaviour for it is specified.
439 return []dns.Domain{origNextHop}