More granularity for queue.outbound.tls.allow-invalid-certs

[bcspragu]

I had an email bounce recently because a large provider has let their certificate expire (by 36 days at this point!). I don't want to set queue.outbound.tls.allow-invalid-certs = true because I think that would allow other types of invalid certs, like self-signed certs or other types of invalidity that could be the result of an actual MitM attack.

But other mail providers (i.e. GMail) seem to be fine sending mail to this server despite the expired cert, so I'd like to relax the constraints in this one specific way.

I'd be happy to try implementing this if it's a more broadly desirable feature.

[mdecimus]

You could implement this with an expression, something like this:

allow-invalid-certs = "contains(['broken_domain1.com', 'broken_domain2.com'], mx)"

Or if you want to manage these domains from a lookup store you can use:

allow-invalid-certs = "key_exists('lookup_store', mx)"

[bcspragu]

Good to know! That's a useful workaround. Interestingly, it's simultaneously a stronger security posture (don't blindly allow all expired certificates) and also a weaker one (if I allowlist broken_domain1.com for being expired, and later on someone MitM's with a self-signed cert, they intercept the emails). Of course, the latter is a pretty esoteric example, but I still think there's value in differentiating the different types of invalid-certs, as some are more 'serious' than others

[mdecimus]

The variables available from an expression are going to be expanded after v0.7.0 is out. You will be able to access the retry attempt number and the DSNs from previous attempts. That will allow you to automatically disable TLS if the first attempt failed, something like this:

allow-invalid-certs = "attempt_num > 0 && contains(last_status, 'TLS')"

This is a rough example, the way to access the previous DSN still needs to be polished.