Fix MTA-STS policy id so it does not have invalid characters, fixes #1779

This commit is contained in:
Joshua Tauberer 2020-06-12 13:09:11 -04:00
parent 224242dfde
commit 6fd3195275
1 changed files with 6 additions and 4 deletions

View File

@ -340,11 +340,13 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
# 'break' was not encountered above, so both domains are good # 'break' was not encountered above, so both domains are good
mta_sts_enabled = True mta_sts_enabled = True
if mta_sts_enabled: if mta_sts_enabled:
# Compute a up-to-32-character hash of the policy file. We'll take a SHA-1 hash of the policy # Compute an up-to-32-character hash of the policy file. We'll take a SHA-1 hash of the policy
# file (20 bytes) and encode it as base-64 (60 bytes) but then just take its first 20 bytes # file (20 bytes) and encode it as base-64 (28 bytes, using alphanumeric alternate characters
# which should be sufficient to change whenever the policy file changes. # instead of '+' and '/' which are not allowed in an MTA-STS policy id) but then just take its
# first 20 characters, which is more than sufficient to change whenever the policy file changes
# (and ensures any '=' padding at the end of the base64 encoding is dropped).
with open("/var/lib/mailinabox/mta-sts.txt", "rb") as f: with open("/var/lib/mailinabox/mta-sts.txt", "rb") as f:
mta_sts_policy_id = base64.b64encode(hashlib.sha1(f.read()).digest()).decode("ascii")[0:20] mta_sts_policy_id = base64.b64encode(hashlib.sha1(f.read()).digest(), altchars=b"AA").decode("ascii")[0:20]
mta_sts_records.extend([ mta_sts_records.extend([
("_mta-sts", "TXT", "v=STSv1; id=" + mta_sts_policy_id, "Optional. Part of the MTA-STS policy for incoming mail. If set, a MTA-STS policy must also be published.") ("_mta-sts", "TXT", "v=STSv1; id=" + mta_sts_policy_id, "Optional. Part of the MTA-STS policy for incoming mail. If set, a MTA-STS policy must also be published.")
]) ])