Verify more of the policy language

2026-06-06 07:12:54 -04:00 · 2014-06-16 14:23:33 -07:00 · 2014-06-16 14:23:33 -07:00 · 2eba47a716
commit 2eba47a716
parent 8d6b6c358a
2 changed files with 25 additions and 5 deletions
--- a/ConfigParser.py
+++ b/ConfigParser.py
@ -35,6 +35,8 @@ class Config:
  def __init__(self, cfg_file_name = "config.json"):
    f = open(cfg_file_name)
    self.cfg = json.loads(f.read())
+    self.tls_policies = {}
+    self.mx_map = {}
    for atr, val in self.cfg.items():
      # Verify each attribute of the structure
      if atr.startswith("comment"):
@ -47,21 +49,39 @@ class Config:
      elif atr == "expires":
        self.expires = parse_timestamp(val)
      elif atr == "tls-policies":
-        self.tls_policies = {}
        for domain,policies in self.check_tls_policy_domains(val):
          if type(policies) != dict:
            raise TypeError, domain + "'s policies should be a dict: " + `policies`
          self.tls_policies[domain] = {} # being here enforces TLS at all
-          for policy, value in policies.items():
-            if policy == "min-tls-version":
+          for policy, v in policies.items():
+            value = lower(str(v))
+            if policy == "require-tls":
+              if value in ("true", "1", "yes"):
+                self.tls_policies[domain]["required"] = True
+              elif value in ("false", "0", "no"):
+                self.tls_policies[domain]["required"] = False
+              else:
+                raise ValueError, "Unknown require-tls value " + `value`
+            elif policy == "min-tls-version":
              reasonable = ["TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
              if not value in reasonable:
                raise ValueError, "Not a valid TLS version string: " + `value`
              self.tls_policies[domain]["min-tls-version"] = str(value)
+            elif policy == "enforce-mode":
+              if value == "enforce":
+                self.tls_policies[domain]["enforce"] = True
+              elif value == "log-only":
+                self.tls_policies[domain]["enforce"] = False
+              else:
+                raise ValueError, "Not a known enoforcement policy " + `value`
      elif atr == "acceptable-mxs":
-        pass
+        for domain, mxball in acceptable_mx:
+          pass
      else:
        sys.stderr.write("Uknown attribute: " + `atr` + "\n")
+    # XXX is it ever permissible to have a domain with an acceptable-mx 
+    # that does not point to a TLS security policy?  If not, check/warn/fail
+    # here
    print self.tls_policies

  def check_tls_policy_domains(self, val):
--- a/MTAConfigGenerator.py
+++ b/MTAConfigGenerator.py
@ -78,7 +78,7 @@ class PostfixConfigGenerator(MTAConfigGenerator):
    # Check we're currently accepting inbound STARTTLS sensibly
    self.ensure_cf_var("smtpd_use_tls", "yes", [])
    # Ideally we use it opportunistically in the outbound direction
-    self.ensure_cf_var("smtp_tls_security_level", "may", ["encrypt"])
+    self.ensure_cf_var("smtp_tls_security_level", "may", ["encrypt","dane"])
    # Maximum verbosity lets us collect failure information
    self.ensure_cf_var("smtp_tls_loglevel", "1", [])
    # Inject a reference to our per-domain policy map