smtpsrv: Flag to disable incoming DomainInfo rejection

This flag makes us never reject incoming mail based on DomainInfo checks, effectively turning the check into a warning. This can be useful for situations where it's better to accept insecure email than to reject it.
2026-01-07 17:47:14 +00:00 · 2024-11-11 21:52:48 +00:00
parent 45bc70ee33
commit 9b2bb352b2
1 changed files with 13 additions and 0 deletions
--- a/internal/smtpsrv/conn.go
+++ b/internal/smtpsrv/conn.go
@@ -72,6 +72,14 @@ var (
 	maxReceivedHeaders = flag.Int("testing__max_received_headers", 50,
 		"max Received headers, for loop detection; ONLY FOR TESTING")

+	// Disable incoming domain info rejection. This is insecure, as it allows
+	// connection downgrading attacks.
+	// This flag is experimental and likely to be either removed, or replaced
+	// by a config option.
+	disableDomainInfoIncomingRejection = flag.Bool(
+		"insecure__disable_domain_info_incoming_rejection", false,
+		"disable rejection based on incoming domain info checks; INSECURE")
+
 	// Some go tests disable SPF, to avoid leaking DNS lookups.
 	disableSPFForTesting = false
 )
@@ -559,6 +567,11 @@ func (c *Conn) secLevelCheck(addr string) bool {
 		c.tr.Errorf("security level check for %s failed (%s)", domain, level)
 	}

+	if *disableDomainInfoIncomingRejection {
+		c.tr.Debugf("DomainInfo incoming rejection disabled, accepting mail")
+		return true
+	}
+
 	return ok
 }