admin: in self-check for spf records against our ip's, don't try chec…

…king the unspecified addresses (0.0.0.0 and ::), and warn if there are no explicitly configured ips based on question by spectral369 on #mox on matrix
mjl- · Nov 24, 2024 · 726c093 · 726c093
1 parent 501f594
commit 726c093
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/mox-/admin.go b/mox-/admin.go
@@ -684,6 +684,9 @@ func DomainSPFIPs() (ips []net.IP) {
 		}
 		for _, ipstr := range ipstrs {
 			ip := net.ParseIP(ipstr)
+			if ip.IsUnspecified() {
+				continue
+			}
 			ips = append(ips, ip)
 		}
 	}

diff --git a/webadmin/admin.go b/webadmin/admin.go
@@ -953,6 +953,8 @@ EOF
 		defer logPanic(ctx)
 		defer wg.Done()
 
+		ips := mox.DomainSPFIPs()
+
 		// Verify a domain with the configured IPs that do SMTP.
 		verifySPF := func(isHost bool, domain dns.Domain) (string, *SPFRecord, spf.Record) {
 			kind := "domain"
@@ -1000,10 +1002,9 @@ EOF
 				}
 			}
 
-			for _, ip := range mox.DomainSPFIPs() {
+			for _, ip := range ips {
 				checkSPFIP(ip)
 			}
-
 			if !isHost {
 				spfr.Directives = append(spfr.Directives, spf.Directive{Mechanism: "mx"})
 			}
@@ -1022,6 +1023,10 @@ EOF
 		// todo: possibly check all hosts for MX records? assuming they are also sending mail servers.
 		r.SPF.HostTXT, r.SPF.HostRecord, _ = verifySPF(true, mox.Conf.Static.HostnameDomain)
 
+		if len(ips) == 0 {
+			addf(&r.SPF.Warnings, `No explicitly configured IPs found to check SPF policy against. Consider configuring public IPs instead of unspecified addresses (0.0.0.0 and/or ::) in the "public" listener in mox.conf, or NATIPs in case of NAT.`)
+		}
+
 		dtxt, err := dspfr.Record()
 		if err != nil {
 			addf(&r.SPF.Errors, "Making SPF record for instructions: %s", err)