Ensure we also pin ISRG X2 in TLSA

2025-05-31 23:10:01 +02:00 · 2024-03-11 10:21:54 +01:00 · 2024-03-11 10:21:54 +01:00 · 7089cfea48
commit 7089cfea48
parent d76e543b2d
4 changed files with 18 additions and 9 deletions
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@ -281,9 +281,14 @@ class Domain(Base):
    def dns_tlsa(self):
        """ return TLSA record for domain when using letsencrypt """
        hostname = app.config['HOSTNAME']
-        if app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
-            # current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902
-            return f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3'
+        if True:# app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
+            return [
+                # current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902
+                f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3',
+                # current ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2) @20240311
+                f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 762195c225586ee6c0237456e2107dc54f1efc21f61a792ebd515913cce68332',
+            ]
+        return []

    @property
    def dkim_key(self):
--- a/core/admin/mailu/ui/templates/domain/details.html
+++ b/core/admin/mailu/ui/templates/domain/details.html
@ -48,11 +48,14 @@
  </td>
 </tr>
 {%- endif %}
-{%- set tlsa_record=domain.dns_tlsa %}
-{%- if tlsa_record %}
+{%- if domain.dns_tlsa|length > 0 %}
 <tr>
-  <th>{% trans %}DNS TLSA entry{% endtrans %}</br><span class="text-secondary text-xs font-weight-normal">Let's Encrypt</br>ISRG Root X1</span></th>
-  <td>{{ macros.clip("dns_tlsa") }}<pre id="dns_tlsa" class="pre-config border bg-light">{{ tlsa_record }}</pre></td>
+  <th>{% trans %}DNS TLSA entry{% endtrans %}</br><span class="text-secondary text-xs font-weight-normal">Let's Encrypt ISRG Roots</span></th>
+  <td>{{ macros.clip("dns_tlsa") }}<pre id="dns_tlsa" class="pre-config border bg-light">
+{%- for line in domain.dns_tlsa %}
+{{ line }}
+{%- endfor -%}
+  </pre></td>
 </tr>
 {%- endif %}
 <tr>
--- a/core/admin/mailu/ui/views/domains.py
+++ b/core/admin/mailu/ui/views/domains.py
@ -81,8 +81,8 @@ def domain_download_zonefile(domain_name):
        txt = ' '.join(f'"{txt[p:p+250]}"' for p in range(0, len(txt), 250))
        res.append(f'{record} {txt}')
        res.append(domain.dns_dmarc)
-    if domain.dns_tlsa:
-        res.append(domain.dns_tlsa)
+    for tlsa in domain.dns_tlsa:
+        res.append(tlsa)
    res.extend(domain.dns_autoconfig)
    res.append("")
    return flask.Response(
--- a/towncrier/newsfragments/3191.feature
+++ b/towncrier/newsfragments/3191.feature
@ -0,0 +1 @@
+Ensure that we encourage users to also pin ISRG X2 in their TLSA records
				`@ -0,0 +1 @@`
				`Ensure that we encourage users to also pin ISRG X2 in their TLSA records`