
Check MX record hostname validity #358

Merged
merged 9 commits into from
Nov 29, 2023
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## Unreleased
### Fixed
- Invalid hostname specified in MX record bypasses e-mail address revalidation

## [0.14.2] - 2023-10-25
### Fixed
- IRMA session gets stuck in communicating status when user is requested to confirm PIN in `irmaclient`
28 changes: 20 additions & 8 deletions server/keyshare/email.go
@@ -150,21 +150,33 @@ func VerifyMXRecord(email string) error {

host := email[strings.LastIndex(email, "@")+1:]

if records, err := net.LookupMX(host); err != nil || len(records) == 0 {
if err != nil {
if derr, ok := err.(*net.DNSError); ok && (derr.IsTemporary || derr.IsTimeout) {
// When DNS is not resolving or there is no active network connection
server.Logger.WithField("error", err).Error("No active network connection")
return ErrNoNetwork
}
records, err := net.LookupMX(host)

if err != nil || len(records) == 0 {
if derr, ok := err.(*net.DNSError); ok && (derr.IsTemporary || derr.IsTimeout) {
// When DNS is not resolving or there is no active network connection
server.Logger.WithField("error", err).Error("No active network connection")
return ErrNoNetwork
}

// Check if there is a valid A or AAAA record which is used as fallback by mailservers
// when there are no MX records present
if records, err := net.LookupIP(host); err != nil || len(records) == 0 {
return ErrInvalidEmailDomain
}
return nil
}

invalidHosts := 0
for _, h := range records {
// Check if host specified at MX record valid
if addr, err := net.LookupHost(h.Host); err != nil || len(addr) == 0 {
invalidHosts++
}
}

if invalidHosts >= len(records) {
return ErrInvalidEmailDomain
}
ivard marked this conversation as resolved.

return nil
}
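Review bot: The new loop over `records` counts every `net.LookupHost` failure as an invalid host, so a resolver timeout or other temporary DNS error during these lookups ends in `ErrInvalidEmailDomain` instead of `ErrNoNetwork`, unlike the `LookupMX` branch a few lines above. If callers act on `ErrInvalidEmailDomain` during revalidation (the changelog entry suggests they do), a transient outage could get a working address treated as invalid. The loop should check for a `*net.DNSError` with `IsTemporary` or `IsTimeout` before incrementing `invalidHosts`, as sketched below. The lookups also run without a context or deadline on names taken from the domain's own MX records, so a bound on their number or duration is worth considering. `VerifyMXRecord` starts above the hunk, so the earlier validation of `email` is not visible here.

```go
	for _, h := range records {
		addr, err := net.LookupHost(h.Host)
		if derr, ok := err.(*net.DNSError); ok && (derr.IsTemporary || derr.IsTimeout) {
			// A temporary resolver failure says nothing about the MX host itself
			server.Logger.WithField("error", err).Error("No active network connection")
			return ErrNoNetwork
		}
		if err != nil || len(addr) == 0 {
			invalidHosts++
		}
	}
	// … unchanged: invalidHosts >= len(records) check and final return …
```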