feat(domains): surface autodiscovery SRV records (RFC 6186)

Mail clients could never autoconfigure: Stalwart's zone file contains the
_imaps/_submissions/_pop3s SRV records but classify() dropped everything
except mx/spf/dkim/dmarc, so customers never saw them and every client
needed manual server entry. New 'autodiscovery' record kind: classified
from the zone (only the services actually reachable in prod — the
_jmap/_caldavs SRVs target :443 which Traefik owns, deferred to the
webmail story), verified via resolveSrv (missing=bad, wrong target=warn),
shown as an OPTIONAL slot on the portal Domains page that never gates the
domain status or the records-to-fix nag.

Also fixed on the live server via management JMAP (x:SystemSettings):
hostname was the machine name node1.dezky.eu from the v0.16 auto-bootstrap
— MX/SRV targets and the SMTP banner now say mail.dezky.eu, and the LE
x:Certificate is set as defaultCertificateId.
Ronni Baslund
2026-06-10 22:11:34 +02:00
parent e77a963390
commit f6bac10ff3
5 changed files with 57 additions and 8 deletions
@@ -42,11 +42,36 @@ export class DnsVerifierService {
return this.checkDkim(record.fqdn, record.expected)
case 'dmarc':
return this.checkDmarc(domain)
case 'autodiscovery':
return this.checkSrv(record.fqdn, record.expected)
default:
return { status: 'pending' }
}
}
// Autodiscovery SRV (RFC 6186): the record must exist and point at our mail
// host on the expected port. expected is the zone's RDATA, e.g.
// "0 1 993 mail.dezky.eu." — we compare target + port and ignore
// priority/weight (any values route fine for a single host).
private async checkSrv(fqdn: string, expected: string): Promise<CheckResult> {
const parts = expected.trim().split(/\s+/)
const expPort = Number(parts[2])
const expTarget = (parts[3] ?? '').replace(/\.$/, '').toLowerCase()
let srvs: { name: string; port: number }[]
try {
srvs = await this.resolver.resolveSrv(fqdn)
} catch {
return { status: 'bad' }
}
if (!srvs.length) return { status: 'bad' }
const hit = srvs.find(
(r) => r.port === expPort && r.name.replace(/\.$/, '').toLowerCase() === expTarget,
)
const observed = srvs.map((r) => `${r.port} ${r.name}`).join(', ')
// Present-but-wrong gets warn (client will try a bad endpoint), missing is bad.
return hit ? { observed, status: 'ok' } : { observed, status: 'warn' }
}
// Resolve TXT, joining each record's character-strings into one value.
private async txt(fqdn: string): Promise<string[]> {
try {
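Review bot: The port/target parse at the top of checkSrv never validates its result, so a malformed `expected` (missing field, non-numeric port) yields `expPort = NaN` or an empty target, `find` can never match, and every published record is reported as `warn` instead of the check being flagged as unusable. The catch also maps every resolver failure to `bad`, so a timeout or SERVFAIL during verification is indistinguishable from an absent record; node's dns errors carry a `code`, and only a definitive negative (`ENODATA`/`ENOTFOUND`) should be `bad`. Both changes are sketched below; whether `pending` is the right status for "could not check" depends on how the other check* helpers (outside this hunk) treat transient failures. checkSrv is fully inside the hunk, but the switch above it belongs to a method that starts outside it.
```typescript
private async checkSrv(fqdn: string, expected: string): Promise<CheckResult> {
  const [, , portStr, rawTarget = ''] = expected.trim().split(/\s+/)
  const expPort = Number(portStr)
  const expTarget = rawTarget.replace(/\.$/, '').toLowerCase()
  // A malformed zone RDATA would otherwise make every published record compare unequal.
  if (!Number.isInteger(expPort) || expPort < 1 || expPort > 65535 || !expTarget) {
    return { status: 'pending' }
  }
  let srvs: { name: string; port: number }[]
  try {
    srvs = await this.resolver.resolveSrv(fqdn)
  } catch (e: unknown) {
    // Only a definitive negative answer means the record is absent; a timeout
    // or SERVFAIL is "unknown", not "bad".
    const code = e instanceof Error && 'code' in e ? (e as { code?: string }).code : undefined
    return code === 'ENODATA' || code === 'ENOTFOUND' ? { status: 'bad' } : { status: 'pending' }
  }
  // … unchanged: match, observed string, ok/warn result …
}
```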
@@ -28,8 +28,9 @@ import { Tenant, TenantDocument } from '../schemas/tenant.schema.js'
import { User, UserDocument } from '../schemas/user.schema.js'
import { DnsVerifierService } from './dns-verifier.service.js'
// The four status slots the customer-admin Domains page renders, plus ownership.
const CHECK_KINDS: RecordKind[] = ['ownership', 'mx', 'spf', 'dkim', 'dmarc']
// The status slots the customer-admin Domains page renders: ownership + the
// four required mail kinds + the optional autodiscovery SRVs.
const CHECK_KINDS: RecordKind[] = ['ownership', 'mx', 'spf', 'dkim', 'dmarc', 'autodiscovery']
// Minimal tenant identity the service needs — the controller resolves the full
// doc for its membership gate and hands us this.
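Review bot: Adding `'autodiscovery'` to CHECK_KINDS makes it indistinguishable from the required kinds at this level, even though the comment above the line calls it optional; nothing here tells the status aggregation (not in this hunk) to skip it, so the "never gates the domain status" guarantee rests on a special case elsewhere. Making the distinction explicit next to the list keeps the two from drifting, e.g. `const OPTIONAL_KINDS: ReadonlySet<RecordKind> = new Set(['autodiscovery'])` with the aggregation filtering on it. Declaring the list `readonly RecordKind[]` would also stop accidental mutation of the module-level constant.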
@@ -432,6 +433,12 @@ function classify(z: StalwartZoneRecord, domain: string): RecordKind | null {
if (z.type === 'TXT' && z.fqdn === domain && /^v=spf1\b/i.test(z.value)) return 'spf'
if (z.type === 'TXT' && z.fqdn.endsWith(`._domainkey.${domain}`)) return 'dkim'
if (z.type === 'TXT' && z.fqdn === `_dmarc.${domain}` && /^v=DMARC1\b/i.test(z.value)) return 'dmarc'
// RFC 6186 client autodiscovery. Only the services that are actually
// reachable in production: IMAPS 993, SMTP submission 465, POP3S 995.
// The zone also offers _jmap/_caldavs/_carddavs SRVs targeting :443 —
// that port belongs to Traefik on the node, not Stalwart, so publishing
// them would advertise endpoints that 404. Revisit with the webmail story.
if (z.type === 'SRV' && /^_(imaps|submissions|pop3s)\._tcp\./.test(z.fqdn)) return 'autodiscovery'
return null
}
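Review bot: The SRV rule on the last added line only checks the `_<svc>._tcp.` prefix of `z.fqdn` and never anchors it to `domain`, unlike the mx/spf/dkim/dmarc rules above it, which compare against `domain` or a `._domainkey.`/`_dmarc.` name built from it. If the zone handed to classify can hold records for more than the one domain (a subdomain's `_imaps._tcp.sub.<domain>`, for instance), those would be classified as this domain's autodiscovery records and then verified as if they belonged to it. Anchoring keeps the rule consistent with its neighbours: `if (z.type === 'SRV' && ['imaps', 'submissions', 'pop3s'].some((s) => z.fqdn === '_' + s + '._tcp.' + domain)) return 'autodiscovery'`. classify's signature is outside the hunk; only the tail of its body is shown.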
@@ -15,8 +15,11 @@ export type DomainStatus = 'pending' | 'verifying' | 'active' | 'error'
export type RecordStatus = 'ok' | 'warn' | 'bad' | 'pending'
// Which DNS concern a record belongs to. `ownership` is the one-time TXT proving
// the customer controls the domain; the other four map to the UI's status slots.
export type RecordKind = 'ownership' | 'mx' | 'spf' | 'dkim' | 'dmarc'
// the customer controls the domain; mx/spf/dkim/dmarc map to the UI's required
// status slots. `autodiscovery` carries the optional SRV records (RFC 6186)
// that let mail clients configure themselves from just an email address — it
// never gates the domain's overall status.
export type RecordKind = 'ownership' | 'mx' | 'spf' | 'dkim' | 'dmarc' | 'autodiscovery'
export type DmarcPolicy = 'none' | 'quarantine' | 'reject'