Fix no_tls_hosts related docs & tests (#3404)

- Add tests for `no_tls_hosts` config entry - Improve docs for `no_tls_hosts` so that it's less surprising
haraka · Sep 17, 2024 · 1dc98f4 · 1dc98f4
1 parent 72c902d
commit 1dc98f4
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 4 deletions.
diff --git a/Changes.md b/Changes.md
@@ -4,6 +4,8 @@
 #### Changed
 
 - removed dependency on ldap plugins #3399
+- doc(tls.md): add note for no_tls_hosts for outbound
+- test(tls): add tests for no_tls_hosts for inbound & outbound
 
 
 ### [3.0.4] - 2024-08-21

diff --git a/config/tls.ini b/config/tls.ini
@@ -77,5 +77,7 @@
 ; key=tls_key.pem
 ; cert=tls_cert.pem
 ; dhparam=dhparams.pem
+; no_tls_hosts[]=127.0.0.1
+; no_tls_hosts[]=192.168.1.1
 
 ; and other options from [main] section above
diff --git a/docs/plugins/tls.md b/docs/plugins/tls.md
@@ -109,6 +109,14 @@ If needed, add this section to the `config/tls.ini` file and list any IP ranges
 172.16.0.0/16
 ```
 
+Note: `[no_tls_hosts]` section applies to inbound only. For outbound mail, this feature is implemented as an array like `force_tls_hosts`:
+
+```ini
+[outbound]
+no_tls_hosts[]=192.168.1.3
+no_tls_hosts[]=172.16.0.0/16
+```
+
 The [Node.js TLS](http://nodejs.org/api/tls.html) page has additional information about the following options.
 
 ### no_starttls_ports

diff --git a/test/config/tls.ini b/test/config/tls.ini
@@ -26,8 +26,8 @@ no_starttls_ports[]=2525
 
 ; no_tls_hosts - disable TLS for servers with broken TLS.
 [no_tls_hosts]
-; 127.0.0.1
-; 192.168.1.1
+192.168.1.1
+172.16.0.0/16
 ; 172.16.0.0/16
 
 [outbound]
@@ -41,3 +41,5 @@ requestCert=false
 honorCipherOrder=false
 force_tls_hosts[]=first.example.com
 force_tls_hosts[]=second.example.net
+no_tls_hosts[]=127.0.0.2
+no_tls_hosts[]=192.168.31.1/24
diff --git a/test/outbound/index.js b/test/outbound/index.js
@@ -109,7 +109,7 @@ describe('outbound', () => {
                 requestCert: false,
                 honorCipherOrder: false,
                 redis: { disable_for_failed_hosts: false },
-                no_tls_hosts: [],
+                no_tls_hosts: ['127.0.0.2', '192.168.31.1/24'],
                 force_tls_hosts: ['first.example.com', 'second.example.net']
             })
         })

diff --git a/test/tls_socket.js b/test/tls_socket.js
@@ -152,7 +152,10 @@ describe('tls_socket', () => {
                     no_starttls_ports: [2525],
                 },
                 redis: { disable_for_failed_hosts: false },
-                no_tls_hosts: {},
+                no_tls_hosts: {
+                    '192.168.1.1': undefined,
+                    '172.16.0.0/16': undefined,
+                },
                 mutual_auth_hosts: {},
                 mutual_auth_hosts_exclude: {},
                 outbound: {
@@ -165,6 +168,7 @@ describe('tls_socket', () => {
                     requestCert: false,
                     honorCipherOrder: false,
                     force_tls_hosts: ['first.example.com', 'second.example.net'],
+                    no_tls_hosts: ['127.0.0.2', '192.168.31.1/24'],
                 }
             })
         })