Status Checks Change Notice -- Error Handling

Just a heads up for the devs here:

As reported in another thread, I have been having some error messages in my MIAB status page about not having MTA-STS policies on the domains my MIAB was handling. Before I had finished setting up the MTA-STS policies [which took a day or two, as I was working on other stuff too] I received a few of the ‘Status Checks Change Notice’ emails. However, in those emails, the errors themselves were mostly obscured by a Python exception traceback:

Exception in callback None()
handle: <Handle cancelled>
Traceback (most recent call last):
  File "/usr/lib/python3.6/asyncio/events.py", line 145, in _run
    self._callback(*self._args)
  File "/usr/lib/python3.6/asyncio/selector_events.py", line 721, in _read_ready
    self._protocol.data_received(data)
  File "/usr/lib/python3.6/asyncio/sslproto.py", line 505, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/lib/python3.6/asyncio/sslproto.py", line 201, in feed_ssldata
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 694, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/local/lib/mailinabox/env/lib/python3.6/site-packages/idna_ssl.py", line 19, in patched_match_hostname
    return real_match_hostname(cert, hostname)
  File "/usr/lib/python3.6/ssl.py", line 327, in match_hostname
    % (hostname, ', '.join(map(repr, dnsnames))))
ssl.CertificateError: hostname 'mta-sts.domain01.com' doesn't match either of 'maindomain.com', 'mta-sts.maindomain.com', 'www.maindomain.com'
Exception in callback None()
handle: <Handle cancelled>
Traceback (most recent call last):
  File "/usr/lib/python3.6/asyncio/events.py", line 145, in _run
    self._callback(*self._args)
  File "/usr/lib/python3.6/asyncio/selector_events.py", line 721, in _read_ready
    self._protocol.data_received(data)
  File "/usr/lib/python3.6/asyncio/sslproto.py", line 505, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/lib/python3.6/asyncio/sslproto.py", line 201, in feed_ssldata
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 694, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/local/lib/mailinabox/env/lib/python3.6/site-packages/idna_ssl.py", line 19, in patched_match_hostname
    return real_match_hostname(cert, hostname)
  File "/usr/lib/python3.6/ssl.py", line 327, in match_hostname
    % (hostname, ', '.join(map(repr, dnsnames))))
ssl.CertificateError: hostname 'mta-sts.domain02.com' doesn't match either of 'maindomain.com', 'mta-sts.maindomain.com', 'www.maindomain.com'
STS policy fetch for domain 'domain02.com' failed with error: Cannot connect to host mta-sts.domain02.com:443 ssl:True [CertificateError: ("hostname 'mta-sts.domain02.com' doesn't match either of 'maindomain.com', 'mta-sts.maindomain.com', 'www.maindomain.com'",)]
STS policy fetch for domain 'domain01.com' failed with error: Cannot connect to host mta-sts.domain01.com:443 ssl:True [CertificateError: ("hostname 'mta-sts.domain01.com' doesn't match either of 'maindomain.com', 'mta-sts.maindomain.com', 'www.maindomain.com'",)]
Exception in callback None()
handle: <Handle cancelled>
Traceback (most recent call last):
  File "/usr/lib/python3.6/asyncio/events.py", line 145, in _run
    self._callback(*self._args)
  File "/usr/lib/python3.6/asyncio/selector_events.py", line 721, in _read_ready
    self._protocol.data_received(data)
  File "/usr/lib/python3.6/asyncio/sslproto.py", line 505, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/lib/python3.6/asyncio/sslproto.py", line 201, in feed_ssldata
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 694, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/local/lib/mailinabox/env/lib/python3.6/site-packages/idna_ssl.py", line 19, in patched_match_hostname
    return real_match_hostname(cert, hostname)
  File "/usr/lib/python3.6/ssl.py", line 327, in match_hostname
    % (hostname, ', '.join(map(repr, dnsnames))))
ssl.CertificateError: hostname 'mta-sts.domain03.com' doesn't match either of 'maindomain.com', 'mta-sts.maindomain.com', 'www.maindomain.com'
STS policy fetch for domain 'domain03.com' failed with error: Cannot connect to host mta-sts.domain03.com:443 ssl:True [CertificateError: ("hostname 'mta-sts.domain03.com' doesn't match either of 'maindomain.com', 'mta-sts.maindomain.com', 'www.maindomain.com'",)]
Exception in callback None()
handle: <Handle cancelled>
Traceback (most recent call last):
  File "/usr/lib/python3.6/asyncio/events.py", line 145, in _run
    self._callback(*self._args)
  File "/usr/lib/python3.6/asyncio/selector_events.py", line 721, in _read_ready
    self._protocol.data_received(data)
  File "/usr/lib/python3.6/asyncio/sslproto.py", line 505, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/lib/python3.6/asyncio/sslproto.py", line 201, in feed_ssldata
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 694, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/local/lib/mailinabox/env/lib/python3.6/site-packages/idna_ssl.py", line 19, in patched_match_hostname
    return real_match_hostname(cert, hostname)
  File "/usr/lib/python3.6/ssl.py", line 327, in match_hostname
    % (hostname, ', '.join(map(repr, dnsnames))))
ssl.CertificateError: hostname 'mta-sts.domain04.com' doesn't match either of 'maindomain.com', 'mta-sts.maindomain.com', 'www.maindomain.com'
STS policy fetch for domain 'domain04.com' failed with error: Cannot connect to host mta-sts.domain04.com:443 ssl:True [CertificateError: ("hostname 'mta-sts.domain04.com' doesn't match either of 'maindomain.com', 'mta-sts.maindomain.com', 'www.maindomain.com'",)]

System -- Previously:
=====================
✖  There are 2 software packages that can be updated.
   [1 standard security update] ()
   libmysqlclient20 (5.7.38-0ubuntu0.18.04.1)

System -- Currently:
====================
✓  System software is up to date.

maindomain.com -- Previously:
=============================
✖  This domain's DNS MX record is incorrect. It is currently set to '1 ASPMX.L.GOOGLE.COM; 10 ALT3.ASPMX.L.GOOGLE.COM; 10 ALT4.ASPMX.L.GOOGLE.COM; 5 ALT1.ASPMX.L.GOOGLE.COM; 5 ALT2.ASPMX.L.GOOGLE.COM' but should be '10 post.maindomain.com'. Mail will not be delivered to this box. It may take several hours for public DNS to update after a change. This problem may result from other issues listed here.

maindomain.com -- Currently:
============================
✓  Domain's email is directed to this domain. [maindomain.com ↦ 10 post.maindomain.com]
✖  MTA-STS policy is present but has unexpected settings. [{'mx': ['post.maindomain.com'], 'version': 'STSv1', 'mode': 'testing', 'max_age': 86400}]

Compare to the much more reader-friendly Status Checks Change Notice email I got this morning after finishing my MTA-STS setup on all my other domains [albeit, as per that other thread, still getting an ‘unexpected content’ error]:

System -- Previously:
=====================
✓  System software is up to date.

System -- Currently:
====================
✖  There are 8 software packages that can be updated.
   [7 standard security updates] ()
   sqlite3 (3.22.0-1ubuntu0.5)
   libsqlite3-0 (3.22.0-1ubuntu0.5)
   libssl-dev (1.1.1-1ubuntu2.1~18.04.17)
   libssl1.1 (1.1.1-1ubuntu2.1~18.04.17)
   networkd-dispatcher (1.7-0ubuntu3.5)
   openssl (1.1.1-1ubuntu2.1~18.04.17)
   libssl1.0.0 (1.0.2n-1ubuntu5.9)

domain01.com -- Previously:
===========================
✖  MTA-STS policy is missing: STSFetchResult.FETCH_ERROR

domain01.com -- Currently:
==========================
✖  MTA-STS policy is present but has unexpected settings. [{'mx': ['post.maindomain.com'], 'version': 'STSv1', 'mode': 'testing', 'max_age': 86400}]

domain02.com -- Previously:
===========================
✖  MTA-STS policy is missing: STSFetchResult.FETCH_ERROR

domain02.com -- Currently:
==========================
✖  MTA-STS policy is present but has unexpected settings. [{'mx': ['post.maindomain.com'], 'version': 'STSv1', 'mode': 'testing', 'max_age': 86400}]

domain03.com -- Previously:
===========================
✖  MTA-STS policy is missing: STSFetchResult.FETCH_ERROR

domain03.com -- Currently:
==========================
✖  MTA-STS policy is present but has unexpected settings. [{'mx': ['post.maindomain.com'], 'version': 'STSv1', 'mode': 'testing', 'max_age': 86400}]

domain04.com -- Previously:
===========================
✖  MTA-STS policy is missing: STSFetchResult.FETCH_ERROR

domain04.com -- Currently:
==========================
✖  MTA-STS policy is present but has unexpected settings. [{'mx': ['post.maindomain.com'], 'version': 'STSv1', 'mode': 'testing', 'max_age': 86400}]

So, obviously, in the first example, where I had the MTA-STS records set in my DNS but hadn’t yet completed the full setup [subdomains not set up yet, hence no policy doc, no SSL cert in place yet], the setup was so incomplete/broken that it actually caused an exception in the Python reporting script itself, which wasn’t handled very gracefully.
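As an added example, not code from the post above or from Mail-in-a-Box, here is how a status check can fetch and parse an MTA-STS policy (RFC 8461) and turn the certificate mismatch on mta-sts.<domain> into a one-line FETCH_ERROR for that domain, rather than letting the exception escape into the report. It uses the standard-library urllib fetcher instead of the asyncio stack seen in the traceback, and the fetcher is injectable so the block runs offline. Everything `constructed_fetch` answers (the domain05.com host, the policy bodies, the certificate names) is made up for the demo, and the expectation in `check_policy` that a correct policy is `mode: enforce` with the box hostname listed as `mx` is this example's assumption, not necessarily the rule the real MIAB check applies.

```python
"""Added example (not Mail-in-a-Box code): fetch, parse and check an MTA-STS policy
(RFC 8461) so a bad certificate on mta-sts.<domain> becomes a one-line FETCH_ERROR."""
import enum
import ssl
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

Policy = Dict[str, Any]


class FetchResult(enum.Enum):
    OK = "OK"
    FETCH_ERROR = "FETCH_ERROR"   # DNS, TCP, TLS or HTTP failure
    INVALID = "INVALID"           # fetched, but not a well-formed STSv1 policy


def parse_mta_sts_policy(text: str) -> Policy:
    """Parse the 'key: value' body of /.well-known/mta-sts.txt ('mx' may repeat;
    unknown keys are ignored).  Raises ValueError for a policy this checker rejects."""
    policy: Policy = {"mx": []}
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line {raw!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)          # ValueError if not numeric
        elif key in ("version", "mode"):
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("version must be STSv1 and mode one of enforce/testing/none")
    if "max_age" not in policy or (not policy["mx"] and policy["mode"] != "none"):
        raise ValueError("max_age and (unless mode is none) at least one mx are required")
    return policy


def check_policy(policy: Policy, expected_mx: str, expected_mode: str = "enforce") -> List[str]:
    """Settings that differ from what the box expects.  This example assumes
    mode=enforce and the box hostname listed as mx; MIAB's own rule may differ."""
    problems = []
    if policy["mode"] != expected_mode:
        problems.append(f"mode is {policy['mode']!r}, expected {expected_mode!r}")
    if expected_mx.lower() not in policy["mx"]:     # exact match; '*.' patterns not handled here
        problems.append(f"mx {policy['mx']} does not list {expected_mx!r}")
    return problems


def https_get(url: str) -> str:
    """Real fetcher: urlopen verifies the chain and the hostname by default."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def fetch_policy(domain: str, fetch: Callable[[str], str] = https_get
                 ) -> Tuple[FetchResult, Optional[Policy], str]:
    """Fetch and parse one domain's policy; never raises for a broken host."""
    url = f"https://mta-sts.{domain}/.well-known/mta-sts.txt"
    try:
        body = fetch(url)
    except ssl.CertificateError as exc:             # the failure seen in the post
        reason = exc.args[0] if exc.args else exc
        return FetchResult.FETCH_ERROR, None, f"certificate for mta-sts.{domain} rejected: {reason}"
    except OSError as exc:                          # URLError, DNS and socket errors
        return FetchResult.FETCH_ERROR, None, f"cannot fetch {url}: {exc}"
    try:
        return FetchResult.OK, parse_mta_sts_policy(body), ""
    except ValueError as exc:
        return FetchResult.INVALID, None, f"{url}: {exc}"


def status_line(domain: str, expected_mx: str, fetch: Callable[[str], str] = https_get) -> str:
    """One report line per domain, in the style of the status-check email."""
    result, policy, error = fetch_policy(domain, fetch)
    if result is not FetchResult.OK:
        return f"\u2716  MTA-STS policy is missing: {result.name} ({error})"
    problems = check_policy(policy, expected_mx)
    if problems:
        return f"\u2716  MTA-STS policy is present but has unexpected settings: {'; '.join(problems)}"
    return f"\u2713  MTA-STS policy is present and correct. [{policy}]"


def constructed_fetch(url: str) -> str:
    """Constructed offline stand-in for the network (made-up hosts and bodies)."""
    host = url.split("/")[2]
    if host == "mta-sts.maindomain.com":            # served, but still in testing mode
        return "version: STSv1\r\nmode: testing\r\nmx: post.maindomain.com\r\nmax_age: 86400\r\n"
    if host == "mta-sts.domain05.com":              # a finished setup (assumed)
        return "version: STSv1\nmode: enforce\nmx: post.maindomain.com\nmax_age: 604800\n"
    raise ssl.CertificateError(f"hostname '{host}' doesn't match either of "
                               "'maindomain.com', 'mta-sts.maindomain.com', 'www.maindomain.com'")


if __name__ == "__main__":
    for d in ("maindomain.com", "domain01.com", "domain05.com"):
        print(d, status_line(d, "post.maindomain.com", constructed_fetch))
```

The point is the shape of `fetch_policy`: each domain's fetch is wrapped so that a certificate error, a connection failure and an unparseable body each come back as a result value with a reason string, and the loop over domains can keep going and print one line per domain. A checker that awaits the fetches on an event loop needs the same discipline inside each task, because an exception that escapes a callback is what produces the "Exception in callback" blocks in the email.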
