authorJeremy Harris <jgh146exb@wizmail.org>2018-03-06 12:13:14 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2018-03-07 14:09:18 +0000
commitc4b57fddcae8301f324d2626083c13b2c5e60521 (patch)
tree574047a3bad27546bb527ff4faace82102fe0d8e /src
parentbd5b3f3c47654ba803f2a71daa4b739a2af39467 (diff)
DANE: add dane:fail event
Diffstat (limited to 'src')
-rw-r--r--src/src/transports/smtp.c19
1 files changed, 18 insertions, 1 deletions
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 2d81f3bff..add425326 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1618,6 +1618,9 @@ if (!continue_hostname)
string_sprintf("DANE error: tlsa lookup %s",
rc == DEFER ? "DEFER" : "FAIL"),
rc, FALSE);
+ (void) event_raise(sx->tblock->event_action,
+ US"dane:fail", sx->dane_required
+ ? US"dane-required" : US"dnssec-invalid");
return rc;
}
}
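Review bot: The new `event_raise()` call before `return rc;` is not wrapped in `# ifndef DISABLE_EVENT`, and the same is true of the calls added in the other three hunks. If, as I believe is the case elsewhere in Exim, `event_raise` and the transport's `event_action` field exist only when events are compiled in, a build with DANE enabled and events disabled will not compile. Each call should sit between `# ifndef DISABLE_EVENT` and `# endif`. The enclosing block starts outside the hunk, so the guard placement should be checked against the surrounding preprocessor nesting.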
@@ -1626,6 +1629,8 @@ if (!continue_hostname)
set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER,
string_sprintf("DANE error: %s lookup not DNSSEC", sx->host->name),
FAIL, FALSE);
+ (void) event_raise(sx->tblock->event_action,
+ US"dane:fail", US"dane-required");
return FAIL;
}
}
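Review bot: The `US"dane-required"` data string raised before `return FAIL;` is the same token the first hunk emits when a TLSA lookup fails with `sx->dane_required` set, so an event handler cannot tell "host lookup was not DNSSEC-secured" from "TLSA lookup failed". The first hunk also ignores `rc`, so a DEFER and a FAIL produce identical event data even though the error text distinguishes them. Anyone alerting on DANE failures as a downgrade signal needs that distinction. At minimum document the mapping with a comment such as `/* host lookup not DNSSEC-secured, DANE required */`, and consider a distinct data string per cause. The enclosing condition is outside the hunk.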
@@ -1959,9 +1964,14 @@ if ( smtp_peer_options & OPTION_TLS
if (rc != OK)
{
# ifdef SUPPORT_DANE
- if (sx->dane) log_write(0, LOG_MAIN,
+ if (sx->dane)
+ {
+ log_write(0, LOG_MAIN,
"DANE attempt failed; TLS connection to %s [%s]: %s",
sx->host->name, sx->host->address, errstr);
+ (void) event_raise(sx->tblock->event_action,
+ US"dane:fail", US"validation-failure"); /* could do with better detail */
+ }
# endif
errno = ERRNO_TLSFAILURE;
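Review bot: `US"validation-failure"` is raised for every `rc != OK` on a DANE connection, but nothing visible here limits that branch to certificate or TLSA validation errors, so any TLS start-up failure would presumably be reported the same way. The fourth hunk uses the same string for "an attempt to start TLS failed", which reads like a failure before any validation took place. `errstr` is already in scope and logged here, so the cause is available; until it is carried in the event, a comment such as `/* any TLS startup failure, not only TLSA validation */` would stop handlers from treating the event as proof of a certificate mismatch. If `errstr` is later added to the event data, note that it may contain peer-influenced text that then becomes visible to the event action's expansion.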
@@ -2055,6 +2065,13 @@ else if ( sx->smtps
message = string_sprintf("a TLS session is required, but %s",
smtp_peer_options & OPTION_TLS
? "an attempt to start TLS failed" : "the server did not offer TLS support");
+# ifdef SUPPORT_DANE
+ if (sx->dane)
+ (void) event_raise(sx->tblock->event_action, US"dane:fail",
+ smtp_peer_options & OPTION_TLS
+ ? US"validation-failure" /* could do with better detail */
+ : US"starttls-not-supported");
+# endif
goto TLS_FAILED;
}
#endif /*SUPPORT_TLS*/