git://git.exim.org
/
exim.git
Fix DANE for multiple-MX when all TLSA lookup defer. Bug 1634
author
Jeremy Harris
<jgh146exb@wizmail.org>
Thu, 21 May 2015 22:22:16 +0000
(23:22 +0100)
committer
Jeremy Harris
<jgh146exb@wizmail.org>
Thu, 21 May 2015 22:30:57 +0000
(23:30 +0100)
src/src/dns.c
src/src/transports/smtp.c
test/dnszones-src/db.test.ex
test/log/5840
test/scripts/5840-DANE-OpenSSL/5840
diff --git
a/src/src/dns.c
b/src/src/dns.c
index 6358eada683849b5ecd314bd15077ba42c912a4a..4ca349cd118546cfb6177dc6e2b1967f8811bd3e 100644
--- a/
src/src/dns.c
+++ b/
src/src/dns.c
@@
-137,7
+137,7
@@
if (stat(CS utilname, &statbuf) >= 0)
}
else
{
}
else
{
-
DEBUG(D_dns) debug_printf("fakens (%s) not found\n", utilname);
+ DEBUG(D_dns) debug_printf("fakens (%s) not found\n", utilname);
}
/* fakens utility not found, or it returned "pass on" */
}
/* fakens utility not found, or it returned "pass on" */
diff --git
a/src/src/transports/smtp.c
b/src/src/transports/smtp.c
index 986fcee6fd0b883396a35cb9bdafed084b7a19e3..477e7b3bf4ce0492a1dc2fd271ebfec876131f04 100644
--- a/
src/src/transports/smtp.c
+++ b/
src/src/transports/smtp.c
@@
-1468,12
+1468,20
@@
if (continue_hostname == NULL)
)
&& (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK
)
)
&& (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK
)
- return rc;
+ {
+ set_errno(addrlist, ERRNO_DNSDEFER,
+ string_sprintf("DANE error: tlsa lookup %s",
+ rc == DEFER ? "DEFER" : "FAIL"),
+ rc, FALSE, NULL);
+ return rc;
+ }
}
else if (dane_required)
{
}
else if (dane_required)
{
- log_write(0, LOG_MAIN, "DANE error: %s lookup not DNSSEC", host->name);
- return FAIL;
+ set_errno(addrlist, ERRNO_DNSDEFER,
+ string_sprintf("DANE error: %s lookup not DNSSEC", host->name),
+ FAIL, FALSE, NULL);
+ return FAIL;
}
if (dane)
}
if (dane)
@@
-3690,16
+3698,12
@@
for (cutoff_retry = 0; expired &&
case, see if any of them are deferred. */
if (rc == OK)
case, see if any of them are deferred. */
if (rc == OK)
- {
- for (addr = addrlist; addr != NULL; addr = addr->next)
- {
+ for (addr = addrlist; addr; addr = addr->next)
if (addr->transport_return == DEFER)
{
some_deferred = TRUE;
break;
}
if (addr->transport_return == DEFER)
{
some_deferred = TRUE;
break;
}
- }
- }
/* If no addresses deferred or the result was ERROR, return. We do this for
ERROR because a failing filter set-up or add_headers expansion is likely to
/* If no addresses deferred or the result was ERROR, return. We do this for
ERROR because a failing filter set-up or add_headers expansion is likely to
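Review bot: In the `else if (dane_required)` branch of the first smtp.c hunk the address is marked `ERRNO_DNSDEFER` while the code returns `FAIL`, so the stored errno says "DNS deferral" for what the message describes as a non-DNSSEC answer on a DANE-required host; the first branch does the same when `rc` is FAIL. If retry rules or log consumers key on that errno, a DANE policy failure could be handled like a transient DNS problem, so a dedicated code or at least a comment such as `/* no DANE-specific errno; ERRNO_DNSDEFER reused for FAIL as well */` would make the intent explicit. This branch also lost its direct `log_write(0, LOG_MAIN, ...)`, and the 5840 case added in this commit exercises only the TLSA-defer path, so it is worth confirming (ideally with a test) that the "lookup not DNSSEC" message still reaches the main log. The enclosing blocks of both branches start and end outside the hunk.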
diff --git
a/test/dnszones-src/db.test.ex
b/test/dnszones-src/db.test.ex
index 4acadce4d114c18d97914ceeb4cace3b11c361a2..09e84fee04681f629597331820445a410d44a7ff 100644
--- a/
test/dnszones-src/db.test.ex
+++ b/
test/dnszones-src/db.test.ex
@@
-414,19
+414,31
@@
AA a-aa A V4NET.0.0.100
; ------- Testing DANE ------------
; full suite dns chain, sha512
; ------- Testing DANE ------------
; full suite dns chain, sha512
-DNSSEC mxdane512ee MX 1 dane512ee
.
-DNSSEC dane512ee A
HOSTIPV4
+DNSSEC mxdane512ee MX 1 dane512ee
+DNSSEC dane512ee A HOSTIPV4
DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d
; A-only, sha256
DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d
; A-only, sha256
-DNSSEC dane256ee A
HOSTIPV4
+DNSSEC dane256ee A HOSTIPV4
DNSSEC _1225._tcp.dane256ee TLSA 3 1 1 2bb55f418bb03411a5007cecbfcd3ec1c94404312c0d53a44bb2166b32654db3
; full MX, sha256, TA-mode
DNSSEC _1225._tcp.dane256ee TLSA 3 1 1 2bb55f418bb03411a5007cecbfcd3ec1c94404312c0d53a44bb2166b32654db3
; full MX, sha256, TA-mode
-DNSSEC mxdane256ta MX 1 dane256ta
.
-DNSSEC dane256ta A
HOSTIPV4
+DNSSEC mxdane256ta MX 1 dane256ta
+DNSSEC dane256ta A HOSTIPV4
DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 b2c6f27f2d16390b4f71cacc69742bf610d750534fab240516c0f2deb4042ad4
DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 b2c6f27f2d16390b4f71cacc69742bf610d750534fab240516c0f2deb4042ad4
+; ------- Testing DANE ------------
+
+; full suite dns chain, sha512
+DNSSEC mxdanelazy MX 1 danelazy
+DNSSEC mxdanelazy MX 2 danelazy2
+
+DNSSEC danelazy A HOSTIPV4
+DNSSEC danelazy2 A 127.0.0.1
+
+DNSSEC _1225._tcp.danelazy CNAME test.again.dns.
+DNSSEC _1225._tcp.danelazy2 CNAME test.again.dns.
+
; ------- Testing delays ------------
DELAY=500 delay500 A HOSTIPV4
; ------- Testing delays ------------
DELAY=500 delay500 A HOSTIPV4
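Review bot: The comments added above the `mxdanelazy` records repeat the `; ------- Testing DANE ------------` heading and the `; full suite dns chain, sha512` description from the earlier block, but these records carry no TLSA data at all: both `_1225._tcp` names are CNAMEs to `test.again.dns.`, which presumably makes the fake resolver return a temporary failure. A comment such as `; two MXs whose TLSA lookups both defer (Bug 1634)` would describe what the records are for. The same copy-paste applies to `# TLSA (3 1 2)` in the new case in test/scripts/5840-DANE-OpenSSL/5840, where no TLSA record is served.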
diff --git
a/test/log/5840
b/test/log/5840
index 24d6e89e27e91265c2c9b6b268c741a0e374b609..30bed39fcf65dead5015b1f2d58c2377220d2392 100644
--- a/
test/log/5840
+++ b/
test/log/5840
@@
-23,6
+23,12
@@
1999-03-02 09:44:33 10HmbF-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmbF-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdanelazy.test.ex
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy.test.ex [ip4.ip4.ip4.ip4]: DANE error: tlsa lookup DEFER
+1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER
+1999-03-02 09:44:33 10HmbH-0005vi-00 == CALLER@mxdanelazy.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
@@
-44,3
+50,4
@@
1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex for CALLER@thishost.test.ex
1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: <CALLER@thishost.test.ex> R=server
1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex for CALLER@thishost.test.ex
1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: <CALLER@thishost.test.ex> R=server
1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
diff --git
a/test/scripts/5840-DANE-OpenSSL/5840
b/test/scripts/5840-DANE-OpenSSL/5840
index deff4a6a4ddcc3075ea253f70003d21ef10daee2..e031b5d8fadee8a4362f904ff8f087f578ccd27f 100644
--- a/
test/scripts/5840-DANE-OpenSSL/5840
+++ b/
test/scripts/5840-DANE-OpenSSL/5840
@@
-54,3
+54,15
@@
exim -DOPT=no_certname -qf
****
killdaemon
#
****
killdaemon
#
+#
+# A server with two MXs for which both TLSA lookups return defer
+exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
+****
+# TLSA (3 1 2)
+exim -odq CALLER@mxdanelazy.test.ex
+Testing
+****
+exim -qf
+****
+killdaemon
+no_msglog_check