CHUNKING support, Exim will attempt to use BDAT commands rather than DATA.
BDAT will not be used in conjunction with a transport filter.
-.option hosts_try_dane smtp "host list&!!" unset
+.option hosts_try_dane smtp "host list&!!" *
.cindex DANE "transport options"
.cindex DANE "attempting for certain servers"
If built with DANE support, Exim will lookup a
for multiple message deliveries, by default. Previoud the default was to
not do so.
+JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
+ default. If built with the facility, DANE will be used. The facility is
+ now enabled in the prototype build Makefile "EDITME".
+
Exim version 4.92
#------------------------------------------------------------------------------
-# Uncomment the following line to add DANE support
+# Comment out the following line to remove DANE support
# Note: Enabling this unconditionally overrides DISABLE_DNSSEC
# For DANE under GnuTLS we need an additional library. See TLS_LIBS below.
-# SUPPORT_DANE=yes
+SUPPORT_DANE=yes
#------------------------------------------------------------------------------
# Additional libraries and include directories may be required for some
.hosts_require_auth = NULL,
.hosts_try_chunking = US"*",
#ifdef SUPPORT_DANE
- .hosts_try_dane = NULL,
+ .hosts_try_dane = US"*",
.hosts_require_dane = NULL,
.dane_require_tls_ciphers = NULL,
#endif
# DANE/GnuTLS
SERVER=
+CONTROL= *
.include DIR/aux-var/tls_conf_prefix
allow_localhost
port = PORT_D
- hosts_try_dane = *
+ hosts_try_dane = CONTROL
hosts_require_dane = HOSTIPV4
tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
tls_try_verify_hosts = thishost.test.ex
# DANE/OpenSSL
SERVER=
+CONTROL= *
.include DIR/aux-var/tls_conf_prefix
allow_localhost
port = PORT_D
- hosts_try_dane = *
+ hosts_try_dane = CONTROL
hosts_require_dane = HOSTIPV4
tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
tls_try_verify_hosts = thishost.test.ex
1999-03-02 09:44:33 10HmbZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken8.example.com
1999-03-02 09:44:33 10HmbZ-0005vi-00 => CALLER@danebroken8.example.com R=client T=send_to_server H=danebroken8.example.com [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane DN="CN=server1.example.net" C="250 OK id=10HmcA-0005vi-00"
1999-03-02 09:44:33 10HmbZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmcB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken2.test.ex
+1999-03-02 09:44:33 10HmcB-0005vi-00 => CALLER@danebroken2.test.ex R=client T=send_to_server H=danebroken2.test.ex [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="CN=server1.example.com" C="250 OK id=10HmcC-0005vi-00"
+1999-03-02 09:44:33 10HmcB-0005vi-00 Completed
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for CALLER@danebroken8.example.com
1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: <CALLER@danebroken8.example.com> R=server
1999-03-02 09:44:33 10HmcA-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmcC-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcB-0005vi-00@myhost.test.ex for CALLER@danebroken2.test.ex
+1999-03-02 09:44:33 10HmcC-0005vi-00 => :blackhole: <CALLER@danebroken2.test.ex> R=server
+1999-03-02 09:44:33 10HmcC-0005vi-00 Completed
1999-03-02 09:44:33 10HmbZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken8.example.com
1999-03-02 09:44:33 10HmbZ-0005vi-00 => CALLER@danebroken8.example.com R=client T=send_to_server H=danebroken8.example.com [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane DN="/CN=server1.example.net" C="250 OK id=10HmcA-0005vi-00"
1999-03-02 09:44:33 10HmbZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmcB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken2.test.ex
+1999-03-02 09:44:33 10HmcB-0005vi-00 => CALLER@danebroken2.test.ex R=client T=send_to_server H=danebroken2.test.ex [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmcC-0005vi-00"
+1999-03-02 09:44:33 10HmcB-0005vi-00 Completed
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for CALLER@danebroken8.example.com
1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: <CALLER@danebroken8.example.com> R=server
1999-03-02 09:44:33 10HmcA-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmcC-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcB-0005vi-00@myhost.test.ex for CALLER@danebroken2.test.ex
+1999-03-02 09:44:33 10HmcC-0005vi-00 => :blackhole: <CALLER@danebroken2.test.ex> R=server
+1999-03-02 09:44:33 10HmcC-0005vi-00 Completed
****
#
### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
-# that way round to excersize more code in the implementation
+# that way round to exercise more code in the implementation
exim -odf CALLER@danemixed.test.ex
Testing
****
exim -odf CALLER@danebroken8.example.com
Testing
****
+killdaemon
+#
#
+sudo rm DIR/spool/db/retry
+exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
+****
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
+exim -odf -DCONTROL=: CALLER@danebroken2.test.ex
+****
killdaemon
+#
no_msglog_check
#
exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
****
-### TLSA (3 1 1)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
exim -odq CALLER@dane256ee.test.ex
Testing
****
-### TLSA (3 1 2)
+### TLSA (3 1 2) ( SHA2-512)
exim -odq CALLER@mxdane512ee.test.ex
Testing
****
#
exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D
****
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
exim -odf CALLER@mxdane256ta.test.ex
Testing
****
****
#
killdaemon
-
-
+#
+#
+#
### A server with a name not matching the cert. TA-mode; should fail
exim -DSERVER=server -DDETAILS=cert.net -bd -oX PORT_D
****
exim -odf CALLER@danebroken8.example.com
Testing
****
+killdaemon
+#
#
+sudo rm DIR/spool/db/retry
+exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
+****
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
+exim -odf -DCONTROL=: CALLER@danebroken2.test.ex
+****
killdaemon
+#
no_msglog_check
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
->>> processing "accept" (TESTSUITE/test-config 85)
+>>> processing "accept" (TESTSUITE/test-config 86)
>>> check verify = recipient/callout
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing rcptuser@dane256ee.test.ex
### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
### A server with a name not matching the cert. TA-mode; should fail
### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
******** SERVER ********
### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
### A server with a name not matching the cert. TA-mode; should fail
### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) ( SHA2-512)
### Recipient callout
>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
->>> processing "accept" (TESTSUITE/test-config 90)
+>>> processing "accept" (TESTSUITE/test-config 91)
>>> check verify = recipient/callout
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing rcptuser@dane256ee.test.ex
>>> accept: condition test succeeded in inline ACL
>>> end of inline ACL: ACCEPT
LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
### TLSA (2 1 1)
### A server with a nonverifying cert and no TLSA
### A server with a verifying cert and no TLSA
### A server insecurely serving a good A record, dane required (delivery should fail)
### A server with a name not matching the cert. TA-mode; should fail
### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
******** SERVER ********
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) ( SHA2-512)
### Recipient callout
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
### TLSA (2 1 1)
### A server with a nonverifying cert and no TLSA
### A server with a verifying cert and no TLSA
### A server insecurely serving a good A record, dane required (delivery should fail)
### A server with a name not matching the cert. TA-mode; should fail
### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
### A server with a name not matching the cert. TA-mode; should fail
### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
******** SERVER ********
### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
### A server with a name not matching the cert. TA-mode; should fail
### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) ( SHA2-512)
### Recipient callout
**** SMTP testing session as if from host 127.0.0.1
250 OK\r
250 Accepted\r
421 myhost.test.ex lost input connection\r
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
### TLSA (2 1 1)
### A server with a nonverifying cert and no TLSA
### A server with a verifying cert and no TLSA
### A server insecurely serving a good A record, dane required (delivery should fail)
### A server with a name not matching the cert. TA-mode; should fail
### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
******** SERVER ********
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) ( SHA2-512)
### Recipient callout
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
### TLSA (2 1 1)
### A server with a nonverifying cert and no TLSA
### A server with a verifying cert and no TLSA
### A server insecurely serving a good A record, dane required (delivery should fail)
### A server with a name not matching the cert. TA-mode; should fail
### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
git://git.exim.org / exim.git / commitdiff