default:
case DNS_FAIL:
if (dane_required)
- {
- log_write(0, LOG_MAIN, "DANE error: TLSA lookup failed");
return FAIL;
- }
break;
case DNS_SUCCEED:
|| verify_check_given_host(&ob->hosts_try_dane, host) == OK
)
&& (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK
+ && dane_required
)
{
set_errno(addrlist, ERRNO_DNSDEFER,
DNSSEC mx-sec-a-unsec MX 5 a-unsec
DNSSEC mx-sec-a-sec MX 5 a-sec
DNSSEC mx-sec-a-aa MX 5 a-aa
-AA mx-aa-a-sec MX 5 a-sec
+AA mx-aa-a-sec MX 5 a-sec
-a-unsec A V4NET.0.0.100
-DNSSEC a-sec A V4NET.0.0.100
-DNSSEC l-sec A 127.0.0.1
+a-unsec A V4NET.0.0.100
+DNSSEC a-sec A V4NET.0.0.100
+DNSSEC l-sec A 127.0.0.1
-AA a-aa A V4NET.0.0.100
+AA a-aa A V4NET.0.0.100
; ------- Testing DANE ------------
; full suite dns chain, sha512
-DNSSEC mxdane512ee MX 1 dane512ee
-DNSSEC dane512ee A HOSTIPV4
+DNSSEC mxdane512ee MX 1 dane512ee
+DNSSEC dane512ee A HOSTIPV4
DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d
; A-only, sha256
-DNSSEC dane256ee A HOSTIPV4
+DNSSEC dane256ee A HOSTIPV4
DNSSEC _1225._tcp.dane256ee TLSA 3 1 1 2bb55f418bb03411a5007cecbfcd3ec1c94404312c0d53a44bb2166b32654db3
; full MX, sha256, TA-mode
-DNSSEC mxdane256ta MX 1 dane256ta
-DNSSEC dane256ta A HOSTIPV4
-DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 b2c6f27f2d16390b4f71cacc69742bf610d750534fab240516c0f2deb4042ad4
+DNSSEC mxdane256ta MX 1 dane256ta
+DNSSEC dane256ta A HOSTIPV4
+DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 b2c6f27f2d16390b4f71cacc69742bf610d750534fab240516c0f2deb4042ad4
-; ------- Testing DANE ------------
-; full suite dns chain, sha512
-DNSSEC mxdanelazy MX 1 danelazy
-DNSSEC mxdanelazy MX 2 danelazy2
+; A multiple-return MX where all TLSA lookups defer
+DNSSEC mxdanelazy MX 1 danelazy
+DNSSEC MX 2 danelazy2
+
+DNSSEC danelazy A HOSTIPV4
+DNSSEC danelazy2 A 127.0.0.1
-DNSSEC danelazy A HOSTIPV4
-DNSSEC danelazy2 A 127.0.0.1
+DNSSEC _1225._tcp.danelazy CNAME test.again.dns.
+DNSSEC _1225._tcp.danelazy2 CNAME test.again.dns.
-DNSSEC _1225._tcp.danelazy CNAME test.again.dns.
-DNSSEC _1225._tcp.danelazy2 CNAME test.again.dns.
+; hosts with no TLSA
+DNSSEC dane.no.1 A HOSTIPV4
+DNSSEC dane.no.2 A 127.0.0.1
; ------- Testing delays ------------
1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdanelazy.test.ex
+1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.1.test.ex
+1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.2.test.ex
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy.test.ex [ip4.ip4.ip4.ip4]: DANE error: tlsa lookup DEFER
-1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER
-1999-03-02 09:44:33 10HmbH-0005vi-00 == CALLER@mxdanelazy.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER
+1999-03-02 09:44:33 10HmbH-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmbH-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+1999-03-02 09:44:33 10HmbH-0005vi-00 => CALLER@mxdanelazy.test.ex R=client T=send_to_server H=danelazy2.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbK-0005vi-00"
+1999-03-02 09:44:33 10HmbH-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbI-0005vi-00 ** CALLER@dane.no.1.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL
+1999-03-02 09:44:33 10HmbL-0005vi-00 <= <> R=10HmbI-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@myhost.test.ex
+1999-03-02 09:44:33 10HmbL-0005vi-00 H=myhost.test.ex [V4NET.10.10.10] Network Error
+1999-03-02 09:44:33 10HmbL-0005vi-00 == CALLER@myhost.test.ex R=client T=send_to_server defer (dd): Network Error
+1999-03-02 09:44:33 10HmbI-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbJ-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmbJ-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+1999-03-02 09:44:33 10HmbJ-0005vi-00 => CALLER@dane.no.2.test.ex R=client T=send_to_server H=dane.no.2.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbM-0005vi-00"
+1999-03-02 09:44:33 10HmbJ-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: <CALLER@thishost.test.ex> R=server
1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbH-0005vi-00@myhost.test.ex for CALLER@mxdanelazy.test.ex
+1999-03-02 09:44:33 10HmbK-0005vi-00 => :blackhole: <CALLER@mxdanelazy.test.ex> R=server
+1999-03-02 09:44:33 10HmbK-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbM-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbJ-0005vi-00@myhost.test.ex for CALLER@dane.no.2.test.ex
+1999-03-02 09:44:33 10HmbM-0005vi-00 => :blackhole: <CALLER@dane.no.2.test.ex> R=server
+1999-03-02 09:44:33 10HmbM-0005vi-00 Completed
killdaemon
#
#
-# A server with two MXs for which both TLSA lookups return defer
exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
****
-# TLSA (3 1 2)
+# A server with two MXs for which both TLSA lookups return defer
exim -odq CALLER@mxdanelazy.test.ex
Testing
****
+# A server lacking a TLSA, required
+exim -odq CALLER@dane.no.1.test.ex
+Testing
+****
+# A server lacking a TLSA, requested only
+exim -odq CALLER@dane.no.2.test.ex
+Testing
+****
exim -qf
****
killdaemon
HOST_NOT_FOUND.
Any DNS record line in a zone file can be prefixed with "DELAY=" and
-a number of milliseconds (followed by whitespace).
+a number of milliseconds (followed by one space).
-Any DNS record line in a zone file can be prefixed with "DNSSEC" and
-at least one space; if all the records found by a lookup are marked
+Any DNS record line in a zone file can be prefixed with "DNSSEC ";
+if all the records found by a lookup are marked
as such then the response will have the "AD" bit set.
-Any DNS record line in a zone file can be prefixed with "AA" and
-at least one space; if all the records found by a lookup are marked
+Any DNS record line in a zone file can be prefixed with "AA "
+if all the records found by a lookup are marked
as such then the response will have the "AA" bit set.
*/
else if (Ustrncmp(p, US"DELAY=", 6) == 0) /* delay before response */
{
for (p += 6; *p >= '0' && *p <= '9'; p++) delay = delay*10 + *p - '0';
- while (isspace(*p)) p++;
+ if (isspace(*p)) p++;
}
else
break;
}
- if (!isspace(*p))
+ if (!isspace(*p)) /* new domain name */
{
uschar *pp = rrdomain;
uschar *PP = RRdomain;
pp[-1] = 0;
PP[-1] = 0;
}
- }
+ } /* else use previous line's domain name */
/* Compare domain names; first check for a wildcard */