sending the request. Values are &"yes"& (the default) or &"no"&
(preferred, eg. by some webservers).
+.next
+&*sni*&
+Controls the use of Server Name Identification on the connection.
+Any nonempty value will be the SNI sent; TLS will be forced.
+
.next
&*tls*&
Controls the use of TLS on the connection.
10. A commandline option to print just the message IDs of the queue
+ 11. An option for the ${readsocket } expansion to set an SNI for TLS.
+
Version 4.96
------------
extern void tls_clean_env(void);
extern BOOL tls_client_start(client_conn_ctx *, smtp_connect_args *,
void *, tls_support *, uschar **);
+extern BOOL tls_client_adjunct_start(host_item *, client_conn_ctx *,
+ const uschar *, uschar **);
extern void tls_client_creds_reload(BOOL);
extern void tls_close(void *, int);
static int
internal_readsock_open(client_conn_ctx * cctx, const uschar * sspec,
- int timeout, BOOL do_tls, uschar ** errmsg)
+ int timeout, uschar * do_tls, uschar ** errmsg)
{
const uschar * server_name;
host_item host;
#ifndef DISABLE_TLS
if (do_tls)
- {
- union sockaddr_46 interface_sock;
- EXIM_SOCKLEN_T size = sizeof(interface_sock);
- smtp_connect_args conn_args = {.host = &host };
- tls_support tls_dummy = { .sni = NULL };
- uschar * errstr;
-
- if (getsockname(cctx->sock, (struct sockaddr *) &interface_sock, &size) == 0)
- conn_args.sending_ip_address = host_ntoa(-1, &interface_sock, NULL, NULL);
- else
- {
- *errmsg = string_sprintf("getsockname failed: %s", strerror(errno));
+ if (!tls_client_adjunct_start(&host, cctx, do_tls, errmsg))
goto bad;
- }
-
- if (!tls_client_start(cctx, &conn_args, NULL, &tls_dummy, &errstr))
- {
- *errmsg = string_sprintf("TLS connect failed: %s", errstr);
- goto bad;
- }
- }
#endif
DEBUG(D_expand|D_lookup) debug_printf_indent(" connected to socket %s\n", sspec);
int sep = ',';
struct {
BOOL do_shutdown:1;
- BOOL do_tls:1;
BOOL cache:1;
+ uschar * do_tls; /* NULL, empty-string, or SNI */
} lf = {.do_shutdown = TRUE};
uschar * eol = NULL;
int timeout = 5;
else if (Ustrncmp(s, "shutdown=", 9) == 0)
lf.do_shutdown = Ustrcmp(s + 9, "no") != 0;
#ifndef DISABLE_TLS
- else if (Ustrncmp(s, "tls=", 4) == 0 && Ustrcmp(s + 4, US"no") != 0)
- lf.do_tls = TRUE;
+ else if (Ustrncmp(s, "tls=", 4) == 0 && Ustrcmp(s + 4, US"no") != 0 && !lf.do_tls)
+ lf.do_tls = US"";
+ else if (Ustrncmp(s, "sni=", 4) == 0)
+ lf.do_tls = s + 4;
#endif
else if (Ustrncmp(s, "eol=", 4) == 0)
eol = string_unprinting(s + 4);
#endif
}
+
+
+/* Start TLS as a client for an ajunct connection, eg. readsocket
+Return boolean success.
+*/
+
+BOOL
+tls_client_adjunct_start(host_item * host, client_conn_ctx * cctx,
+ const uschar * sni, uschar ** errmsg)
+{
+union sockaddr_46 interface_sock;
+EXIM_SOCKLEN_T size = sizeof(interface_sock);
+smtp_connect_args conn_args = {.host = host };
+tls_support tls_dummy = { .sni = NULL };
+uschar * errstr;
+
+if (getsockname(cctx->sock, (struct sockaddr *) &interface_sock, &size) == 0)
+ conn_args.sending_ip_address = host_ntoa(-1, &interface_sock, NULL, NULL);
+else
+ {
+ *errmsg = string_sprintf("getsockname failed: %s", strerror(errno));
+ return FALSE;
+ }
+
+/* To handle SNI we need to emulate more of a real transport because the
+base tls code assumes that is where the SNI string lives. */
+
+if (*sni)
+ {
+ transport_instance * tb;
+ smtp_transport_options_block * ob;
+
+ conn_args.tblock = tb = store_get(sizeof(*tb), GET_UNTAINTED);
+ memset(tb, 0, sizeof(*tb));
+
+ tb->options_block = ob = store_get(sizeof(*ob), GET_UNTAINTED);
+ memcpy(ob, &smtp_transport_option_defaults, sizeof(*ob));
+
+ ob->tls_sni = sni;
+ }
+
+if (!tls_client_start(cctx, &conn_args, NULL, &tls_dummy, &errstr))
+ {
+ *errmsg = string_sprintf("TLS connect failed: %s", errstr);
+ return FALSE;
+ }
+return TRUE;
+}
+
+
+
#endif /*!DISABLE_TLS*/
#endif /*!MACRO_PREDEF*/
tls_certificate = DIR/aux-fixed/cert1
tls_privatekey = DIR/aux-fixed/cert1
+acl_smtp_helo = accept logwrite = HELO <$sender_helo_name> SNI <$tls_in_sni>
+
# End
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTPS on port PORT_D
+1999-03-02 09:44:33 HELO <tester> SNI <fubar>
millisleep 500
exim -be
1 >>${readsocket{inet:thisloop:PORT_D}{QUIT\n}{2s:tls=yes}}<<
+2 >>${readsocket{inet:thisloop:PORT_D}{EHLO tester\n}{1s:tls=yes:sni=fubar}}<<
****
millisleep 500
#
> 1 >>220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
221 myhost.test.ex closing connection\r
<<
+> Failed: socket read timed out
>
git://git.exim.org / exim.git / commitdiff