.cindex "TLS" SNI
.cindex SNI "setting in client"
.vindex "&$tls_sni$&"
-If this option is set then it sets the $tls_out_sni variable and causes any
+If this option is set
+.new
+and the connection is not DANE-validated
+.wen
+then it sets the $tls_out_sni variable and causes any
TLS session to pass this value as the Server Name Indication extension to
the remote side, which can be used by the remote side to select an appropriate
certificate and private key for the session.
only point of caution. The &$tls_out_sni$& variable will be set to this string
for the lifetime of the client connection (including during authentication).
+.new
+If DAVE validated the connection attempt then the value of the &%tls_sni%& option
+is forced to the domain part of the recipient address.
+.wen
+
Except during SMTP client sessions, if &$tls_in_sni$& is set then it is a string
received from a client.
It can be logged with the &%log_selector%& item &`+tls_sni`&.
It also allows the server to declare (implicitly) that connections to it should use TLS. An MITM could simply
fail to pass on a server's STARTTLS.
-DANE scales better than having to maintain (and side-channel communicate) copies of server certificates
+DANE scales better than having to maintain (and communicate via side-channel) copies of server certificates
for every possible target server. It also scales (slightly) better than having to maintain on an SMTP
client a copy of the standard CAs bundle. It also means not having to pay a CA for certificates.
tls_verify_certificates
tls_crl
tls_verify_cert_hostnames
+ tls_sni
.endd
If DANE is not usable, whether requested or not, and CA-anchored
not in 127.0.0.0/8 to help in spotting list domains taken over by a
domain-parking registrar.
-JH/21 Bug 2630: Fix trace eol-replacement string for the ${readsocket }
- expansion. Previously when a whitespace character was specified it
- was not inserted after removing the newline.
+JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion.
+ Previously when a whitespace character was specified it was not inserted
+ after removing the newline.
+
+JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be
+ the domain part of the recipient address. This overrides any tls_sni
+ option set, which was previously used.
+
+JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI
+ in quotes.
Exim version 4.94
if (LOGGING(tls_peerdn) && tls_in.peerdn)
g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\"");
if (LOGGING(tls_sni) && tls_in.sni)
- g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\"");
+ g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE));
#endif
if (sender_host_authenticated)
if (LOGGING(tls_peerdn) && tls_in.peerdn)
g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\"");
if (LOGGING(tls_sni) && tls_in.sni)
- g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\"");
+ g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE));
return g;
}
#endif
/* If dane is flagged, have either request or require dane for this host, and
a TLSA record found. Therefore, dane verify required. Which implies cert must
be requested and supplied, dane verify must pass, and cert verify irrelevant
-(incl. hostnames), and (caller handled) require_tls */
+(incl. hostnames), and (caller handled) require_tls and sni=$domain */
if (conn_args->dane && ob->dane_require_tls_ciphers)
{
#ifndef DISABLE_OCSP
{
# ifdef SUPPORT_DANE
+ /*XXX this should be moved to caller, to be common across gnutls/openssl */
if ( conn_args->dane
&& ob->hosts_request_ocsp[0] == '*'
&& ob->hosts_request_ocsp[1] == '\0'
{
case OK: sx->conn_args.dane = TRUE;
ob->tls_tempfail_tryclear = FALSE;
+ ob->tls_sni = sx->addrlist->domain;
break;
case FAIL_FORCED: break;
default: set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER,
acl_smtp_rcpt = accept verify = recipient/callout
.endif
-log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
+log_selector = +received_recipients +tls_peerdn +tls_certificate_verified \
+ +tls_sni
queue_run_in_order
acl_smtp_rcpt = accept verify = recipient/callout
.endif
-log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
+log_selector = +received_recipients +tls_peerdn +tls_certificate_verified \
+ +tls_sni
queue_run_in_order
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 SNI <fred>
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=fred S=sss id=E10HmaX-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 SNI <fred>
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=fred S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@test.ex
1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 SNI <bill>
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="bill" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=bill S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex
1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <abcd@test.ex> R=server
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 SNI <fred>
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=fred S=sss id=E10HmaX-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 SNI <fred>
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=fred S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@test.ex
1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@test.ex> R=server
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 SNI <bill>
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="bill" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=bill S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex
1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <abcd@test.ex> R=server
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for t1@dane256ee.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256ee.test.ex S=sss id=E10HmaX-0005vi-00@myhost.test.ex for t1@dane256ee.test.ex
1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: <t1@dane256ee.test.ex> R=server
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for t2@mxdane512ee.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=mxdane512ee.test.ex S=sss id=E10HmaY-0005vi-00@myhost.test.ex for t2@mxdane512ee.test.ex
1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <t2@mxdane512ee.test.ex> R=server
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
1999-03-02 09:44:33 "rcpt ACL"
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for t4@mxdane256ta.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=mxdane256ta.test.ex S=sss id=E10HmbB-0005vi-00@myhost.test.ex for t4@mxdane256ta.test.ex
1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <t4@mxdane256ta.test.ex> R=server
1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmbU-0005vi-00 => :blackhole: <t17@danebroken5.test.ex> R=server
1999-03-02 09:44:33 10HmbU-0005vi-00 Completed
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbX-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbW-0005vi-00@myhost.test.ex for t18a@danemixed.test.ex
+1999-03-02 09:44:33 10HmbX-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=danemixed.test.ex S=sss id=E10HmbW-0005vi-00@myhost.test.ex for t18a@danemixed.test.ex
1999-03-02 09:44:33 10HmbX-0005vi-00 => :blackhole: <t18a@danemixed.test.ex> R=server
1999-03-02 09:44:33 10HmbX-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (recv): A TLS fatal alert has been received: Certificate is bad
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for t20@danebroken8.example.com
+1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=danebroken8.example.com S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for t20@danebroken8.example.com
1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: <t20@danebroken8.example.com> R=server
1999-03-02 09:44:33 10HmcA-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for t1@dane256ee.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256ee.test.ex S=sss id=E10HmaX-0005vi-00@myhost.test.ex for t1@dane256ee.test.ex
1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: <t1@dane256ee.test.ex> R=server
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for t2@mxdane512ee.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=mxdane512ee.test.ex S=sss id=E10HmaY-0005vi-00@myhost.test.ex for t2@mxdane512ee.test.ex
1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <t2@mxdane512ee.test.ex> R=server
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
1999-03-02 09:44:33 "rcpt ACL"
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for t4@mxdane256ta.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=mxdane256ta.test.ex S=sss id=E10HmbB-0005vi-00@myhost.test.ex for t4@mxdane256ta.test.ex
1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <t4@mxdane256ta.test.ex> R=server
1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for t5@mxdane256tak.test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=mxdane256tak.test.ex S=sss id=E10HmbD-0005vi-00@myhost.test.ex for t5@mxdane256tak.test.ex
1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <t5@mxdane256tak.test.ex> R=server
1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for t20@danebroken8.example.com
+1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=danebroken8.example.com S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for t20@danebroken8.example.com
1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: <t20@danebroken8.example.com> R=server
1999-03-02 09:44:33 10HmcA-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
->>> processing "accept" (TESTSUITE/test-config 87)
+>>> processing "accept" (TESTSUITE/test-config 88)
>>> check verify = recipient/callout
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing rcptuser@dane256ee.test.ex
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
->>> processing "accept" (TESTSUITE/test-config 92)
+>>> processing "accept" (TESTSUITE/test-config 93)
>>> check verify = recipient/callout
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing rcptuser@dane256ee.test.ex
git://git.exim.org / exim.git / commitdiff