the message override the banner message that is otherwise specified by the
&%smtp_banner%& option.
+.new
+For tls-on-connect connections, the ACL is run after the TLS connection
+is accepted (however, &%host_reject_connection%& is tested before).
+.wen
+
.section "The EHLO/HELO ACL" "SECID192"
.cindex "EHLO" "ACL for"
The name is placed in the variable &$event_name$& and the event action
expansion must check this, as it will be called for every possible event type.
+.new
The current list of events is:
.display
&`dane:fail after transport `& per connection
&`tcp:connect before transport `& per connection
&`tcp:close after transport `& per connection
&`tls:cert before both `& per certificate in verification chain
+&`tls:fail:connect after main `& per connection
&`smtp:connect after transport `& per connection
&`smtp:ehlo after transport `& per connection
.endd
+.wen
New event types may be added in future.
The event name is a colon-separated list, defining the type of
&`msg:rcpt:host:defer `& error string
&`msg:rcpt:defer `& error string
&`tls:cert `& verification chain depth
+&`tls:fail:connect `& error string
&`smtp:connect `& smtp banner
&`smtp:ehlo `& smtp ehlo response
.endd
2. A variant of the "mask" expansion operator to give normalised IPv6.
- 3. UTC output option for exim_dumpdb, exim_fixdb
+ 3. UTC output option for exim_dumpdb, exim_fixdb.
+
+ 4. An event for failing TLS connects to the daemon.
Version 4.95
#ifndef DISABLE_TLS
static BOOL
-smtp_log_tls_fail(uschar * errstr)
+smtp_log_tls_fail(const uschar * errstr)
{
-uschar * conn_info = smtp_get_connection_info();
+const uschar * conn_info = smtp_get_connection_info();
if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
/* I'd like to get separated H= here, but too hard for now */
if (rc != GNUTLS_E_SUCCESS)
{
+ DEBUG(D_tls) debug_printf(" error %d from gnutls_handshake: %s\n",
+ rc, gnutls_strerror(rc));
+
/* It seems that, except in the case of a timeout, we have to close the
connection right here; otherwise if the other end is running OpenSSL it hangs
until the server times out. */
if (sigalrm_seen)
{
tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
+ (void) event_raise(event_action, US"tls:fail:connect", *errstr);
gnutls_db_remove_session(state->session);
}
else
{
tls_error_gnu(state, US"gnutls_handshake", rc, errstr);
+ (void) event_raise(event_action, US"tls:fail:connect", *errstr);
(void) gnutls_alert_send_appropriate(state->session, rc);
gnutls_deinit(state->session);
gnutls_certificate_free_credentials(state->lib_state.x509_cred);
case SSL_ERROR_ZERO_RETURN:
DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
(void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
+ (void) event_raise(event_action, US"tls:fail:connect", *errstr);
if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN)
SSL_shutdown(ssl);
|| r == SSL_R_VERSION_TOO_LOW
#endif
|| r == SSL_R_UNKNOWN_PROTOCOL || r == SSL_R_UNSUPPORTED_PROTOCOL)
- s = string_sprintf("%s (%s)", s, SSL_get_version(ssl));
+ s = string_sprintf("(%s)", SSL_get_version(ssl));
(void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : s, errstr);
+ (void) event_raise(event_action, US"tls:fail:connect", *errstr);
return FAIL;
}
if (!errno)
{
*errstr = US"SSL_accept: TCP connection closed by peer";
+ (void) event_raise(event_action, US"tls:fail:connect", *errstr);
return FAIL;
}
DEBUG(D_tls) debug_printf(" - syscall %s\n", strerror(errno));
sigalrm_seen ? US"timed out"
: ERR_peek_error() ? NULL : string_sprintf("ret %d", error),
errstr);
+ (void) event_raise(event_action, US"tls:fail:connect", *errstr);
return FAIL;
}
}
--- /dev/null
+# Exim test configuration 5711
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_connect = accept logwrite = ACL conn
+acl_smtp_quit = accept logwrite = ACL quit
+acl_smtp_notquit = accept logwrite = ACL notquit
+
+tls_advertise_hosts = *
+tls_certificate = DIR/aux-fixed/cert1
+
+host_reject_connection = ${acl {hrc}}
+event_action = ${acl {tls_fail}}
+
+# ------ ACL ------
+
+begin acl
+
+hrc:
+ accept logwrite = eval host_reject_connection
+ # no mesage= hence host_reject_connection should be empty
+
+tls_fail:
+ warn logwrite = EV $event_name
+ accept condition = ${if eq {tls:fail:connect}{$event_name}}
+ logwrite = EVDATA: $event_data
+ accept
+
+
+# End
--- /dev/null
+# Exim test configuration 5721
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_connect = accept logwrite = ACL conn
+acl_smtp_quit = accept logwrite = ACL quit
+acl_smtp_notquit = accept logwrite = ACL notquit
+
+tls_advertise_hosts = *
+tls_certificate = DIR/aux-fixed/cert1
+
+host_reject_connection = ${acl {hrc}}
+event_action = ${acl {tls_fail}}
+
+# ------ ACL ------
+
+begin acl
+
+hrc:
+ accept logwrite = eval host_reject_connection
+ # no mesage= hence host_reject_connection should be empty
+
+tls_fail:
+ warn logwrite = EV $event_name
+ accept condition = ${if eq {tls:fail:connect}{$event_name}}
+ logwrite = EVDATA: $event_data
+ accept
+
+
+# End
--- /dev/null
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTPS on port PORT_D
+1999-03-02 09:44:33 eval host_reject_connection
+1999-03-02 09:44:33 ACL conn
+1999-03-02 09:44:33 ACL quit
+1999-03-02 09:44:33 eval host_reject_connection
+1999-03-02 09:44:33 ACL conn
+1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated.
+1999-03-02 09:44:33 ACL notquit
+1999-03-02 09:44:33 eval host_reject_connection
+1999-03-02 09:44:33 EV tls:fail:connect
+1999-03-02 09:44:33 EVDATA: (gnutls_handshake): The TLS connection was non-properly terminated.
+1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (tls lib accept fn): TCP connection closed by peer
--- /dev/null
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTPS on port PORT_D
+1999-03-02 09:44:33 eval host_reject_connection
+1999-03-02 09:44:33 ACL conn
+1999-03-02 09:44:33 ACL quit
+1999-03-02 09:44:33 eval host_reject_connection
+1999-03-02 09:44:33 ACL conn
+1999-03-02 09:44:33 ACL notquit
+1999-03-02 09:44:33 eval host_reject_connection
+1999-03-02 09:44:33 EV tls:fail:connect
+1999-03-02 09:44:33 EVDATA: SSL_accept: TCP connection closed by peer
+1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (tls lib accept fn): TCP connection closed by peer
--- /dev/null
+# smtp-on-connect drop-before-tls-accept
+#
+exim -DSERVER=server -tls-on-connect -bd -oX PORT_D
+****
+#
+# Normal, full connect and quit
+client-anytls -tls-on-connect 127.0.0.1 PORT_D
+??? 220
+quit
+??? 221
+****
+#
+# full connect but no quit
+client-anytls -tls-on-connect 127.0.0.1 PORT_D
+??? 220
+****
+#
+# client disconnects before server TLS accept completes
+client 127.0.0.1 PORT_D
++++ 1
+****
+#
+sleep 1
+killdaemon
--- /dev/null
+# smtp-on-connect drop-before-tls-accept
+#
+exim -DSERVER=server -tls-on-connect -bd -oX PORT_D
+****
+#
+# Normal, full connect and quit
+client-anytls -tls-on-connect 127.0.0.1 PORT_D
+??? 220
+quit
+??? 221
+****
+#
+# full connect but no quit
+client-anytls -tls-on-connect 127.0.0.1 PORT_D
+??? 220
+****
+#
+# client disconnects before server TLS accept completes
+client 127.0.0.1 PORT_D
++++ 1
+****
+#
+killdaemon
--- /dev/null
+Connecting to 127.0.0.1 port 1225 ... connected
+Attempting to start TLS
+Succeeded in starting TLS
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+Connecting to 127.0.0.1 port 1225 ... connected
+Attempting to start TLS
+Succeeded in starting TLS
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+End of script
+Connecting to 127.0.0.1 port 1225 ... connected
++++ 1
+End of script
--- /dev/null
+Connecting to 127.0.0.1 port 1225 ... connected
+Attempting to start TLS
+Succeeded in starting TLS
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> quit
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+Connecting to 127.0.0.1 port 1225 ... connected
+Attempting to start TLS
+Succeeded in starting TLS
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+End of script
+Connecting to 127.0.0.1 port 1225 ... connected
++++ 1
+End of script
git://git.exim.org / exim.git / commitdiff