From: Heiko Schlittermann (HS12-RIPE) Date: Tue, 11 May 2021 08:48:17 +0000 (+0200) Subject: TLS DANE to multiple recipients w/ different DNSSec status X-Git-Tag: exim-4.95-RC0~58 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/36237af9cff98b4df7a8535d0dc199e499abd986?ds=sidebyside TLS DANE to multiple recipients w/ different DNSSec status --- diff --git a/src/src/deliver.c b/src/src/deliver.c index f2187e22a..ba2948dfd 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -521,8 +521,12 @@ while (one && two) else if (one->port != two->port) return FALSE; - /* Hosts matched */ +#ifdef SUPPORT_DANE + /* DNSSEC equality */ + if (one->dnssec != two->dnssec) return FALSE; +#endif + /* Hosts matched */ one = one->next; two = two->next; } diff --git a/test/confs/5802 b/test/confs/5802 new file mode 100644 index 000000000..304cab0b8 --- /dev/null +++ b/test/confs/5802 @@ -0,0 +1,92 @@ +# Exim test configuration 5802 +# DANE and MX chains + +SERVER= +OPT= + +.include DIR/aux-var/tls_conf_prefix + +primary_hostname = myhost.test.ex + +# ----- Main settings ----- + +.ifndef OPT +acl_smtp_rcpt = accept +.else +acl_smtp_rcpt = accept verify = recipient/callout +.endif + +log_selector = +received_recipients +tls_certificate_verified +tls_sni + +queue_run_in_order + +tls_advertise_hosts = * +.ifdef _HAVE_GNUTLS +# needed to force generation +tls_dhparam = historic +.endif + +# Set certificate only if server +CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net +CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com + + +tls_certificate = ${if eq {SERVER}{server} \ + {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ + {CDIR2/fullchain.pem}\ + {CDIR1/fullchain.pem}}}\ + fail} + +tls_privatekey = ${if eq {SERVER}{server} \ + {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ + {CDIR2/server1.example.com.unlocked.key}\ + {CDIR1/server1.example.net.unlocked.key}}}\ + fail} + +# ----- Routers ----- + +begin routers + +client: + driver = dnslookup + condition = ${if eq {SERVER}{}} + dnssec_request_domains = * + self = send + transport = send_to_server + errors_to = "" + no_more + +server: + driver = redirect + data = :blackhole: + + +# ----- Transports ----- + +begin transports + +send_to_server: + driver = smtp + allow_localhost + port = PORT_D + hosts_try_fastopen = : + +.ifdef REQUIRE_DANE + hosts_require_dane = * +.else + hosts_try_dane = * +.endif + tls_sni = OPT + tls_verify_certificates = + + + +# ----- Retry ----- + + +begin retry + +* * F,5d,10s + + +# End diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex index 52972a907..8eeff20a2 100644 --- a/test/dnszones-src/db.test.ex +++ b/test/dnszones-src/db.test.ex @@ -440,12 +440,28 @@ AA a-aa A V4NET.0.0.100 ; | openssl dgst -sha512 \ ; | awk '{print $2}' ; +DNSSEC mxnodane MX 1 nodane DNSSEC mxdane512ee MX 1 dane512ee DNSSEC mxdane512ee1 MX 1 dane512ee mxnondane512ee MX 1 dane512ee DNSSEC dane512ee A HOSTIPV4 +DNSSEC nodane A HOSTIPV4 + DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 c0c2fc12e9fe1abf0ae7b1f2ad2798a4689668db8cf7f7b771a43bf8a4f1d9741ef103bad470b1201157150fbd6182054b0170e90ce66b944a82a0a9c81281af +# mx of mxdane owns a secure A and TLSA record +# used in 5802 +DNSSEC mxdane MX 1 dane512ee + +# mx of mxdanesecchain is a CNAME, with a secure target, that owns a secure A and TLSA record +DNSSEC mxdanesecchain MX 1 danesecchain +DNSSEC danesecchain CNAME dane512ee + +# mx of mxdaneinsecchain is CNAME, with an insecure target that own a secure A and TLSA record +# DANE should report a failure if the message is for ...@mxdaneinsecurechain +DNSSEC mxdaneinsecchain MX 1 daneinsecchain +daneinsecchain CNAME dane512ee + ; A-only, sha256 ; ; openssl x509 -in aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem -noout -pubkey \ diff --git a/test/log/5802 b/test/log/5802 new file mode 100644 index 000000000..f9e40379c --- /dev/null +++ b/test/log/5802 @@ -0,0 +1,75 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for t0@mxdane512ee.test.ex t0@mxdane512ee1.test.ex +1999-03-02 09:44:33 10HmaX-0005vi-00 => t0@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 => t0@mxdane512ee1.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane C="250 OK id=10HmaZ-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for t1@mxdane512ee.test.ex t1@mxnodane.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 => t1@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane C="250 OK id=10HmbB-0005vi-00" +1999-03-02 09:44:33 10HmbA-0005vi-00 => t1@mxnodane.test.ex R=client T=send_to_server H=nodane.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for t2@mxdanesecchain.test.ex +1999-03-02 09:44:33 10HmbD-0005vi-00 => t2@mxdanesecchain.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane C="250 OK id=10HmbE-0005vi-00" +1999-03-02 09:44:33 10HmbD-0005vi-00 Completed +1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for t3@mxdaneinsecchain.test.ex +1999-03-02 09:44:33 10HmbF-0005vi-00 ** t3@mxdaneinsecchain.test.ex R=client T=send_to_server: DANE error: dane512ee.test.ex lookup not DNSSEC +1999-03-02 09:44:33 10HmbF-0005vi-00 t3@mxdaneinsecchain.test.ex: error ignored +1999-03-02 09:44:33 10HmbF-0005vi-00 Completed +1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for t4@mxdaneinsecchain.test.ex +1999-03-02 09:44:33 10HmbG-0005vi-00 => t4@mxdaneinsecchain.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no C="250 OK id=10HmbH-0005vi-00" +1999-03-02 09:44:33 10HmbG-0005vi-00 Completed +1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for t5@mxdanesecchain.test.ex t5@mxdaneinsecchain.test.ex +1999-03-02 09:44:33 10HmbI-0005vi-00 => t5@mxdanesecchain.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane C="250 OK id=10HmbJ-0005vi-00" +1999-03-02 09:44:33 10HmbI-0005vi-00 => t5@mxdaneinsecchain.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no C="250 OK id=10HmbK-0005vi-00" +1999-03-02 09:44:33 10HmbI-0005vi-00 Completed +1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for t6@mxdaneinsecchain.test.ex t6@mxdanesecchain.test.ex +1999-03-02 09:44:33 10HmbL-0005vi-00 => t6@mxdaneinsecchain.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no C="250 OK id=10HmbM-0005vi-00" +1999-03-02 09:44:33 10HmbL-0005vi-00 => t6@mxdanesecchain.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane C="250 OK id=10HmbN-0005vi-00" +1999-03-02 09:44:33 10HmbL-0005vi-00 Completed +1999-03-02 09:44:33 10HmbO-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for t7@mxdanesecchain.test.ex t7@mxdaneinsecchain.test.ex +1999-03-02 09:44:33 10HmbO-0005vi-00 => t7@mxdanesecchain.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane C="250 OK id=10HmbP-0005vi-00" +1999-03-02 09:44:33 10HmbO-0005vi-00 ** t7@mxdaneinsecchain.test.ex R=client T=send_to_server: DANE error: dane512ee.test.ex lookup not DNSSEC +1999-03-02 09:44:33 10HmbO-0005vi-00 t7@mxdaneinsecchain.test.ex: error ignored +1999-03-02 09:44:33 10HmbO-0005vi-00 Completed +1999-03-02 09:44:33 10HmbQ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for t8@mxdaneinsecchain.test.ex t8@mxdanesecchain.test.ex +1999-03-02 09:44:33 10HmbQ-0005vi-00 ** t8@mxdaneinsecchain.test.ex R=client T=send_to_server: DANE error: dane512ee.test.ex lookup not DNSSEC +1999-03-02 09:44:33 10HmbQ-0005vi-00 => t8@mxdanesecchain.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane C="250 OK id=10HmbR-0005vi-00" +1999-03-02 09:44:33 10HmbQ-0005vi-00 t8@mxdaneinsecchain.test.ex: error ignored +1999-03-02 09:44:33 10HmbQ-0005vi-00 Completed + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane512ee.test.ex S=sss id=E10HmaX-0005vi-00@myhost.test.ex for t0@mxdane512ee.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane512ee.test.ex S=sss id=E10HmaX-0005vi-00@myhost.test.ex for t0@mxdane512ee1.test.ex +1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane512ee.test.ex S=sss id=E10HmbA-0005vi-00@myhost.test.ex for t1@mxdane512ee.test.ex +1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbA-0005vi-00@myhost.test.ex for t1@mxnodane.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane512ee.test.ex S=sss id=E10HmbD-0005vi-00@myhost.test.ex for t2@mxdanesecchain.test.ex +1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbE-0005vi-00 Completed +1999-03-02 09:44:33 10HmbH-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbG-0005vi-00@myhost.test.ex for t4@mxdaneinsecchain.test.ex +1999-03-02 09:44:33 10HmbH-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbH-0005vi-00 Completed +1999-03-02 09:44:33 10HmbJ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane512ee.test.ex S=sss id=E10HmbI-0005vi-00@myhost.test.ex for t5@mxdanesecchain.test.ex +1999-03-02 09:44:33 10HmbJ-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbJ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbK-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbI-0005vi-00@myhost.test.ex for t5@mxdaneinsecchain.test.ex +1999-03-02 09:44:33 10HmbK-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbK-0005vi-00 Completed +1999-03-02 09:44:33 10HmbM-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbL-0005vi-00@myhost.test.ex for t6@mxdaneinsecchain.test.ex +1999-03-02 09:44:33 10HmbM-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbM-0005vi-00 Completed +1999-03-02 09:44:33 10HmbN-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane512ee.test.ex S=sss id=E10HmbL-0005vi-00@myhost.test.ex for t6@mxdanesecchain.test.ex +1999-03-02 09:44:33 10HmbN-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbN-0005vi-00 Completed +1999-03-02 09:44:33 10HmbP-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane512ee.test.ex S=sss id=E10HmbO-0005vi-00@myhost.test.ex for t7@mxdanesecchain.test.ex +1999-03-02 09:44:33 10HmbP-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbP-0005vi-00 Completed +1999-03-02 09:44:33 10HmbR-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane512ee.test.ex S=sss id=E10HmbQ-0005vi-00@myhost.test.ex for t8@mxdanesecchain.test.ex +1999-03-02 09:44:33 10HmbR-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbR-0005vi-00 Completed diff --git a/test/scripts/5800-DANE/5802 b/test/scripts/5800-DANE/5802 new file mode 100644 index 000000000..f07e9b2ae --- /dev/null +++ b/test/scripts/5800-DANE/5802 @@ -0,0 +1,52 @@ +# DANE client: SNI and Chains +exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D +**** + +# BASELINE + +### Routing +# They should have the same destination host, but should differ +# in their AD status. +exim -bt t@mxdanesecchain.test.ex t@mxdaneinsecchain.test.ex +**** + +### Two recipients, different domains through same DANE MX host +exim -odf t0@mxdane512ee.test.ex t0@mxdane512ee1.test.ex +**** + +### Two recipients: 1st: DANE, 2nd no-DANE, SNI is expected for the 1st only +exim -odf t1@mxdane512ee.test.ex t1@mxnodane.test.ex +**** + +### One recipient to MX whith a secure CNAME chain, SNI should use CNAME target +exim -DREQUIRE_DANE -odf t2@mxdanesecchain.test.ex +**** +### Same, but to MX whith a insecure CNAME chain, should fail, no SNI expected +exim -DREQUIRE_DANE -odf t3@mxdaneinsecchain.test.ex +**** +### Same, but to MX whith a insecure CNAME chain, should pass, no SNI expected +exim -odf t4@mxdaneinsecchain.test.ex +**** + +# multiple recipients +# try DANE + +### Two messages, 1st secure CHAIN, 2nd with insecure chain, 1st must use DANE, but 2nd +exim -odf t5@mxdanesecchain.test.ex t5@mxdaneinsecchain.test.ex +**** +### Two messages, 1st insecure CHAIN, 2nd with secure chain, 1st must not use DANE, but 2nd +exim -odf t6@mxdaneinsecchain.test.ex t6@mxdanesecchain.test.ex +**** + +# multiple recipients +# require DANE + +### Two messages, 1st secure CHAIN, 2nd with insecure chain, 1st must use DANE, 2nd fail +exim -DREQUIRE_DANE -odf t7@mxdanesecchain.test.ex t7@mxdaneinsecchain.test.ex +**** +### Two messages, 1st insecure CHAIN, 2nd with secure chain, 1st must fail, 2nd pass +exim -DREQUIRE_DANE -odf t8@mxdaneinsecchain.test.ex t8@mxdanesecchain.test.ex +**** + +killdaemon +no_msglog_check diff --git a/test/stderr/5802 b/test/stderr/5802 new file mode 100644 index 000000000..eefcc81f0 --- /dev/null +++ b/test/stderr/5802 @@ -0,0 +1,22 @@ +### Routing +### Two recipients, different domains through same DANE MX host +### Two recipients: 1st: DANE, 2nd no-DANE, SNI is expected for the 1st only +### One recipient to MX whith a secure CNAME chain, SNI should use CNAME target +### Same, but to MX whith a insecure CNAME chain, should fail, no SNI expected +### Same, but to MX whith a insecure CNAME chain, should pass, no SNI expected +### Two messages, 1st secure CHAIN, 2nd with insecure chain, 1st must use DANE, but 2nd +### Two messages, 1st insecure CHAIN, 2nd with secure chain, 1st must not use DANE, but 2nd +### Two messages, 1st secure CHAIN, 2nd with insecure chain, 1st must use DANE, 2nd fail +### Two messages, 1st insecure CHAIN, 2nd with secure chain, 1st must fail, 2nd pass + +******** SERVER ******** +### Routing +### Two recipients, different domains through same DANE MX host +### Two recipients: 1st: DANE, 2nd no-DANE, SNI is expected for the 1st only +### One recipient to MX whith a secure CNAME chain, SNI should use CNAME target +### Same, but to MX whith a insecure CNAME chain, should fail, no SNI expected +### Same, but to MX whith a insecure CNAME chain, should pass, no SNI expected +### Two messages, 1st secure CHAIN, 2nd with insecure chain, 1st must use DANE, but 2nd +### Two messages, 1st insecure CHAIN, 2nd with secure chain, 1st must not use DANE, but 2nd +### Two messages, 1st secure CHAIN, 2nd with insecure chain, 1st must use DANE, 2nd fail +### Two messages, 1st insecure CHAIN, 2nd with secure chain, 1st must fail, 2nd pass diff --git a/test/stdout/5802 b/test/stdout/5802 new file mode 100644 index 000000000..95ee2a65c --- /dev/null +++ b/test/stdout/5802 @@ -0,0 +1,28 @@ +### Routing +t@mxdanesecchain.test.ex + router = client, transport = send_to_server + host dane512ee.test.ex [ip4.ip4.ip4.ip4] MX=1 AD +t@mxdaneinsecchain.test.ex + router = client, transport = send_to_server + host dane512ee.test.ex [ip4.ip4.ip4.ip4] MX=1 +### Two recipients, different domains through same DANE MX host +### Two recipients: 1st: DANE, 2nd no-DANE, SNI is expected for the 1st only +### One recipient to MX whith a secure CNAME chain, SNI should use CNAME target +### Same, but to MX whith a insecure CNAME chain, should fail, no SNI expected +### Same, but to MX whith a insecure CNAME chain, should pass, no SNI expected +### Two messages, 1st secure CHAIN, 2nd with insecure chain, 1st must use DANE, but 2nd +### Two messages, 1st insecure CHAIN, 2nd with secure chain, 1st must not use DANE, but 2nd +### Two messages, 1st secure CHAIN, 2nd with insecure chain, 1st must use DANE, 2nd fail +### Two messages, 1st insecure CHAIN, 2nd with secure chain, 1st must fail, 2nd pass + +******** SERVER ******** +### Routing +### Two recipients, different domains through same DANE MX host +### Two recipients: 1st: DANE, 2nd no-DANE, SNI is expected for the 1st only +### One recipient to MX whith a secure CNAME chain, SNI should use CNAME target +### Same, but to MX whith a insecure CNAME chain, should fail, no SNI expected +### Same, but to MX whith a insecure CNAME chain, should pass, no SNI expected +### Two messages, 1st secure CHAIN, 2nd with insecure chain, 1st must use DANE, but 2nd +### Two messages, 1st insecure CHAIN, 2nd with secure chain, 1st must not use DANE, but 2nd +### Two messages, 1st secure CHAIN, 2nd with insecure chain, 1st must use DANE, 2nd fail +### Two messages, 1st insecure CHAIN, 2nd with secure chain, 1st must fail, 2nd pass