From: Jeremy Harris
Date: Fri, 22 May 2015 17:32:04 +0000 (+0100)
Subject: DANE: do not fail/defer message due to TLSA lookup but dane is only requested
X-Git-Tag: exim-4_86_RC1~14
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/6aa849d3880096db053d1871e33a79e43571ab18?hp=4cea764f3d43217b9b7046310fc1567c4d63c01e

DANE: do not fail/defer message due to TLSA lookup but dane is only requested
---

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 477e7b3bf..e6f4da8ca 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1198,10 +1198,7 @@ switch (dns_lookup(dnsa, buffer, T_TLSA, &fullname))
   default:
   case DNS_FAIL:
     if (dane_required)
-      {
-      log_write(0, LOG_MAIN, "DANE error: TLSA lookup failed");
       return FAIL;
-      }
     break;
 
   case DNS_SUCCEED:
@@ -1467,6 +1464,7 @@ if (continue_hostname == NULL)
          || verify_check_given_host(&ob->hosts_try_dane, host) == OK
          )
        && (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK
+       && dane_required
        )
       {
       set_errno(addrlist, ERRNO_DNSDEFER,
diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex
index 09e84fee0..fba09d850 100644
--- a/test/dnszones-src/db.test.ex
+++ b/test/dnszones-src/db.test.ex
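Review bot: The `&& dane_required` added in the second hunk lets every non-OK result of tlsa_lookup() — the DEFER it returns for DNS_AGAIN just as much as a definite FAIL — fall through to an ordinary delivery when DANE is only requested, and the new expected output in test/log/5840 shows the consequence: the mxdanelazy message, whose TLSA lookups both deferred, is sent to danelazy2 with CV=no. A transient or induced resolver failure therefore downgrades a hosts_try_dane destination to unauthenticated TLS, which as far as I recall RFC 7672 asks clients to prevent by deferring on TLSA lookup errors and skipping DANE only on a definite "no records" answer. Consider keeping the defer for that case, e.g. `&& (dane_required || rc == DEFER)`, once tlsa_lookup()'s handling of a TLSA answer that is not DNSSEC-validated (outside the first hunk) returns something other than DEFER, so that unsigned TLSA data still just disables DANE. With the log_write removed in the first hunk, the try-dane fall-through also leaves no trace; a `DEBUG(D_transport) debug_printf("DANE: TLSA lookup %s, continuing without DANE\n", rc == DEFER ? "DEFER" : "FAIL");` on the path that now proceeds would keep the downgrade observable. The if () condition starts above the second hunk and tlsa_lookup()'s switch above the first.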
@@ -403,41 +403,44 @@ mx-unsec-a-sec MX 5 a-sec DNSSEC mx-sec-a-unsec MX 5 a-unsec DNSSEC mx-sec-a-sec MX 5 a-sec DNSSEC mx-sec-a-aa MX 5 a-aa -AA mx-aa-a-sec MX 5 a-sec +AA mx-aa-a-sec MX 5 a-sec -a-unsec A V4NET.0.0.100 -DNSSEC a-sec A V4NET.0.0.100 -DNSSEC l-sec A 127.0.0.1 +a-unsec A V4NET.0.0.100 +DNSSEC a-sec A V4NET.0.0.100 +DNSSEC l-sec A 127.0.0.1 -AA a-aa A V4NET.0.0.100 +AA a-aa A V4NET.0.0.100 ; ------- Testing DANE ------------ ; full suite dns chain, sha512 -DNSSEC mxdane512ee MX 1 dane512ee -DNSSEC dane512ee A HOSTIPV4 +DNSSEC mxdane512ee MX 1 dane512ee +DNSSEC dane512ee A HOSTIPV4 DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d ; A-only, sha256 -DNSSEC dane256ee A HOSTIPV4 +DNSSEC dane256ee A HOSTIPV4 DNSSEC _1225._tcp.dane256ee TLSA 3 1 1 2bb55f418bb03411a5007cecbfcd3ec1c94404312c0d53a44bb2166b32654db3 ; full MX, sha256, TA-mode -DNSSEC mxdane256ta MX 1 dane256ta -DNSSEC dane256ta A HOSTIPV4 -DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 b2c6f27f2d16390b4f71cacc69742bf610d750534fab240516c0f2deb4042ad4 +DNSSEC mxdane256ta MX 1 dane256ta +DNSSEC dane256ta A HOSTIPV4 +DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 b2c6f27f2d16390b4f71cacc69742bf610d750534fab240516c0f2deb4042ad4 -; ------- Testing DANE ------------ -; full suite dns chain, sha512 -DNSSEC mxdanelazy MX 1 danelazy -DNSSEC mxdanelazy MX 2 danelazy2 +; A multiple-return MX where all TLSA lookups defer +DNSSEC mxdanelazy MX 1 danelazy +DNSSEC MX 2 danelazy2 + +DNSSEC danelazy A HOSTIPV4 +DNSSEC danelazy2 A 127.0.0.1 -DNSSEC danelazy A HOSTIPV4 -DNSSEC danelazy2 A 127.0.0.1 +DNSSEC _1225._tcp.danelazy CNAME test.again.dns. +DNSSEC _1225._tcp.danelazy2 CNAME test.again.dns. -DNSSEC _1225._tcp.danelazy CNAME test.again.dns. -DNSSEC _1225._tcp.danelazy2 CNAME test.again.dns. +; hosts with no TLSA +DNSSEC dane.no.1 A HOSTIPV4 +DNSSEC dane.no.2 A 127.0.0.1 ; ------- Testing delays ------------ 
diff --git a/test/log/5840 b/test/log/5840
index 30bed39fc..7823a2ae9 100644
--- a/test/log/5840
+++ b/test/log/5840
@@ -24,10 +24,23 @@
 1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdanelazy.test.ex
+1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.1.test.ex
+1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.2.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy.test.ex [ip4.ip4.ip4.ip4]: DANE error: tlsa lookup DEFER
-1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER
-1999-03-02 09:44:33 10HmbH-0005vi-00 == CALLER@mxdanelazy.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER
+1999-03-02 09:44:33 10HmbH-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmbH-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+1999-03-02 09:44:33 10HmbH-0005vi-00 => CALLER@mxdanelazy.test.ex R=client T=send_to_server H=danelazy2.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbK-0005vi-00"
+1999-03-02 09:44:33 10HmbH-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbI-0005vi-00 ** CALLER@dane.no.1.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL
+1999-03-02 09:44:33 10HmbL-0005vi-00 <= <> R=10HmbI-0005vi-00 U=EXIMUSER P=local S=sss for CALLER@myhost.test.ex
+1999-03-02 09:44:33 10HmbL-0005vi-00 H=myhost.test.ex [V4NET.10.10.10] Network Error
+1999-03-02 09:44:33 10HmbL-0005vi-00 == CALLER@myhost.test.ex R=client T=send_to_server defer (dd): Network Error
+1999-03-02 09:44:33 10HmbI-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbJ-0005vi-00 
[127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmbJ-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+1999-03-02 09:44:33 10HmbJ-0005vi-00 => CALLER@dane.no.2.test.ex R=client T=send_to_server H=dane.no.2.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbM-0005vi-00"
+1999-03-02 09:44:33 10HmbJ-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 
 ******** SERVER ********
@@ -51,3 +64,9 @@
 1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: R=server
 1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbH-0005vi-00@myhost.test.ex for CALLER@mxdanelazy.test.ex
+1999-03-02 09:44:33 10HmbK-0005vi-00 => :blackhole: R=server
+1999-03-02 09:44:33 10HmbK-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbM-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbJ-0005vi-00@myhost.test.ex for CALLER@dane.no.2.test.ex
+1999-03-02 09:44:33 10HmbM-0005vi-00 => :blackhole: R=server
+1999-03-02 09:44:33 10HmbM-0005vi-00 Completed
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index e031b5d8f..143bf615b 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -55,13 +55,20 @@ exim -DOPT=no_certname -qf killdaemon # # -# A server with two MXs for which both TLSA lookups return defer exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D **** -# TLSA (3 1 2) +# A server with two MXs for which both TLSA lookups return defer exim -odq CALLER@mxdanelazy.test.ex Testing **** +# A server lacking a TLSA, required +exim -odq CALLER@dane.no.1.test.ex +Testing +**** +# A server lacking a TLSA, requested only +exim -odq CALLER@dane.no.2.test.ex +Testing +**** exim -qf **** killdaemon diff --git a/test/src/fakens.c b/test/src/fakens.c index be3a148b8..bb8d4e206 100644 --- a/test/src/fakens.c +++ b/test/src/fakens.c @@ -51,14 +51,14 @@ and the domain is not found. It converts the the result to PASS_ON instead of HOST_NOT_FOUND. Any DNS record line in a zone file can be prefixed with "DELAY=" and -a number of milliseconds (followed by whitespace). +a number of milliseconds (followed by one space). -Any DNS record line in a zone file can be prefixed with "DNSSEC" and -at least one space; if all the records found by a lookup are marked +Any DNS record line in a zone file can be prefixed with "DNSSEC "; +if all the records found by a lookup are marked as such then the response will have the "AD" bit set. -Any DNS record line in a zone file can be prefixed with "AA" and -at least one space; if all the records found by a lookup are marked +Any DNS record line in a zone file can be prefixed with "AA " +if all the records found by a lookup are marked as such then the response will have the "AA" bit set. */ @@ -378,13 +378,13 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL) else if (Ustrncmp(p, US"DELAY=", 6) == 0) /* delay before response */ { for (p += 6; *p >= '0' && *p <= '9'; p++) delay = delay*10 + *p - '0'; - while (isspace(*p)) p++; + if (isspace(*p)) p++; } else break; } - if (!isspace(*p)) + if (!isspace(*p)) /* new domain name */ { uschar *pp = rrdomain; uschar *PP = RRdomain; 
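Review bot: The rewritten header comment in the first fakens.c hunk records the new prefix spacing (`"DNSSEC "`, `"AA "`, one space after `DELAY=`) but not the rule that the second and third hunks now depend on: once exactly one whitespace character has been consumed (`if (isspace(*p)) p++;`), a record whose data still begins with whitespace fails the `if (!isspace(*p)) /* new domain name */` test and falls into the `/* else use previous line's domain name */` path. That makes a second space after a prefix silently change the meaning of a line — the intended owner name is presumably then read as the record type — so I would extend that comment with `A record line that begins with whitespace (after any prefixes) has no domain name of its own and reuses the domain name of the preceding record line; each prefix must be followed by exactly one whitespace character.` The zone file in this commit appears to rely on that continuation form for the owner-less `+DNSSEC MX 2 danelazy2` line, which deserves a comment in db.test.ex too, since a whitespace-normalising editor would break it. The `while (fgets(...))` loop these hunks sit in starts and ends outside the hunks.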
@@ -403,7 +403,7 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL) pp[-1] = 0; PP[-1] = 0; } - } + } /* else use previous line's domain name */ /* Compare domain names; first check for a wildcard */