From: Jeremy Harris
Date: Sun, 7 May 2017 14:37:18 +0000 (+0100)
Subject: Testsuite: add DANE testcase for TLSA lookup SERVFAIL
X-Git-Tag: exim-4_90_RC1~162
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/b7e4352c99fe3dee2af93f06ef0ac74ee355d5ea

Testsuite: add DANE testcase for TLSA lookup SERVFAIL
---
diff --git a/test/confs/5840 b/test/confs/5840
index ac3578dc9..01c114252 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -61,10 +61,10 @@ begin transports
 send_to_server:
 driver = smtp
 allow_localhost
- port = PORT_D
+ port = ${if match {$host}{\Ntest.ex$\N} {PORT_D}{25}}
 hosts_try_dane = *
- hosts_require_dane = !thishost.test.ex
+ hosts_require_dane = HOSTIPV4
 tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
 tls_try_verify_hosts = thishost.test.ex
 tls_verify_certificates = CDIR2/ca_chain.pem
diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex
index 349fbd4d3..50bd6b073 100644
--- a/test/dnszones-src/db.test.ex
+++ b/test/dnszones-src/db.test.ex
@@ -465,6 +465,10 @@ DNSSEC _1225._tcp.danelazy2 CNAME test.again.dns.
 DNSSEC dane.no.1 A HOSTIPV4
 DNSSEC dane.no.2 A 127.0.0.1
+; a broken dane config (or under attack) where the TLSA lookup fails (as opposed to there not being one)
+DNSSEC danebroken1 A 127.0.0.1
+_1225._tcp.danebroken1 CNAME test.fail.dns.
+
 ; ------- Testing delays ------------
 DELAY=500
 delay500 A HOSTIPV4
diff --git a/test/log/5840 b/test/log/5840
index 8d309e088..d02a4c7d7 100644
--- a/test/log/5840
+++ b/test/log/5840
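Review bot: Nothing in the transport records that the 127.0.0.1 targets (dane.no.2 and the new danebroken1) are now covered only by `hosts_try_dane = *`, because `hosts_require_dane` was narrowed to HOSTIPV4, so the new case is really checking that a TLSA lookup SERVFAIL on a try-DANE host still defers rather than continuing as a non-DANE delivery; a later edit could widen or drop that line without noticing what it protects. I would add above `hosts_try_dane = *` the comment `# 127.0.0.1 targets are DANE-try only: a TLSA lookup SERVFAIL must still DEFER, never proceed as if there were no TLSA` (the expected log in this commit shows the DEFER for danebroken1). The `port` expression also deserves one line saying why hosts outside test.ex are sent to the real port 25, and the pattern should be `\Ntest\.ex$\N` so the dot does not match any character. The send_to_server transport may have further options after this hunk.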
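Review bot: The comment on the new danebroken1 records does not say how the failure is produced or why it must differ from the dane.no.1/dane.no.2 cases just above, which is the whole point of the test. I would make it `; TLSA lookup for danebroken1 returns SERVFAIL (CNAME into the fail zone) under a DNSSEC-signed A record: the client must DEFER, not treat this as "no TLSA" and continue without DANE`, and say explicitly that the CNAME line is deliberately left without the DNSSEC prefix if that is intended. That `test.fail.dns.` makes the test resolver return SERVFAIL is inferred from the name and from `test.again.dns.` being used for the defer cases above; please confirm against the fake nameserver.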
@@ -26,6 +26,7 @@
 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdanelazy.test.ex
 1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.1.test.ex
 1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.2.test.ex
+1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken1.test.ex
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy.test.ex [ip4.ip4.ip4.ip4]: DANE error: tlsa lookup DEFER
 1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER
@@ -35,6 +36,8 @@
 1999-03-02 09:44:33 10HmbI-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbJ-0005vi-00 H=dane.no.2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER
 1999-03-02 09:44:33 10HmbJ-0005vi-00 == CALLER@dane.no.2.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER
+1999-03-02 09:44:33 10HmbK-0005vi-00 H=danebroken1.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER
+1999-03-02 09:44:33 10HmbK-0005vi-00 == CALLER@danebroken1.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
 ******** SERVER ********
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index d1da54913..fdff36119 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -61,14 +61,25 @@ exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
 exim -odq CALLER@mxdanelazy.test.ex
 Testing
 ****
-### A server lacking a TLSA, required
+### A server lacking a TLSA, dane required (should fail)
 exim -odq CALLER@dane.no.1.test.ex
 Testing
 ****
-### A server lacking a TLSA, requested only
+### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC)
 exim -odq CALLER@dane.no.2.test.ex
 Testing
 ****
+### A server where the A is dnssec and the TLSA _fails_
+exim -odq CALLER@danebroken1.test.ex
+Testing
+****
# ### A server securely saying "no TLSA records here", dane required (should fail)
# exim -odq CALLER@dane.no.3.test.ex
# Testing
# ### A server securely saying "no TLSA records here", dane requested only (should transmit)
# exim -odq CALLER@dane.no.4.test.ex
# Testing
# ****
 exim -qf
 ****
 killdaemon
diff --git a/test/stderr/5840 b/test/stderr/5840
index e4cf15c51..75f938ab4 100644
--- a/test/stderr/5840
+++ b/test/stderr/5840
@@ -20,10 +20,7 @@
 >>> Attempting full verification using callout
 >>> callout cache: no domain record found for dane256ee.test.ex
 >>> callout cache: no address record found for rcptuser@dane256ee.test.ex
-MUNGED: ::1 will be omitted in what follows
->>> get[host|ipnode]byname[2] looked up these IP addresses:
->>> name=thishost.test.ex address=127.0.0.1
->>> ip4.ip4.ip4.ip4 in hosts_require_dane? yes (end of list)
+>>> ip4.ip4.ip4.ip4 in hosts_require_dane? yes (matched "ip4.ip4.ip4.ip4")
 >>> interface=NULL port=1225
 >>> Connecting to dane256ee.test.ex [ip4.ip4.ip4.ip4]:1225 ... connected
 >>> SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
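Review bot: The dane.no.3 / dane.no.4 cases are added commented out with no explanation, and this commit's db.test.ex hunk adds no zone records for them, so a reader cannot tell whether they are a TODO or a scenario the test harness cannot produce. I would put a comment above the block stating the actual blocker, e.g. `# TODO: needs the test nameserver to return a DNSSEC-signed negative (NODATA) answer for the TLSA name; no dane.no.3/4 zone records yet` — the reason for disabling is my inference, so please confirm it. The dane.no.4 case ("should transmit") is the one that exercises the only legitimate downgrade path, authenticated denial of existence of a TLSA record, so it is worth keeping visible rather than buried in comments. The new danebroken1 header would also read better with the expected outcome spelled out like its neighbours: `### A server where the A is dnssec and the TLSA lookup SERVFAILs (should defer)`.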
@@ -73,8 +70,9 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1]
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
 ### A server with two MXs for which both TLSA lookups return defer
-### A server lacking a TLSA, required
-### A server lacking a TLSA, requested only
+### A server lacking a TLSA, dane required (should fail)
+### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC)
+### A server where the A is dnssec and the TLSA _fails_
 ******** SERVER ********
 ### TLSA (3 1 1)
@@ -84,5 +82,6 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1]
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
 ### A server with two MXs for which both TLSA lookups return defer
-### A server lacking a TLSA, required
-### A server lacking a TLSA, requested only
+### A server lacking a TLSA, dane required (should fail)
+### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC)
+### A server where the A is dnssec and the TLSA _fails_
diff --git a/test/stdout/5840 b/test/stdout/5840
index 1d94564ad..5071e7de5 100644
--- a/test/stdout/5840
+++ b/test/stdout/5840
@@ -14,8 +14,9 @@
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
 ### A server with two MXs for which both TLSA lookups return defer
-### A server lacking a TLSA, required
-### A server lacking a TLSA, requested only
+### A server lacking a TLSA, dane required (should fail)
+### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC)
+### A server where the A is dnssec and the TLSA _fails_
 ******** SERVER ********
 ### TLSA (3 1 1)
@@ -25,5 +26,6 @@
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
 ### A server with two MXs for which both TLSA lookups return defer
-### A server lacking a TLSA, required
-### A server lacking a TLSA, requested only
+### A server lacking a TLSA, dane required (should fail)
+### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC)
+### A server where the A is dnssec and the TLSA _fails_