From: Todd Lyons Date: Wed, 28 May 2014 12:12:00 +0000 (-0700) Subject: Merge tag 'exim-4_82_1' X-Git-Tag: exim-4_83_RC1 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/exim-4_83_RC1?hp=5b7a7c051c9ab9ee7c924a611f90ef2be03e0ad0 Merge tag 'exim-4_82_1' Fix Conflicts: src/src/dmarc.c --- diff --git a/doc/doc-docbook/.gitignore b/doc/doc-docbook/.gitignore index fdcaf8b27..ae93d1875 100644 --- a/doc/doc-docbook/.gitignore +++ b/doc/doc-docbook/.gitignore @@ -6,4 +6,7 @@ spec.txt filter*.xml filter.ps filter.pdf +filter-txt.html +filter.txt local_params +exim.8 diff --git a/doc/doc-docbook/filter.xfpt b/doc/doc-docbook/filter.xfpt index 370ed6e54..8cac5d5c8 100644 --- a/doc/doc-docbook/filter.xfpt +++ b/doc/doc-docbook/filter.xfpt @@ -48,7 +48,7 @@ . Copyright year. Update this (only) when changing content. .macro copyyear -2010 +2014 .endmacro . =========================================================================== diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index c71dfda73..990df6241 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -52,7 +52,7 @@ .set I "    " .macro copyyear -2013 +2014 .endmacro . ///////////////////////////////////////////////////////////////////////////// @@ -553,11 +553,9 @@ key &'0x403043153903637F'&, although that key is expected to be replaced in 2013 A trust path from Nigel's key to Phil's can be observed at &url(https://www.security.spodhuis.org/exim-trustpath). -.new Releases have also been authorized to be performed by Todd Lyons who signs with key &'0xC4F4F94804D29EBA'&. A direct trust path exists between previous RE Phil Pennock and Todd Lyons through a common associate. -.wen The signatures for the tar bundles are in: .display 
@@ -871,14 +869,12 @@ SOFTWARE. .endblockquote .next -.new .cindex "opendmarc" "acknowledgment" The DMARC implementation uses the OpenDMARC library which is Copyrighted by The Trusted Domain Project. Portions of Exim source which use OpenDMARC derived code are indicated in the respective source files. The full OpenDMARC license is provided in the LICENSE.opendmarc file contained in the distributed source code. -.wen .next Many people have contributed code fragments, some large, some small, that were @@ -1382,7 +1378,7 @@ Setting the &%verify%& option actually sets two options, &%verify_sender%& and &%verify_recipient%&, which independently control the use of the router for sender and recipient verification. You can set these options directly if you want a router to be used for only one type of verification. -.new "Note that cutthrough delivery is classed as a recipient verification for this purpose." +Note that cutthrough delivery is classed as a recipient verification for this purpose. .next If the &%address_test%& option is set false, the router is skipped when Exim is run with the &%-bt%& option to test an address routing. This can be helpful @@ -1392,7 +1388,7 @@ having to simulate the effect of the scanner. .next Routers can be designated for use only when verifying an address, as opposed to routing it for delivery. The &%verify_only%& option controls this. -.new "Again, cutthrough delivery counts as a verification." +Again, cutthrough delivery counts as a verification. .next Individual routers can be explicitly skipped when running the routers to check an address given in the SMTP EXPN command (see the &%expn%& option). @@ -2714,14 +2710,12 @@ no arguments. This option is an alias for &%-bV%& and causes version information to be displayed. -.new .vitem &%-Ac%& &&& &%-Am%& .oindex "&%-Ac%&" .oindex "&%-Am%&" These options are used by Sendmail for selecting configuration files and are ignored by Exim. -.wen .vitem &%-B%&<&'type'&> .oindex "&%-B%&" 
@@ -2982,7 +2976,6 @@ use the &'exim_dbmbuild'& utility, or some other means, to rebuild alias files if this is required. If the &%bi_command%& option is not set, calling Exim with &%-bi%& is a no-op. -.new . // Keep :help first, then the rest in alphabetical order .vitem &%-bI:help%& .oindex "&%-bI:help%&" @@ -3008,7 +3001,6 @@ useful for ManageSieve (RFC 5804) implementations, in providing that protocol's &`SIEVE`& capability response line. As the precise list may depend upon compile-time build options, which this option will adapt to, this is the only way to guarantee a correct response. -.wen .vitem &%-bm%& .oindex "&%-bm%&" @@ -3123,11 +3115,9 @@ configuration file is output. If a list of configuration files was supplied, the value that is output here is the name of the file that was actually used. -.new .cindex "options" "hiding name of" If the &%-n%& flag is given, then for most modes of &%-bP%& operation the name will not be output. -.wen .cindex "daemon" "process id (pid)" .cindex "pid (process id)" "of daemon" @@ -3732,7 +3722,6 @@ if &%-f%& is also present, it overrides &"From&~"&. .vitem &%-G%& .oindex "&%-G%&" .cindex "submission fixups, suppressing (command-line)" -.new This option is equivalent to an ACL applying: .code control = suppress_local_fixups @@ -3743,7 +3732,6 @@ in future. As this affects audit information, the caller must be a trusted user to use this option. -.wen .vitem &%-h%&&~<&'number'&> .oindex "&%-h%&" @@ -3761,7 +3749,6 @@ line by itself should not terminate an incoming, non-SMTP message. I can find no documentation for this option in Solaris 2.4 Sendmail, but the &'mailx'& command in Solaris 2.4 uses it. See also &%-ti%&. -.new .vitem &%-L%&&~<&'tag'&> .oindex "&%-L%&" .cindex "syslog" "process name; set with flag" 
@@ -3772,7 +3759,6 @@ read and parsed, to determine access rights, before this is set and takes effect, so early configuration file errors will not honour this flag. The tag should not be longer than 32 characters. -.wen .vitem &%-M%&&~<&'message&~id'&>&~<&'message&~id'&>&~... .oindex "&%-M%&" @@ -4012,13 +3998,11 @@ routing problem. Once &%-N%& has been used for a delivery attempt, it sticks to the message, and applies to any subsequent delivery attempts that may happen for that message. -.new .vitem &%-n%& .oindex "&%-n%&" This option is interpreted by Sendmail to mean &"no aliasing"&. For normal modes of operation, it is ignored by Exim. When combined with &%-bP%& it suppresses the name of an option from being output. -.wen .vitem &%-O%&&~<&'data'&> .oindex "&%-O%&" @@ -4237,6 +4221,20 @@ option sets the IP interface address value. A port number may be included, using the same syntax as for &%-oMa%&. The interface address is placed in &$received_ip_address$& and the port number, if present, in &$received_port$&. +.vitem &%-oMm%&&~<&'message&~reference'&> +.oindex "&%-oMm%&" +.cindex "message reference" "message reference, specifying for local message" +See &%-oMa%& above for general remarks about the &%-oM%& options. The &%-oMm%& +option sets the message reference, e.g. message-id, and is logged during +delivery. This is useful when some kind of audit trail is required to tie +messages together. The format of the message reference is checked and will +abort if the format is invalid. The option will only be accepted if exim is +running in trusted mode, not as any regular user. + +The best example of a message reference is when Exim sends a bounce message. +The message reference is the message-id of the original message for which Exim +is sending the bounce. + .vitem &%-oMr%&&~<&'protocol&~name'&> .oindex "&%-oMr%&" .cindex "protocol, specifying for local message" 
@@ -4638,12 +4636,10 @@ National Language Support extended characters in the body of the mail item"&). It sets &%-x%& when calling the MTA from its &%mail%& command. Exim ignores this option. -.new .vitem &%-X%&&~<&'logfile'&> .oindex "&%-X%&" This option is interpreted by Sendmail to cause debug information to be sent to the named file. It is ignored by Exim. -.wen .endlist .ecindex IIDclo1 @@ -5561,16 +5557,21 @@ unreachable. The next two lines are concerned with &'ident'& callbacks, as defined by RFC 1413 (hence their names): .code -rfc1413_hosts = * -rfc1413_query_timeout = 5s +rfc1413_query_hosts = * +rfc1413_query_timeout = 0s +.endd +These settings cause Exim to avoid ident callbacks for all incoming SMTP calls. +Few hosts offer RFC1413 service these days; calls have to be +terminated by a timeout and this needlessly delays the startup +of an incoming SMTP connection. +If you have hosts for which you trust RFC1413 and need this +information, you can change this. + +This line enables an efficiency SMTP option. It is negociated by clients +and not expected to cause problems but can be disabled if needed. +.code +prdr_enable = true .endd -These settings cause Exim to make ident callbacks for all incoming SMTP calls. -You can limit the hosts to which these calls are made, or change the timeout -that is used. If you set the timeout to zero, all ident calls are disabled. -Although they are cheap and can provide useful information for tracing problem -messages, some hosts and firewalls have problems with ident calls. This can -result in a timeout instead of an immediate refused connection, leading to -delays on starting up an incoming SMTP session. When Exim receives messages over SMTP connections, it expects all addresses to be fully qualified with a domain, as required by the SMTP definition. However, 
@@ -6006,9 +6007,14 @@ One remote transport and four local transports are defined. .code remote_smtp: driver = smtp + hosts_try_prdr = * .endd -This transport is used for delivering messages over SMTP connections. All its -options are defaulted. The list of remote hosts comes from the router. +This transport is used for delivering messages over SMTP connections. +The list of remote hosts comes from the router. +The &%hosts_try_prdr%& option enables an efficiency SMTP option. +It is negotiated between client and server +and not expected to cause problems but can be disabled if needed. +All other options are defaulted. .code local_delivery: driver = appendfile @@ -6858,7 +6864,7 @@ is used on its own as the result. If the lookup does not succeed, the &`fail`& keyword causes a &'forced expansion failure'& &-- see section &<>& for an explanation of what this means. -The supported DNS record types are A, CNAME, MX, NS, PTR, SPF, SRV, and TXT, +The supported DNS record types are A, CNAME, MX, NS, PTR, SPF, SRV, TLSA and TXT, and, when Exim is compiled with IPv6 support, AAAA (and A6 if that is also configured). If no type is given, TXT is assumed. When the type is PTR, the data can be an IP address, written as normal; inversion and the addition of @@ -6949,7 +6955,6 @@ has two space-separated fields: an authorization code and a target host name. The authorization code can be &"Y"& for yes, &"N"& for no, &"X"& for explicit authorization required but absent, or &"?"& for unknown. -.new .cindex "A+" "in &(dnsdb)& lookup" The pseudo-type A+ performs an A6 lookup (if configured) followed by an AAAA and then an A lookup. All results are returned; defer processing @@ -6957,7 +6962,6 @@ and then an A lookup. All results are returned; defer processing .code ${lookup dnsdb {>; a+=$sender_helo_name}} .endd -.wen .section "Multiple dnsdb lookups" "SECID67" 
@@ -6979,11 +6983,16 @@ The data from each lookup is concatenated, with newline separators by default, in the same way that multiple DNS records for a single item are handled. A different separator can be specified, as described above. +Modifiers for &(dnsdb)& lookups are givien by optional keywords, +each followed by a comma, +that may appear before the record type. + The &(dnsdb)& lookup fails only if all the DNS lookups fail. If there is a temporary DNS error for any of them, the behaviour is controlled by -an optional keyword followed by a comma that may appear before the record -type. The possible keywords are &"defer_strict"&, &"defer_never"&, and -&"defer_lax"&. With &"strict"& behaviour, any temporary DNS error causes the +a defer-option modifier. +The possible keywords are +&"defer_strict"&, &"defer_never"&, and &"defer_lax"&. +With &"strict"& behaviour, any temporary DNS error causes the whole lookup to defer. With &"never"& behaviour, a temporary DNS error is ignored, and the behaviour is as if the DNS lookup failed to find anything. With &"lax"& behaviour, all the queries are attempted, but a temporary DNS @@ -6996,6 +7005,21 @@ ${lookup dnsdb{a=one.host.com:two.host.com}} Thus, in the default case, as long as at least one of the DNS lookups yields some data, the lookup succeeds. +.new +.cindex "DNSSEC" "dns lookup" +Use of &(DNSSEC)& is controlled by a dnssec modifier. +The possible keywords are +&"dnssec_strict"&, &"dnssec_lax"&, and &"dnssec_never"&. +With &"strict"& or &"lax"& DNSSEC information is requested +with the lookup. +With &"strict"& a response from the DNS resolver that +is not labelled as authenticated data +is treated as equivalent to a temporary DNS error. +The default is &"never"&. + +See also the &$lookup_dnssec_authenticated$& variable. +.wen + 
@@ -7060,6 +7084,18 @@ With sufficiently modern LDAP libraries, Exim supports forcing TLS over regular LDAP connections, rather than the SSL-on-connect &`ldaps`&. See the &%ldap_start_tls%& option. +.new +Starting with Exim 4.83, the initialization of LDAP with TLS is more tightly +controlled. Every part of the TLS configuration can be configured by settings in +&_exim.conf_&. Depending on the version of the client libraries installed on +your system, some of the initialization may have required setting options in +&_/etc/ldap.conf_& or &_~/.ldaprc_& to get TLS working with self-signed +certificates. This revealed a nuance where the current UID that exim was +running as could affect which config files it read. With Exim 4.83, these +methods become optional, only taking effect if not specifically set in +&_exim.conf_&. +.wen + .section "LDAP quoting" "SECID68" .cindex "LDAP" "quoting" @@ -7206,6 +7242,9 @@ them. The following names are recognized: &`USER `& set the DN, for authenticating the LDAP bind &`PASS `& set the password, likewise &`REFERRALS `& set the referrals parameter +.new +&`SERVERS `& set alternate server list for this query only +.wen &`SIZE `& set the limit for the number of entries returned &`TIME `& set the maximum waiting time for a query .endd 
@@ -7227,6 +7266,15 @@ Netscape SDK; for OpenLDAP no action is taken. The TIME parameter (also a number of seconds) is passed to the server to set a server-side limit on the time taken to complete a search. +.new +The SERVERS parameter allows you to specify an alternate list of ldap servers +to use for an individual lookup. The global ldap_servers option provides a +default list of ldap servers, and a single lookup can specify a single ldap +server to use. But when you need to do a lookup with a list of servers that is +different than the default list (maybe different order, maybe a completely +different set of servers), the SERVERS parameter allows you to specify this +alternate list. +.wen Here is an example of an LDAP query in an Exim lookup that uses some of these values. This is a single line, folded to fit on the page: @@ -8307,7 +8355,13 @@ list. The effect of each one lasts until the next, or until the end of the list. .new -To explain the host/ip processing logic a different way for the same ACL: +.section "Mixing wildcarded host names and addresses in host lists" &&& + "SECTmixwilhos" +.cindex "host list" "mixing names and addresses in" + +This section explains the host/ip processing logic with the same concepts +as the previous section, but specifically addresses what happens when a +wildcarded hostname is one of the items in the hostlist. .ilist If you have name lookups or wildcarded host names and @@ -8339,7 +8393,6 @@ this section. .wen - .section "Temporary DNS errors when looking up host information" &&& "SECTtemdnserr" .cindex "host" "lookup failures, temporary" 
@@ -8409,33 +8462,6 @@ See section &<>&.) -.section "Mixing wildcarded host names and addresses in host lists" &&& - "SECTmixwilhos" -.cindex "host list" "mixing names and addresses in" -If you have name lookups or wildcarded host names and IP addresses in the same -host list, you should normally put the IP addresses first. For example, in an -ACL you could have: -.code -accept hosts = 10.9.8.7 : *.friend.example -.endd -The reason for this lies in the left-to-right way that Exim processes lists. -It can test IP addresses without doing any DNS lookups, but when it reaches an -item that requires a host name, it fails if it cannot find a host name to -compare with the pattern. If the above list is given in the opposite order, the -&%accept%& statement fails for a host whose name cannot be found, even if its -IP address is 10.9.8.7. - -If you really do want to do the name check first, and still recognize the IP -address, you can rewrite the ACL like this: -.code -accept hosts = *.friend.example -accept hosts = 10.9.8.7 -.endd -If the first &%accept%& fails, Exim goes on to try the second one. See chapter -&<>& for details of ACLs. - - - .section "Address lists" "SECTaddresslist" @@ -8843,7 +8869,6 @@ This item inserts &"basic"& header lines. It is described with the &%header%& expansion item below. -.new .vitem "&*${acl{*&<&'name'&>&*}{*&<&'arg'&>&*}...}*&" .cindex "expansion" "calling an acl" .cindex "&%acl%&" "call from expansion" 
@@ -8858,9 +8883,73 @@ the result of the expansion. If no message is set and the ACL returns accept or deny the expansion result is an empty string. If the ACL returns defer the result is a forced-fail. Otherwise the expansion fails. -.wen +.new +.vitem "&*${certextract{*&<&'field'&>&*}{*&<&'certificate'&>&*}&&& + {*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&" +.cindex "expansion" "extracting cerificate fields" +.cindex "&%certextract%&" "certificate fields" +.cindex "certificate" "extracting fields" +The <&'certificate'&> must be a variable of type certificate. +The field name is expanded and used to retrive the relevant field from +the certificate. Supported fields are: +.display +&`version `& +&`serial_number `& +&`subject `& RFC4514 DN +&`issuer `& RFC4514 DN +&`notbefore `& time +&`notafter `& time +&`sig_algorithm `& +&`signature `& +&`subj_altname `& tagged list +&`ocsp_uri `& list +&`crl_uri `& list +.endd +If the field is found, +<&'string2'&> is expanded, and replaces the whole item; +otherwise <&'string3'&> is used. During the expansion of <&'string2'&> the +variable &$value$& contains the value that has been extracted. Afterwards, it +is restored to any previous value it might have had. + +If {<&'string3'&>} is omitted, the item is replaced by an empty string if the +key is not found. If {<&'string2'&>} is also omitted, the value that was +extracted is used. + +Some field names take optional modifiers, appended and separated by commas. + +The field selectors marked as "RFC4514" above +output a Distinguished Name string which is +not quite +parseable by Exim as a comma-separated tagged list +(the exceptions being elements containin commas). +RDN elements of a single type may be selected by +a modifier of the type label; if so the expansion +result is a list (newline-separated by default). +The separator may be changed by another modifer of +a right angle-bracket followed immediately by the new separator. 
+Recognised RDN type labels include "CN", "O", "OU" and "DC". + +The field selectors marked as "time" above +may output a number of seconds since epoch +if the modifier "int" is used. + +The field selectors marked as "list" above return a list, +newline-separated by default, +(embedded separator characters in elements are doubled). +The separator may be changed by a modifier of +a right angle-bracket followed immediately by the new separator. + +The field selectors marked as "tagged" above +prefix each list element with a type string and an equals sign. +Elements of only one type may be selected by a modifier +which is one of "dns", "uri" or "mail"; +if so the elenment tags are omitted. + +If not otherwise noted field values are presented in human-readable form. +.wen + .vitem "&*${dlfunc{*&<&'file'&>&*}{*&<&'function'&>&*}{*&<&'arg'&>&*}&&& {*&<&'arg'&>&*}...}*&" .cindex &%dlfunc%& 
@@ -9193,6 +9282,44 @@ of <&'string2'&>, whichever is the shorter. Do not confuse &%length%& with &%strlen%&, which gives the length of a string. +.vitem "&*${listextract{*&<&'number'&>&*}&&& + {*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&" +.cindex "expansion" "extracting list elements by number" +.cindex "&%listextract%&" "extract list elements by number" +.cindex "list" "extracting elements by number" +The <&'number'&> argument must consist entirely of decimal digits, +apart from an optional leading minus, +and leading and trailing white space (which is ignored). + +After expansion, <&'string1'&> is interpreted as a list, colon-separated by +default, but the separator can be changed in the usual way. + +The first field of the list is numbered one. +If the number is negative, the fields are +counted from the end of the list, with the rightmost one numbered -1. +The numbered element of the list is extracted and placed in &$value$&, +then <&'string2'&> is expanded as the result. + +If the modulus of the +number is zero or greater than the number of fields in the string, +the result is the expansion of <&'string3'&>. + +For example: +.code +${listextract{2}{x:42:99}} +.endd +yields &"42"&, and +.code +${listextract{-3}{<, x,42,99,& Mailer,,/bin/bash}{result: $value}} +.endd +yields &"result: 99"&. + +If {<&'string3'&>} is omitted, an empty string is used for string3. +If {<&'string2'&>} is also omitted, the value that was +extracted is used. +You can use &`fail`& instead of {<&'string3'&>} as in a string extract. + + .vitem "&*${lookup{*&<&'key'&>&*}&~*&<&'search&~type'&>&*&~&&& {*&<&'file'&>&*}&~{*&<&'string1'&>&*}&~{*&<&'string2'&>&*}}*&" This is the first of one of two different types of lookup item, which are both 
@@ -9491,7 +9618,6 @@ can be the word &"fail"& (not in braces) to force expansion failure if the command does not succeed. If both strings are omitted, the result is contents of the standard output/error on success, and nothing on failure. -.new .vindex "&$run_in_acl$&" The standard output/error of the command is put in the variable &$value$&. In this ACL example, the output of a command is logged for the admin to @@ -9505,7 +9631,6 @@ shell must be invoked directly, such as with: .code ${run{/bin/bash -c "/usr/bin/id >/tmp/id"}{yes}{yes}} .endd -.wen .vindex "&$runrc$&" The return code from the command is put in the variable &$runrc$&, and this @@ -9667,7 +9792,6 @@ expansion item, which extracts the working address from a single RFC2822 address. See the &*filter*&, &*map*&, and &*reduce*& items for ways of processing lists. -.new To clarify "list of addresses in RFC 2822 format" mentioned above, Exim follows a strict interpretation of header line formatting. Exim parses the bare, unquoted portion of an email address and if it finds a comma, treats it as an @@ -9691,7 +9815,6 @@ Last:user@example.com # exim -be '${addresses:From: "Last, First" }' user@example.com .endd -.wen .vitem &*${base62:*&<&'digits'&>&*}*& .cindex "&%base62%& expansion item" @@ -9847,7 +9970,6 @@ be useful for processing the output of the MD5 and SHA-1 hashing functions. -.new .vitem &*${hexquote:*&<&'string'&>&*}*& .cindex "quoting" "hex-encoded unprintable characters" .cindex "&%hexquote%& expansion item" @@ -9855,7 +9977,6 @@ This operator converts non-printable characters in a string into a hex escape form. Byte values between 33 (!) and 126 (~) inclusive are left as is, and other byte values are converted to &`\xNN`&, for example a byte value 127 is converted to &`\x7f`&. -.wen .vitem &*${lc:*&<&'string'&>&*}*& 
@@ -9883,7 +10004,6 @@ See the description of the general &%length%& item above for details. Note that when &%length%& is used as an operator. -.new .vitem &*${listcount:*&<&'string'&>&*}*& .cindex "expansion" "list item count" .cindex "list" "item count" @@ -9901,7 +10021,6 @@ If the optional type is given it must be one of "a", "d", "h" or "l" and selects address-, domain-, host- or localpart- lists to search among respectively. Otherwise all types are searched in an undefined order and the first matching list is returned. -.wen .vitem &*${local_part:*&<&'string'&>&*}*& @@ -9943,6 +10062,7 @@ Letters in IPv6 addresses are always output in lower case. .vitem &*${md5:*&<&'string'&>&*}*& .cindex "MD5 hash" .cindex "expansion" "MD5 hash" +.cindex "certificate fingerprint" .cindex "&%md5%& expansion item" The &%md5%& operator computes the MD5 hash value of the string, and returns it as a 32-digit hexadecimal number, in which any letters are in lower case. @@ -10080,11 +10200,24 @@ variables or headers inside regular expressions. .vitem &*${sha1:*&<&'string'&>&*}*& .cindex "SHA-1 hash" .cindex "expansion" "SHA-1 hashing" +.cindex "certificate fingerprint" .cindex "&%sha2%& expansion item" The &%sha1%& operator computes the SHA-1 hash value of the string, and returns it as a 40-digit hexadecimal number, in which any letters are in upper case. +.vitem &*${sha256:*&<&'certificate'&>&*}*& +.cindex "SHA-256 hash" +.cindex "certificate fingerprint" +.cindex "expansion" "SHA-256 hashing" +.cindex "&%sha256%& expansion item" +The &%sha256%& operator computes the SHA-256 hash fingerprint of the +certificate, +and returns +it as a 64-digit hexadecimal number, in which any letters are in upper case. +Only arguments which are a single variable of certificate type are supported. + + .vitem &*${stat:*&<&'string'&>&*}*& .cindex "expansion" "statting a file" .cindex "file" "extracting characteristics" 
@@ -10153,6 +10286,14 @@ number of larger units and output in Exim's normal time format, for example, .cindex "expansion" "case forcing" .cindex "&%uc%& expansion item" This forces the letters in the string into upper-case. + +.vitem &*${utf8clean:*&<&'string'&>&*}*& +.cindex "correction of invalid utf-8 sequences in strings" +.cindex "utf-8" "utf-8 sequences" +.cindex "incorrect utf-8" +.cindex "expansion" "utf-8 forcing" +.cindex "&%utf8clean%& expansion item" +This replaces any invalid utf-8 sequence in the string by the character &`?`&. .endlist @@ -10201,7 +10342,6 @@ In all cases, a relative comparator OP is testing if <&'string1'&> OP 10M, not if 10M is larger than &$message_size$&. -.new .vitem &*acl&~{{*&<&'name'&>&*}{*&<&'arg1'&>&*}&&& {*&<&'arg2'&>&*}...}*& .cindex "expansion" "calling an acl" @@ -10216,14 +10356,13 @@ a value using a "message =" modifier the variable $value becomes the result of the expansion, otherwise it is empty. If the ACL returns accept the condition is true; if deny, false. If the ACL returns defer the result is a forced-fail. -.wen .vitem &*bool&~{*&<&'string'&>&*}*& .cindex "expansion" "boolean parsing" .cindex "&%bool%& expansion condition" This condition turns a string holding a true or false representation into a boolean state. It parses &"true"&, &"false"&, &"yes"& and &"no"& -(case-insensitively); also positive integer numbers map to true if non-zero, +(case-insensitively); also integer numbers map to true if non-zero, false if zero. An empty string is treated as false. Leading and trailing whitespace is ignored; 
@@ -10412,7 +10551,7 @@ ${if forany{<, $recipients}{match{$item}{^user3@}}{yes}{no}} The value of &$item$& is saved and restored while &*forany*& or &*forall*& is being processed, to enable these expansion items to be nested. -.new "To scan a named list, expand it with the &*listnamed*& operator." +To scan a named list, expand it with the &*listnamed*& operator. .vitem &*ge&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*& &&& @@ -10957,7 +11096,6 @@ the value of &$authenticated_id$& is normally the login name of the calling process. However, a trusted user can override this by means of the &%-oMai%& command line option. -.new .vitem &$authenticated_fail_id$& .cindex "authentication" "fail" "id" .vindex "&$authenticated_fail_id$&" @@ -10968,7 +11106,6 @@ available for processing in the ACL's, generally the quit or notquit ACL. A message to a local recipient could still be accepted without requiring authentication, which means this variable could also be visible in all of the ACL's as well. -.wen .vitem &$authenticated_sender$& @@ -11181,13 +11318,11 @@ inserting the message header line with the given name. Note that the name must be terminated by colon or white space, because it may contain a wide variety of characters. Note also that braces must &'not'& be used. -.new .vitem &$headers_added$& .vindex "&$headers_added$&" Within an ACL this variable contains the headers added so far by the ACL modifier add_header (section &<>&). The headers are a newline-separated list. -.wen .vitem &$home$& .vindex "&$home$&" 
@@ -11421,6 +11556,16 @@ ability to find the amount of free space (only true for experimental systems), the space value is -1. See also the &%check_log_space%& option. +.new +.vitem &$lookup_dnssec_authenticated$& +.vindex "&$lookup_dnssec_authenticated$&" +This variable is set after a DNS lookup done by +a dnsdb lookup expansion, dnslookup router or smtp transport. +It will be empty if &(DNSSEC)& was not requested, +&"no"& if the result was not labelled as authenticated data +and &"yes"& if it was. +.wen + .vitem &$mailstore_basename$& .vindex "&$mailstore_basename$&" This variable is set only when doing deliveries in &"mailstore"& format in the @@ -11859,13 +12004,11 @@ envelope sender. .vindex "&$return_size_limit$&" This is an obsolete name for &$bounce_return_size_limit$&. -.new .vitem &$router_name$& .cindex "router" "name" .cindex "name" "of router" .vindex "&$router_name$&" During the running of a router this variable contains its name. -.wen .vitem &$runrc$& .cindex "return code" "from &%run%& expansion" @@ -11958,7 +12101,6 @@ driver that successfully authenticated the client from which the message was received. It is empty if there was no successful authentication. See also &$authenticated_id$&. -.new .vitem &$sender_host_dnssec$& .vindex "&$sender_host_dnssec$&" If &$sender_host_name$& has been populated (by reference, &%hosts_lookup%& or @@ -11969,7 +12111,7 @@ other times, this variable is false. It is likely that you will need to coerce DNSSEC support on in the resolver library, by setting: .code -dns_use_dnssec = 1 +dns_dnssec_ok = 1 .endd Exim does not perform DNSSEC validation itself, instead leaving that to a @@ -11980,7 +12122,6 @@ with DNSSEC, only the reverse DNS. If you have changed &%host_lookup_order%& so that &`bydns`& is not the first mechanism in the list, then this variable will be false. -.wen .vitem &$sender_host_name$& 
@@ -12181,7 +12322,6 @@ command in a filter file. Its use is explained in the description of that command, which can be found in the separate document entitled &'Exim's interfaces to mail filtering'&. -.new .vitem &$tls_in_bits$& .vindex "&$tls_in_bits$&" Contains an approximation of the TLS cipher's bit-strength @@ -12202,6 +12342,44 @@ on an outbound SMTP connection; the meaning of this depends upon the TLS implementation used. If TLS has not been negotiated, the value will be 0. +.new +.vitem &$tls_in_ourcert$& +.vindex "&$tls_in_ourcert$&" +This variable refers to the certificate presented to the peer of an +inbound connection when the message was received. +It is only useful as the argument of a +&%certextract%& expansion item, &%md5%& or &%sha1%& operator, +or a &%def%& condition. +.wen + +.new +.vitem &$tls_in_peercert$& +.vindex "&$tls_in_peercert$&" +This variable refers to the certificate presented by the peer of an +inbound connection when the message was received. +It is only useful as the argument of a +&%certextract%& expansion item, &%md5%& or &%sha1%& operator, +or a &%def%& condition. +.wen + +.new +.vitem &$tls_out_ourcert$& +.vindex "&$tls_out_ourcert$&" +This variable refers to the certificate presented to the peer of an +outbound connection. It is only useful as the argument of a +&%certextract%& expansion item, &%md5%& or &%sha1%& operator, +or a &%def%& condition. +.wen + +.new +.vitem &$tls_out_peercert$& +.vindex "&$tls_out_peercert$&" +This variable refers to the certificate presented by the peer of an +outbound connection. It is only useful as the argument of a +&%certextract%& expansion item, &%md5%& or &%sha1%& operator, +or a &%def%& condition. +.wen + .vitem &$tls_in_certificate_verified$& .vindex "&$tls_in_certificate_verified$&" This variable is set to &"1"& if a TLS certificate was verified when the 
@@ -12280,7 +12458,6 @@ the outbound. During outbound SMTP deliveries, this variable reflects the value of the &%tls_sni%& option on the transport. -.wen .vitem &$tod_bsdinbox$& .vindex "&$tod_bsdinbox$&" @@ -12323,13 +12500,11 @@ This variable contains the numerical value of the local timezone, for example: This variable contains the UTC date and time in &"Zulu"& format, as specified by ISO 8601, for example: 20030221154023Z. -.new .vitem &$transport_name$& .cindex "transport" "name" .cindex "name" "of transport" .vindex "&$transport_name$&" During the running of a transport, this variable contains its name. -.wen .vitem &$value$& .vindex "&$value$&" @@ -12986,6 +13161,7 @@ listed in more than one group. .row &%acl_smtp_auth%& "ACL for AUTH" .row &%acl_smtp_connect%& "ACL for connection" .row &%acl_smtp_data%& "ACL for DATA" +.row &%acl_smtp_data_prdr%& "ACL for DATA, per-recipient" .row &%acl_smtp_dkim%& "ACL for DKIM verification" .row &%acl_smtp_etrn%& "ACL for ETRN" .row &%acl_smtp_expn%& "ACL for EXPN" @@ -13046,6 +13222,7 @@ listed in more than one group. .row &%tls_crl%& "certificate revocation list" .row &%tls_dh_max_bits%& "clamp D-H bit count suggestion" .row &%tls_dhparam%& "DH parameters for server" +.row &%tls_ocsp_file%& "location of server certificate status proof" .row &%tls_on_connect_ports%& "specify SSMTP (SMTPS) ports" .row &%tls_privatekey%& "location of server private key" .row &%tls_remember_esmtp%& "don't reset after starting TLS" @@ -13141,6 +13318,7 @@ See also the &'Policy controls'& section above. .row &%ignore_fromline_hosts%& "allow &""From ""& from these hosts" .row &%ignore_fromline_local%& "allow &""From ""& from local SMTP" .row &%pipelining_advertise_hosts%& "advertise pipelining to these hosts" +.row &%prdr_enable%& "advertise PRDR to all hosts" .row &%tls_advertise_hosts%& "advertise TLS to these hosts" .endtable 
@@ -13186,10 +13364,10 @@ See also the &'Policy controls'& section above. .row &%disable_ipv6%& "do no IPv6 processing" .row &%dns_again_means_nonexist%& "for broken domains" .row &%dns_check_names_pattern%& "pre-DNS syntax check" +.row &%dns_dnssec_ok%& "parameter for resolver" .row &%dns_ipv4_lookup%& "only v4 lookup for these domains" .row &%dns_retrans%& "parameter for resolver" .row &%dns_retry%& "parameter for resolver" -.row &%dns_use_dnssec%& "parameter for resolver" .row &%dns_use_edns0%& "parameter for resolver" .row &%hold_domains%& "hold delivery for these domains" .row &%local_interfaces%& "for routing checks" @@ -13252,12 +13430,10 @@ A more detailed analysis of the issues is provided by Dan Bernstein: &url(http://cr.yp.to/smtp/8bitmime.html) .endd -.new To log received 8BITMIME status use .code log_selector = +8bitmime .endd -.wen .option acl_not_smtp main string&!! unset .cindex "&ACL;" "for non-SMTP messages" @@ -13294,6 +13470,16 @@ This option defines the ACL that is run after an SMTP DATA command has been processed and the message itself has been received, but before the final acknowledgment is sent. See chapter &<>& for further details. +.option acl_smtp_data_prdr main string&!! unset +.cindex "DATA" "ACL for" +.cindex "&ACL;" "PRDR-related" +.cindex "&ACL;" "per-user data processing" +This option defines the ACL that, +if the PRDR feature has been negotiated, +is run for each recipient after an SMTP DATA command has been +processed and the message itself has been received, but before the +acknowledgment is sent. See chapter &<>& for further details. + .option acl_smtp_etrn main string&!! unset .cindex "ETRN" "ACL for" This option defines the ACL that is run when an SMTP ETRN command is 
@@ -13688,6 +13874,9 @@ a very large time at the end of the list. For example: .code delay_warning = 2h:12h:99d .endd +Note that the option is only evaluated at the time a delivery attempt fails, +which depends on retry and queue-runner configuration. +Typically retries will be configured more frequently than warning messages. .option delay_warning_condition main string&!! "see below" .vindex "&$domain$&" @@ -13809,6 +13998,17 @@ This option controls whether or not an IP address, given as a CSA domain, is reversed and looked up in the reverse DNS, as described in more detail in section &<>&. + +.option dns_dnssec_ok main integer -1 +.cindex "DNS" "resolver options" +.cindex "DNS" "DNSSEC" +If this option is set to a non-negative number then Exim will initialise the +DNS resolver library to either use or not use DNSSEC, overriding the system +default. A value of 0 coerces DNSSEC off, a value of 1 coerces DNSSEC on. + +If the resolver library does not support DNSSEC then this option has no effect. + + .option dns_ipv4_lookup main "domain list&!!" unset .cindex "IPv6" "DNS lookup for AAAA records" .cindex "DNS" "IPv6 lookup for AAAA records" @@ -13839,18 +14039,6 @@ to set in them. See &%dns_retrans%& above. -.new -.option dns_use_dnssec main integer -1 -.cindex "DNS" "resolver options" -.cindex "DNS" "DNSSEC" -If this option is set to a non-negative number then Exim will initialise the -DNS resolver library to either use or not use DNSSEC, overriding the system -default. A value of 0 coerces DNSSEC off, a value of 1 coerces DNSSEC on. - -If the resolver library does not support DNSSEC then this option has no effect. -.wen - - .option dns_use_edns0 main integer -1 .cindex "DNS" "resolver options" .cindex "DNS" "EDNS0" 
@@ -14076,7 +14264,6 @@ server. This reduces security slightly, but improves interworking with older implementations of TLS. -.new option gnutls_allow_auto_pkcs11 main boolean unset This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with the p11-kit configuration files in &_/etc/pkcs11/modules/_&. @@ -14084,7 +14271,6 @@ the p11-kit configuration files in &_/etc/pkcs11/modules/_&. See &url(http://www.gnutls.org/manual/gnutls.html#Smart-cards-and-HSMs) for documentation. -.wen @@ -14838,9 +15024,7 @@ Possible options may include: .next &`no_tlsv1_2`& .next -.new &`safari_ecdhe_ecdsa_bug`& -.wen .next &`single_dh_use`& .next @@ -14857,14 +15041,12 @@ Possible options may include: &`tls_rollback_bug`& .endlist -.new As an aside, the &`safari_ecdhe_ecdsa_bug`& item is a misnomer and affects all clients connecting using the MacOS SecureTransport TLS facility prior to MacOS 10.8.4, including email clients. If you see old MacOS clients failing to negotiate TLS then this option value might help, provided that your OpenSSL release is new enough to contain this work-around. This may be a situation where you have to upgrade OpenSSL to get buggy clients working. -.wen .option oracle_servers main "string list" unset 
@@ -14940,6 +15122,15 @@ that clients will use it; &"out of order"& commands that are &"expected"& do not count as protocol errors (see &%smtp_max_synprot_errors%&). +.option prdr_enable main boolean false +.cindex "PRDR" "enabling on server" +This option can be used to enable the Per-Recipient Data Response extension +to SMTP, defined by Eric Hall. +If the option is set, PRDR is advertised by Exim when operating as a server. +If the client requests PRDR, and more than one recipient, for a message +an additional ACL is called for each recipient after the message content +is recieved. See section &<>&. + .option preserve_message_logs main boolean false .cindex "message logs" "preserving" If this option is set, message log files are not deleted when messages are @@ -16135,7 +16326,6 @@ The available primes are: Some of these will be too small to be accepted by clients. Some may be too large to be accepted by clients. -.new The TLS protocol does not negotiate an acceptable size for this; clients tend to hard-drop connections if what is offered by the server is unacceptable, whether too large or too small, and there's no provision for the client to @@ -16150,7 +16340,13 @@ used to set its &`DH_MAX_P_BITS`& upper-bound to 2236. This affects many mail user agents (MUAs). The lower bound comes from Debian installs of Exim4 prior to the 4.80 release, as Debian used to patch Exim to raise the minimum acceptable bound from 1024 to 2048. -.wen + + +.option tls_ocsp_file main string&!! unset +This option +must if set expand to the absolute path to a file which contains a current +status proof for the server's certificate, as obtained from the +Certificate Authority. .option tls_on_connect_ports main "string list" unset 
@@ -16219,10 +16415,8 @@ use OpenSSL with a directory. See &<>& for discussion of when this option might be re-expanded. -.new A forced expansion failure or setting to an empty string is equivalent to being unset. -.wen .option tls_verify_hosts main "host list&!!" unset @@ -16745,11 +16939,12 @@ and the discussion in chapter &<>&. -.option headers_add routers string&!! unset +.option headers_add routers list&!! unset .cindex "header lines" "adding" .cindex "router" "adding header lines" -This option specifies a string of text that is expanded at routing time, and -associated with any addresses that are accepted by the router. However, this +This option specifies a list of text headers, newline-separated, +that is associated with any addresses that are accepted by the router. +Each item is separately expanded, at routing time. However, this option has no effect when an address is just being verified. The way in which the text is used to add header lines at transport time is described in section &<>&. New header lines are not actually added until the @@ -16758,14 +16953,12 @@ header lines in string expansions in the transport's configuration do not &"see"& the added header lines. The &%headers_add%& option is expanded after &%errors_to%&, but before -&%headers_remove%& and &%transport%&. If the expanded string is empty, or if -the expansion is forced to fail, the option has no effect. Other expansion +&%headers_remove%& and &%transport%&. If an item is empty, or if +an item expansion is forced to fail, the item has no effect. Other expansion failures are treated as configuration errors. -.new Unlike most options, &%headers_add%& can be specified multiple times for a router; all listed headers are added. -.wen &*Warning 1*&: The &%headers_add%& option cannot be used for a &(redirect)& router that has the &%one_time%& option set. 
@@ -16783,11 +16976,12 @@ avoided. The &%repeat_use%& option of the &%redirect%& router may be of help. -.option headers_remove routers string&!! unset +.option headers_remove routers list&!! unset .cindex "header lines" "removing" .cindex "router" "removing header lines" -This option specifies a string of text that is expanded at routing time, and -associated with any addresses that are accepted by the router. However, this +This option specifies a list of text headers, colon-separated, +that is associated with any addresses that are accepted by the router. +Each item is separately expanded, at routing time. However, this option has no effect when an address is just being verified. The way in which the text is used to remove header lines at transport time is described in section &<>&. Header lines are not actually removed until @@ -16796,8 +16990,8 @@ to header lines in string expansions in the transport's configuration still &"see"& the original header lines. The &%headers_remove%& option is expanded after &%errors_to%& and -&%headers_add%&, but before &%transport%&. If the expansion is forced to fail, -the option has no effect. Other expansion failures are treated as configuration +&%headers_add%&, but before &%transport%&. If an item expansion is forced to fail, +the item has no effect. Other expansion failures are treated as configuration errors. Unlike most options, &%headers_remove%& can be specified multiple times @@ -17440,7 +17634,7 @@ Setting this option has the effect of setting &%verify_sender%& and .oindex "&%-bv%&" .cindex "router" "used only when verifying" If this option is set, the router is used only when verifying an address, -.new "delivering in cutthrough mode or" +delivering in cutthrough mode or testing with the &%-bv%& option, not when actually doing a delivery, testing with the &%-bt%& option, or running the SMTP EXPN command. It can be further restricted to verifying only senders or recipients by means of 
@@ -17640,6 +17834,33 @@ when there is a DNS lookup error. +.new +.option dnssec_request_domains dnslookup "domain list&!!" unset +.cindex "MX record" "security" +.cindex "DNSSEC" "MX lookup" +.cindex "security" "MX lookup" +.cindex "DNS" "DNSSEC" +DNS lookups for domains matching &%dnssec_request_domains%& will be done with +the dnssec request bit set. +This applies to all of the SRV, MX A6, AAAA, A lookup sequence. +.wen + + + +.new +.option dnssec_require_domains dnslookup "domain list&!!" unset +.cindex "MX record" "security" +.cindex "DNSSEC" "MX lookup" +.cindex "security" "MX lookup" +.cindex "DNS" "DNSSEC" +DNS lookups for domains matching &%dnssec_request_domains%& will be done with +the dnssec request bit set. Any returns not having the Authenticated Data bit +(AD bit) set wil be ignored and logged as a host-lookup failure. +This applies to all of the SRV, MX A6, AAAA, A lookup sequence. +.wen + + + .option mx_domains dnslookup "domain list&!!" unset .cindex "MX record" "required to exist" .cindex "SRV record" "required to exist" @@ -18811,7 +19032,6 @@ quote just the command. An item such as .endd is interpreted as a pipe with a rather strange command name, and no arguments. -.new Note that the above example assumes that the text comes from a lookup source of some sort, so that the quotes are part of the data. If composing a redirect router with a &%data%& option directly specifying this command, the @@ -18821,7 +19041,6 @@ are two main approaches to get around this: escape quotes to be part of the data itself, or avoid using this mechanism and instead create a custom transport with the &%command%& option set and reference that transport from an &%accept%& router. -.wen .next .cindex "file" "in redirection list" 
@@ -19763,10 +19982,8 @@ so on when debugging driver configurations. For example, if a &%headers_add%& option is not working properly, &%debug_print%& could be used to output the variables it references. A newline is added to the text if it does not end with one. -.new The variables &$transport_name$& and &$router_name$& contain the name of the transport and the router that called it. -.wen .option delivery_date_add transports boolean false .cindex "&'Delivery-date:'& header line" @@ -19801,20 +20018,19 @@ value that the router supplies, and also overriding any value associated with &%user%& (see below). -.option headers_add transports string&!! unset +.option headers_add transports list&!! unset .cindex "header lines" "adding in transport" .cindex "transport" "header lines; adding" -This option specifies a string of text that is expanded and added to the header +This option specifies a list of text headers, newline-separated, +which are (separately) expanded and added to the header portion of a message as it is transported, as described in section &<>&. Additional header lines can also be specified by routers. If the result of the expansion is an empty string, or if the expansion is forced to fail, no action is taken. Other expansion failures are treated as errors and cause the delivery to be deferred. -.new Unlike most options, &%headers_add%& can be specified multiple times for a transport; all listed headers are added. -.wen .option headers_only transports boolean false 
@@ -19827,18 +20043,20 @@ transports, the settings of &%message_prefix%& and &%message_suffix%& should be checked, since this option does not automatically suppress them. -.option headers_remove transports string&!! unset +.option headers_remove transports list&!! unset .cindex "header lines" "removing" .cindex "transport" "header lines; removing" -This option specifies a string that is expanded into a list of header names; +This option specifies a list of header names, colon-separated; these headers are omitted from the message as it is transported, as described in section &<>&. Header removal can also be specified by -routers. If the result of the expansion is an empty string, or if the expansion +routers. +Each list item is separately expanded. +If the result of the expansion is an empty string, or if the expansion is forced to fail, no action is taken. Other expansion failures are treated as errors and cause the delivery to be deferred. Unlike most options, &%headers_remove%& can be specified multiple times -for a router; all listed headers are added. +for a router; all listed headers are removed. @@ -21871,7 +22089,6 @@ inserted in the argument list at that point &'as a separate argument'&. This avoids any problems with spaces or shell metacharacters, and is of use when a &(pipe)& transport is handling groups of addresses in a batch. -.new If &%force_command%& is enabled on the transport, Special handling takes place for an argument that consists of precisely the text &`$address_pipe`&. It is handled similarly to &$pipe_addresses$& above. It is expanded and each 
@@ -21880,7 +22097,6 @@ argument is inserted in the argument list at that point the only item in the argument; in fact, if it were then &%force_command%& should behave as a no-op. Rather, it should be used to adjust the command run while preserving the argument vector separation. -.wen After splitting up into arguments and expansion, the resulting command is run in a subprocess directly from the transport, &'not'& under a shell. The @@ -22034,7 +22250,6 @@ a bounce message is sent. If &%freeze_signal%& is set, the message will be frozen in Exim's queue instead. -.new .option force_command pipe boolean false .cindex "force command" .cindex "&(pipe)& transport", "force command" @@ -22051,7 +22266,6 @@ force_command Note that &$address_pipe$& is handled specially in &%command%& when &%force_command%& is set, expanding out to the original argument vector as separate items, similarly to a Unix shell &`"$@"`& construct. -.wen .option ignore_status pipe boolean false If this option is true, the status returned by the subprocess that is set up to @@ -22414,10 +22628,8 @@ appropriate values for the outgoing connection, and these are the values that are in force when any authenticators are run and when the &%authenticated_sender%& option is expanded. -.new These variables are deprecated in favour of &$tls_in_cipher$& et. al. and will be removed in a future release. -.wen .section "Private options for smtp" "SECID146" 
@@ -22553,6 +22765,32 @@ details. .new +.option dnssec_request_domains smtp "domain list&!!" unset +.cindex "MX record" "security" +.cindex "DNSSEC" "MX lookup" +.cindex "security" "MX lookup" +.cindex "DNS" "DNSSEC" +DNS lookups for domains matching &%dnssec_request_domains%& will be done with +the dnssec request bit set. +This applies to all of the SRV, MX A6, AAAA, A lookup sequence. +.wen + + + +.new +.option dnssec_require_domains smtp "domain list&!!" unset +.cindex "MX record" "security" +.cindex "DNSSEC" "MX lookup" +.cindex "security" "MX lookup" +.cindex "DNS" "DNSSEC" +DNS lookups for domains matching &%dnssec_request_domains%& will be done with +the dnssec request bit set. Any returns not having the Authenticated Data bit +(AD bit) set wil be ignored and logged as a host-lookup failure. +This applies to all of the SRV, MX A6, AAAA, A lookup sequence. +.wen + + + .option dscp smtp string&!! unset .cindex "DCSP" "outbound" This option causes the DSCP value associated with a socket to be set to one @@ -22566,7 +22804,6 @@ The outbound packets from Exim will be marked with this value in the header that these values will have any effect, not be stripped by networking equipment, or do much of anything without cooperation with your Network Engineer and those of all network operators between the source and destination. -.wen .option fallback_hosts smtp "string list" unset @@ -22701,14 +22938,12 @@ that matches this list, even if the server host advertises PIPELINING support. Exim will not try to start a TLS session when delivering to any host that matches this list. See chapter &<>& for details of TLS. -.new .option hosts_verify_avoid_tls smtp "host list&!!" * .cindex "TLS" "avoiding for certain hosts" Exim will not try to start a TLS session for a verify callout, or when delivering in cutthrough mode, to any host that matches this list. Note that the default is to not use TLS. -.wen .option hosts_max_try smtp integer 5 
@@ -22778,6 +23013,18 @@ hard failure if required. See also &%hosts_try_auth%&, and chapter &<>& for details of authentication. +.option hosts_request_ocsp smtp "host list&!!" * +.cindex "TLS" "requiring for certain servers" +Exim will request a Certificate Status on a +TLS session for any host that matches this list. +&%tls_verify_certificates%& should also be set for the transport. + +.option hosts_require_ocsp smtp "host list&!!" unset +.cindex "TLS" "requiring for certain servers" +Exim will request, and check for a valid Certificate Status being given, on a +TLS session for any host that matches this list. +&%tls_verify_certificates%& should also be set for the transport. + .option hosts_require_tls smtp "host list&!!" unset .cindex "TLS" "requiring for certain servers" Exim will insist on using a TLS session when delivering to any host that @@ -22793,6 +23040,12 @@ connects. If authentication fails, Exim will try to transfer the message unauthenticated. See also &%hosts_require_auth%&, and chapter &<>& for details of authentication. +.option hosts_try_prdr smtp "host list&!!" unset +.cindex "PRDR" "enabling, optional in client" +This option provides a list of servers to which, provided they announce +PRDR support, Exim will attempt to negotiate PRDR +for multi-recipient messages. + .option interface smtp "string list&!!" unset .cindex "bind IP address" .cindex "IP address" "binding" @@ -22974,7 +23227,6 @@ This option specifies a certificate revocation list. The expanded value must be the name of a file that contains a CRL in PEM format. -.new .option tls_dh_min_bits smtp integer 1024 .cindex "TLS" "Diffie-Hellman minimum acceptable size" When establishing a TLS session, if a ciphersuite which uses Diffie-Hellman @@ -22984,7 +23236,6 @@ If the parameter offered by the server is too small, then the TLS handshake will fail. Only supported when using GnuTLS. -.wen .option tls_privatekey smtp string&!! unset 
@@ -23045,6 +23296,19 @@ unknown state), opens a new one to the same host, and then tries the delivery in clear. +.option tls_try_verify_hosts smtp "host list&!! unset +.cindex "TLS" "server certificate verification" +.cindex "certificate" "verification of server" +This option gives a list of hosts for which, on encrypted connections, +certificate verification will be tried but need not succeed. +The &%tls_verify_certificates%& option must also be set. +Note that unless the host is in this list +TLS connections will be denied to hosts using self-signed certificates +when &%tls_verify_certificates%& is set. +The &$tls_out_certificate_verified$& variable is set when +certificate verification succeeds. + + .option tls_verify_certificates smtp string&!! unset .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" @@ -23059,6 +23323,20 @@ single file if you are using GnuTLS. The values of &$host$& and &$host_address$& are set to the name and address of the server during the expansion of this option. See chapter &<>& for details of TLS. +For back-compatability, +if neither tls_verify_hosts nor tls_try_verify_hosts are set +and certificate verification fails the TLS connection is closed. + + +.option tls_verify_hosts smtp "host list&!! unset +.cindex "TLS" "server certificate verification" +.cindex "certificate" "verification of server" +This option gives a list of hosts for which. on encrypted connections, +certificate verification must succeed. +The &%tls_verify_certificates%& option must also be set. +If both this option and &%tls_try_verify_hosts%& are unset +operation is as if this option selected all hosts. + 
@@ -24295,12 +24573,10 @@ client_condition = ${if !eq{$tls_out_cipher}{}} .endd -.new .option client_set_id authenticators string&!! unset When client authentication succeeds, this condition is expanded; the result is used in the log lines for outbound messasges. Typically it will be the user name used for authentication. -.wen .option driver authenticators string unset @@ -24671,7 +24947,6 @@ expansion is &"1"&, &"yes"&, or &"true"&, authentication succeeds and the generic &%server_set_id%& option is expanded and saved in &$authenticated_id$&. For any other result, a temporary error code is returned, with the expanded string as the error text -.new ", and the failed id saved in &$authenticated_fail_id$&." &*Warning*&: If you use a lookup in the expansion to find the user's password, be sure to make the authentication fail if the user is unknown. @@ -25118,7 +25393,7 @@ dovecot_plain: driver = dovecot public_name = PLAIN server_socket = /var/run/dovecot/auth-client - server_set_id = $auth2 + server_set_id = $auth1 dovecot_ntlm: driver = dovecot @@ -25547,12 +25822,10 @@ option). The &%tls_require_ciphers%& options operate differently, as described in the sections &<>& and &<>&. .next -.new The &%tls_dh_min_bits%& SMTP transport option is only honoured by GnuTLS. When using OpenSSL, this option is ignored. (If an API is found to let OpenSSL be configured in this way, let the Exim Maintainers know and we'll likely use it). -.wen .next Some other recently added features may only be available in one or the other. This should be documented with the feature. If the documentation does not 
@@ -25855,10 +26128,8 @@ example, OpenSSL uses the name DES-CBC3-SHA for the cipher suite which in other contexts is known as TLS_RSA_WITH_3DES_EDE_CBC_SHA. Check the OpenSSL or GnuTLS documentation for more details. -.new For outgoing SMTP deliveries, &$tls_out_cipher$& is used and logged (again depending on the &%tls_cipher%& log selector). -.wen .section "Requesting and verifying client certificates" "SECID183" 
@@ -25913,12 +26184,79 @@ certificate is supplied, &$tls_in_peerdn$& is empty. .cindex "TLS" "revoked certificates" .cindex "revocation list" .cindex "certificate" "revocation list" +.cindex "OCSP" "stapling" Certificate issuing authorities issue Certificate Revocation Lists (CRLs) when certificates are revoked. If you have such a list, you can pass it to an Exim server using the global option called &%tls_crl%& and to an Exim client using an identically named option for the &(smtp)& transport. In each case, the value of the option is expanded and must then be the name of a file that contains a CRL in PEM format. +The downside is that clients have to periodically re-download a potentially huge +file from every certificate authority the know of. + +The way with most moving parts at query time is Online Certificate +Status Protocol (OCSP), where the client verifies the certificate +against an OCSP server run by the CA. This lets the CA track all +usage of the certs. It requires running software with access to the +private key of the CA, to sign the responses to the OCSP queries. OCSP +is based on HTTP and can be proxied accordingly. + +The only widespread OCSP server implementation (known to this writer) +comes as part of OpenSSL and aborts on an invalid request, such as +connecting to the port and then disconnecting. This requires +re-entering the passphrase each time some random client does this. + +The third way is OCSP Stapling; in this, the server using a certificate +issued by the CA periodically requests an OCSP proof of validity from +the OCSP server, then serves it up inline as part of the TLS +negotiation. This approach adds no extra round trips, does not let the +CA track users, scales well with number of certs issued by the CA and is +resilient to temporary OCSP server failures, as long as the server +starts retrying to fetch an OCSP proof some time before its current +proof expires. The downside is that it requires server support. 
+ +Unless Exim is built with the support disabled, +or with GnuTLS earlier than version 3.1.3, +support for OCSP stapling is included. + +There is a global option called &%tls_ocsp_file%&. +The file specified therein is expected to be in DER format, and contain +an OCSP proof. Exim will serve it as part of the TLS handshake. This +option will be re-expanded for SNI, if the &%tls_certificate%& option +contains &`tls_in_sni`&, as per other TLS options. + +Exim does not at this time implement any support for fetching a new OCSP +proof. The burden is on the administrator to handle this, outside of +Exim. The file specified should be replaced atomically, so that the +contents are always valid. Exim will expand the &%tls_ocsp_file%& option +on each connection, so a new file will be handled transparently on the +next connection. + +When built with OpenSSL Exim will check for a valid next update timestamp +in the OCSP proof; if not present, or if the proof has expired, it will be +ignored. + +For the client to be able to verify the stapled OCSP the server must +also supply, in its stapled information, any intermediate +certificates for the chain leading to the OCSP proof from the signer +of the server certificate. There may be zero or one such. These +intermediate certificates should be added to the server OCSP stapling +file named by &%tls_ocsp_file%&. + +Note that the proof only covers the terminal server certificate, +not any of the chain from CA to it. + +.code + A helper script "ocsp_fetch.pl" for fetching a proof from a CA + OCSP server is supplied. The server URL may be included in the + server certificate, if the CA is helpful. + + One failure mode seen was the OCSP Signer cert expiring before the end + of validity of the OCSP proof. The checking done by Exim/OpenSSL + noted this as invalid overall, but the re-fetch script did not. +.endd + + .section "Configuring an Exim client to use TLS" "SECID185" 
@@ -25967,6 +26305,25 @@ for OpenSSL only (not GnuTLS), a directory, that contains a collection of expected server certificates. The client verifies the server's certificate against this collection, taking into account any revoked certificates that are in the list defined by &%tls_crl%&. +Failure to verify fails the TLS connection unless either of the +&%tls_verify_hosts%& or &%tls_try_verify_hosts%& options are set. + +The &%tls_verify_hosts%& and &%tls_try_verify_hosts%& options restrict +certificate verification to the listed servers. Verification either must +or need not succeed respectively. + +The &(smtp)& transport has two OCSP-related options: +&%hosts_require_ocsp%&; a host-list for which a Certificate Status +is requested and required for the connection to proceed. The default +value is empty. +&%hosts_request_ocsp%&; a host-list for which (additionally) +a Certificate Status is requested (but not necessarily verified). The default +value is "*" meaning that requests are made unless configured +otherwise. + +The host(s) should also be in &%hosts_require_tls%&, and +&%tls_verify_certificates%& configured for the transport, +for OCSP to be relevant. If &%tls_require_ciphers%& is set on the &(smtp)& transport, it must contain a @@ -26053,6 +26410,9 @@ during TLS session handshake, to permit alternative values to be chosen: .next .vindex "&%tls_verify_certificates%&" &%tls_verify_certificates%& +.next +.vindex "&%tls_ocsp_file%&" +&%tls_verify_certificates%& .endlist Great care should be taken to deal with matters of case, various injection 
@@ -26144,15 +26504,19 @@ validation to succeed, of course, but if it's not preinstalled, sending the root certificate along with the rest makes it available for the user to install if the receiving end is a client MUA that can interact with a user. +Note that certificates using MD5 are unlikely to work on today's Internet; +even if your libraries allow loading them for use in Exim when acting as a +server, increasingly clients will not accept such certificates. The error +diagnostics in such a case can be frustratingly vague. + + .section "Self-signed certificates" "SECID187" .cindex "certificate" "self-signed" You can create a self-signed certificate using the &'req'& command provided with OpenSSL, like this: -.new . ==== Do not shorten the duration here without reading and considering . ==== the text below. Please leave it at 9999 days. -.wen .code openssl req -x509 -newkey rsa:1024 -keyout file1 -out file2 \ -days 9999 -nodes @@ -26165,7 +26529,6 @@ that you are prompted for, and any use that is made of the key causes more prompting for the passphrase. This is not helpful if you are going to use this certificate and key in an MTA, where prompting is not possible. -.new . ==== I expect to still be working 26 years from now. The less technical . ==== debt I create, in terms of storing up trouble for my later years, the . ==== happier I will be then. We really have reached the point where we @@ -26181,7 +26544,6 @@ of the certificate or reconsider your platform deployment. (At time of writing, reducing the duration is the most likely choice, but the inexorable progression of time takes us steadily towards an era where this will not be a sensible resolution). -.wen A self-signed certificate made in this way is sufficient for testing, and may be adequate for all your requirements if you are mainly interested in 
@@ -26259,6 +26621,7 @@ options in the main part of the configuration. These options are: .cindex "SMTP" "connection, ACL for" .cindex "non-SMTP messages" "ACLs for" .cindex "MIME content scanning" "ACL for" +.cindex "PRDR" "ACL for" .table2 140pt .irow &%acl_not_smtp%& "ACL for non-SMTP messages" @@ -26267,6 +26630,7 @@ options in the main part of the configuration. These options are: .irow &%acl_smtp_auth%& "ACL for AUTH" .irow &%acl_smtp_connect%& "ACL for start of SMTP connection" .irow &%acl_smtp_data%& "ACL after DATA is complete" +.irow &%acl_smtp_data_prdr%& "ACL for each recipient, after DATA is complete" .irow &%acl_smtp_etrn%& "ACL for ETRN" .irow &%acl_smtp_expn%& "ACL for EXPN" .irow &%acl_smtp_helo%& "ACL for HELO or EHLO" @@ -26381,10 +26745,10 @@ before or after the data) correctly &-- they keep the message on their queues and try again later, but that is their problem, though it does waste some of your resources. -.new -The &%acl_smtp_data%& ACL is run after both the &%acl_smtp_dkim%& and -the &%acl_smtp_mime%& ACLs. -.wen +The &%acl_smtp_data%& ACL is run after +the &%acl_smtp_data_prdr%&, +the &%acl_smtp_dkim%& +and the &%acl_smtp_mime%& ACLs. .section "The SMTP DKIM ACL" "SECTDKIMACL" The &%acl_smtp_dkim%& ACL is available only when Exim is compiled with DKIM support @@ -26394,11 +26758,9 @@ The ACL test specified by &%acl_smtp_dkim%& happens after a message has been received, and is executed for each DKIM signature found in a message. If not otherwise specified, the default action is to accept. -.new This ACL is evaluated before &%acl_smtp_mime%& and &%acl_smtp_data%&. For details on the operation of DKIM, see chapter &<>&. -.wen .section "The SMTP MIME ACL" "SECID194" 
@@ -26408,6 +26770,36 @@ content-scanning extension. For details, see chapter &<>&. This ACL is evaluated after &%acl_smtp_dkim%& but before &%acl_smtp_data%&. +.section "The SMTP PRDR ACL" "SECTPRDRACL" +.oindex "&%prdr_enable%&" +The &%acl_smtp_data_prdr%& ACL is available only when Exim is compiled +with PRDR support enabled (which is the default). +It becomes active only when the PRDR feature is negotiated between +client and server for a message, and more than one recipient +has been accepted. + +The ACL test specfied by &%acl_smtp_data_prdr%& happens after a message +has been recieved, and is executed for each recipient of the message. +The test may accept or deny for inividual recipients. +The &%acl_smtp_data%& will still be called after this ACL and +can reject the message overall, even if this ACL has accepted it +for some or all recipients. + +PRDR may be used to support per-user content filtering. Without it +one must defer any recipient after the first that has a different +content-filter configuration. With PRDR, the RCPT-time check +for this can be disabled when the MAIL-time $smtp_command included +"PRDR". Any required difference in behaviour of the main DATA-time +ACL should however depend on the PRDR-time ACL having run, as Exim +will avoid doing so in some situations (eg. single-recipient mails). + +See also the &%prdr_enable%& global option +and the &%hosts_try_prdr%& smtp transport option. + +This ACL is evaluated after &%acl_smtp_dkim%& but before &%acl_smtp_data%&. +If the ACL is not defined, processing completes as if +the feature was not requested by the client. + .section "The QUIT ACL" "SECTQUITACL" .cindex "QUIT, ACL for" The ACL for the SMTP QUIT command is anomalous, in that the outcome of the ACL 
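Review bot: The closing paragraph of the new PRDR section says the ACL is evaluated "after &%acl_smtp_dkim%& but before &%acl_smtp_data%&", which is word for word what the unchanged context line at the top of this hunk says about the MIME ACL, so the order of acl_smtp_data_prdr relative to acl_smtp_mime is left undefined. Please state it explicitly: a per-recipient decision that depends on content-scan results needs to know whether the MIME ACL has already run. The added lines also need a spelling pass: "specfied", "recieved" and "inividual".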
@@ -27234,12 +27626,10 @@ all the conditions are true, wherever it appears in an ACL command, whereas effect. -.new .vitem &*remove_header*&&~=&~<&'text'&> This modifier specifies one or more header names in a colon-separated list that are to be removed from an incoming message, assuming, of course, that the message is ultimately accepted. For details, see section &<>&. -.wen .vitem &*set*&&~<&'acl_name'&>&~=&~<&'value'&> @@ -27248,7 +27638,6 @@ This modifier puts a value into one of the ACL variables (see section &<>&). -.new .vitem &*udpsend*&&~=&~<&'parameters'&> This modifier sends a UDP packet, for purposes such as statistics collection or behaviour monitoring. The parameters are expanded, and @@ -27262,7 +27651,6 @@ when: udpsend = <; 2001:dB8::dead:beef ; 1234 ;\ $tod_zulu $sender_host_address .endd -.wen .endlist @@ -27324,7 +27712,6 @@ Notice that we put back the lower cased version afterwards, assuming that is what is wanted for subsequent tests. -.new .vitem &*control&~=&~cutthrough_delivery*& .cindex "&ACL;" "cutthrough routing" .cindex "cutthrough" "requesting" 
@@ -27333,7 +27720,16 @@ It is usable in the RCPT ACL and valid only for single-recipient mails forwarded from one SMTP connection to another. If a recipient-verify callout connection is requested in the same ACL it is held open and used for the data, otherwise one is made after the ACL completes. -.new "Note that routers are used in verify mode." + +Note that routers are used in verify mode, +and cannot depend on content of received headers. +Note also that headers cannot be +modified by any of the post-data ACLs (DATA, MIME and DKIM). +Headers may be modified by routers (subject to the above) and transports. + +Cutthrough delivery is not supported via transport-filters or when DKIM signing +of outgoing messages is done, because it sends data to the ultimate destination +before the entire message has been received from the source. Should the ultimate destination system positively accept or reject the mail, a corresponding indication is given to the source system and nothing is queued. @@ -27344,10 +27740,8 @@ line. Delivery in this mode avoids the generation of a bounce mail to a (possibly faked) sender when the destination system is doing content-scan based rejection. -.wen -.new .vitem &*control&~=&~debug/*&<&'options'&> .cindex "&ACL;" "enabling debug logging" .cindex "debugging" "enabling from an ACL" @@ -27364,7 +27758,6 @@ contexts): control = debug/opts=+expand+acl control = debug/tag=.$message_exim_id/opts=+expand .endd -.wen .vitem &*control&~=&~dkim_disable_verify*& @@ -27374,7 +27767,6 @@ This control turns off DKIM verification processing entirely. For details on the operation and configuration of DKIM, see chapter &<>&. -.new .vitem &*control&~=&~dscp/*&<&'value'&> .cindex "&ACL;" "setting DSCP value" .cindex "DSCP" "inbound" 
@@ -27390,7 +27782,6 @@ The outbound packets from Exim will be marked with this value in the header that these values will have any effect, not be stripped by networking equipment, or do much of anything without cooperation with your Network Engineer and those of all network operators between the source and destination. -.wen .vitem &*control&~=&~enforce_sync*& &&& @@ -27592,12 +27983,15 @@ warn dnslists = sbl.spamhaus.org : \ add_header = X-blacklisted-at: $dnslist_domain .endd The &%add_header%& modifier is permitted in the MAIL, RCPT, PREDATA, DATA, -MIME, and non-SMTP ACLs (in other words, those that are concerned with +MIME, DKIM, and non-SMTP ACLs (in other words, those that are concerned with receiving a message). The message must ultimately be accepted for &%add_header%& to have any significant effect. You can use &%add_header%& with any ACL verb, including &%deny%& (though this is potentially useful only in a RCPT ACL). +Headers will not be added to the message if the modifier is used in +DATA, MIME or DKIM ACLs for messages delivered by cutthrough routing. + Leading and trailing newlines are removed from the data for the &%add_header%& modifier; if it then contains one or more newlines that @@ -27629,9 +28023,7 @@ passing data between (for example) the MAIL and RCPT ACLs. If you want to do this, you can use ACL variables, as described in section &<>&. -.new The list of headers yet to be added is given by the &%$headers_added%& variable. -.wen The &%add_header%& modifier acts immediately as it is encountered during the processing of an ACL. Notice the difference between these two cases: @@ -27682,7 +28074,6 @@ system filter or in a router or transport. -.new .section "Removing header lines in ACLs" "SECTremoveheadacl" .cindex "header lines" "removing in an ACL" .cindex "header lines" "position of removed lines" 
@@ -27694,12 +28085,15 @@ warn message = Remove internal headers remove_header = x-route-mail1 : x-route-mail2 .endd The &%remove_header%& modifier is permitted in the MAIL, RCPT, PREDATA, DATA, -MIME, and non-SMTP ACLs (in other words, those that are concerned with +MIME, DKIM, and non-SMTP ACLs (in other words, those that are concerned with receiving a message). The message must ultimately be accepted for &%remove_header%& to have any significant effect. You can use &%remove_header%& with any ACL verb, including &%deny%&, though this is really not useful for any verb that doesn't result in a delivered message. +Headers will not be removed to the message if the modifier is used in +DATA, MIME or DKIM ACLs for messages delivered by cutthrough routing. + More than one header can be removed at the same time by using a colon separated list of header names. The header matching is case insensitive. Wildcards are not permitted, nor is list expansion performed, so you cannot use hostlists to @@ -27750,7 +28144,6 @@ are honoured. &*Warning*&: This facility currently applies only to header lines that are present during ACL processing. It does NOT remove header lines that are added in a system filter or in a router or transport. -.wen @@ -27785,13 +28178,11 @@ condition is on a &%warn%& verb. In that case, a &"defer"& return makes the condition false. This means that further processing of the &%warn%& verb ceases, but processing of the ACL continues. -.new If the argument is a named ACL, up to nine space-separated optional values can be appended; they appear within the called ACL in $acl_arg1 to $acl_arg9, and $acl_narg is set to the count of values. Previous values of these variables are restored after the call returns. The name and values are expanded separately. -.wen If the nested &%acl%& returns &"drop"& and the outer condition denies access, the connection is dropped. If it returns &"discard"&, the verb must be 
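Review bot: In the first hunk (-27694), the added sentence "Headers will not be removed to the message" was carried over from the add_header text and should read "removed from the message". It would also help to say what happens instead (whether the modifier is silently ignored or something is logged), because an ACL author who relies on remove_header to strip internal headers such as the x-route-mail1 example in the context lines would otherwise pass them on in cutthrough deliveries without noticing.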
@@ -28023,6 +28414,23 @@ This condition checks whether the sending host (the client) is authorized to send email. Details of how this works are given in section &<>&. +.new +.vitem &*verify&~=&~header_names_ascii*& +.cindex "&%verify%& ACL condition" +.cindex "&ACL;" "verifying header names only ASCII" +.cindex "header lines" "verifying header names only ASCII" +.cindex "verifying" "header names only ASCII" +This condition is relevant only in an ACL that is run after a message has been +received, that is, in an ACL specified by &%acl_smtp_data%& or +&%acl_not_smtp%&. It checks all header names (not the content) to make sure +there are no non-ASCII characters, also excluding control characters. The +allowable characters are decimal ASCII values 33 through 126. + +Exim itself will handle headers with non-ASCII characters, but it can cause +problems for downstream applications, so this option will allow their +detection and rejection in the DATA ACL's. +.wen + .vitem &*verify&~=&~header_sender/*&<&'options'&> .cindex "&%verify%& ACL condition" .cindex "&ACL;" "verifying sender in the header" @@ -28634,6 +29042,13 @@ deny condition = ${if isip4{$sender_host_address}} dnslists = some.list.example .endd +If an explicit key is being used for a DNS lookup and it may be an IPv6 +address you should specify alternate list separators for both the outer +(DNS list name) list and inner (lookup keys) list: +.code + dnslists = <; dnsbl.example.com/<|$acl_m_addrslist +.endd + .section "Rate limiting incoming messages" "SECTratelimiting" .cindex "rate limiting" "client sending" .cindex "limiting client sending rates" 
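Review bot: The added dnslists paragraph (last hunk, -28634) tells the reader to change both list separators when the key may be an IPv6 address but does not say why, and the example line is the only place the chosen separators appear. Suggest one more sentence: the default separator for both lists is a colon, which also occurs inside IPv6 addresses, so "<;" is used for the DNS list names and "<|" for the lookup keys. It is also worth stating that the contents of $acl_m_addrslist must themselves be "|"-separated for the example to work.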
@@ -29015,6 +29430,7 @@ router that does not set up hosts routes to an &(smtp)& transport with a &%hosts%& setting, the transport's hosts are used. If an &(smtp)& transport has &%hosts_override%& set, its hosts are always used, whether or not the router supplies a host list. +Callouts are only supported on &(smtp)& transports. The port that is used is taken from the transport, if it is specified and is a remote transport. (For routers that do verification only, no transport need be @@ -29036,10 +29452,8 @@ following SMTP commands are sent: LHLO is used instead of HELO if the transport's &%protocol%& option is set to &"lmtp"&. -.new The callout may use EHLO, AUTH and/or STARTTLS given appropriate option settings. -.wen A recipient callout check is similar. By default, it also uses an empty address for the sender. This default is chosen because most hosts do not make use of @@ -29721,7 +30135,6 @@ Exim does not assume that there is a common filesystem with the remote host. There is an option WITH_OLD_CLAMAV_STREAM in &_src/EDITME_& available, should you be running a version of ClamAV prior to 0.95. -.new The final example shows that multiple TCP targets can be specified. Exim will randomly use one for each incoming email (i.e. it load balances them). Note that only TCP targets may be used if specifying a list of scanners; a UNIX @@ -29736,7 +30149,6 @@ email that the down scanner gets chosen first (message wrapped to be readable): clamd: connection to localhost, port 3310 failed (Connection refused) .endd -.wen If the option is unset, the default is &_/tmp/clamd_&. Thanks to David Saez for contributing the code for this scanner. 
@@ -29822,6 +30234,24 @@ av_scanner = mksd:2 .endd You can safely omit this option (the default value is 1). +.vitem &%sock%& +.cindex "virus scanners" "simple socket-connected" +This is a general-purpose way of talking to simple scanner daemons +running on the local machine. +There are four options: +an address (which may be an IP addres and port, or the path of a Unix socket), +a commandline to send (may include a single %s which will be replaced with +the path to the mail file to be scanned), +an RE to trigger on from the returned data, +an RE to extract malware_name from the returned data. +For example: +.code +av_scanner = sock:127.0.0.1 6001:%s:(SPAM|VIRUS):(.*)\$ +.endd +Default for the socket specifier is &_/tmp/malware.sock_&. +Default for the commandline is &_%s\n_&. +Both regular-expressions are required. + .vitem &%sophie%& .cindex "virus scanners" "Sophos and Sophie" Sophie is a daemon that uses Sophos' &%libsavi%& library to scan for viruses. @@ -31944,7 +32374,7 @@ they do not affect the values of the variables that refer to header lines. the transport cannot refer to the modified header lines, because such expansions all occur before the message is actually transported. -For both routers and transports, the result of expanding a &%headers_add%& +For both routers and transports, the argument of a &%headers_add%& option must be in the form of one or more RFC 2822 header lines, separated by newlines (coded as &"\n"&). For example: .code 
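Review bot: In the new &%sock%& entry (first hunk, -29822), the four options are colon-separated in the example "sock:127.0.0.1 6001:%s:(SPAM|VIRUS):(.*)\$", but the text does not say how to write a colon inside an option, which matters for an IPv6 socket address or a regular expression containing ":". Please document the quoting rule or state that such values are not supported. The text also gives defaults for the first two options and then says both regular expressions are required, so it should say what happens when they are omitted (configuration error, or scan failure at run time). Typo: "IP addres".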
@@ -31953,13 +32383,11 @@ headers_add = X-added-header: added by $primary_hostname\n\ .endd Exim does not check the syntax of these added header lines. -.new Multiple &%headers_add%& options for a single router or transport can be -specified; the values will be concatenated (with a separating newline -added) before expansion. -.wen +specified; the values will append to a single list of header lines. +Each header-line is separately expanded. -The result of expanding &%headers_remove%& must consist of a colon-separated +The argument of a &%headers_remove%& option must consist of a colon-separated list of header names. This is confusing, because header names themselves are often terminated by colons. In this case, the colons are the list separators, not part of the names. For example: @@ -31968,11 +32396,12 @@ headers_remove = return-receipt-to:acknowledge-to .endd Multiple &%headers_remove%& options for a single router or transport can be -specified; the values will be concatenated (with a separating colon -added) before expansion. +specified; the arguments will append to a single header-names list. +Each item is separately expanded. -When &%headers_add%& or &%headers_remove%& is specified on a router, its value -is expanded at routing time, and then associated with all addresses that are +When &%headers_add%& or &%headers_remove%& is specified on a router, +items are expanded at routing time, +and then associated with all addresses that are accepted by that router, and also with any new addresses that it generates. If an address passes through several routers as a result of aliasing or forwarding, the changes are cumulative. @@ -33834,9 +34263,7 @@ timestamp. The flags are: &`<=`& message arrival &`=>`& normal message delivery &`->`& additional address in same delivery -.new &`>>`& cutthrough message delivery -.wen &`*>`& delivery suppressed by &%-N%& &`**`& delivery failed; address bounced &`==`& delivery deferred; temporary problem 
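Review bot: The rewritten headers_remove text (middle hunk, -31968) says each item is now expanded separately but omits the compatibility consequence that ChangeLog entry JH/12 in this same commit spells out: headers_remove items with embedded colons must have them doubled, or the list separator changed. Suggest repeating that requirement here, next to the existing remark that the colons are list separators and not part of the names, since configurations written for the old expand-then-split behaviour may be affected and the spec is where administrators will look.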
@@ -33936,12 +34363,10 @@ intermediate address(es) exist between the original and the final address, the last of these is given in parentheses after the final address. The R and T fields record the router and transport that were used to process the address. -.new If SMTP AUTH was used for the delivery there is an additional item A= followed by the name of the authenticator that was used. If an authenticated identification was set up by the authenticator's &%client_set_id%& option, this is logged too, separated by a colon from the authenticator name. -.wen If a shadow transport was run after a successful local delivery, the log line for the successful delivery has an item added on the end, of the form @@ -33958,13 +34383,11 @@ flagged with &`->`& instead of &`=>`&. When two or more messages are delivered down a single SMTP connection, an asterisk follows the IP address in the log lines for the second and subsequent messages. -.new .cindex "delivery" "cutthrough; logging" .cindex "cutthrough" "logging" When delivery is done in cutthrough mode it is flagged with &`>>`& and the log line precedes the reception line, since cutthrough waits for a possible rejection from the destination in case it can reject the sourced item. -.wen The generation of a reply message by a filter file gets logged as a &"delivery"& to the addressee, preceded by &">"&. @@ -34076,6 +34499,7 @@ the following table: &`R `& on &`<=`& lines: reference for local bounce &` `& on &`=>`& &`**`& and &`==`& lines: router name &`S `& size of message +&`SNI `& server name indication from TLS client hello &`ST `& shadow transport name &`T `& on &`<=`& lines: message subject (topic) &` `& on &`=>`& &`**`& and &`==`& lines: transport name 
@@ -34142,9 +34566,7 @@ log_selector = +arguments -retry_defer The list of optional log items is in the following table, with the default selection marked by asterisks: .display -.new &` 8bitmime `& received 8BITMIME status -.wen &`*acl_warn_skipped `& skipped &%warn%& statement in ACL &` address_rewrite `& address rewriting &` all_parents `& all parents in => lines @@ -34174,14 +34596,10 @@ selection marked by asterisks: &`*sender_verify_fail `& sender verification failures &`*size_reject `& rejection because too big &`*skip_delivery `& delivery skipped in a queue run -.new &`*smtp_confirmation `& SMTP confirmation on => lines -.wen &` smtp_connection `& SMTP connections &` smtp_incomplete_transaction`& incomplete SMTP transactions -.new &` smtp_mailauth `& AUTH argument to MAIL commands -.wen &` smtp_no_mail `& session with no MAIL commands &` smtp_protocol_error `& SMTP protocol errors &` smtp_syntax_error `& SMTP syntax errors @@ -34197,7 +34615,6 @@ selection marked by asterisks: More details on each of these items follows: .ilist -.new .cindex "8BITMIME" .cindex "log" "8BITMIME" &%8bitmime%&: This causes Exim to log any 8BITMIME status of received messages, @@ -34205,7 +34622,6 @@ which may help in tracking down interoperability issues with ancient MTAs that are not 8bit clean. This is added to the &"<="& line, tagged with &`M8S=`& and a value of &`0`&, &`7`& or &`8`&, corresponding to "not given", &`7BIT`& and &`8BITMIME`& respectively. -.wen .next .cindex "&%warn%& ACL verb" "log when skipping" &%acl_warn_skipped%&: When an ACL &%warn%& statement is skipped because one of 
@@ -34393,7 +34809,8 @@ The message that is written is &"spool file is locked"&. .next .cindex "log" "smtp confirmation" .cindex "SMTP" "logging confirmation" -&%smtp_confirmation%&: The response to the final &"."& in the SMTP dialogue for +.cindex "LMTP" "logging confirmation" +&%smtp_confirmation%&: The response to the final &"."& in the SMTP or LMTP dialogue for outgoing messages is added to delivery log lines in the form &`C=`&<&'text'&>. A number of MTAs (including Exim) return an identifying string in this response. @@ -34452,12 +34869,10 @@ the last 20 are listed, preceded by &"..."&. However, with the default setting of 10 for &%smtp_accep_max_nonmail%&, the connection will in any case have been aborted before 20 non-mail commands are processed. .next -.new &%smtp_mailauth%&: A third subfield with the authenticated sender, colon-separated, is appended to the A= item for a message arrival or delivery log line, if an AUTH argument to the SMTP MAIL command (see &<>&) was accepted or used. -.wen .next .cindex "log" "SMTP protocol error" .cindex "SMTP" "logging protocol error" @@ -34624,9 +35039,17 @@ This utility is a Perl script contributed by Matt Hubbard. It runs .code exim -bpu .endd -to obtain a queue listing with undelivered recipients only, and then greps the -output to select messages that match given criteria. The following selection -options are available: +or (in case &*-a*& switch is specified) +.code +exim -bp +.endd +.new +The &*-C*& option is used to specify an alternate &_exim.conf_& which might +contain alternate exim configuration the queue management might be using. +.wen + +to obtain a queue listing, and then greps the output to select messages +that match given criteria. The following selection options are available: .vlist .vitem &*-f*&&~<&'regex'&> 
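Review bot: In the exiqgrep hunk (-34624), the new -C paragraph is inserted in the middle of a sentence: the text now reads "It runs exim -bpu or (in case -a switch is specified) exim -bp", then the -C paragraph, then "to obtain a queue listing, and then greps the output", which leaves the last fragment orphaned after a blank line. Move the .new/.wen block below that sentence, or better, document -C as a .vitem in the options list where this commit adds -a. The paragraph should also say that -C takes a file name argument; "which might contain alternate exim configuration the queue management might be using" does not tell the reader what to pass.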
@@ -34673,6 +35096,9 @@ Brief format &-- one line per message. .vitem &*-R*& Display messages in reverse order. + +.vitem &*-a*& +Include delivered recipients in queue listing. .endlist There is one more option, &%-h%&, which outputs a list of options. @@ -35861,7 +36287,6 @@ are given in chapter &<>&. -.new .section "Running local commands" "SECTsecconslocalcmds" .cindex "security" "local commands" .cindex "security" "command injection attacks" @@ -35905,12 +36330,10 @@ real-world security vulnerabilities caused by its use with untrustworthy data injected in, for SQL injection attacks. Consider the use of the &%inlisti%& expansion condition instead. .endlist -.wen -.new .section "Trust in configuration data" "SECTsecconfdata" .cindex "security" "data sources" .cindex "security" "regular expressions" @@ -35939,7 +36362,6 @@ items to ensure that data is correctly constructed. Some lookups might return multiple results, even though normal usage is only expected to yield one result. .endlist -.wen @@ -36416,7 +36838,9 @@ disabled by setting DISABLE_DKIM=yes in Local/Makefile. Exim's DKIM implementation allows to .olist Sign outgoing messages: This function is implemented in the SMTP transport. -It can co-exist with all other Exim features, including transport filters. +It can co-exist with all other Exim features +(including transport filters) +except cutthrough delivery. .next Verify signatures in incoming messages: This is implemented by an additional ACL (acl_smtp_dkim), which can be called several times per message, with 
@@ -36507,6 +36931,10 @@ used. Verification of DKIM signatures in incoming email is implemented via the &%acl_smtp_dkim%& ACL. By default, this ACL is called once for each syntactically(!) correct signature in the incoming message. +A missing ACL definition defaults to accept. +If any ACL call does not acccept, the message is not accepted. +If a cutthrough delivery was in progress for the message it is +summarily dropped (having wasted the transmission effort). To evaluate the signature in the ACL a large number of expansion variables containing the signature status and its details are set up during the @@ -36698,13 +37126,11 @@ Add to &_src/config.h.defaults_& the line: Edit &_src/drtables.c_&, adding conditional code to pull in the private header and create a table entry as is done for all the other drivers and lookup types. .next -.new Edit &_scripts/lookups-Makefile_& if this is a new lookup; there is a for-loop near the bottom, ranging the &`name_mod`& variable over a list of all lookups. Add your &`NEWDRIVER`& to that list. As long as the dynamic module would be named &_newdriver.so_&, you can use the simple form that most lookups have. -.wen .next Edit &_Makefile_& in the appropriate sub-directory (&_src/routers_&, &_src/transports_&, &_src/auths_&, or &_src/lookups_&); add a line for the new diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 928f377b1..ee56623ad 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog 
@@ -1,6 +1,129 @@ Change log file for Exim from version 4.21 ------------------------------------------- + +Exim version 4.83 +----------------- + +TF/01 Correctly close the server side of TLS when forking for delivery. + + When a message was received over SMTP with TLS, Exim failed to clear up + the incoming connection properly after forking off the child process to + deliver the message. In some situations the subsequent outgoing + delivery connection happened to have the same fd number as the incoming + connection previously had. Exim would try to use TLS and fail, logging + a "Bad file descriptor" error. + +TF/02 Portability fix for building lookup modules on Solaris when the xpg4 + utilities have not been installed. + +JH/01 Fix memory-handling in use of acl as a conditional; avoid free of + temporary space as the ACL may create new global variables. + +TL/01 LDAP support uses per connection or global context settings, depending + upon the detected version of the libraries at build time. + +TL/02 Experimental Proxy Protocol support: allows a proxied SMTP connection + to extract and use the src ip:port in logging and expansions as if it + were a direct connection from the outside internet. PPv2 support was + updated based on HAProxy spec change in May 2014. + +JH/02 Add ${listextract {number}{list}{success}{fail}}. + +TL/03 Bugzilla 1433: Fix DMARC SEGV with specific From header contents. + Properly escape header and check for NULL return. + +PP/01 Continue incomplete 4.82 PP/19 by fixing docs too: use dns_dnssec_ok + not dns_use_dnssec. + +JH/03 Bugzilla 1157: support log_selector smtp_confirmation for lmtp. + +TL/04 Add verify = header_names_ascii check to reject email with non-ASCII + characters in header names, implemented as a verify condition. + Contributed by Michael Fischer v. Mollard. + +TL/05 Rename SPF condition results err_perm and err_temp to standardized + results permerror and temperror. Previous values are deprecated but + still accepted. 
In a future release, err_perm and err_temp will be + completely removed, which will be a backward incompatibility if the + ACL tests for either of these two old results. Patch contributed by + user bes-internal on the mailing list. + +JH/04 Add ${utf8clean:} operator. Contributed by Alex Rau. + +JH/05 Bugzilla 305: Log incoming-TLS details on rejects, subject to log + selectors, in both main and reject logs. + +JH/06 Log outbound-TLS and port details, subject to log selectors, for a + failed delivery. + +JH/07 Add malware type "sock" for talking to simple daemon. + +JH/08 Bugzilla 1371: Add tls_{,try_}verify_hosts to smtp transport. + +JH/09 Bugzilla 1431: Support (with limitations) headers_add/headers_remove in + routers/transports under cutthrough routing. + +JH/10 Bugzilla 1005: ACL "condition =" should accept values which are negative + numbers. Touch up "bool" conditional to keep the same definition. + +TL/06 Remove duplicated language in spec file from 4.82 TL/16. + +JH/11 Add dnsdb tlsa lookup. From Todd Lyons. + +JH/12 Expand items in router/transport headers_add or headers_remove lists + individually rather than the list as a whole. Bug 1452. + + Required for reasonable handling of multiple headers_ options when + they may be empty; requires that headers_remove items with embedded + colons must have them doubled (or the list-separator changed). + +TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly + view the policy declared in the DMARC record. Currently, $dmarc_status + is a combined value of both the record presence and the result of the + analysis. + +JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455. + +JH/14 New options dnssec_request_domains, dnssec_require_domains on the + dnslookup router and the smtp transport (applying to the forward + lookup). + +TL/08 Bugzilla 1453: New LDAP "SERVERS=" option allows admin to override list + of ldap servers used for a specific lookup. 
Patch provided by Heiko + Schlichting. + +JH/18 New options dnssec_lax, dnssec_strict on dnsdb lookups. + New variable $lookup_dnssec_authenticated for observability. + +TL/09 Bugzilla 609: Add -C option to exiqgrep, specify which exim.conf to use. + Patch submitted by Lars Timman. + +JH/19 EXPERIMENTAL_OCSP support under GnuTLS. Bug 1459. + +TL/10 Bugzilla 1454: New -oMm option to pass message reference to Exim. + Requires trusted mode and valid format message id, aborts otherwise. + Patch contributed by Heiko Schlichting. + +JH/20 New expansion variables tls_(in,out)_(our,peer)cert, and expansion item + certextract with support for various fields. Bug 1358. + +JH/21 Observability of OCSP via variables tls_(in,out)_ocsp. Stapling + is requested by default, modifiable by smtp transport option + hosts_request_ocsp. + +JH/22 Expansion operators ${md5:string} and ${sha1::string} can now + operate on certificate variables to give certificate fingerprints + Also new ${sha256:cert_variable}. + +JH/23 The PRDR feature is moved from being Experimental into the mainline. + +TL/11 Bug 1119: fix memory allocation in string_printing2(). Patch from + Christian Aistleitner. + +JH/24 The OCSP stapling feature is moved from Experimental into the mainline. + + Exim version 4.82 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index d308f0485..f3e2dc1eb 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff 
@@ -6,6 +6,57 @@ Before a formal release, there may be quite a lot of detail so that people can test from the snapshots or the CVS before the documentation is updated. Once the documentation is updated, this file is reduced to a short list. +Version 4.83 +------------ + + 1. If built with the EXPERIMENTAL_PROXY feature enabled, Exim can be + configured to expect an initial header from a proxy that will make the + actual external source IP:host be used in exim instead of the IP of the + proxy that is connecting to it. + + 2. New verify option header_names_ascii, which will check to make sure + there are no non-ASCII characters in header names. Exim itself handles + those non-ASCII characters, but downstream apps may not, so Exim can + detect and reject if those characters are present. + + 3. New expansion operator ${utf8clean:string} to replace malformed UTF8 + codepoints with valid ones. + + 4. New malware type "sock". Talks over a Unix or TCP socket, sending one + command line and matching a regex against the return data for trigger + and a second regex to extract malware_name. The mail spoofile name can + be included in the command line. + + 5. The smtp transport now supports options "tls_verify_hosts" and + "tls_try_verify_hosts". If either is set the certificate verification + is split from the encryption operation. The default remains that a failed + verification cancels the encryption. + + 6. New SERVERS override of default ldap server list. In the ACLs, an ldap + lookup can now set a list of servers to use that is different from the + default list. + + 7. New command-line option -C for exiqgrep to specify alternate exim.conf + file when searching the queue. + + 8. OCSP now supports GnuTLS also, if you have version 3.1.3 or later of that. + + 9. Support for DNSSEC on outbound connections. + +10. New variables "tls_(in,out)_(our,peer)cert" and expansion item + "certextract" to extract fields from them. 
Hash operators md5 and sha1 + work over them for generating fingerprints, and a new sha256 operator + for them added. + +11. PRDR is now supported dy default. + +12. OCSP stapling is now supported by default. + +13. If built with the EXPERIMENTAL_DSN feature enabled, Exim will output + Delivery Status Notification messages in MIME format, and negociate + DSN features per RFC 3461. + + Version 4.82 ------------ diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index 9c909f2f8..ef6195600 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt @@ -180,12 +180,12 @@ dns_again_means_nonexist domain list unset main dns_check_names_pattern string + main 2.11 dns_csa_search_limit integer 5 main 4.60 dns_csa_use_reverse boolean true main 4.60 +dns_dnssec_ok integer -1 main 4.82 dns_ipv4_lookup boolean false main 3.20 dns_qualify_single boolean true smtp dns_retrans time 0s main 1.60 dns_retry integer 0 main 1.60 dns_search_parents boolean false smtp -dns_use_dnssec integer -1 main 4.82 dns_use_edns0 integer -1 main 4.76 domains domain list unset routers 4.00 driver string unset authenticators @@ -714,6 +714,7 @@ provide compatibility with Sendmail. -oMai # Supply authenticated id -oMas # Supply authenticated sender -oMi # Supply interface address +-oMm # Supply message reference -oMr # Supply protocol name -oMs # Supply host name -oMt # Supply ident string diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index b33612f43..6657f63c7 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt 
@@ -6,114 +6,6 @@ about experimental features, all of which are unstable and liable to incompatible change. -PRDR support --------------------------------------------------------------- - -Per-Recipient Data Reponse is an SMTP extension proposed by Eric Hall -in a (now-expired) IETF draft from 2007. It's not hit mainstream -use, but has apparently been implemented in the META1 MTA. - -There is mention at http://mail.aegee.org/intern/sendmail.html -of a patch to sendmail "to make it PRDR capable". - - ref: http://www.eric-a-hall.com/specs/draft-hall-prdr-00.txt - -If Exim is built with EXPERIMENTAL_PRDR there is a new config -boolean "prdr_enable" which controls whether PRDR is advertised -as part of an EHLO response, a new "acl_data_smtp_prdr" ACL -(called for each recipient, after data arrives but before the -data ACL), and a new smtp transport option "hosts_try_prdr". - -PRDR may be used to support per-user content filtering. Without it -one must defer any recipient after the first that has a different -content-filter configuration. With PRDR, the RCPT-time check -for this can be disabled when the MAIL-time $smtp_command included -"PRDR". Any required difference in behaviour of the main DATA-time -ACL should however depend on the PRDR-time ACL having run, as Exim -will avoid doing so in some situations (eg. single-recipient mails). - - - -OCSP Stapling support --------------------------------------------------------------- - -X.509 PKI certificates expire and can be revoked; to handle this, the -clients need some way to determine if a particular certificate, from a -particular Certificate Authority (CA), is still valid. There are three -main ways to do so. - -The simplest way is to serve up a Certificate Revocation List (CRL) with -an ordinary web-server, regenerating the CRL before it expires. The -downside is that clients have to periodically re-download a potentially -huge file from every certificate authority it knows of. 
- -The way with most moving parts at query time is Online Certificate -Status Protocol (OCSP), where the client verifies the certificate -against an OCSP server run by the CA. This lets the CA track all -usage of the certs. This requires running software with access to the -private key of the CA, to sign the responses to the OCSP queries. OCSP -is based on HTTP and can be proxied accordingly. - -The only widespread OCSP server implementation (known to this writer) -comes as part of OpenSSL and aborts on an invalid request, such as -connecting to the port and then disconnecting. This requires -re-entering the passphrase each time some random client does this. - -The third way is OCSP Stapling; in this, the server using a certificate -issued by the CA periodically requests an OCSP proof of validity from -the OCSP server, then serves it up inline as part of the TLS -negotiation. This approach adds no extra round trips, does not let the -CA track users, scales well with number of certs issued by the CA and is -resilient to temporary OCSP server failures, as long as the server -starts retrying to fetch an OCSP proof some time before its current -proof expires. The downside is that it requires server support. - -If Exim is built with EXPERIMENTAL_OCSP and it was built with OpenSSL, -then it gains a new global option: "tls_ocsp_file". - -The file specified therein is expected to be in DER format, and contain -an OCSP proof. Exim will serve it as part of the TLS handshake. This -option will be re-expanded for SNI, if the tls_certificate option -contains $tls_sni, as per other TLS options. - -Exim does not at this time implement any support for fetching a new OCSP -proof. The burden is on the administrator to handle this, outside of -Exim. The file specified should be replaced atomically, so that the -contents are always valid. Exim will expand the "tls_ocsp_file" option -on each connection, so a new file will be handled transparently on the -next connection. 
- -Exim will check for a valid next update timestamp in the OCSP proof; -if not present, or if the proof has expired, it will be ignored. - -Also, given EXPERIMENTAL_OCSP and OpenSSL, the smtp transport gains -a "hosts_require_ocsp" option; a host-list for which an OCSP Stapling -is requested and required for the connection to proceed. The host(s) -should also be in "hosts_require_tls", and "tls_verify_certificates" -configured for the transport. - -For the client to be able to verify the stapled OCSP the server must -also supply, in its stapled information, any intermediate -certificates for the chain leading to the OCSP proof from the signer -of the server certificate. There may be zero or one such. These -intermediate certificates should be added to the server OCSP stapling -file (named by tls_ocsp_file). - -At this point in time, we're gathering feedback on use, to determine if -it's worth adding complexity to the Exim daemon to periodically re-fetch -OCSP files and somehow handling multiple files. - - A helper script "ocsp_fetch.pl" for fetching a proof from a CA - OCSP server is supplied. The server URL may be included in the - server certificate, if the CA is helpful. - - One fail mode seen was the OCSP Signer cert expiring before the end - of vailidity of the OCSP proof. The checking done by Exim/OpenSSL - noted this as invalid overall, but the re-fetch script did not. - - - - Brightmail AntiSpam (BMI) suppport -------------------------------------------------------------- 
@@ -452,15 +344,21 @@ which the spf condition should succeed. Valid strings are: This means the queried domain has published a SPF record, but wants to allow outside servers to send mail under its domain as well. - o err_perm This indicates a syntax error in the SPF - record of the queried domain. This should be - treated like "none". - o err_temp This indicates a temporary error during all + This should be treated like "none". + o permerror This indicates a syntax error in the SPF + record of the queried domain. You may deny + messages when this occurs. (Changed in 4.83) + o temperror This indicates a temporary error during all processing, including Exim's SPF processing. You may defer messages when this occurs. + (Changed in 4.83) + o err_temp Same as permerror, deprecated in 4.83, will be + removed in a future release. + o err_perm Same as temperror, deprecated in 4.83, will be + removed in a future release. You can prefix each string with an exclamation mark to invert -is meaning, for example "!fail" will match all results but +its meaning, for example "!fail" will match all results but "fail". The string list is evaluated left-to-right, in a short-circuit fashion. When a string matches the outcome of the SPF check, the condition succeeds. If none of the listed @@ -510,8 +408,8 @@ variables. $spf_result This contains the outcome of the SPF check in string form, - one of pass, fail, softfail, none, neutral, err_perm or - err_temp. + one of pass, fail, softfail, none, neutral, permerror or + temperror. $spf_smtp_comment This contains a string that can be used in a SMTP response @@ -773,7 +671,7 @@ fails. Of course, you can also use any other lookup method that Exim supports, including LDAP, Postgres, MySQL, etc, as long as the -result is a list of colon-separated strings; +result is a list of colon-separated strings. Several expansion variables are set before the DATA ACL is processed, and you can use them in this ACL. The following 
@@ -781,7 +679,10 @@ expansion variables are available: o $dmarc_status This is a one word status indicating what the DMARC library - thinks of the email. + thinks of the email. It is a combination of the results of + DMARC record lookup and the SPF/DKIM/DMARC processing results + (if a DMARC record was found). The actual policy declared + in the DMARC record is in a separate expansion variable. o $dmarc_status_text This is a slightly longer, human readable status. @@ -790,6 +691,11 @@ expansion variables are available: This is the domain which DMARC used to look up the DMARC policy record. + o $dmarc_domain_policy + This is the policy declared in the DMARC record. Valid values + are "none", "reject" and "quarantine". It is blank when there + is any error, including no DMARC record. + o $dmarc_ar_header This is the entire Authentication-Results header which you can add using an add_header modifier. @@ -825,6 +731,9 @@ b. Configure, somewhere before the DATA ACL, the control option to warn !domains = +screwed_up_dmarc_records control = dmarc_enable_forensic + warn condition = (lookup if destined to mailing list) + set acl_m_mailing_list = 1 + (DATA ACL) warn dmarc_status = accept : none : off !authenticated = * @@ -840,6 +749,10 @@ b. Configure, somewhere before the DATA ACL, the control option to set $acl_m_quarantine = 1 # Do something in a transport with this flag variable + deny condition = ${if eq{$dmarc_domain_policy}{reject}} + condition = ${if eq{$acl_m_mailing_list}{1}} + message = Messages from $dmarc_used_domain break mailing lists + deny dmarc_status = reject !authenticated = * message = Message from $domain_used_domain failed sender's DMARC policy, REJECT 
@@ -1015,6 +928,226 @@ Where SPAMMER_SET is a macro and it is defined as set acl_c_spam_host = ${lookup redis{GET...}} +Proxy Protocol Support +-------------------------------------------------------------- + +Exim now has Experimental "Proxy Protocol" support. It was built on +specifications from: +http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt +Above URL revised May 2014 to change version 2 spec: +http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=afb768340c9d7e50d8e + +The purpose of this function is so that an application load balancer, +such as HAProxy, can sit in front of several Exim servers and Exim +will log the IP that is connecting to the proxy server instead of +the IP of the proxy server when it connects to Exim. It resets the +$sender_address_host and $sender_address_port to the IP:port of the +connection to the proxy. It also re-queries the DNS information for +this new IP address so that the original sender's hostname and IP +get logged in the Exim logfile. There is no logging if a host passes or +fails Proxy Protocol negotiation, but it can easily be determined and +recorded in an ACL (example is below). + +1. To compile Exim with Proxy Protocol support, put this in +Local/Makefile: + +EXPERIMENTAL_PROXY=yes + +2. Global configuration settings: + +proxy_required_hosts = HOSTLIST + +The proxy_required_hosts option will require any IP in that hostlist +to use Proxy Protocol. The specification of Proxy Protocol is very +strict, and if proxy negotiation fails, Exim will not allow any SMTP +command other than QUIT. (See end of this section for an example.) +The option is expanded when used, so it can be a hostlist as well as +string of IP addresses. Since it is expanded, specifying an alternate +separator is supported for ease of use with IPv6 addresses. 
+ +To log the IP of the proxy in the incoming logline, add: + log_selector = +proxy + +A default incoming logline (wrapped for appearance) will look like this: + + 2013-11-04 09:25:06 1VdNti-0001OY-1V <= me@example.net + H=mail.example.net [1.2.3.4] P=esmtp S=433 + +With the log selector enabled, an email that was proxied through a +Proxy Protocol server at 192.168.1.2 will look like this: + + 2013-11-04 09:25:06 1VdNti-0001OY-1V <= me@example.net + H=mail.example.net [1.2.3.4] P=esmtp PRX=192.168.1.2 S=433 + +3. In the ACL's the following expansion variables are available. + +proxy_host_address The (internal) src IP of the proxy server + making the connection to the Exim server. +proxy_host_port The (internal) src port the proxy server is + using to connect to the Exim server. +proxy_target_address The dest (public) IP of the remote host to + the proxy server. +proxy_target_port The dest port the remote host is using to + connect to the proxy server. +proxy_session Boolean, yes/no, the connected host is required + to use Proxy Protocol. + +There is no expansion for a failed proxy session, however you can detect +it by checking if $proxy_session is true but $proxy_host is empty. 
As +an example, in my connect ACL, I have: + + warn condition = ${if and{ {bool{$proxy_session}} \ + {eq{$proxy_host_address}{}} } } + log_message = Failed required proxy protocol negotiation \ + from $sender_host_name [$sender_host_address] + + warn condition = ${if and{ {bool{$proxy_session}} \ + {!eq{$proxy_host_address}{}} } } + # But don't log health probes from the proxy itself + condition = ${if eq{$proxy_host_address}{$sender_host_address} \ + {false}{true}} + log_message = Successfully proxied from $sender_host_name \ + [$sender_host_address] through proxy protocol \ + host $proxy_host_address + + # Possibly more clear + warn logwrite = Remote Source Address: $sender_host_address:$sender_host_port + logwrite = Proxy Target Address: $proxy_target_address:$proxy_target_port + logwrite = Proxy Internal Address: $proxy_host_address:$proxy_host_port + logwrite = Internal Server Address: $received_ip_address:$received_port + + +4. Recommended ACL additions: + - Since the real connections are all coming from your proxy, and the + per host connection tracking is done before Proxy Protocol is + evaluated, smtp_accept_max_per_host must be set high enough to + handle all of the parallel volume you expect per inbound proxy. + - With the smtp_accept_max_per_host set so high, you lose the ability + to protect your server from massive numbers of inbound connections + from one IP. In order to prevent your server from being DOS'd, you + need to add a per connection ratelimit to your connect ACL. I + suggest something like this: + + # Set max number of connections per host + LIMIT = 5 + # Or do some kind of IP lookup in a flat file or database + # LIMIT = ${lookup{$sender_host_address}iplsearch{/etc/exim/proxy_limits}} + + defer message = Too many connections from this IP right now + ratelimit = LIMIT / 5s / per_conn / strict + + +5. 
Runtime issues to be aware of: + - The proxy has 3 seconds (hard-coded in the source code) to send the + required Proxy Protocol header after it connects. If it does not, + the response to any commands will be: + "503 Command refused, required Proxy negotiation failed" + - If the incoming connection is configured in Exim to be a Proxy + Protocol host, but the proxy is not sending the header, the banner + does not get sent until the timeout occurs. If the sending host + sent any input (before the banner), this causes a standard Exim + synchronization error (i.e. trying to pipeline before PIPELINING + was advertised). + - This is not advised, but is mentioned for completeness if you have + a specific internal configuration that you want this: If the Exim + server only has an internal IP address and no other machines in your + organization will connect to it to try to send email, you may + simply set the hostlist to "*", however, this will prevent local + mail programs from working because that would require mail from + localhost to use Proxy Protocol. Again, not advised! + +6. Example of a refused connection because the Proxy Protocol header was +not sent from a host configured to use Proxy Protocol. In the example, +the 3 second timeout occurred (when a Proxy Protocol banner should have +been sent), the banner was displayed to the user, but all commands are +rejected except for QUIT: + +# nc mail.example.net 25 +220-mail.example.net, ESMTP Exim 4.82+proxy, Mon, 04 Nov 2013 10:45:59 +220 -0800 RFC's enforced +EHLO localhost +503 Command refused, required Proxy negotiation failed +QUIT +221 mail.example.net closing connection + + +DSN Support +-------------------------------------------------------------- + +DSN Support tries to add RFC 3461 support to Exim. 
It adds support for +*) the additional parameters for MAIL FROM and RCPT TO +*) RFC complient MIME DSN messages for all of + success, failure and delay notifications +*) dsn_advertise_hosts main option to select which hosts are able + to use the extension +*) dsn_lasthop router switch to end DSN processing + +In case of failure reports this means that the last three parts, the message body +intro, size info and final text, of the defined template are ignored since there is no +logical place to put them in the MIME message. + +All the other changes are made without changing any defaults + +Building exim: +-------------- + +Define +EXPERIMENTAL_DSN=YES +in your Local/Makefile. + +Configuration: +-------------- +All DSNs are sent in MIME format if you built exim with EXPERIMENTAL_DSN=YES +No option needed to activate it, and no way to turn it off. + +Failure and delay DSNs are triggered as usual except a sender used NOTIFY=... +to prevent them. + +Support for Success DSNs is added and activated by NOTIFY=SUCCESS by clients. + +Add +dsn_advertise_hosts = * +or a more restrictive host_list to announce DSN in EHLO answers + +Those hosts can then use NOTIFY,ENVID,RET,ORCPT options. + +If a message is relayed to a DSN aware host without changing the envelope +recipient the options are passed along and no success DSN is generated. + +A redirect router will always trigger a success DSN if requested and the DSN +options are not passed any further. + +A success DSN always contains the recipient address as submitted by the +client as required by RFC. Rewritten addresses are never exposed. + +If you used DSN patch up to 1.3 before remove all "dsn_process" switches from +your routers since you don't need them anymore. There is no way to "gag" +success DSNs anymore. Announcing DSN means answering as requested. + +You can prevent Exim from passing DSN options along to other DSN aware hosts by defining +dsn_lasthop +in a router. 
Exim will then send the success DSN himself if requested as if +the next hop does not support DSN. +Adding it to a redirect router makes no difference. + +Certificate name checking +-------------------------------------------------------------- +The X509 certificates used for TLS are supposed be verified +that they are owned by the expected host. The coding of TLS +support to date has not made these checks. + +If built with EXPERIMENTAL_CERTNAMES defined, code is +included to do so, and a new smtp transport option +"tls_verify_cert_hostname" supported which takes a list of +names for which the checks must be made. The host must +also be in "tls_verify_hosts". + +Both Subject and Subject-Alternate-Name certificate fields +are supported, as are wildcard certificates (limited to +a single wildcard being the initial component of a 3-or-more +component FQDN). + + -------------------------------------------------------------- End of file diff --git a/release-process/scripts/mk_exim_release.pl b/release-process/scripts/mk_exim_release.pl index 81091fb9f..e3267fd3e 100755 --- a/release-process/scripts/mk_exim_release.pl +++ b/release-process/scripts/mk_exim_release.pl @@ -149,7 +149,8 @@ sub build_html_documentation { my @cmd = ( $genpath, '--spec', $spec, '--filter', $filter, '--latest', $context->{trelease}, '--tmpl', - $templates, '--docroot', $dir, '--localstatic' + $templates, '--docroot', $dir, '--localstatic', + (($verbose||$debug) ? '--verbose' : '') ); print "Executing ", join( ' ', @cmd ), "\n"; diff --git a/release-process/scripts/quickrelease b/release-process/scripts/quickrelease new file mode 100755 index 000000000..dd16fa0f5 --- /dev/null +++ b/release-process/scripts/quickrelease 
@@ -0,0 +1,30 @@ +#!/bin/sh +# +# A really dumb script for making a quick tarball of Exim + +set -e + +OWD=$(pwd -P) + +GWD=$(git rev-parse --git-dir) + +TWD=$(mktemp -d -t exim) || exit 1 +echo $TWD +cd $TWD + +git clone $GWD + +cd exim/src/src +../scripts/reversion +. version.sh +EXIM=exim-${EXIM_RELEASE_VERSION}${EXIM_VARIANT_VERSION} + +cd ../.. +mv src $EXIM +tar cfz $EXIM.tar.gz $EXIM +mv $EXIM src + +cd $OWD +mv $TWD/exim/$EXIM.tar.gz . +rm -rf $EXIM +echo $EXIM.tar.gz diff --git a/src/Makefile b/src/Makefile index b4f04b2e4..99f4ab308 100644 --- a/src/Makefile +++ b/src/Makefile @@ -2,7 +2,7 @@ # appropriate links, and then creating and running the main makefile in that # directory. -# Copyright (c) University of Cambridge, 1995 - 2007 +# Copyright (c) University of Cambridge, 1995 - 2014 # See the file NOTICE for conditions of use and distribution. # IRIX make uses the shell that is in the SHELL variable, which often defaults @@ -90,9 +90,11 @@ distclean:; $(RM_COMMAND) -rf build-* cscope* cscope.files: FRC echo "-q" > $@ echo "-p3" >> $@ - find src Local -name "*.[cshyl]" -print \ + find src Local OS -name "*.[cshyl]" -print \ + -o -name "os.h*" -print \ -o -name "*akefile*" -print \ -o -name EDITME -print >> $@ + ls OS/* >> $@ FRC: diff --git a/src/OS/Makefile-Base b/src/OS/Makefile-Base index 1500e85ec..0caf8604b 100644 --- a/src/OS/Makefile-Base +++ b/src/OS/Makefile-Base @@ -106,8 +106,7 @@ allexim: config.h $(EXIM_MONITOR) exicyclog exinext exiwhat \ transport-filter.pl convert4r3 convert4r4 \ exim_checkaccess \ exim_dbmbuild exim_dumpdb exim_fixdb exim_tidydb exim_lock \ - buildlookups buildrouters buildtransports \ - buildauths buildpdkim exim + exim # Targets for special-purpose configuration header builders 
@@ -317,8 +316,8 @@ OBJ_EXIM = acl.o child.o crypt16.o daemon.o dbfn.o debug.o deliver.o \ local_scan.o $(EXIM_PERL) $(OBJ_WITH_CONTENT_SCAN) \ $(OBJ_WITH_OLD_DEMIME) $(OBJ_EXPERIMENTAL) -exim: lookups/lookups.a auths/auths.a pdkim/pdkim.a \ - routers/routers.a transports/transports.a \ +exim: buildlookups buildauths pdkim/pdkim.a \ + buildrouters buildtransports \ $(OBJ_EXIM) version.o @echo "$(LNCC) -o exim" $(FE)$(PURIFY) $(LNCC) -o exim $(LFLAGS) $(OBJ_EXIM) version.o \ @@ -355,7 +354,7 @@ exim_dumpdb: $(OBJ_DUMPDB) OBJ_FIXDB = exim_fixdb.o util-os.o util-store.o -exim_fixdb: $(OBJ_FIXDB) auths/auths.a +exim_fixdb: $(OBJ_FIXDB) buildauths @echo "$(LNCC) -o exim_fixdb" $(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_fixdb $(LFLAGS) $(OBJ_FIXDB) \ auths/auths.a $(LIBS) $(EXTRALIBS) $(DBMLIB) @@ -578,7 +577,7 @@ spool_out.o: $(HDRS) spool_out.c std-crypto.o: $(HDRS) std-crypto.c store.o: $(HDRS) store.c string.o: $(HDRS) string.c -tls.o: $(HDRS) tls.c tls-gnu.c tls-openssl.c +tls.o: $(HDRS) tls.c tls-gnu.c tlscert-gnu.c tls-openssl.c tlscert-openssl.c tod.o: $(HDRS) tod.c transport.o: $(HDRS) transport.c tree.o: $(HDRS) tree.c @@ -621,7 +620,7 @@ drtables.o: $(HDRS) drtables.c # When using parallel make, we don't have the dependency to force building # in the sub-directory unless we force that dependency: -$(OBJ_LOOKUPS): lookups/lookups.a +$(OBJ_LOOKUPS): buildlookups # The exim monitor's private modules - the sources live in a private # subdirectory. The final binary combines the private modules with some @@ -649,7 +648,7 @@ $(MONBIN): $(HDRS) # The lookups library. -buildlookups lookups/lookups.a: config.h version.h +buildlookups: @cd lookups && $(MAKE) SHELL=$(SHELL) AR="$(AR)" $(MFLAGS) CC="$(CC)" CFLAGS="$(CFLAGS)" \ CFLAGS_DYNAMIC="$(CFLAGS_DYNAMIC)" HDRS="../version.h $(PHDRS)" \ FE="$(FE)" RANLIB="$(RANLIB)" RM_COMMAND="$(RM_COMMAND)" \ 
@@ -658,7 +657,7 @@ buildlookups lookups/lookups.a: config.h version.h # The routers library. -buildrouters routers/routers.a: config.h +buildrouters: @cd routers && $(MAKE) SHELL=$(SHELL) AR="$(AR)" $(MFLAGS) CC="$(CC)" CFLAGS="$(CFLAGS)" \ FE="$(FE)" RANLIB="$(RANLIB)" RM_COMMAND="$(RM_COMMAND)" HDRS="$(PHDRS)" \ INCLUDE="$(INCLUDE) $(IPV6_INCLUDE) $(TLS_INCLUDE)" @@ -666,7 +665,7 @@ buildrouters routers/routers.a: config.h # The transports library. -buildtransports transports/transports.a: config.h +buildtransports: @cd transports && $(MAKE) SHELL=$(SHELL) AR="$(AR)" $(MFLAGS) CC="$(CC)" CFLAGS="$(CFLAGS)" \ FE="$(FE)" RANLIB="$(RANLIB)" RM_COMMAND="$(RM_COMMAND)" HDRS="$(PHDRS)" \ INCLUDE="$(INCLUDE) $(IPV6_INCLUDE) $(TLS_INCLUDE)" @@ -674,7 +673,7 @@ buildtransports transports/transports.a: config.h # The library of authorization modules -buildauths auths/auths.a: config.h +buildauths: @cd auths && $(MAKE) SHELL=$(SHELL) AR="$(AR)" $(MFLAGS) CC="$(CC)" CFLAGS="$(CFLAGS)" \ FE="$(FE)" RANLIB="$(RANLIB)" RM_COMMAND="$(RM_COMMAND)" HDRS="$(PHDRS)" \ INCLUDE="$(INCLUDE) $(IPV6_INCLUDE) $(TLS_INCLUDE)" @@ -682,7 +681,8 @@ buildauths auths/auths.a: config.h # The PDKIM library -buildpdkim pdkim/pdkim.a: config.h +buildpdkim: pdkim/pdkim.a +pdkim/pdkim.a: config.h @cd pdkim && $(MAKE) SHELL=$(SHELL) AR="$(AR)" $(MFLAGS) CC="$(CC)" CFLAGS="$(CFLAGS)" \ FE="$(FE)" RANLIB="$(RANLIB)" RM_COMMAND="$(RM_COMMAND)" HDRS="$(PHDRS)" \ INCLUDE="$(INCLUDE) $(IPV6_INCLUDE) $(TLS_INCLUDE)" diff --git a/src/OS/os.c-Linux b/src/OS/os.c-Linux index 1e8a6f47d..df0dff9db 100644 --- a/src/OS/os.c-Linux +++ b/src/OS/os.c-Linux @@ -94,7 +94,7 @@ ip_address_item *last = NULL; ip_address_item *next; char addr6p[8][5]; unsigned int plen, scope, dad_status, if_idx; -char devname[20]; +char devname[20+1]; FILE *f; #endif diff --git a/src/README.DSN b/src/README.DSN new file mode 100644 index 000000000..68d16415c --- /dev/null +++ b/src/README.DSN 
@@ -0,0 +1,141 @@ +Exim DSN Patch (4.82) +--------------------- + +This patch is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2 of the License, or +(at your option) any later version. + +This patch is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this patch; if not, write to the Free Software +Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111 USA. + +Installation & Usage +-------------------- +See docs/experimental-spec.txt + +Credits +------- + +The original work for the patch was done by Philip Hazel in Exim 3 + +The extract was taken and re-applied to Exim 4 by the following :- +Phil Bingham (phil.bingham@cwipapps.net) +Steve Falla (steve.falla@cwipapps.net) +Ray Edah (ray.edah@cwipapps.net) +Andrew Johnson (andrew.johnson@cwippaps.net) +Adrian Hungate (adrian.hungate@cwipapps.net) + +Now Primarily maintained by :- +Andrew Johnson (andrew.johnson@cwippaps.net) + +Updated for 4.82, improved and submitted to +http://bugs.exim.org/show_bug.cgi?id=118 +by :- +Wolfgang Breyha (wbreyha@gmx.net) + +Contributions +------------- +Andrey J. Melnikoff (TEMHOTA) (temnota@kmv.ru) + + +ChangeLog +--------- +14-Apr-2006 : Changed subject to "Delivery Status Notification" + +17-May-2006 : debug_printf in spool-in.c were not wrapped with #ifndef COMPILE_UTILITY + thanks to Andrey J. Melnikoff for this information + +12-Sep-2006 : Now supports Exim 4.63 + +12-Sep-2006 : src/EDITME did not include the #define SUPPORT_DSN as stated + in the documentation, this has now been corrected + thanks to Robert Kehl for this information + +28-Jul-2008 : New version for exim 4.69 released. 
+ +02-Jul-2010 : New version for exim 4.72 released. + +25-Apr-2014 : Version 1.4 + *) fix ENVID and ORCPT addition in SMTP transport + *) p was not moved to the end of the string. new content + added afterwards overwrites ENVID and/or ORCPT + *) change spool file format to be compatible with the + extensible format of exim 4 by prepending new values and + setting the extended bitmask accordingly + *) use SUPPORT_DSN_LEGACY=yes in Makefile to be able to read + the legacy format of older patches until all messages are out of queue. + *) change "dsn" boolean toggle to "dsn_advertise_hosts" to + be able to select who actually can use the extension + *) Add all RFC 3461 MUST fields to delivery-status section + *) convert xtext in ENVID + *) add all successful rcpts to ONE message instead of sending several messages + +26-Apr-2014 : Version 1.5 + fixes: + *) fixed wrong order for ENVID + *) fixed wrong Final-Recipient value + *) af_ignore_failure is ignored for success reports + *) fixed DSN_LEGACY switch + improvements: + *) added MIME "failure" reports + *) bounce_return_message is ignored (required by RFC) + *) in case RET= is defined we honor these values + otherwise bounce_return_body is honored. + *) bounce_return_size_limit is always honored. 
+ *) message body intro and final text is ignored + *) do not send report if DSN flags say NO + *) added MIME "delay" reports + *) do not send report if DSN flags say NO + *) changed from SUPPORT_DSN to EXPERIMENTAL_DSN + *) updated documentation + +01-May-2014 : Version 1.6 + fixes: + *) code cleanup + *) use text/rfc822-headers were applicable + *) fix NOTIFY=FAILURE + + improvements: + *) do not truncated MIME messages + *) if bounce_return_size_limit is smaller then the actual message + only the header is returned + *) if bounce_return_body or bounce_return_size_limit prevents Exim + from returning the requested (RET=FULL) body this fact is added + as X-Exim-DSN-Information Header + *) this also means that all of the last three parts of the "failure" + template are not used anymore + + *) dsn_process switch removed + *) every router "processes" DSN by default + *) there is no possibilty to "gag" DSN anymore since this violates RFC + *) dsn_lasthop switch added for routers + *) if dsn_lasthop is set by a router it is handled as relaying to a + non DSN aware relay. success mails are sent if Exim successfully + delivers the message. + *) redirect routers always "act" as if dsn_lasthop is set + + *) address_item.dsn_aware changed from uschar to int for easier handling. + +02-May-2014 : fixes: + *) Reporting-MTA: use smtp_active_hostname instead of qualify_domain from + original patch. + +20-May-2014 : fixes: + *) removed support for EXPERIMENTAL_DSN_LEGACY for codebase inclusion + *) fixed build of exim_monitor tree + *) fixed late declaration of dsn_all_lasthop + +----------------- + +Support for this patch up to 1.3 (limited though it is) will only be provided through the SourceForge +project page (http://sourceforge.net/projects/eximdsn/) + +From 1.4 onward feel free to ask on the exim-users mailinglist or add comments to +http://bugs.exim.org/show_bug.cgi?id=118 + 
diff --git a/src/exim_monitor/em_globals.c b/src/exim_monitor/em_globals.c index b0a912e5f..d5205d08f 100644 --- a/src/exim_monitor/em_globals.c +++ b/src/exim_monitor/em_globals.c @@ -145,6 +145,11 @@ BOOL dkim_disable_verify = FALSE; BOOL dont_deliver = FALSE; +#ifdef EXPERIMENTAL_DSN +int dsn_ret = 0; +uschar *dsn_envid = NULL; +#endif + #ifdef WITH_CONTENT_SCAN int fake_response = OK; #endif diff --git a/src/exim_monitor/em_log.c b/src/exim_monitor/em_log.c index 0441edd2e..6efd9c0c9 100644 --- a/src/exim_monitor/em_log.c +++ b/src/exim_monitor/em_log.c @@ -2,7 +2,7 @@ * Exim Monitor * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* This module contains code for scanning the main log, diff --git a/src/scripts/Configure-Makefile b/src/scripts/Configure-Makefile index 5e8a72683..eeb26eeb1 100755 --- a/src/scripts/Configure-Makefile +++ b/src/scripts/Configure-Makefile @@ -142,6 +142,10 @@ then fi if [ ".$need_this" != "." ]; then tls_include=`pkg-config --cflags $pc_value` + if [ $? -ne 0 ]; then + echo >&2 "*** Missing pkg-config for package $pc_value (for Exim $var build option)" + exit 1 + fi tls_libs=`pkg-config --libs $pc_value` echo "TLS_INCLUDE=$tls_include" echo "TLS_LIBS=$tls_libs" @@ -161,6 +165,10 @@ then else # main binary cflags=`pkg-config --cflags $pc_value` + if [ $? -ne 0 ]; then + echo >&2 "*** Missing pkg-config for package $pc_value (for Exim $var build option)" + exit 1 + fi libs=`pkg-config --libs $pc_value` if [ "$var" != "${var#LOOKUP_}" ]; then echo "LOOKUP_INCLUDE += $cflags" @@ -178,6 +186,10 @@ then case $PCRE_CONFIG in yes|YES|y|Y) cflags=`pcre-config --cflags` + if [ $? -ne 0 ]; then + echo >&2 "*** Missing pcre-config for regular expression support" + exit 1 + fi libs=`pcre-config --libs` if [ ".$cflags" != "." ]; then echo "INCLUDE += $cflags" 
@@ -196,6 +208,10 @@ then echo "# End of pkg-config fixups" echo ) >> $mft + subexit=$? + if [ $subexit -ne 0 ]; then + exit $subexit + fi fi rm -f $mftt diff --git a/src/scripts/MakeLinks b/src/scripts/MakeLinks index 2eb8a967e..01cd21f1c 100755 --- a/src/scripts/MakeLinks +++ b/src/scripts/MakeLinks @@ -233,6 +233,8 @@ ln -s ../src/std-crypto.c std-crypto.c ln -s ../src/store.c store.c ln -s ../src/string.c string.c ln -s ../src/tls.c tls.c +ln -s ../src/tlscert-gnu.c tlscert-gnu.c +ln -s ../src/tlscert-openssl.c tlscert-openssl.c ln -s ../src/tls-gnu.c tls-gnu.c ln -s ../src/tls-openssl.c tls-openssl.c ln -s ../src/tod.c tod.c diff --git a/src/scripts/lookups-Makefile b/src/scripts/lookups-Makefile index 51fbd944b..61493c632 100755 --- a/src/scripts/lookups-Makefile +++ b/src/scripts/lookups-Makefile @@ -24,6 +24,22 @@ then _XPG=1 export _XPG + # We need the _right_ tr, so must do that first; but if a shell which + # we're more confident is sane is available, let's try that. Mostly, + # the problem is that "local" is not actually in "the" standard, it's + # just in every not-insane shell. Though arguably, there are no shells + # with POSIX-ish syntax which qualify as "not insane". + for b in /bin/dash /bin/bash /usr/local/bin/bash + do + if [ -x "$b" ] + then + SHELL="$b" + break + fi + done + # if we get a report of a system with zsh but not bash, we can add that + # to the list, but be sure to enable sh_word_split in that case. + exec "$SHELL" "$0" "$@" fi @@ -41,6 +57,16 @@ tab=' ' LC_ALL=C export LC_ALL +if [ -f "$defs_source" ] +then + : + # we are happy +else + echo >&2 "$0: ERROR: MISSING FILE '${defs_source}'" + echo >&2 "$0: SHOULD HAVE BEEN CALLED FROM scripts/Configure-Makefile" + exit 1 +fi + # nb: do not permit leading whitespace for this, as CFLAGS_DYNAMIC is exported # to the lookups subdir via a line with leading whitespace which otherwise # matches 
@@ -95,7 +121,10 @@ emit_module_rule() { local mod_name pkgconf if [ "${lookup_name%:*}" = "$lookup_name" ] then - mod_name=$(echo $lookup_name | tr A-Z a-z) + # Square brackets are redundant but benign for POSIX compliant tr, + # however Solaris /usr/bin/tr requires them. Sometimes Solaris + # gets installed without a complete set of xpg4 tools, sigh. + mod_name=$(echo $lookup_name | tr [A-Z] [a-z]) else mod_name="${lookup_name#*:}" lookup_name="${lookup_name%:*}" diff --git a/src/src/EDITME b/src/src/EDITME index 3f818f355..d576fd7a3 100644 --- a/src/src/EDITME +++ b/src/src/EDITME @@ -410,6 +410,17 @@ EXIM_MONITOR=eximon.bin # DISABLE_DKIM=yes +#------------------------------------------------------------------------------ +# Uncomment the following line to remove Per-Recipient-Data-Response support. + +# DISABLE_PRDR=yes + +#------------------------------------------------------------------------------ +# Uncomment the following line to remove OCSP stapling support in TLS, +# from Exim. Note it can only be supported when built with +# GnuTLS 3.1.3 or later, or OpenSSL + +# DISABLE_OCSP=yes #------------------------------------------------------------------------------ # By default, Exim has support for checking the AD bit in a DNS response, to @@ -455,19 +466,12 @@ EXIM_MONITOR=eximon.bin # CFLAGS += -I/opt/brightmail/bsdk-6.0/include # LDFLAGS += -lxml2_single -lbmiclient_single -L/opt/brightmail/bsdk-6.0/lib -# Uncomment the following line to add OCSP stapling support in TLS, if Exim -# was built using OpenSSL. - -# EXPERIMENTAL_OCSP=yes - # Uncomment the following line to add DMARC checking capability, implemented # using libopendmarc libraries. # EXPERIMENTAL_DMARC=yes # CFLAGS += -I/usr/local/include # LDFLAGS += -lopendmarc -# Uncomment the following line to add Per-Recipient-Data-Response support. -# EXPERIMENTAL_PRDR=yes # Uncomment the following line to support Transport post-delivery actions, # eg. for logging to a database. 
@@ -480,6 +484,15 @@ EXIM_MONITOR=eximon.bin # CFLAGS += -I/usr/local/include # LDFLAGS += -lhiredis +# Uncomment the following line to enable Experimental Proxy Protocol +# EXPERIMENTAL_PROXY=yes + +# Uncomment the following line to enable support for checking certiticate +# ownership +# EXPERIMENTAL_CERTNAMES=yes + +# Uncomment the following line to add DSN support +# EXPERIMENTAL_DSN=yes ############################################################################### # THESE ARE THINGS YOU MIGHT WANT TO SPECIFY # diff --git a/src/src/acl.c b/src/src/acl.c index 520375ab4..6e635fbf1 100644 --- a/src/src/acl.c +++ b/src/src/acl.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Code for handling Access Control Lists (ACLs) */ @@ -397,7 +397,7 @@ static unsigned int cond_forbids[] = { (unsigned int) ~((1<value) *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr); return rc; + case VERIFY_HDR_NAMES_ASCII: + /* Check that all header names are true 7 bit strings + See RFC 5322, 2.2. and RFC 6532, 3. */ + + rc = verify_check_header_names_ascii(log_msgptr); + if (rc != OK && smtp_return_error_details && *log_msgptr != NULL) + *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr); + return rc; + case VERIFY_NOT_BLIND: /* Check that no recipient of this message is "blind", that is, every envelope recipient must be mentioned in either To: or Cc:. */ 
@@ -2202,8 +2214,8 @@ return rc; BAD_VERIFY: *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", " - "\"helo\", \"header_syntax\", \"header_sender\" or " - "\"reverse_host_lookup\" at start of ACL condition " + "\"helo\", \"header_syntax\", \"header_sender\", \"header_names_ascii\" " + "or \"reverse_host_lookup\" at start of ACL condition " "\"verify %s\"", arg); return ERROR; } @@ -2846,9 +2858,9 @@ uschar *portstr; uschar *portend; host_item *h; int portnum; -int host_af; int len; int r, s; +uschar * errstr; hostname = string_nextinlist(&arg, &sep, NULL, 0); portstr = string_nextinlist(&arg, &sep, NULL, 0); @@ -2895,14 +2907,18 @@ if (r == HOST_FIND_FAILED || r == HOST_FIND_AGAIN) HDEBUG(D_acl) debug_printf("udpsend [%s]:%d %s\n", h->address, portnum, arg); -host_af = (Ustrchr(h->address, ':') == NULL)? AF_INET:AF_INET6; -r = s = ip_socket(SOCK_DGRAM, host_af); -if (r < 0) goto defer; -r = ip_connect(s, host_af, h->address, portnum, 1); +r = s = ip_connectedsocket(SOCK_DGRAM, h->address, portnum, portnum, + 1, NULL, &errstr); if (r < 0) goto defer; len = Ustrlen(arg); r = send(s, arg, len, 0); -if (r < 0) goto defer; +if (r < 0) + { + errstr = US strerror(errno); + close(s); + goto defer; + } +close(s); if (r < len) { *log_msgptr = @@ -2916,7 +2932,7 @@ HDEBUG(D_acl) return OK; defer: -*log_msgptr = string_sprintf("\"udpsend\" failed: %s", strerror(errno)); +*log_msgptr = string_sprintf("\"udpsend\" failed: %s", errstr); return DEFER; } @@ -2976,12 +2992,14 @@ for (; cb != NULL; cb = cb->next) if (cb->type == ACLC_MESSAGE) { + HDEBUG(D_acl) debug_printf(" message: %s\n", cb->arg); user_message = cb->arg; continue; } if (cb->type == ACLC_LOG_MESSAGE) { + HDEBUG(D_acl) debug_printf("l_message: %s\n", cb->arg); log_message = cb->arg; continue; } 
@@ -3088,7 +3106,9 @@ for (; cb != NULL; cb = cb->next) /* The true/false parsing here should be kept in sync with that used in expand.c when dealing with ECOND_BOOL so that we don't have too many different definitions of what can be a boolean. */ - if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */ + if (*arg == '-' + ? Ustrspn(arg+1, "0123456789") == Ustrlen(arg+1) /* Negative number */ + : Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */ rc = (Uatoi(arg) == 0)? FAIL : OK; else rc = (strcmpic(arg, US"no") == 0 || @@ -3228,8 +3248,9 @@ for (; cb != NULL; cb = cb->next) disable_callout_flush = TRUE; break; - case CONTROL_FAKEDEFER: case CONTROL_FAKEREJECT: + cancel_cutthrough_connection("fakereject"); + case CONTROL_FAKEDEFER: fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL; if (*p == '/') { @@ -3259,10 +3280,12 @@ for (; cb != NULL; cb = cb->next) *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg); return ERROR; } + cancel_cutthrough_connection("item frozen"); break; case CONTROL_QUEUE_ONLY: queue_only_policy = TRUE; + cancel_cutthrough_connection("queueing forced"); break; case CONTROL_SUBMISSION: @@ -3329,17 +3352,19 @@ for (; cb != NULL; cb = cb->next) case CONTROL_CUTTHROUGH_DELIVERY: if (deliver_freeze) - { - *log_msgptr = string_sprintf("\"control=%s\" on frozen item", arg); - return ERROR; - } - if (queue_only_policy) - { - *log_msgptr = string_sprintf("\"control=%s\" on queue-only item", arg); - return ERROR; - } - cutthrough_delivery = TRUE; - break; + *log_msgptr = US"frozen"; + else if (queue_only_policy) + *log_msgptr = US"queue-only"; + else if (fake_response == FAIL) + *log_msgptr = US"fakereject"; + else + { + cutthrough_delivery = TRUE; + break; + } + *log_msgptr = string_sprintf("\"control=%s\" on %s item", + arg, *log_msgptr); + return ERROR; } break; 
@@ -4294,7 +4319,7 @@ sender_verified_failed = NULL; ratelimiters_cmd = NULL; log_reject_target = LOG_MAIN|LOG_REJECT; -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR if (where == ACL_WHERE_RCPT || where == ACL_WHERE_PRDR ) #else if (where == ACL_WHERE_RCPT ) @@ -4338,7 +4363,7 @@ If conn-failure, no action (and keep the spooled copy). switch (where) { case ACL_WHERE_RCPT: -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR case ACL_WHERE_PRDR: #endif if( rcpt_count > 1 ) @@ -4458,4 +4483,6 @@ FILE *f = (FILE *)ctx; fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value); } +/* vi: aw ai sw=2 +*/ /* End of acl.c */ diff --git a/src/src/auths/dovecot.c b/src/src/auths/dovecot.c index 94b315209..1874f3238 100644 --- a/src/src/auths/dovecot.c +++ b/src/src/auths/dovecot.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2004 Andrey Panin + * Copyright (c) 2006-2014 The Exim Maintainers * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults index 8c1e799da..ba4615c11 100644 --- a/src/src/config.h.defaults +++ b/src/src/config.h.defaults @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* The default settings for Exim configuration variables. A #define without @@ -41,6 +41,8 @@ it's a default value. */ #define DELIVER_IN_BUFFER_SIZE 8192 #define DELIVER_OUT_BUFFER_SIZE 8192 #define DISABLE_DKIM +#define DISABLE_PRDR +#define DISABLE_OCSP #define DISABLE_DNSSEC #define DISABLE_D_OPTION 
@@ -165,10 +167,11 @@ it's a default value. */ /* EXPERIMENTAL features */ #define EXPERIMENTAL_BRIGHTMAIL +#define EXPERIMENTAL_CERTNAMES #define EXPERIMENTAL_DCC #define EXPERIMENTAL_DMARC -#define EXPERIMENTAL_OCSP -#define EXPERIMENTAL_PRDR +#define EXPERIMENTAL_DSN +#define EXPERIMENTAL_PROXY #define EXPERIMENTAL_REDIS #define EXPERIMENTAL_SPF #define EXPERIMENTAL_SRS diff --git a/src/src/daemon.c b/src/src/daemon.c index 3467f14a7..66ed22440 100644 --- a/src/src/daemon.c +++ b/src/src/daemon.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions concerned with running Exim as a daemon */ @@ -639,7 +639,7 @@ if (pid == 0) the data structures if necessary. */ #ifdef SUPPORT_TLS - tls_close(FALSE, FALSE); + tls_close(TRUE, FALSE); #endif /* Reset SIGHUP and SIGCHLD in the child in both cases. */ diff --git a/src/src/deliver.c b/src/src/deliver.c index 8e1d17793..3f5800ded 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2009 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* The main code for delivering a message. */ @@ -63,6 +63,10 @@ static address_item *addr_new = NULL; static address_item *addr_remote = NULL; static address_item *addr_route = NULL; static address_item *addr_succeed = NULL; +#ifdef EXPERIMENTAL_DSN +static address_item *addr_dsntmp = NULL; +static address_item *addr_senddsn = NULL; +#endif static FILE *message_log = NULL; static BOOL update_spool; 
@@ -673,8 +677,36 @@ while (addr->parent != NULL) +static uschar * +d_hostlog(uschar * s, int * sizep, int * ptrp, address_item * addr) +{ + s = string_append(s, sizep, ptrp, 5, US" H=", addr->host_used->name, + US" [", addr->host_used->address, US"]"); + if ((log_extra_selector & LX_outgoing_port) != 0) + s = string_append(s, sizep, ptrp, 2, US":", string_sprintf("%d", + addr->host_used->port)); + return s; +} + +#ifdef SUPPORT_TLS +static uschar * +d_tlslog(uschar * s, int * sizep, int * ptrp, address_item * addr) +{ + if ((log_extra_selector & LX_tls_cipher) != 0 && addr->cipher != NULL) + s = string_append(s, sizep, ptrp, 2, US" X=", addr->cipher); + if ((log_extra_selector & LX_tls_certificate_verified) != 0 && + addr->cipher != NULL) + s = string_append(s, sizep, ptrp, 2, US" CV=", + testflag(addr, af_cert_verified)? "yes":"no"); + if ((log_extra_selector & LX_tls_peerdn) != 0 && addr->peerdn != NULL) + s = string_append(s, sizep, ptrp, 3, US" DN=\"", + string_printing(addr->peerdn), US"\""); + return s; +} +#endif + /* If msg is NULL this is a delivery log and logchar is used. Otherwise -this is a nonstandard call; no two-characher delivery flag is written +this is a nonstandard call; no two-character delivery flag is written but sender-host and sender are prefixed and "msg" is inserted in the log line. Arguments: @@ -702,6 +734,7 @@ pointer to a single host item in their host list, for use by the transport. */ tpda_delivery_local_part = NULL; tpda_delivery_domain = NULL; tpda_delivery_confirmation = NULL; + lookup_dnssec_authenticated = NULL; #endif s = reset_point = store_get(size); 
@@ -765,13 +798,9 @@ if (addr->transport->info->local) else { - if (addr->host_used != NULL) + if (addr->host_used) { - s = string_append(s, &size, &ptr, 5, US" H=", addr->host_used->name, - US" [", addr->host_used->address, US"]"); - if ((log_extra_selector & LX_outgoing_port) != 0) - s = string_append(s, &size, &ptr, 2, US":", string_sprintf("%d", - addr->host_used->port)); + s = d_hostlog(s, &size, &ptr, addr); if (continue_sequence > 1) s = string_cat(s, &size, &ptr, US"*", 1); @@ -782,19 +811,16 @@ else tpda_delivery_local_part = addr->local_part; tpda_delivery_domain = addr->domain; tpda_delivery_confirmation = addr->message; + + /* DNS lookup status */ + lookup_dnssec_authenticated = addr->host_used->dnssec==DS_YES ? US"yes" + : addr->host_used->dnssec==DS_NO ? US"no" + : NULL; #endif } #ifdef SUPPORT_TLS - if ((log_extra_selector & LX_tls_cipher) != 0 && addr->cipher != NULL) - s = string_append(s, &size, &ptr, 2, US" X=", addr->cipher); - if ((log_extra_selector & LX_tls_certificate_verified) != 0 && - addr->cipher != NULL) - s = string_append(s, &size, &ptr, 2, US" CV=", - testflag(addr, af_cert_verified)? "yes":"no"); - if ((log_extra_selector & LX_tls_peerdn) != 0 && addr->peerdn != NULL) - s = string_append(s, &size, &ptr, 3, US" DN=\"", - string_printing(addr->peerdn), US"\""); + s = d_tlslog(s, &size, &ptr, addr); #endif if (addr->authenticator) 
@@ -808,27 +834,30 @@ else } } - #ifdef EXPERIMENTAL_PRDR + #ifndef DISABLE_PRDR if (addr->flags & af_prdr_used) s = string_append(s, &size, &ptr, 1, US" PRDR"); #endif + } - if ((log_extra_selector & LX_smtp_confirmation) != 0 && - addr->message != NULL) - { - int i; - uschar *p = big_buffer; - uschar *ss = addr->message; - *p++ = '\"'; - for (i = 0; i < 100 && ss[i] != 0; i++) - { - if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\'; - *p++ = ss[i]; - } - *p++ = '\"'; - *p = 0; - s = string_append(s, &size, &ptr, 2, US" C=", big_buffer); - } +/* confirmation message (SMTP (host_used) and LMTP (driver_name)) */ + +if (log_extra_selector & LX_smtp_confirmation && + addr->message && + (addr->host_used || Ustrcmp(addr->transport->driver_name, "lmtp") == 0)) + { + int i; + uschar *p = big_buffer; + uschar *ss = addr->message; + *p++ = '\"'; + for (i = 0; i < 256 && ss[i] != 0; i++) /* limit logged amount */ + { + if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\'; /* quote \ and " */ + *p++ = ss[i]; + } + *p++ = '\"'; + *p = 0; + s = string_append(s, &size, &ptr, 2, US" C=", big_buffer); } /* Time on queue and actual time taken to deliver */ @@ -1038,7 +1067,7 @@ if (addr->return_file >= 0 && addr->return_filename != NULL) (void)close(addr->return_file); } -/* The sucess case happens only after delivery by a transport. */ +/* The success case happens only after delivery by a transport. */ if (result == OK) { @@ -1054,10 +1083,8 @@ if (result == OK) DEBUG(D_deliver) debug_printf("%s delivered\n", addr->address); if (addr->parent == NULL) - { deliver_msglog("%s %s: %s%s succeeded\n", now, addr->address, driver_name, driver_kind); - } else { deliver_msglog("%s %s <%s>: %s%s succeeded\n", now, addr->address, 
@@ -1065,7 +1092,35 @@ if (result == OK) child_done(addr, now); } + /* Certificates for logging (via TPDA) */ + #ifdef SUPPORT_TLS + tls_out.ourcert = addr->ourcert; + addr->ourcert = NULL; + tls_out.peercert = addr->peercert; + addr->peercert = NULL; + + tls_out.cipher = addr->cipher; + tls_out.peerdn = addr->peerdn; + tls_out.ocsp = addr->ocsp; + #endif + delivery_log(LOG_MAIN, addr, logchar, NULL); + + #ifdef SUPPORT_TLS + if (tls_out.ourcert) + { + tls_free_cert(tls_out.ourcert); + tls_out.ourcert = NULL; + } + if (tls_out.peercert) + { + tls_free_cert(tls_out.peercert); + tls_out.peercert = NULL; + } + tls_out.cipher = NULL; + tls_out.peerdn = NULL; + tls_out.ocsp = OCSP_NOT_REQ; + #endif } @@ -1236,9 +1291,7 @@ else if (used_return_path != NULL && (log_extra_selector & LX_return_path_on_delivery) != 0) - { s = string_append(s, &size, &ptr, 3, US" P=<", used_return_path, US">"); - } if (addr->router != NULL) s = string_append(s, &size, &ptr, 2, US" R=", addr->router->name); @@ -1246,8 +1299,11 @@ else s = string_append(s, &size, &ptr, 2, US" T=", addr->transport->name); if (addr->host_used != NULL) - s = string_append(s, &size, &ptr, 5, US" H=", addr->host_used->name, - US" [", addr->host_used->address, US"]"); + s = d_hostlog(s, &size, &ptr, addr); + + #ifdef SUPPORT_TLS + s = d_tlslog(s, &size, &ptr, addr); + #endif if (addr->basic_errno > 0) s = string_append(s, &size, &ptr, 2, US": ", 
@@ -2937,35 +2993,75 @@ while (!done) #ifdef SUPPORT_TLS case 'X': - if (addr == NULL) goto ADDR_MISMATCH; /* Below, in 'A' handler */ - addr->cipher = (*ptr)? string_copy(ptr) : NULL; - while (*ptr++); - addr->peerdn = (*ptr)? string_copy(ptr) : NULL; + if (addr == NULL) goto ADDR_MISMATCH; /* Below, in 'A' handler */ + switch (*ptr++) + { + case '1': + addr->cipher = NULL; + addr->peerdn = NULL; + + if (*ptr) + addr->cipher = string_copy(ptr); + while (*ptr++); + if (*ptr) + addr->peerdn = string_copy(ptr); + break; + + case '2': + addr->peercert = NULL; + if (*ptr) + (void) tls_import_cert(ptr, &addr->peercert); + break; + + case '3': + addr->ourcert = NULL; + if (*ptr) + (void) tls_import_cert(ptr, &addr->ourcert); + break; + + #ifndef DISABLE_OCSP + case '4': + addr->ocsp = OCSP_NOT_REQ; + if (*ptr) + addr->ocsp = *ptr - '0'; + break; + #endif + } while (*ptr++); break; - #endif + #endif /*SUPPORT_TLS*/ case 'C': /* client authenticator information */ switch (*ptr++) - { - case '1': - addr->authenticator = (*ptr)? string_copy(ptr) : NULL; - break; - case '2': - addr->auth_id = (*ptr)? string_copy(ptr) : NULL; - break; - case '3': - addr->auth_sndr = (*ptr)? string_copy(ptr) : NULL; - break; - } + { + case '1': + addr->authenticator = (*ptr)? string_copy(ptr) : NULL; + break; + case '2': + addr->auth_id = (*ptr)? string_copy(ptr) : NULL; + break; + case '3': + addr->auth_sndr = (*ptr)? string_copy(ptr) : NULL; + break; + } while (*ptr++); break; -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR case 'P': - addr->flags |= af_prdr_used; break; + addr->flags |= af_prdr_used; + break; #endif + #ifdef EXPERIMENTAL_DSN + case 'D': + if (addr == NULL) break; + memcpy(&(addr->dsn_aware), ptr, sizeof(addr->dsn_aware)); + ptr += sizeof(addr->dsn_aware); + DEBUG(D_deliver) debug_printf("DSN read: addr->dsn_aware = %d\n", addr->dsn_aware); + break; + #endif + case 'A': if (addr == NULL) { 
@@ -2990,7 +3086,7 @@ while (!done) addr->user_message = (*ptr)? string_copy(ptr) : NULL; while(*ptr++); - /* Always two strings for host information, followed by the port number */ + /* Always two strings for host information, followed by the port number and DNSSEC mark */ if (*ptr != 0) { @@ -3001,6 +3097,10 @@ while (!done) while(*ptr++); memcpy(&(h->port), ptr, sizeof(h->port)); ptr += sizeof(h->port); + h->dnssec = *ptr == '2' ? DS_YES + : *ptr == '1' ? DS_NO + : DS_UNK; + ptr++; addr->host_used = h; } else ptr++; @@ -4028,25 +4128,55 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++) retry_item *r; /* The certificate verification status goes into the flags */ - if (tls_out.certificate_verified) setflag(addr, af_cert_verified); /* Use an X item only if there's something to send */ - #ifdef SUPPORT_TLS - if (addr->cipher != NULL) + if (addr->cipher) { ptr = big_buffer; - sprintf(CS ptr, "X%.128s", addr->cipher); + sprintf(CS ptr, "X1%.128s", addr->cipher); while(*ptr++); - if (addr->peerdn == NULL) *ptr++ = 0; else + if (!addr->peerdn) + *ptr++ = 0; + else { sprintf(CS ptr, "%.512s", addr->peerdn); while(*ptr++); } + rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer); } - #endif + if (addr->peercert) + { + ptr = big_buffer; + *ptr++ = 'X'; *ptr++ = '2'; + if (!tls_export_cert(ptr, big_buffer_size-2, addr->peercert)) + while(*ptr++); + else + *ptr++ = 0; + rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer); + } + if (addr->ourcert) + { + ptr = big_buffer; + *ptr++ = 'X'; *ptr++ = '3'; + if (!tls_export_cert(ptr, big_buffer_size-2, addr->ourcert)) + while(*ptr++); + else + *ptr++ = 0; + rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer); + } + #ifndef DISABLE_OCSP + if (addr->ocsp > OCSP_NOT_REQ) + { + ptr = big_buffer; + sprintf(CS ptr, "X4%c", addr->ocsp + '0'); + while(*ptr++); + rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer); + } + # endif + #endif /*SUPPORT_TLS*/ if (client_authenticator) { 
@@ -4070,8 +4200,16 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++) rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer); } - #ifdef EXPERIMENTAL_PRDR - if (addr->flags & af_prdr_used) rmt_dlv_checked_write(fd, "P", 1); + #ifndef DISABLE_PRDR + if (addr->flags & af_prdr_used) + rmt_dlv_checked_write(fd, "P", 1); + #endif + + #ifdef EXPERIMENTAL_DSN + big_buffer[0] = 'D'; + memcpy(big_buffer+1, &addr->dsn_aware, sizeof(addr->dsn_aware)); + rmt_dlv_checked_write(fd, big_buffer, sizeof(addr->dsn_aware) + 1); + DEBUG(D_deliver) debug_printf("DSN write: addr->dsn_aware = %d\n", addr->dsn_aware); #endif /* Retry information: for most success cases this will be null. */ @@ -4125,6 +4263,11 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++) while(*ptr++); memcpy(ptr, &(addr->host_used->port), sizeof(addr->host_used->port)); ptr += sizeof(addr->host_used->port); + + /* DNS lookup status */ + *ptr++ = addr->host_used->dnssec==DS_YES ? '2' + : addr->host_used->dnssec==DS_NO ? '1' : '0'; + } rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer); } @@ -5219,6 +5362,14 @@ if (process_recipients != RECIP_IGNORE) if (r->pno >= 0) new->onetime_parent = recipients_list[r->pno].address; + #ifdef EXPERIMENTAL_DSN + /* If DSN support is enabled, set the dsn flags and the original receipt + to be passed on to other DSN enabled MTAs */ + new->dsn_flags = r->dsn_flags & rf_dsnflags; + new->dsn_orcpt = r->orcpt; + DEBUG(D_deliver) debug_printf("DSN: set orcpt: %s flags: %d\n", new->dsn_orcpt, new->dsn_flags); + #endif + switch (process_recipients) { /* RECIP_DEFER is set when a system filter freezes a message. */ 
@@ -6158,11 +6309,17 @@ if (addr_remote != NULL) regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE); #endif - #ifdef EXPERIMENTAL_PRDR + #ifndef DISABLE_PRDR if (regex_PRDR == NULL) regex_PRDR = regex_must_compile(US"\\n250[\\s\\-]PRDR(\\s|\\n|$)", FALSE, TRUE); #endif + #ifdef EXPERIMENTAL_DSN + /* Set the regex to check for DSN support on remote MTA */ + if (regex_DSN == NULL) regex_DSN = + regex_must_compile(US"\\n250[\\s\\-]DSN(\\s|\\n|$)", FALSE, TRUE); + #endif + /* Now sort the addresses if required, and do the deliveries. The yield of do_remote_deliveries is FALSE when mua_wrapper is set and all addresses cannot be delivered in one transaction. */ 
@@ -6267,6 +6424,166 @@ prevents actual delivery. */ else if (!dont_deliver) retry_update(&addr_defer, &addr_failed, &addr_succeed); +#ifdef EXPERIMENTAL_DSN +/* Send DSN for successful messages */ +addr_dsntmp = addr_succeed; +addr_senddsn = NULL; + +while(addr_dsntmp != NULL) + { + DEBUG(D_deliver) + debug_printf("DSN: processing router : %s\n", addr_dsntmp->router->name); + + DEBUG(D_deliver) + debug_printf("DSN: processing successful delivery address: %s\n", addr_dsntmp->address); + + /* af_ignore_error not honored here. it's not an error */ + + DEBUG(D_deliver) debug_printf("DSN: Sender_address: %s\n", sender_address); + DEBUG(D_deliver) debug_printf("DSN: orcpt: %s flags: %d\n", addr_dsntmp->dsn_orcpt, addr_dsntmp->dsn_flags); + DEBUG(D_deliver) debug_printf("DSN: envid: %s ret: %d\n", dsn_envid, dsn_ret); + DEBUG(D_deliver) debug_printf("DSN: Final recipient: %s\n", addr_dsntmp->address); + DEBUG(D_deliver) debug_printf("DSN: Remote SMTP server supports DSN: %d\n", addr_dsntmp->dsn_aware); + + /* send report if next hop not DSN aware or a router flagged "last DSN hop" + and a report was requested */ + if (((addr_dsntmp->dsn_aware != dsn_support_yes) || + ((addr_dsntmp->dsn_flags & rf_dsnlasthop) != 0)) + && + (((addr_dsntmp->dsn_flags & rf_dsnflags) != 0) && + ((addr_dsntmp->dsn_flags & rf_notify_success) != 0))) + { + /* copy and relink address_item and send report with all of them at once later */ + address_item *addr_next; + addr_next = addr_senddsn; + addr_senddsn = store_get(sizeof(address_item)); + memcpy(addr_senddsn, addr_dsntmp, sizeof(address_item)); + addr_senddsn->next = addr_next; + } + else + { + DEBUG(D_deliver) debug_printf("DSN: *** NOT SENDING DSN SUCCESS Message ***\n"); + } + + addr_dsntmp = addr_dsntmp->next; + } + +if (addr_senddsn != NULL) + { + pid_t pid; + int fd; + + /* create exim process to send message */ + pid = child_open_exim(&fd); + + DEBUG(D_deliver) debug_printf("DSN: child_open_exim returns: %d\n", pid); + + if (pid < 0) 
/* Creation of child failed */ + { + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Process %d (parent %d) failed to " + "create child process to send failure message: %s", getpid(), + getppid(), strerror(errno)); + + DEBUG(D_deliver) debug_printf("DSN: child_open_exim failed\n"); + + } + else /* Creation of child succeeded */ + { + FILE *f = fdopen(fd, "wb"); + /* header only as required by RFC. only failure DSN needs to honor RET=FULL */ + int topt = topt_add_return_path | topt_no_body; + uschar boundaryStr[64]; + + DEBUG(D_deliver) debug_printf("sending error message to: %s\n", sender_address); + + /* build unique id for MIME boundary */ + snprintf(boundaryStr, 63, "%d-eximdsn-%d", time(NULL), rand()); + DEBUG(D_deliver) debug_printf("DSN: MIME boundary: %s\n", boundaryStr); + + if (errors_reply_to != NULL) fprintf(f,"Reply-To: %s\n", errors_reply_to); + + fprintf(f,"Auto-Submitted: auto-generated\n"); + fprintf(f,"From: Mail Delivery System \n", qualify_domain_sender); + fprintf(f,"To: %s\n", sender_address); + fprintf(f,"Subject: Delivery Status Notification\n"); + fprintf(f,"Content-Type: multipart/report; report-type=delivery-status; boundary=%s\n", boundaryStr); + fprintf(f,"MIME-Version: 1.0\n\n"); + + fprintf(f,"--%s\n", boundaryStr); + fprintf(f,"Content-type: text/plain; charset=us-ascii\n\n"); + + fprintf(f,"This message was created automatically by mail delivery software.\n"); + fprintf(f," ----- The following addresses had successful delivery notifications -----\n"); + + addr_dsntmp = addr_senddsn; + while(addr_dsntmp != NULL) + { + if ((addr_dsntmp->dsn_flags & rf_dsnlasthop) == 1) { + fprintf(f,"<%s> (relayed via non DSN router)\n\n", addr_dsntmp->address); + } + else if (addr_dsntmp->dsn_aware == dsn_support_no) { + fprintf(f,"<%s> (relayed to non-DSN-aware mailer)\n\n", addr_dsntmp->address); + } + else { + fprintf(f,"<%s> (relayed via non \"Remote SMTP\" router)\n\n", addr_dsntmp->address); + } + addr_dsntmp = addr_dsntmp->next; + } + fprintf(f,"--%s\n", 
boundaryStr); + fprintf(f,"Content-type: message/delivery-status\n\n"); + + fprintf(f,"Reporting-MTA: dns; %s\n", smtp_active_hostname); + if (dsn_envid != NULL) { + /* must be decoded from xtext: see RFC 3461:6.3a */ + uschar *xdec_envid; + if (auth_xtextdecode(dsn_envid, &xdec_envid) > 0) + fprintf(f,"Original-Envelope-ID: %s\n", dsn_envid); + else + fprintf(f,"X-Original-Envelope-ID: error decoding xtext formated ENVID\n"); + } + fprintf(f,"\n"); + + addr_dsntmp = addr_senddsn; + while(addr_dsntmp != NULL) + { + if (addr_dsntmp->dsn_orcpt != NULL) { + fprintf(f,"Original-Recipient: %s\n", addr_dsntmp->dsn_orcpt); + } + fprintf(f,"Action: delivered\n"); + fprintf(f,"Final-Recipient: rfc822;%s\n", addr_dsntmp->address); + fprintf(f,"Status: 2.0.0\n"); + if ((addr_dsntmp->host_used != NULL) && (addr_dsntmp->host_used->name != NULL)) + fprintf(f,"Remote-MTA: dns; %s\nDiagnostic-Code: smtp; 250 Ok\n", addr_dsntmp->host_used->name); + else + if ((addr_dsntmp->dsn_flags & rf_dsnlasthop) == 1) + fprintf(f,"Diagnostic-Code: X-Exim; relayed via non DSN router\n"); + else + fprintf(f,"Diagnostic-Code: X-Exim; relayed via non SMTP router\n"); + fprintf(f,"\n"); + addr_dsntmp = addr_dsntmp->next; + } + + fprintf(f,"--%s\n", boundaryStr); + fprintf(f,"Content-type: text/rfc822-headers\n\n"); + + fflush(f); + transport_filter_argv = NULL; /* Just in case */ + return_path = sender_address; /* In case not previously set */ + + /* Write the original email out */ + transport_write_message(NULL, fileno(f), topt, 0, NULL, NULL, NULL, NULL, NULL, 0); + fflush(f); + + fprintf(f,"\n"); + fprintf(f,"--%s--\n", boundaryStr); + + fflush(f); + fclose(f); + rc = child_close(pid, 0); /* Waits for child to close, no timeout */ + } + } +#endif + /* If any addresses failed, we must send a message to somebody, unless af_ignore_error is set, in which case no action is taken. It is possible for several messages to get sent if there are addresses with different 
@@ -6324,8 +6641,13 @@ while (addr_failed != NULL) it from the list, throw away any saved message file, log it, and mark the recipient done. */ - if (testflag(addr_failed, af_ignore_error)) - { + if (testflag(addr_failed, af_ignore_error) +#ifdef EXPERIMENTAL_DSN + || (((addr_failed->dsn_flags & rf_dsnflags) != 0) + && ((addr_failed->dsn_flags & rf_notify_failure) != rf_notify_failure)) +#endif + ) + { addr = addr_failed; addr_failed = addr->next; if (addr->return_filename != NULL) Uunlink(addr->return_filename); @@ -6430,6 +6752,14 @@ while (addr_failed != NULL) moan_write_from(f); fprintf(f, "To: %s\n", bounce_recipient); +#ifdef EXPERIMENTAL_DSN + /* generate boundary string and output MIME-Headers */ + uschar boundaryStr[64]; + snprintf(boundaryStr, 63, "%d-eximdsn-%d", time(NULL), rand()); + fprintf(f,"Content-Type: multipart/report; report-type=delivery-status; boundary=%s\n", boundaryStr); + fprintf(f,"MIME-Version: 1.0\n"); +#endif + /* Open a template file if one is provided. Log failure to open, but carry on - default texts will be used. */ @@ -6457,6 +6787,12 @@ while (addr_failed != NULL) to_sender? ": returning message to sender" : ""); } +#ifdef EXPERIMENTAL_DSN + /* output human readable part as text/plain section */ + fprintf(f,"--%s\n", boundaryStr); + fprintf(f,"Content-type: text/plain; charset=us-ascii\n\n"); +#endif + emf_text = next_emf(emf, US"intro"); if (emf_text != NULL) fprintf(f, "%s", CS emf_text); else { 
@@ -6581,6 +6917,32 @@ wording. */ fprintf(f, "\n"); } +#ifdef EXPERIMENTAL_DSN + /* output machine readable part */ + fprintf(f,"--%s\n", boundaryStr); + fprintf(f,"Content-type: message/delivery-status\n\n"); + + fprintf(f,"Reporting-MTA: dns; %s\n", smtp_active_hostname); + if (dsn_envid != NULL) { + /* must be decoded from xtext: see RFC 3461:6.3a */ + uschar *xdec_envid; + if (auth_xtextdecode(dsn_envid, &xdec_envid) > 0) + fprintf(f,"Original-Envelope-ID: %s\n", dsn_envid); + else + fprintf(f,"X-Original-Envelope-ID: error decoding xtext formated ENVID\n"); + } + fprintf(f,"\n"); + + for (addr = handled_addr; addr != NULL; addr = addr->next) + { + fprintf(f,"Action: failed\n"); + fprintf(f,"Final-Recipient: rfc822;%s\n", addr->address); + fprintf(f,"Status: 5.0.0\n"); + if ((addr->host_used != NULL) && (addr->host_used->name != NULL)) + fprintf(f,"Remote-MTA: dns; %s\nDiagnostic-Code: smtp; %d\n", addr->host_used->name, addr->basic_errno); + } +#endif + /* Now copy the message, trying to give an intelligible comment if it is too long for it all to be copied. The limit isn't strictly applied because of the buffering. There is, however, an option @@ -6588,6 +6950,7 @@ wording. */ emf_text = next_emf(emf, US"copy"); +#ifndef EXPERIMENTAL_DSN if (bounce_return_message) { int topt = topt_add_return_path; 
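Review bot: the per-recipient loop of the failure report (@@ -6581) never writes a blank line after a recipient's fields, whereas the success-DSN loop ends each iteration with `fprintf(f,"\n");`, so with more than one failed address the per-recipient groups run together into a single block. Add the separator at the end of the loop body. The loop also omits the Original-Recipient line that the success and delay reports emit when dsn_orcpt is set, and every failure is reported as Status: 5.0.0 regardless of cause, which deserves at least a comment saying it is a placeholder.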
@@ -6642,6 +7005,65 @@ wording. */ if (emf_text != NULL) fprintf(f, "%s", CS emf_text); (void)fclose(emf); } +#else + /* add message body + we ignore the intro text from template and add + the text for bounce_return_size_limit at the end. + + bounce_return_message is ignored + in case RET= is defined we honor these values + otherwise bounce_return_body is honored. + + bounce_return_size_limit is always honored. + */ + + fprintf(f,"\n--%s\n", boundaryStr); + + uschar *dsnlimitmsg = US"X-Exim-DSN-Information: Due to administrative limits only headers are returned"; + uschar *dsnnotifyhdr = NULL; + int topt = topt_add_return_path; + /* RET=HDRS? top priority */ + if (dsn_ret == dsn_ret_hdrs) + topt |= topt_no_body; + else + /* no full body return at all? */ + if (!bounce_return_body) + { + topt |= topt_no_body; + /* add header if we overrule RET=FULL */ + if (dsn_ret == dsn_ret_full) + dsnnotifyhdr = dsnlimitmsg; + } + /* size limited ... return headers only if limit reached */ + else if (bounce_return_size_limit > 0) + { + struct stat statbuf; + if (fstat(deliver_datafile, &statbuf) == 0 && statbuf.st_size > max) + { + topt |= topt_no_body; + dsnnotifyhdr = dsnlimitmsg; + } + } + + if (topt & topt_no_body) + fprintf(f,"Content-type: text/rfc822-headers\n\n"); + else + fprintf(f,"Content-type: message/rfc822\n\n"); + + fflush(f); + transport_filter_argv = NULL; /* Just in case */ + return_path = sender_address; /* In case not previously set */ + transport_write_message(NULL, fileno(f), topt, + 0, dsnnotifyhdr, NULL, NULL, NULL, NULL, 0); + fflush(f); + + /* we never add the final text. close the file */ + if (emf != NULL) + (void)fclose(emf); + + fprintf(f,"\n"); + fprintf(f,"--%s--\n", boundaryStr); +#endif /* Close the file, which should send an EOF to the child process that is receiving the message. Wait for it to finish. */ 
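Review bot: in the bounce_return_size_limit branch, `statbuf.st_size > max` uses max, which nothing in this #else block declares. If it is meant to be the buffered limit that the #ifndef EXPERIMENTAL_DSN path works with, that computation has to be repeated here; as written the comparison depends on whatever max is in scope, or does not compile. The block comment also states that bounce_return_message is ignored when this code is built in; that changes the meaning of an existing option and needs a matching line in the documentation, not only a source comment.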
@@ -6873,6 +7295,10 @@ else if (addr_defer != (address_item *)(+1)) it also defers). */ if (!queue_2stage && delivery_attempted && +#ifdef EXPERIMENTAL_DSN + (((addr_defer->dsn_flags & rf_dsnflags) == 0) || + (addr_defer->dsn_flags & rf_notify_delay) == rf_notify_delay) && +#endif delay_warning[1] > 0 && sender_address[0] != 0 && (delay_warning_condition == NULL || expand_check_condition(delay_warning_condition, @@ -6957,6 +7383,14 @@ else if (addr_defer != (address_item *)(+1)) moan_write_from(f); fprintf(f, "To: %s\n", recipients); +#ifdef EXPERIMENTAL_DSN + /* generated boundary string and output MIME-Headers */ + uschar boundaryStr[64]; + snprintf(boundaryStr, 63, "%d-eximdsn-%d", time(NULL), rand()); + fprintf(f,"Content-Type: multipart/report; report-type=delivery-status; boundary=%s\n", boundaryStr); + fprintf(f,"MIME-Version: 1.0\n"); +#endif + wmf_text = next_emf(wmf, US"header"); if (wmf_text != NULL) fprintf(f, "%s\n", wmf_text); @@ -6964,6 +7398,12 @@ else if (addr_defer != (address_item *)(+1)) fprintf(f, "Subject: Warning: message %s delayed %s\n\n", message_id, warnmsg_delay); +#ifdef EXPERIMENTAL_DSN + /* output human readable part as text/plain section */ + fprintf(f,"--%s\n", boundaryStr); + fprintf(f,"Content-type: text/plain; charset=us-ascii\n\n"); +#endif + wmf_text = next_emf(wmf, US"intro"); if (wmf_text != NULL) fprintf(f, "%s", CS wmf_text); else { @@ -7001,6 +7441,10 @@ else if (addr_defer != (address_item *)(+1)) /* List the addresses, with error information if allowed */ +#ifdef EXPERIMENTAL_DSN + /* store addr_defer for machine readable part */ + address_item *addr_dsndefer = addr_defer; +#endif fprintf(f, "\n"); while (addr_defer != NULL) { 
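Review bot: the condition added at @@ -6873 decides whether to send a delay warning from addr_defer->dsn_flags alone, that is, from the first deferred address, while the report built further down walks the whole addr_defer list. If the head address carries NOTIFY flags without DELAY, no warning is sent for any other recipient that asked for one, and if the head qualifies, recipients that asked not to be notified are still listed. Evaluate rf_dsnflags and rf_notify_delay per address, both for the send decision and when listing recipients.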
@@ -7029,6 +7473,54 @@ else if (addr_defer != (address_item *)(+1)) "and when that happens, the message will be returned to you.\n"); } +#ifdef EXPERIMENTAL_DSN + /* output machine readable part */ + fprintf(f,"\n--%s\n", boundaryStr); + fprintf(f,"Content-type: message/delivery-status\n\n"); + + fprintf(f,"Reporting-MTA: dns; %s\n", smtp_active_hostname); + if (dsn_envid != NULL) { + /* must be decoded from xtext: see RFC 3461:6.3a */ + uschar *xdec_envid; + if (auth_xtextdecode(dsn_envid, &xdec_envid) > 0) + fprintf(f,"Original-Envelope-ID: %s\n", dsn_envid); + else + fprintf(f,"X-Original-Envelope-ID: error decoding xtext formated ENVID\n"); + } + fprintf(f,"\n"); + + while (addr_dsndefer != NULL) + { + if (addr_dsndefer->dsn_orcpt != NULL) { + fprintf(f,"Original-Recipient: %s\n", addr_dsndefer->dsn_orcpt); + } + fprintf(f,"Action: delayed\n"); + fprintf(f,"Final-Recipient: rfc822;%s\n", addr_dsndefer->address); + fprintf(f,"Status: 4.0.0\n"); + if ((addr_dsndefer->host_used != NULL) && (addr_dsndefer->host_used->name != NULL)) + fprintf(f,"Remote-MTA: dns; %s\nDiagnostic-Code: smtp; %d\n", + addr_dsndefer->host_used->name, addr_dsndefer->basic_errno); + addr_dsndefer = addr_dsndefer->next; + } + + fprintf(f,"\n--%s\n", boundaryStr); + fprintf(f,"Content-type: text/rfc822-headers\n\n"); + + fflush(f); + /* header only as required by RFC. only failure DSN needs to honor RET=FULL */ + int topt = topt_add_return_path | topt_no_body; + transport_filter_argv = NULL; /* Just in case */ + return_path = sender_address; /* In case not previously set */ + /* Write the original email out */ + transport_write_message(NULL, fileno(f), topt, 0, NULL, NULL, NULL, NULL, NULL, 0); + fflush(f); + + fprintf(f,"\n"); + fprintf(f,"--%s--\n", boundaryStr); + + fflush(f); +#endif + /* Close and wait for child process to complete, without a timeout. If there's an error, don't update the count. */ 
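Review bot: `Diagnostic-Code: smtp; %d` in the delayed-recipient loop prints addr_dsndefer->basic_errno, which by its name is an errno-style code and not the reply received from the remote host, so labelling it with the smtp diagnostic type is misleading to anything that parses the report. Emit the remote reply text if it is available, or use the X-Exim type as the success report does for its own diagnostics. The loop also writes no blank line between recipients, and the ENVID branch prints dsn_envid although it has just decoded the value into xdec_envid.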
@@ -7165,4 +7657,6 @@ acl_where = ACL_WHERE_UNKNOWN; return final_yield; } +/* vi: aw ai sw=2 +*/ /* End of deliver.c */ diff --git a/src/src/dkim.c b/src/src/dkim.c index cb7fc7065..171fcccdb 100644 --- a/src/src/dkim.c +++ b/src/src/dkim.c @@ -23,6 +23,7 @@ int dkim_exim_query_dns_txt(char *name, char *answer) { dns_scan dnss; dns_record *rr; + lookup_dnssec_authenticated = NULL; if (dns_lookup(&dnsa, (uschar *)name, T_TXT, NULL) != DNS_SUCCEED) return PDKIM_FAIL; /* Search for TXT record */ diff --git a/src/src/dmarc.c b/src/src/dmarc.c index c6190613e..ca1c29bbb 100644 --- a/src/src/dmarc.c +++ b/src/src/dmarc.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ /* Experimental DMARC support. - Copyright (c) Todd Lyons 2012, 2013 + Copyright (c) Todd Lyons 2012 - 2014 License: GPL */ /* Portions Copyright (c) 2012, 2013, The Trusted Domain Project; @@ -38,6 +38,18 @@ u_char *header_from_sender = NULL; int history_file_status = DMARC_HIST_OK; uschar *dkim_history_buffer= NULL; +typedef struct dmarc_exim_p { + uschar *name; + int value; +} dmarc_exim_p; + +static dmarc_exim_p dmarc_policy_description[] = { + { US"", DMARC_RECORD_P_UNSPECIFIED }, + { US"none", DMARC_RECORD_P_NONE }, + { US"quarantine", DMARC_RECORD_P_QUARANTINE }, + { US"reject", DMARC_RECORD_P_REJECT }, + { NULL, 0 } +}; /* Accept an error_block struct, initialize if empty, parse to the * end, and append the two strings passed to it. Used for adding * variable amounts of value:pair data to the forensic emails. */ @@ -147,6 +159,7 @@ int dmarc_store_data(header_line *hdr) { int dmarc_process() { int sr, origin; /* used in SPF section */ int dmarc_spf_result = 0; /* stores spf into dmarc conn ctx */ + int tmp_ans, c; pdkim_signature *sig = NULL; BOOL has_dmarc_record = TRUE; u_char **ruf; /* forensic report addressees, if called for */ 
@@ -168,27 +181,27 @@ int dmarc_process() { dmarc_abort = TRUE; else { - uschar * errormsg; - int dummy, domain; - uschar * p; - uschar saveend; - - parse_allow_group = TRUE; - p = parse_find_address_end(from_header->text, FALSE); - saveend = *p; *p = '\0'; - if ((header_from_sender = parse_extract_address(from_header->text, &errormsg, - &dummy, &dummy, &domain, FALSE))) - header_from_sender += domain; - *p = saveend; - - /* The opendmarc library extracts the domain from the email address, but - * only try to store it if it's not empty. Otherwise, skip out of DMARC. */ - if (!header_from_sender || (strcmp( CCS header_from_sender, "") == 0)) - dmarc_abort = TRUE; - libdm_status = dmarc_abort ? - DMARC_PARSE_OKAY : - opendmarc_policy_store_from_domain(dmarc_pctx, header_from_sender); - if (libdm_status != DMARC_PARSE_OKAY) + uschar * errormsg; + int dummy, domain; + uschar * p; + uschar saveend; + + parse_allow_group = TRUE; + p = parse_find_address_end(from_header->text, FALSE); + saveend = *p; *p = '\0'; + if ((header_from_sender = parse_extract_address(from_header->text, &errormsg, + &dummy, &dummy, &domain, FALSE))) + header_from_sender += domain; + *p = saveend; + + /* The opendmarc library extracts the domain from the email address, but + * only try to store it if it's not empty. Otherwise, skip out of DMARC. */ + if (!header_from_sender || (strcmp( CCS header_from_sender, "") == 0)) + dmarc_abort = TRUE; + libdm_status = dmarc_abort ? + DMARC_PARSE_OKAY : + opendmarc_policy_store_from_domain(dmarc_pctx, header_from_sender); + if (libdm_status != DMARC_PARSE_OKAY) { log_write(0, LOG_MAIN|LOG_PANIC, "failure to store header From: in DMARC: %s, header was '%s'", 
@@ -266,24 +279,24 @@ int dmarc_process() { ( vs == PDKIM_VERIFY_INVALID ) ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL : DMARC_POLICY_DKIM_OUTCOME_NONE; libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, (uschar *)sig->domain, - dkim_result, US""); + dkim_result, US""); DEBUG(D_receive) debug_printf("DMARC adding DKIM sender domain = %s\n", sig->domain); if (libdm_status != DMARC_PARSE_OKAY) log_write(0, LOG_MAIN|LOG_PANIC, "failure to store dkim (%s) for DMARC: %s", - sig->domain, opendmarc_policy_status_to_str(libdm_status)); + sig->domain, opendmarc_policy_status_to_str(libdm_status)); dkim_ares_result = ( vs == PDKIM_VERIFY_PASS ) ? ARES_RESULT_PASS : - ( vs == PDKIM_VERIFY_FAIL ) ? ARES_RESULT_FAIL : - ( vs == PDKIM_VERIFY_NONE ) ? ARES_RESULT_NONE : - ( vs == PDKIM_VERIFY_INVALID ) ? + ( vs == PDKIM_VERIFY_FAIL ) ? ARES_RESULT_FAIL : + ( vs == PDKIM_VERIFY_NONE ) ? ARES_RESULT_NONE : + ( vs == PDKIM_VERIFY_INVALID ) ? ( ves == PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE ? ARES_RESULT_PERMERROR : ves == PDKIM_VERIFY_INVALID_BUFFER_SIZE ? ARES_RESULT_PERMERROR : ves == PDKIM_VERIFY_INVALID_PUBKEY_PARSING ? ARES_RESULT_PERMERROR : ARES_RESULT_UNKNOWN ) : ARES_RESULT_UNKNOWN; dkim_history_buffer = string_sprintf("%sdkim %s %d\n", dkim_history_buffer, - sig->domain, dkim_ares_result); + sig->domain, dkim_ares_result); sig = sig->next; } libdm_status = opendmarc_policy_query_dmarc(dmarc_pctx, US""); 
@@ -312,11 +325,21 @@ int dmarc_process() { has_dmarc_record = FALSE; break; } + + /* Store the policy string in an expandable variable. */ + libdm_status = opendmarc_policy_fetch_p(dmarc_pctx, &tmp_ans); + for (c=0; dmarc_policy_description[c].name != NULL; c++) { + if (tmp_ans == dmarc_policy_description[c].value) { + dmarc_domain_policy = string_sprintf("%s",dmarc_policy_description[c].name); + break; + } + } + /* Can't use exim's string manipulation functions so allocate memory * for libopendmarc using its max hostname length definition. */ uschar *dmarc_domain = (uschar *)calloc(DMARC_MAXHOSTNAMELEN, sizeof(uschar)); libdm_status = opendmarc_policy_fetch_utilized_domain(dmarc_pctx, dmarc_domain, - DMARC_MAXHOSTNAMELEN-1); + DMARC_MAXHOSTNAMELEN-1); dmarc_used_domain = string_copy(dmarc_domain); free(dmarc_domain); if (libdm_status != DMARC_PARSE_OKAY) @@ -436,7 +459,7 @@ int dmarc_write_history_file() if (spf_response != NULL) history_buffer = string_sprintf("%sspf %d\n", history_buffer, dmarc_spf_ares_result); - // history_buffer = string_sprintf("%sspf -1\n", history_buffer); + /* history_buffer = string_sprintf("%sspf -1\n", history_buffer); */ history_buffer = string_sprintf("%s%s", history_buffer, dkim_history_buffer); history_buffer = string_sprintf("%spdomain %s\n", history_buffer, dmarc_used_domain); @@ -614,5 +637,3 @@ uschar *dmarc_auth_results_header(header_line *from_header, uschar *hostname) #endif /* EXPERIMENTAL_SPF */ #endif /* EXPERIMENTAL_DMARC */ - -// vim:sw=2 expandtab diff --git a/src/src/dmarc.h b/src/src/dmarc.h index 356a8e423..ee78450a6 100644 --- a/src/src/dmarc.h +++ b/src/src/dmarc.h @@ -3,7 +3,7 @@ *************************************************/ /* Experimental DMARC support. - Copyright (c) Todd Lyons 2012, 2013 + Copyright (c) Todd Lyons 2012 - 2014 License: GPL */ /* Portions Copyright (c) 2012, 2013, The Trusted Domain Project; 
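Review bot: in the block that stores the policy string, the status returned by opendmarc_policy_fetch_p() is assigned to libdm_status and then overwritten by the opendmarc_policy_fetch_utilized_domain() call without ever being checked, and tmp_ans is declared without an initialiser in dmarc_process(), so if the fetch fails the lookup loop compares an indeterminate value against the table. Initialise tmp_ans to DMARC_RECORD_P_UNSPECIFIED and check libdm_status before the loop. `string_sprintf("%s", ...)` is only copying a string here; string_copy(), already used a few lines down for dmarc_used_domain, says that directly.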
@@ -60,5 +60,3 @@ void dmarc_send_forensic_report(u_char **); #define ARES_RESULT_DISCARD 12 #endif /* EXPERIMENTAL_DMARC */ - -// vim:sw=2 expandtab diff --git a/src/src/dns.c b/src/src/dns.c index 820adff01..6efb88d58 100644 --- a/src/src/dns.c +++ b/src/src/dns.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions for interfacing with the DNS. */ @@ -159,12 +159,13 @@ the first time we have been here, and set the resolver options. Arguments: qualify_single TRUE to set the RES_DEFNAMES option search_parents TRUE to set the RES_DNSRCH option + use_dnssec TRUE to set the RES_USE_DNSSEC option Returns: nothing */ void -dns_init(BOOL qualify_single, BOOL search_parents) +dns_init(BOOL qualify_single, BOOL search_parents, BOOL use_dnssec) { res_state resp = os_get_dns_resolver_res(); @@ -206,6 +207,8 @@ if (dns_use_edns0 >= 0) # ifndef RES_USE_EDNS0 # error Have RES_USE_DNSSEC but not RES_USE_EDNS0? Something hinky ... # endif +if (use_dnssec) + resp->options |= RES_USE_DNSSEC; if (dns_dnssec_ok >= 0) { if (dns_use_edns0 == 0 && dns_dnssec_ok != 0) @@ -228,6 +231,9 @@ if (dns_dnssec_ok >= 0) DEBUG(D_resolver) debug_printf("Unable to %sset DNSSEC without resolver support.\n", dns_dnssec_ok ? "" : "un"); +if (use_dnssec) + DEBUG(D_resolver) + debug_printf("Unable to set DNSSEC without resolver support.\n"); # endif #endif /* DISABLE_DNSSEC */ @@ -479,6 +485,7 @@ switch(t) case T_SRV: return US"SRV"; case T_NS: return US"NS"; case T_CNAME: return US"CNAME"; + case T_TLSA: return US"TLSA"; default: return US"?"; } } @@ -1248,4 +1255,6 @@ else return yield; } +/* vi: aw ai sw=2 +*/ /* End of dns.c */ diff --git a/src/src/drtables.c b/src/src/drtables.c index 699f32762..c2d866850 100644 --- a/src/src/drtables.c 
+++ b/src/src/drtables.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ diff --git a/src/src/exigrep.src b/src/src/exigrep.src index 0950b58f1..2d3b40cbf 100644 --- a/src/src/exigrep.src +++ b/src/src/exigrep.src @@ -2,7 +2,7 @@ use strict; -# Copyright (c) 2007 University of Cambridge. +# Copyright (c) 2007-2014 University of Cambridge. # See the file NOTICE for conditions of use and distribution. # Except when they appear in comments, the following placeholders in this 
@@ -124,6 +124,54 @@ elsif ( ($invert && (($insensitive && !/$pattern/io) || !/$pattern/o)) || { print "$_\n"; } } +# Rotated log files are frequently compressed and there are a variety of +# formats it could be compressed with. Rather than use just one that is +# detected and hardcoded at Exim compile time, detect and use what the +# logfile is compressed with on the fly. +# +# List of known compression extensions and their associated commands: +my $compressors = { + gz => { cmd => 'zcat', args => '' }, + bz2 => { cmd => 'bzcat', args => '' }, + xz => { cmd => 'xzcat', args => '' }, + lzma => { cmd => 'lzma', args => '-dc' } +}; +my $csearch = 0; + +sub detect_compressor_bin + { + my $ext = shift(); + my $c = $compressors->{$ext}->{cmd}; + $compressors->{$ext}->{bin} = `which $c 2>/dev/null`; + chomp($compressors->{$ext}->{bin}); + } + +sub detect_compressor_capable + { + my $filename = shift(); + map { &detect_compressor_bin($_) } keys %$compressors + if (!$csearch); + $csearch = 1; + return undef + unless (grep {$filename =~ /\.(?:$_)$/} keys %$compressors); + # Loop through them, figure out which one it detected, + # and build the commandline. + my $cmdline = undef; + foreach my $ext (keys %$compressors) + { + if ($filename =~ /\.(?:$ext)$/) + { + # Just die if compressor not found; if this occurrs in the middle of + # two valid files with a lot of matches, error could easily be missed. + die("Didn't find $ext decompressor for $filename\n") + if ($compressors->{$ext}->{bin} eq ''); + $cmdline = $compressors->{$ext}->{bin} ." ". + $compressors->{$ext}->{args}; + last; + } + } + return $cmdline; + } # The main program. Extract the pattern and make sure any relevant characters # are quoted if the -l flag is given. The -t flag gives a time-on-queue value 
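Review bot: detect_compressor_capable() returns one flat string (binary plus arguments) that the caller in the next hunk splices into `open(LOG, "$cmdline $filename |")`, so the log file name reaches a shell unquoted and a name containing spaces or shell metacharacters will be split or interpreted. Return the binary and its arguments as a list and use the list form of piped open so that no shell is involved. detect_compressor_bin() also resolves the decompressor through `which` on the caller's PATH at run time, which differs from the compile-time ZCAT_COMMAND path and should be stated in the documentation, and "occurrs" in the comment above die() should read "occurs".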
@@ -154,6 +202,11 @@ if (@ARGV) open(LOG, "ZCAT_COMMAND $filename |") || die "Unable to zcat $filename: $!\n"; } + elsif (my $cmdline = &detect_compressor_capable($filename)) + { + open(LOG, "$cmdline $filename |") || + die "Unable to decompress $filename: $!\n"; + } else { open(LOG, "<$filename") || die "Unable to open $filename: $!\n"; diff --git a/src/src/exim.c b/src/src/exim.c index a715c0b39..517b5435e 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ @@ -399,9 +399,10 @@ if (exim_tvcmp(&now_tv, then_tv) <= 0) if (!running_in_test_harness) { debug_printf("tick check: %lu.%06lu %lu.%06lu\n", - then_tv->tv_sec, then_tv->tv_usec, now_tv.tv_sec, now_tv.tv_usec); + then_tv->tv_sec, (long) then_tv->tv_usec, + now_tv.tv_sec, (long) now_tv.tv_usec); debug_printf("waiting %lu.%06lu\n", itval.it_value.tv_sec, - itval.it_value.tv_usec); + (long) itval.it_value.tv_usec); } } @@ -526,7 +527,7 @@ close_unwanted(void) if (smtp_input) { #ifdef SUPPORT_TLS - tls_close(FALSE, FALSE); /* Shut down the TLS library */ + tls_close(TRUE, FALSE); /* Shut down the TLS library */ #endif (void)close(fileno(smtp_in)); (void)close(fileno(smtp_out)); @@ -804,6 +805,12 @@ fprintf(f, "Support for:"); #ifdef WITH_OLD_DEMIME fprintf(f, " Old_Demime"); #endif +#ifndef DISABLE_PRDR + fprintf(f, " PRDR"); +#endif +#ifndef DISABLE_OCSP + fprintf(f, " OCSP"); +#endif #ifdef EXPERIMENTAL_SPF fprintf(f, " Experimental_SPF"); #endif 
@@ -819,11 +826,8 @@ fprintf(f, "Support for:"); #ifdef EXPERIMENTAL_DMARC fprintf(f, " Experimental_DMARC"); #endif -#ifdef EXPERIMENTAL_OCSP - fprintf(f, " Experimental_OCSP"); -#endif -#ifdef EXPERIMENTAL_PRDR - fprintf(f, " Experimental_PRDR"); +#ifdef EXPERIMENTAL_PROXY + fprintf(f, " Experimental_Proxy"); #endif #ifdef EXPERIMENTAL_TPDA fprintf(f, " Experimental_TPDA"); @@ -831,6 +835,12 @@ fprintf(f, "Support for:"); #ifdef EXPERIMENTAL_REDIS fprintf(f, " Experimental_Redis"); #endif +#ifdef EXPERIMENTAL_CERTNAMES + fprintf(f, " Experimental_Certnames"); +#endif +#ifdef EXPERIMENTAL_DSN + fprintf(f, " Experimental_DSN"); +#endif fprintf(f, "\n"); fprintf(f, "Lookups (built-in):"); @@ -2653,6 +2663,16 @@ for (i = 1; i < argc; i++) break; } + #ifdef EXPERIMENTAL_DSN + /* -MCD: set the smtp_use_dsn flag; this indicates that the host + that exim is connected to supports the esmtp extension DSN */ + else if (strcmp(argrest, "CD") == 0) + { + smtp_use_dsn = TRUE; + break; + } + #endif + /* -MCP: set the smtp_use_pipelining flag; this is useful only when it preceded -MC (see above) */ @@ -2986,6 +3006,23 @@ for (i = 1; i < argc; i++) else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i]; + /* -oMm: Message reference */ + + else if (Ustrcmp(argrest, "Mm") == 0) + { + if (!mac_ismsgid(argv[i+1])) + { + fprintf(stderr,"-oMm must be a valid message ID\n"); + exit(EXIT_FAILURE); + } + if (!trusted_config) + { + fprintf(stderr,"-oMm must be called by a trusted user/config\n"); + exit(EXIT_FAILURE); + } + message_reference = argv[++i]; + } + /* -oMr: Received protocol */ else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i]; diff --git a/src/src/exim.h b/src/src/exim.h index ec809d6b7..b824b48f3 100644 --- a/src/src/exim.h +++ b/src/src/exim.h 
@@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ @@ -321,6 +321,12 @@ header files. I don't suppose they have T_SRV either. */ #define T_SPF 99 #endif +/* New TLSA record for DANE */ +#ifndef T_TLSA +#define T_TLSA 52 +#endif +#define MAX_TLSA_EXPANDED_SIZE 8192 + /* It seems that some versions of arpa/nameser.h don't define *any* of the T_xxx macros, which seem to be non-standard nowadays. Just to be on the safe side, put in definitions for all the ones that Exim uses. */ diff --git a/src/src/eximstats.src b/src/src/eximstats.src index 56721ed62..4370b4eab 100644 --- a/src/src/eximstats.src +++ b/src/src/eximstats.src @@ -1,6 +1,6 @@ #!PERL_COMMAND -w -# Copyright (c) 2001 University of Cambridge. +# Copyright (c) 2001-2014 University of Cambridge. # See the file NOTICE for conditions of use and distribution. # Perl script to generate statistics from one or more Exim log files. diff --git a/src/src/exiqgrep.src b/src/src/exiqgrep.src index e05589073..94b17f58b 100644 --- a/src/src/exiqgrep.src +++ b/src/src/exiqgrep.src @@ -43,8 +43,10 @@ if ($^O eq 'darwin') { # aka MacOS X $base = 62; }; -getopts('hf:r:y:o:s:zxlibRc',\%opt); +getopts('hf:r:y:o:s:C:zxlibRca',\%opt); if ($opt{h}) { &help; exit;} +if ($opt{a}) { $eargs = '-bp'; } +if ($opt{C}) { $eargs .= ' -C '.$opt{C}; } # Read message queue output into hash &collect(); @@ -60,6 +62,7 @@ sub help() { Exim message queue display utility. -h This help message. + -C Specify which exim.conf to use. Selection criteria: -f Match sender address sender (field is "< >" wrapped) @@ -78,6 +81,7 @@ Display options: -i Message IDs only -b Brief Format -R Reverse order + -a All recipients (including delivered) EOF } 
diff --git a/src/src/expand.c b/src/src/expand.c index 5a764d3df..ff30996a9 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ @@ -13,7 +13,7 @@ /* Recursively called function */ -static uschar *expand_string_internal(uschar *, BOOL, uschar **, BOOL, BOOL); +static uschar *expand_string_internal(uschar *, BOOL, uschar **, BOOL, BOOL, BOOL *); #ifdef STAND_ALONE #ifndef SUPPORT_CRYPTEQ @@ -93,6 +93,9 @@ bcrypt ({CRYPT}$2a$). +#ifndef nelements +# define nelements(arr) (sizeof(arr) / sizeof(*arr)) +#endif /************************************************* * Local statics and tables * @@ -103,6 +106,7 @@ alphabetical order. */ static uschar *item_table[] = { US"acl", + US"certextract", US"dlfunc", US"extract", US"filter", @@ -110,6 +114,7 @@ static uschar *item_table[] = { US"hmac", US"if", US"length", + US"listextract", US"lookup", US"map", US"nhash", @@ -126,6 +131,7 @@ static uschar *item_table[] = { enum { EITEM_ACL, + EITEM_CERTEXTRACT, EITEM_DLFUNC, EITEM_EXTRACT, EITEM_FILTER, @@ -133,6 +139,7 @@ enum { EITEM_HMAC, EITEM_IF, EITEM_LENGTH, + EITEM_LISTEXTRACT, EITEM_LOOKUP, EITEM_MAP, EITEM_NHASH, @@ -198,11 +205,13 @@ static uschar *op_table_main[] = { US"rxquote", US"s", US"sha1", + US"sha256", US"stat", US"str2b64", US"strlen", US"substr", - US"uc" }; + US"uc", + US"utf8clean" }; enum { EOP_ADDRESS = sizeof(op_table_underscore)/sizeof(uschar *), @@ -234,11 +243,13 @@ enum { EOP_RXQUOTE, EOP_S, EOP_SHA1, + EOP_SHA256, EOP_STAT, EOP_STR2B64, EOP_STRLEN, EOP_SUBSTR, - EOP_UC }; + EOP_UC, + EOP_UTF8CLEAN }; /* Table of condition names, and corresponding switch numbers. The names must 
@@ -383,7 +394,8 @@ enum { vtype_host_lookup, /* value not used; get host name */ vtype_load_avg, /* value not used; result is int from os_getloadavg */ vtype_pspace, /* partition space; value is T/F for spool/log */ - vtype_pinodes /* partition inodes; value is T/F for spool/log */ + vtype_pinodes, /* partition inodes; value is T/F for spool/log */ + vtype_cert /* SSL certificate */ #ifndef DISABLE_DKIM ,vtype_dkim /* Lookup of value in DKIM signature */ #endif @@ -464,6 +476,7 @@ static var_entry var_table[] = { #endif #ifdef EXPERIMENTAL_DMARC { "dmarc_ar_header", vtype_stringptr, &dmarc_ar_header }, + { "dmarc_domain_policy", vtype_stringptr, &dmarc_domain_policy }, { "dmarc_status", vtype_stringptr, &dmarc_status }, { "dmarc_status_text", vtype_stringptr, &dmarc_status_text }, { "dmarc_used_domain", vtype_stringptr, &dmarc_used_domain }, @@ -505,6 +518,7 @@ static var_entry var_table[] = { { "localhost_number", vtype_int, &host_number }, { "log_inodes", vtype_pinodes, (void *)FALSE }, { "log_space", vtype_pspace, (void *)FALSE }, + { "lookup_dnssec_authenticated",vtype_stringptr,&lookup_dnssec_authenticated}, { "mailstore_basename", vtype_stringptr, &mailstore_basename }, #ifdef WITH_CONTENT_SCAN { "malware_name", vtype_stringptr, &malware_name }, @@ -556,6 +570,13 @@ static var_entry var_table[] = { { "parent_local_part", vtype_stringptr, &deliver_localpart_parent }, { "pid", vtype_pid, NULL }, { "primary_hostname", vtype_stringptr, &primary_hostname }, +#ifdef EXPERIMENTAL_PROXY + { "proxy_host_address", vtype_stringptr, &proxy_host_address }, + { "proxy_host_port", vtype_int, &proxy_host_port }, + { "proxy_session", vtype_bool, &proxy_session }, + { "proxy_target_address",vtype_stringptr, &proxy_target_address }, + { "proxy_target_port", vtype_int, &proxy_target_port }, +#endif { "prvscheck_address", vtype_stringptr, &prvscheck_address }, { "prvscheck_keynum", vtype_stringptr, &prvscheck_keynum }, { "prvscheck_result", vtype_stringptr, &prvscheck_result }, 
@@ -652,6 +673,9 @@ static var_entry var_table[] = { { "tls_in_bits", vtype_int, &tls_in.bits }, { "tls_in_certificate_verified", vtype_int, &tls_in.certificate_verified }, { "tls_in_cipher", vtype_stringptr, &tls_in.cipher }, + { "tls_in_ocsp", vtype_int, &tls_in.ocsp }, + { "tls_in_ourcert", vtype_cert, &tls_in.ourcert }, + { "tls_in_peercert", vtype_cert, &tls_in.peercert }, { "tls_in_peerdn", vtype_stringptr, &tls_in.peerdn }, #if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) { "tls_in_sni", vtype_stringptr, &tls_in.sni }, @@ -659,6 +683,9 @@ static var_entry var_table[] = { { "tls_out_bits", vtype_int, &tls_out.bits }, { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified }, { "tls_out_cipher", vtype_stringptr, &tls_out.cipher }, + { "tls_out_ocsp", vtype_int, &tls_out.ocsp }, + { "tls_out_ourcert", vtype_cert, &tls_out.ourcert }, + { "tls_out_peercert", vtype_cert, &tls_out.peercert }, { "tls_out_peerdn", vtype_stringptr, &tls_out.peerdn }, #if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) { "tls_out_sni", vtype_stringptr, &tls_out.sni }, @@ -1052,6 +1079,23 @@ return NULL; +static var_entry * +find_var_ent(uschar * name) +{ +int first = 0; +int last = var_table_size; + +while (last > first) + { + int middle = (first + last)/2; + int c = Ustrcmp(name, var_table[middle].name); + + if (c > 0) { first = middle + 1; continue; } + if (c < 0) { last = middle; continue; } + return &var_table[middle]; + } +return NULL; +} /************************************************* * Extract numbered subfield from string * 
@@ -1126,6 +1170,90 @@ return fieldtext; } +static uschar * +expand_getlistele(int field, uschar * list) +{ +uschar * tlist= list; +int sep= 0; +uschar dummy; + +if(field<0) +{ + for(field++; string_nextinlist(&tlist, &sep, &dummy, 1); ) field++; + sep= 0; +} +if(field==0) return NULL; +while(--field>0 && (string_nextinlist(&list, &sep, &dummy, 1))) ; +return string_nextinlist(&list, &sep, NULL, 0); +} + + +/* Certificate fields, by name. Worry about by-OID later */ +/* Names are chosen to not have common prefixes */ + +#ifdef SUPPORT_TLS +typedef struct +{ +uschar * name; +int namelen; +uschar * (*getfn)(void * cert, uschar * mod); +} certfield; +static certfield certfields[] = +{ /* linear search; no special order */ + { US"version", 7, &tls_cert_version }, + { US"serial_number", 13, &tls_cert_serial_number }, + { US"subject", 7, &tls_cert_subject }, + { US"notbefore", 9, &tls_cert_not_before }, + { US"notafter", 8, &tls_cert_not_after }, + { US"issuer", 6, &tls_cert_issuer }, + { US"signature", 9, &tls_cert_signature }, + { US"sig_algorithm", 13, &tls_cert_signature_algorithm }, + { US"subj_altname", 12, &tls_cert_subject_altname }, + { US"ocsp_uri", 8, &tls_cert_ocsp_uri }, + { US"crl_uri", 7, &tls_cert_crl_uri }, +}; + +static uschar * +expand_getcertele(uschar * field, uschar * certvar) +{ +var_entry * vp; +certfield * cp; + +if (!(vp = find_var_ent(certvar))) + { + expand_string_message = + string_sprintf("no variable named \"%s\"", certvar); + return NULL; /* Unknown variable name */ + } +/* NB this stops us passing certs around in variable. 
Might +want to do that in future */ +if (vp->type != vtype_cert) + { + expand_string_message = + string_sprintf("\"%s\" is not a certificate", certvar); + return NULL; /* Unknown variable name */ + } +if (!*(void **)vp->value) + return NULL; + +if (*field >= '0' && *field <= '9') + return tls_cert_ext_by_oid(*(void **)vp->value, field, 0); + +for(cp = certfields; + cp < certfields + nelements(certfields); + cp++) + if (Ustrncmp(cp->name, field, cp->namelen) == 0) + { + uschar * modifier = *(field += cp->namelen) == ',' + ? ++field : NULL; + return (*cp->getfn)( *(void **)vp->value, modifier ); + } + +expand_string_message = + string_sprintf("bad field selector \"%s\" for certextract", field); +return NULL; +} +#endif /*SUPPORT_TLS*/ /************************************************* * Extract a substring from a string * @@ -1522,8 +1650,10 @@ Returns: NULL if the variable does not exist, or static uschar * find_variable(uschar *name, BOOL exists_only, BOOL skipping, int *newsize) { -int first = 0; -int last = var_table_size; +var_entry * vp; +uschar *s, *domain; +uschar **ss; +void * val; /* Handle ACL variables, whose names are of the form acl_cxxx or acl_mxxx. Originally, xxx had to be a number in the range 0-9 (later 0-19), but from 
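Review bot: expand_getlistele() returns the first list element for a negative index that points well before the start of the list. After the counting loop, field is still negative whenever the index is more than one position out of range; the `if(field==0) return NULL;` test misses that case and `while(--field>0 ...)` never runs, so the final string_nextinlist() call yields element one instead of NULL. Test `field <= 0` instead. In expand_getcertele(), the Ustrncmp() prefix match accepts any selector that merely begins with a known field name without checking that the name ends at NUL or a comma, and the comment on the not-a-certificate return still says "Unknown variable name".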
@@ -1556,203 +1686,198 @@ if (Ustrncmp(name, "auth", 4) == 0) /* For all other variables, search the table */ -while (last > first) - { - uschar *s, *domain; - uschar **ss; - int middle = (first + last)/2; - int c = Ustrcmp(name, var_table[middle].name); - - if (c > 0) { first = middle + 1; continue; } - if (c < 0) { last = middle; continue; } +if (!(vp = find_var_ent(name))) + return NULL; /* Unknown variable name */ - /* Found an existing variable. If in skipping state, the value isn't needed, - and we want to avoid processing (such as looking up the host name). */ +/* Found an existing variable. If in skipping state, the value isn't needed, +and we want to avoid processing (such as looking up the host name). */ - if (skipping) return US""; +if (skipping) + return US""; - switch (var_table[middle].type) +val = vp->value; +switch (vp->type) + { + case vtype_filter_int: + if (!filter_running) return NULL; + /* Fall through */ + /* VVVVVVVVVVVV */ + case vtype_int: + sprintf(CS var_buffer, "%d", *(int *)(val)); /* Integer */ + return var_buffer; + + case vtype_ino: + sprintf(CS var_buffer, "%ld", (long int)(*(ino_t *)(val))); /* Inode */ + return var_buffer; + + case vtype_gid: + sprintf(CS var_buffer, "%ld", (long int)(*(gid_t *)(val))); /* gid */ + return var_buffer; + + case vtype_uid: + sprintf(CS var_buffer, "%ld", (long int)(*(uid_t *)(val))); /* uid */ + return var_buffer; + + case vtype_bool: + sprintf(CS var_buffer, "%s", *(BOOL *)(val) ? "yes" : "no"); /* bool */ + return var_buffer; + + case vtype_stringptr: /* Pointer to string */ + s = *((uschar **)(val)); + return (s == NULL)? 
US"" : s; + + case vtype_pid: + sprintf(CS var_buffer, "%d", (int)getpid()); /* pid */ + return var_buffer; + + case vtype_load_avg: + sprintf(CS var_buffer, "%d", OS_GETLOADAVG()); /* load_average */ + return var_buffer; + + case vtype_host_lookup: /* Lookup if not done so */ + if (sender_host_name == NULL && sender_host_address != NULL && + !host_lookup_failed && host_name_lookup() == OK) + host_build_sender_fullhost(); + return (sender_host_name == NULL)? US"" : sender_host_name; + + case vtype_localpart: /* Get local part from address */ + s = *((uschar **)(val)); + if (s == NULL) return US""; + domain = Ustrrchr(s, '@'); + if (domain == NULL) return s; + if (domain - s > sizeof(var_buffer) - 1) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "local part longer than " SIZE_T_FMT + " in string expansion", sizeof(var_buffer)); + Ustrncpy(var_buffer, s, domain - s); + var_buffer[domain - s] = 0; + return var_buffer; + + case vtype_domain: /* Get domain from address */ + s = *((uschar **)(val)); + if (s == NULL) return US""; + domain = Ustrrchr(s, '@'); + return (domain == NULL)? 
US"" : domain + 1; + + case vtype_msgheaders: + return find_header(NULL, exists_only, newsize, FALSE, NULL); + + case vtype_msgheaders_raw: + return find_header(NULL, exists_only, newsize, TRUE, NULL); + + case vtype_msgbody: /* Pointer to msgbody string */ + case vtype_msgbody_end: /* Ditto, the end of the msg */ + ss = (uschar **)(val); + if (*ss == NULL && deliver_datafile >= 0) /* Read body when needed */ { - case vtype_filter_int: - if (!filter_running) return NULL; - /* Fall through */ - /* VVVVVVVVVVVV */ - case vtype_int: - sprintf(CS var_buffer, "%d", *(int *)(var_table[middle].value)); /* Integer */ - return var_buffer; - - case vtype_ino: - sprintf(CS var_buffer, "%ld", (long int)(*(ino_t *)(var_table[middle].value))); /* Inode */ - return var_buffer; - - case vtype_gid: - sprintf(CS var_buffer, "%ld", (long int)(*(gid_t *)(var_table[middle].value))); /* gid */ - return var_buffer; - - case vtype_uid: - sprintf(CS var_buffer, "%ld", (long int)(*(uid_t *)(var_table[middle].value))); /* uid */ - return var_buffer; - - case vtype_bool: - sprintf(CS var_buffer, "%s", *(BOOL *)(var_table[middle].value) ? "yes" : "no"); /* bool */ - return var_buffer; - - case vtype_stringptr: /* Pointer to string */ - s = *((uschar **)(var_table[middle].value)); - return (s == NULL)? US"" : s; - - case vtype_pid: - sprintf(CS var_buffer, "%d", (int)getpid()); /* pid */ - return var_buffer; - - case vtype_load_avg: - sprintf(CS var_buffer, "%d", OS_GETLOADAVG()); /* load_average */ - return var_buffer; - - case vtype_host_lookup: /* Lookup if not done so */ - if (sender_host_name == NULL && sender_host_address != NULL && - !host_lookup_failed && host_name_lookup() == OK) - host_build_sender_fullhost(); - return (sender_host_name == NULL)? 
US"" : sender_host_name; - - case vtype_localpart: /* Get local part from address */ - s = *((uschar **)(var_table[middle].value)); - if (s == NULL) return US""; - domain = Ustrrchr(s, '@'); - if (domain == NULL) return s; - if (domain - s > sizeof(var_buffer) - 1) - log_write(0, LOG_MAIN|LOG_PANIC_DIE, "local part longer than " SIZE_T_FMT - " in string expansion", sizeof(var_buffer)); - Ustrncpy(var_buffer, s, domain - s); - var_buffer[domain - s] = 0; - return var_buffer; - - case vtype_domain: /* Get domain from address */ - s = *((uschar **)(var_table[middle].value)); - if (s == NULL) return US""; - domain = Ustrrchr(s, '@'); - return (domain == NULL)? US"" : domain + 1; - - case vtype_msgheaders: - return find_header(NULL, exists_only, newsize, FALSE, NULL); - - case vtype_msgheaders_raw: - return find_header(NULL, exists_only, newsize, TRUE, NULL); - - case vtype_msgbody: /* Pointer to msgbody string */ - case vtype_msgbody_end: /* Ditto, the end of the msg */ - ss = (uschar **)(var_table[middle].value); - if (*ss == NULL && deliver_datafile >= 0) /* Read body when needed */ + uschar *body; + off_t start_offset = SPOOL_DATA_START_OFFSET; + int len = message_body_visible; + if (len > message_size) len = message_size; + *ss = body = store_malloc(len+1); + body[0] = 0; + if (vp->type == vtype_msgbody_end) { - uschar *body; - off_t start_offset = SPOOL_DATA_START_OFFSET; - int len = message_body_visible; - if (len > message_size) len = message_size; - *ss = body = store_malloc(len+1); - body[0] = 0; - if (var_table[middle].type == vtype_msgbody_end) - { - struct stat statbuf; - if (fstat(deliver_datafile, &statbuf) == 0) - { - start_offset = statbuf.st_size - len; - if (start_offset < SPOOL_DATA_START_OFFSET) - start_offset = SPOOL_DATA_START_OFFSET; - } - } - lseek(deliver_datafile, start_offset, SEEK_SET); - len = read(deliver_datafile, body, len); - if (len > 0) - { - body[len] = 0; - if (message_body_newlines) /* Separate loops for efficiency */ - { - while 
(len > 0) - { if (body[--len] == 0) body[len] = ' '; } - } - else - { - while (len > 0) - { if (body[--len] == '\n' || body[len] == 0) body[len] = ' '; } - } - } + struct stat statbuf; + if (fstat(deliver_datafile, &statbuf) == 0) + { + start_offset = statbuf.st_size - len; + if (start_offset < SPOOL_DATA_START_OFFSET) + start_offset = SPOOL_DATA_START_OFFSET; + } + } + lseek(deliver_datafile, start_offset, SEEK_SET); + len = read(deliver_datafile, body, len); + if (len > 0) + { + body[len] = 0; + if (message_body_newlines) /* Separate loops for efficiency */ + { + while (len > 0) + { if (body[--len] == 0) body[len] = ' '; } + } + else + { + while (len > 0) + { if (body[--len] == '\n' || body[len] == 0) body[len] = ' '; } + } } - return (*ss == NULL)? US"" : *ss; + } + return (*ss == NULL)? US"" : *ss; - case vtype_todbsdin: /* BSD inbox time of day */ - return tod_stamp(tod_bsdin); + case vtype_todbsdin: /* BSD inbox time of day */ + return tod_stamp(tod_bsdin); - case vtype_tode: /* Unix epoch time of day */ - return tod_stamp(tod_epoch); + case vtype_tode: /* Unix epoch time of day */ + return tod_stamp(tod_epoch); - case vtype_todel: /* Unix epoch/usec time of day */ - return tod_stamp(tod_epoch_l); + case vtype_todel: /* Unix epoch/usec time of day */ + return tod_stamp(tod_epoch_l); - case vtype_todf: /* Full time of day */ - return tod_stamp(tod_full); + case vtype_todf: /* Full time of day */ + return tod_stamp(tod_full); - case vtype_todl: /* Log format time of day */ - return tod_stamp(tod_log_bare); /* (without timezone) */ + case vtype_todl: /* Log format time of day */ + return tod_stamp(tod_log_bare); /* (without timezone) */ - case vtype_todzone: /* Time zone offset only */ - return tod_stamp(tod_zone); + case vtype_todzone: /* Time zone offset only */ + return tod_stamp(tod_zone); - case vtype_todzulu: /* Zulu time */ - return tod_stamp(tod_zulu); + case vtype_todzulu: /* Zulu time */ + return tod_stamp(tod_zulu); - case vtype_todlf: /* Log file 
datestamp tod */ - return tod_stamp(tod_log_datestamp_daily); + case vtype_todlf: /* Log file datestamp tod */ + return tod_stamp(tod_log_datestamp_daily); - case vtype_reply: /* Get reply address */ - s = find_header(US"reply-to:", exists_only, newsize, TRUE, - headers_charset); - if (s != NULL) while (isspace(*s)) s++; - if (s == NULL || *s == 0) - { - *newsize = 0; /* For the *s==0 case */ - s = find_header(US"from:", exists_only, newsize, TRUE, headers_charset); - } - if (s != NULL) - { - uschar *t; - while (isspace(*s)) s++; - for (t = s; *t != 0; t++) if (*t == '\n') *t = ' '; - while (t > s && isspace(t[-1])) t--; - *t = 0; - } - return (s == NULL)? US"" : s; + case vtype_reply: /* Get reply address */ + s = find_header(US"reply-to:", exists_only, newsize, TRUE, + headers_charset); + if (s != NULL) while (isspace(*s)) s++; + if (s == NULL || *s == 0) + { + *newsize = 0; /* For the *s==0 case */ + s = find_header(US"from:", exists_only, newsize, TRUE, headers_charset); + } + if (s != NULL) + { + uschar *t; + while (isspace(*s)) s++; + for (t = s; *t != 0; t++) if (*t == '\n') *t = ' '; + while (t > s && isspace(t[-1])) t--; + *t = 0; + } + return (s == NULL)? 
US"" : s; - case vtype_string_func: - { - uschar * (*fn)() = var_table[middle].value; - return fn(); - } + case vtype_string_func: + { + uschar * (*fn)() = val; + return fn(); + } - case vtype_pspace: - { - int inodes; - sprintf(CS var_buffer, "%d", - receive_statvfs(var_table[middle].value == (void *)TRUE, &inodes)); - } - return var_buffer; + case vtype_pspace: + { + int inodes; + sprintf(CS var_buffer, "%d", + receive_statvfs(val == (void *)TRUE, &inodes)); + } + return var_buffer; - case vtype_pinodes: - { - int inodes; - (void) receive_statvfs(var_table[middle].value == (void *)TRUE, &inodes); - sprintf(CS var_buffer, "%d", inodes); - } - return var_buffer; + case vtype_pinodes: + { + int inodes; + (void) receive_statvfs(val == (void *)TRUE, &inodes); + sprintf(CS var_buffer, "%d", inodes); + } + return var_buffer; - #ifndef DISABLE_DKIM - case vtype_dkim: - return dkim_exim_expand_query((int)(long)var_table[middle].value); - #endif + case vtype_cert: + return *(void **)val ? US"" : US""; - } - } + #ifndef DISABLE_DKIM + case vtype_dkim: + return dkim_exim_expand_query((int)(long)val); + #endif -return NULL; /* Unknown variable name */ + } } @@ -1761,21 +1886,8 @@ return NULL; /* Unknown variable name */ void modify_variable(uschar *name, void * value) { -int first = 0; -int last = var_table_size; - -while (last > first) - { - int middle = (first + last)/2; - int c = Ustrcmp(name, var_table[middle].name); - - if (c > 0) { first = middle + 1; continue; } - if (c < 0) { last = middle; continue; } - - /* Found an existing variable; change the item it refers to */ - var_table[middle].value = value; - return; - } +var_entry * vp; +if ((vp = find_var_ent(name))) vp->value = value; return; /* Unknown variable name, fail silently */ } 
@@ -1799,6 +1911,8 @@ Arguments: skipping the skipping flag check_end if TRUE, check for final '}' name name of item, for error message + resetok if not NULL, pointer to flag - write FALSE if unsafe to reset + the store. Returns: 0 OK; string pointer updated 1 curly bracketing error (too few arguments) @@ -1808,7 +1922,7 @@ Returns: 0 OK; string pointer updated static int read_subs(uschar **sub, int n, int m, uschar **sptr, BOOL skipping, - BOOL check_end, uschar *name) + BOOL check_end, uschar *name, BOOL *resetok) { int i; uschar *s = *sptr; @@ -1822,7 +1936,7 @@ for (i = 0; i < n; i++) sub[i] = NULL; break; } - sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE); + sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, resetok); if (sub[i] == NULL) return 3; if (*s++ != '}') return 1; while (isspace(*s)) s++; @@ -1931,6 +2045,9 @@ return ret; /* Arguments: s points to the start of the condition text + resetok points to a BOOL which is written false if it is unsafe to + free memory. Certain condition types (acl) may have side-effect + allocation which must be preserved. yield points to a BOOL to hold the result of the condition test; if NULL, we are just reading through a condition that is part of an "or" combination to check syntax, or in a state @@ -1941,7 +2058,7 @@ Returns: a pointer to the first character after the condition, or */ static uschar * -eval_condition(uschar *s, BOOL *yield) +eval_condition(uschar *s, BOOL *resetok, BOOL *yield) { BOOL testfor = TRUE; BOOL tempcond, combined_cond; @@ -2080,7 +2197,7 @@ switch(cond_type) while (isspace(*s)) s++; if (*s != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */ - sub[0] = expand_string_internal(s+1, TRUE, &s, yield == NULL, TRUE); + sub[0] = expand_string_internal(s+1, TRUE, &s, yield == NULL, TRUE, resetok); if (sub[0] == NULL) return NULL; /* {-for-text-editors */ if (*s++ != '}') goto COND_FAILED_CURLY_END; 
@@ -2164,6 +2281,8 @@ switch(cond_type) like the saslauthd condition does, to permit a variable number of args. See also the expansion-item version EITEM_ACL and the traditional acl modifier ACLC_ACL. + Since the ACL may allocate new global variables, tell our caller to not + reclaim memory. */ case ECOND_ACL: @@ -2178,7 +2297,7 @@ switch(cond_type) if (*s++ != '{') goto COND_FAILED_CURLY_START; /*}*/ switch(read_subs(sub, sizeof(sub)/sizeof(*sub), 1, - &s, yield == NULL, TRUE, US"acl")) + &s, yield == NULL, TRUE, US"acl", resetok)) { case 1: expand_string_message = US"too few arguments or bracketing " "error for acl"; @@ -2186,6 +2305,7 @@ switch(cond_type) case 3: return NULL; } + *resetok = FALSE; if (yield != NULL) switch(eval_acl(sub, sizeof(sub)/sizeof(*sub), &user_msg)) { case OK: @@ -2212,7 +2332,7 @@ switch(cond_type) /* saslauthd: does Cyrus saslauthd authentication. Four parameters are used: - ${if saslauthd {{username}{password}{service}{realm}} {yes}[no}} + ${if saslauthd {{username}{password}{service}{realm}} {yes}{no}} However, the last two are optional. That is why the whole set is enclosed in their own set of braces. */ @@ -2223,7 +2343,7 @@ switch(cond_type) #else while (isspace(*s)) s++; if (*s++ != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */ - switch(read_subs(sub, 4, 2, &s, yield == NULL, TRUE, US"saslauthd")) + switch(read_subs(sub, 4, 2, &s, yield == NULL, TRUE, US"saslauthd", resetok)) { case 1: expand_string_message = US"too few arguments or bracketing " "error for saslauthd"; @@ -2307,7 +2427,7 @@ switch(cond_type) return NULL; } sub[i] = expand_string_internal(s+1, TRUE, &s, yield == NULL, - honour_dollar); + honour_dollar, resetok); if (sub[i] == NULL) return NULL; if (*s++ != '}') goto COND_FAILED_CURLY_END; 
@@ -2665,8 +2785,7 @@ switch(cond_type) return NULL; } - s = eval_condition(s+1, subcondptr); - if (s == NULL) + if (!(s = eval_condition(s+1, resetok, subcondptr))) { expand_string_message = string_sprintf("%s inside \"%s{...}\" condition", expand_string_message, name); @@ -2712,7 +2831,7 @@ switch(cond_type) while (isspace(*s)) s++; if (*s++ != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */ - sub[0] = expand_string_internal(s, TRUE, &s, (yield == NULL), TRUE); + sub[0] = expand_string_internal(s, TRUE, &s, (yield == NULL), TRUE, resetok); if (sub[0] == NULL) return NULL; /* {-for-text-editors */ if (*s++ != '}') goto COND_FAILED_CURLY_END; @@ -2726,8 +2845,7 @@ switch(cond_type) "false" part). This allows us to find the end of the condition, because if the list it empty, we won't actually evaluate the condition for real. */ - s = eval_condition(sub[1], NULL); - if (s == NULL) + if (!(s = eval_condition(sub[1], resetok, NULL))) { expand_string_message = string_sprintf("%s inside \"%s\" condition", expand_string_message, name); @@ -2748,7 +2866,7 @@ switch(cond_type) while ((iterate_item = string_nextinlist(&sub[0], &sep, NULL, 0)) != NULL) { DEBUG(D_expand) debug_printf("%s: $item = \"%s\"\n", name, iterate_item); - if (eval_condition(sub[1], &tempcond) == NULL) + if (!eval_condition(sub[1], resetok, &tempcond)) { expand_string_message = string_sprintf("%s inside \"%s\" condition", expand_string_message, name); @@ -2788,7 +2906,7 @@ switch(cond_type) while (isspace(*s)) s++; if (*s != '{') goto COND_FAILED_CURLY_START; /* }-for-text-editors */ ourname = cond_type == ECOND_BOOL_LAX ? US"bool_lax" : US"bool"; - switch(read_subs(sub_arg, 1, 1, &s, yield == NULL, FALSE, ourname)) + switch(read_subs(sub_arg, 1, 1, &s, yield == NULL, FALSE, ourname, resetok)) { case 1: expand_string_message = string_sprintf( "too few arguments or bracketing error for %s", 
@@ -2818,7 +2936,9 @@ switch(cond_type) be no maintenance burden from replicating it. */ if (len == 0) boolvalue = FALSE; - else if (Ustrspn(t, "0123456789") == len) + else if (*t == '-' + ? Ustrspn(t+1, "0123456789") == len-1 + : Ustrspn(t, "0123456789") == len) { boolvalue = (Uatoi(t) == 0) ? FALSE : TRUE; /* expand_check_condition only does a literal string "0" check */ @@ -2952,6 +3072,8 @@ Arguments: sizeptr points to the output string size ptrptr points to the output string pointer type "lookup" or "if" or "extract" or "run", for error message + resetok if not NULL, pointer to flag - write FALSE if unsafe to reset + the store. Returns: 0 OK; lookup_value has been reset to save_lookup 1 expansion failed @@ -2960,7 +3082,7 @@ Returns: 0 OK; lookup_value has been reset to save_lookup static int process_yesno(BOOL skipping, BOOL yes, uschar *save_lookup, uschar **sptr, - uschar **yieldptr, int *sizeptr, int *ptrptr, uschar *type) + uschar **yieldptr, int *sizeptr, int *ptrptr, uschar *type, BOOL *resetok) { int rc = 0; uschar *s = *sptr; /* Local value */ @@ -2997,7 +3119,7 @@ if (*s++ != '{') goto FAILED_CURLY; want this string. Set skipping in the call in the fail case (this will always be the case if we were already skipping). */ -sub1 = expand_string_internal(s, TRUE, &s, !yes, TRUE); +sub1 = expand_string_internal(s, TRUE, &s, !yes, TRUE, resetok); if (sub1 == NULL && (yes || !expand_string_forcedfail)) goto FAILED; expand_string_forcedfail = FALSE; if (*s++ != '}') goto FAILED_CURLY; @@ -3022,7 +3144,7 @@ already skipping. */ while (isspace(*s)) s++; if (*s == '{') { - sub2 = expand_string_internal(s+1, TRUE, &s, yes || skipping, TRUE); + sub2 = expand_string_internal(s+1, TRUE, &s, yes || skipping, TRUE, resetok); if (sub2 == NULL && (!yes || !expand_string_forcedfail)) goto FAILED; expand_string_forcedfail = FALSE; if (*s++ != '}') goto FAILED_CURLY; 
@@ -3587,8 +3709,9 @@ $message_headers which can get very long. There's a problem if a ${dlfunc item has side-effects that cause allocation, since resetting the store at the end of the expansion will free store that was allocated by the plugin code as well as the slop after the expanded string. So -we skip any resets if ${dlfunc has been used. The same applies for ${acl. This -is an unfortunate consequence of string expansion becoming too powerful. +we skip any resets if ${dlfunc } has been used. The same applies for ${acl } +and, given the acl condition, ${if }. This is an unfortunate consequence of +string expansion becoming too powerful. Arguments: string the string to be expanded @@ -3599,6 +3722,8 @@ Arguments: to be used (to allow for optimisation) honour_dollar TRUE if $ is to be expanded, FALSE if it's just another character + resetok_p if not NULL, pointer to flag - write FALSE if unsafe to reset + the store. Returns: NULL if expansion fails: expand_string_forcedfail is set TRUE if failure was forced @@ -3608,7 +3733,7 @@ Returns: NULL if expansion fails: static uschar * expand_string_internal(uschar *string, BOOL ket_ends, uschar **left, - BOOL skipping, BOOL honour_dollar) + BOOL skipping, BOOL honour_dollar, BOOL *resetok_p) { int ptr = 0; int size = Ustrlen(string)+ 64; @@ -3659,9 +3784,11 @@ while (*s != 0) continue; } + /*{*/ /* Anything other than $ is just copied verbatim, unless we are looking for a terminating } character. */ + /*{*/ if (ket_ends && *s == '}') break; if (*s != '$' || !honour_dollar) @@ -3676,7 +3803,7 @@ while (*s != 0) names can contain any printing characters except space and colon. For those that don't like typing this much, "$h_" is a synonym for "$header_". A non-existent header yields a NULL value; nothing is - inserted. */ + inserted. */ /*}*/ if (isalpha((*(++s)))) { 
@@ -3763,11 +3890,11 @@ while (*s != 0) continue; } - /* Otherwise, if there's no '{' after $ it's an error. */ + /* Otherwise, if there's no '{' after $ it's an error. */ /*}*/ - if (*s != '{') + if (*s != '{') /*}*/ { - expand_string_message = US"$ not followed by letter, digit, or {"; + expand_string_message = US"$ not followed by letter, digit, or {"; /*}*/ goto EXPAND_FAILED; } @@ -3777,9 +3904,9 @@ while (*s != 0) if (isdigit((*(++s)))) { int n; - s = read_number(&n, s); + s = read_number(&n, s); /*{*/ if (*s++ != '}') - { + { /*{*/ expand_string_message = US"} expected after number"; goto EXPAND_FAILED; } @@ -3791,7 +3918,7 @@ while (*s != 0) if (!isalpha(*s)) { - expand_string_message = US"letter or digit expected after ${"; + expand_string_message = US"letter or digit expected after ${"; /*}*/ goto EXPAND_FAILED; } @@ -3819,7 +3946,7 @@ while (*s != 0) uschar *sub[10]; /* name + arg1-arg9 (which must match number of acl_arg[]) */ uschar *user_msg; - switch(read_subs(sub, 10, 1, &s, skipping, TRUE, US"acl")) + switch(read_subs(sub, 10, 1, &s, skipping, TRUE, US"acl", &resetok)) { case 1: goto EXPAND_FAILED_CURLY; case 2: @@ -3832,6 +3959,8 @@ while (*s != 0) { case OK: case FAIL: + DEBUG(D_expand) + debug_printf("acl expansion yield: %s\n", user_msg); if (user_msg) yield = string_cat(yield, &size, &ptr, user_msg, Ustrlen(user_msg)); continue; @@ -3857,7 +3986,7 @@ while (*s != 0) save_expand_strings(save_expand_nstring, save_expand_nlength); while (isspace(*s)) s++; - next_s = eval_condition(s, skipping? NULL : &cond); + next_s = eval_condition(s, &resetok, skipping? NULL : &cond); if (next_s == NULL) goto EXPAND_FAILED; /* message already set */ DEBUG(D_expand) 
@@ -3877,7 +4006,8 @@ while (*s != 0) &yield, /* output pointer */ &size, /* output size */ &ptr, /* output current point */ - US"if")) /* condition type */ + US"if", /* condition type */ + &resetok)) { case 1: goto EXPAND_FAILED; /* when all is well, the */ case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */ @@ -3918,10 +4048,10 @@ while (*s != 0) Otherwise set the key NULL pro-tem. */ while (isspace(*s)) s++; - if (*s == '{') + if (*s == '{') /*}*/ { - key = expand_string_internal(s+1, TRUE, &s, skipping, TRUE); - if (key == NULL) goto EXPAND_FAILED; + key = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok); + if (key == NULL) goto EXPAND_FAILED; /*{*/ if (*s++ != '}') goto EXPAND_FAILED_CURLY; while (isspace(*s)) s++; } @@ -3937,9 +4067,9 @@ while (*s != 0) /* The type is a string that may contain special characters of various kinds. Allow everything except space or { to appear; the actual content - is checked by search_findtype_partial. */ + is checked by search_findtype_partial. */ /*}*/ - while (*s != 0 && *s != '{' && !isspace(*s)) + while (*s != 0 && *s != '{' && !isspace(*s)) /*}*/ { if (nameptr < sizeof(name) - 1) name[nameptr++] = *s; s++; @@ -3986,7 +4116,7 @@ while (*s != 0) first. */ if (*s != '{') goto EXPAND_FAILED_CURLY; - filename = expand_string_internal(s+1, TRUE, &s, skipping, TRUE); + filename = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok); if (filename == NULL) goto EXPAND_FAILED; if (*s++ != '}') goto EXPAND_FAILED_CURLY; while (isspace(*s)) s++; @@ -4064,7 +4194,8 @@ while (*s != 0) &yield, /* output pointer */ &size, /* output size */ &ptr, /* output current point */ - US"lookup")) /* condition type */ + US"lookup", /* condition type */ + &resetok)) { case 1: goto EXPAND_FAILED; /* when all is well, the */ case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */ 
@@ -4087,7 +4218,7 @@ while (*s != 0) case EITEM_PERL: #ifndef EXIM_PERL - expand_string_message = US"\"${perl\" encountered, but this facility " + expand_string_message = US"\"${perl\" encountered, but this facility " /*}*/ "is not included in this binary"; goto EXPAND_FAILED; @@ -4103,7 +4234,7 @@ while (*s != 0) } switch(read_subs(sub_arg, EXIM_PERL_MAX_ARGS + 1, 1, &s, skipping, TRUE, - US"perl")) + US"perl", &resetok)) { case 1: goto EXPAND_FAILED_CURLY; case 2: @@ -4175,7 +4306,7 @@ while (*s != 0) uschar *sub_arg[3]; uschar *p,*domain; - switch(read_subs(sub_arg, 3, 2, &s, skipping, TRUE, US"prvs")) + switch(read_subs(sub_arg, 3, 2, &s, skipping, TRUE, US"prvs", &resetok)) { case 1: goto EXPAND_FAILED_CURLY; case 2: @@ -4249,7 +4380,7 @@ while (*s != 0) prvscheck_address = NULL; prvscheck_keynum = NULL; - switch(read_subs(sub_arg, 1, 1, &s, skipping, FALSE, US"prvs")) + switch(read_subs(sub_arg, 1, 1, &s, skipping, FALSE, US"prvs", &resetok)) { case 1: goto EXPAND_FAILED_CURLY; case 2: @@ -4281,7 +4412,7 @@ while (*s != 0) prvscheck_keynum = string_copy(key_num); /* Now expand the second argument */ - switch(read_subs(sub_arg, 1, 1, &s, skipping, FALSE, US"prvs")) + switch(read_subs(sub_arg, 1, 1, &s, skipping, FALSE, US"prvs", &resetok)) { case 1: goto EXPAND_FAILED_CURLY; case 2: @@ -4335,7 +4466,7 @@ while (*s != 0) /* Now expand the final argument. We leave this till now so that it can include $prvscheck_result. */ - switch(read_subs(sub_arg, 1, 0, &s, skipping, TRUE, US"prvs")) + switch(read_subs(sub_arg, 1, 0, &s, skipping, TRUE, US"prvs", &resetok)) { case 1: goto EXPAND_FAILED_CURLY; case 2: @@ -4359,7 +4490,7 @@ while (*s != 0) We need to make sure all subs are expanded first, so as to skip over the entire item. */ - switch(read_subs(sub_arg, 2, 1, &s, skipping, TRUE, US"prvs")) + switch(read_subs(sub_arg, 2, 1, &s, skipping, TRUE, US"prvs", &resetok)) { case 1: goto EXPAND_FAILED_CURLY; case 2: 
@@ -4383,7 +4514,7 @@ while (*s != 0) goto EXPAND_FAILED; } - switch(read_subs(sub_arg, 2, 1, &s, skipping, TRUE, US"readfile")) + switch(read_subs(sub_arg, 2, 1, &s, skipping, TRUE, US"readfile", &resetok)) { case 1: goto EXPAND_FAILED_CURLY; case 2: @@ -4429,7 +4560,7 @@ while (*s != 0) /* Read up to 4 arguments, but don't do the end of item check afterwards, because there may be a string for expansion on failure. */ - switch(read_subs(sub_arg, 4, 2, &s, skipping, FALSE, US"readsocket")) + switch(read_subs(sub_arg, 4, 2, &s, skipping, FALSE, US"readsocket", &resetok)) { case 1: goto EXPAND_FAILED_CURLY; case 2: /* Won't occur: no end check */ @@ -4459,10 +4590,7 @@ while (*s != 0) if (Ustrncmp(sub_arg[0], "inet:", 5) == 0) { - BOOL connected = FALSE; - int namelen, port; - host_item shost; - host_item *h; + int port; uschar *server_name = sub_arg[0] + 5; uschar *port_name = Ustrrchr(server_name, ':'); 
@@ -4499,76 +4627,9 @@ while (*s != 0) port = ntohs(service_info->s_port); } - /* Sort out the server. */ - - shost.next = NULL; - shost.address = NULL; - shost.port = port; - shost.mx = -1; - - namelen = Ustrlen(server_name); - - /* Anything enclosed in [] must be an IP address. */ - - if (server_name[0] == '[' && - server_name[namelen - 1] == ']') - { - server_name[namelen - 1] = 0; - server_name++; - if (string_is_ip_address(server_name, NULL) == 0) - { - expand_string_message = - string_sprintf("malformed IP address \"%s\"", server_name); - goto EXPAND_FAILED; - } - shost.name = shost.address = server_name; - } - - /* Otherwise check for an unadorned IP address */ - - else if (string_is_ip_address(server_name, NULL) != 0) - shost.name = shost.address = server_name; - - /* Otherwise lookup IP address(es) from the name */ - - else - { - shost.name = server_name; - if (host_find_byname(&shost, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, - FALSE) != HOST_FOUND) - { - expand_string_message = - string_sprintf("no IP address found for host %s", shost.name); - goto EXPAND_FAILED; - } - } - - /* Try to connect to the server - test each IP till one works */ - - for (h = &shost; h != NULL; h = h->next) - { - int af = (Ustrchr(h->address, ':') != 0)? AF_INET6 : AF_INET; - if ((fd = ip_socket(SOCK_STREAM, af)) == -1) - { - expand_string_message = string_sprintf("failed to create socket: " - "%s", strerror(errno)); + if ((fd = ip_connectedsocket(SOCK_STREAM, server_name, port, port, + timeout, NULL, &expand_string_message)) < 0) goto SOCK_FAIL; - } - - if (ip_connect(fd, af, h->address, port, timeout) == 0) - { - connected = TRUE; - break; - } - } - - if (!connected) - { - expand_string_message = string_sprintf("failed to connect to " - "socket %s: couldn't connect to any host", sub_arg[0], - strerror(errno)); - goto SOCK_FAIL; - } } /* Handle a Unix domain socket */ 
@@ -4655,7 +4716,7 @@ while (*s != 0) if (*s == '{') { - if (expand_string_internal(s+1, TRUE, &s, TRUE, TRUE) == NULL) + if (expand_string_internal(s+1, TRUE, &s, TRUE, TRUE, &resetok) == NULL) goto EXPAND_FAILED; if (*s++ != '}') goto EXPAND_FAILED_CURLY; while (isspace(*s)) s++; @@ -4670,7 +4731,7 @@ while (*s != 0) SOCK_FAIL: if (*s != '{') goto EXPAND_FAILED; DEBUG(D_any) debug_printf("%s\n", expand_string_message); - arg = expand_string_internal(s+1, TRUE, &s, FALSE, TRUE); + arg = expand_string_internal(s+1, TRUE, &s, FALSE, TRUE, &resetok); if (arg == NULL) goto EXPAND_FAILED; yield = string_cat(yield, &size, &ptr, arg, Ustrlen(arg)); if (*s++ != '}') goto EXPAND_FAILED_CURLY; @@ -4699,7 +4760,7 @@ while (*s != 0) while (isspace(*s)) s++; if (*s != '{') goto EXPAND_FAILED_CURLY; - arg = expand_string_internal(s+1, TRUE, &s, skipping, TRUE); + arg = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok); if (arg == NULL) goto EXPAND_FAILED; while (isspace(*s)) s++; if (*s++ != '}') goto EXPAND_FAILED_CURLY; @@ -4781,7 +4842,8 @@ while (*s != 0) &yield, /* output pointer */ &size, /* output size */ &ptr, /* output current point */ - US"run")) /* condition type */ + US"run", /* condition type */ + &resetok)) { case 1: goto EXPAND_FAILED; /* when all is well, the */ case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */ @@ -4798,7 +4860,7 @@ while (*s != 0) int o2m; uschar *sub[3]; - switch(read_subs(sub, 3, 3, &s, skipping, TRUE, US"tr")) + switch(read_subs(sub, 3, 3, &s, skipping, TRUE, US"tr", &resetok)) { case 1: goto EXPAND_FAILED_CURLY; case 2: @@ -4836,11 +4898,11 @@ while (*s != 0) uschar *sub[3]; /* "length" takes only 2 arguments whereas the others take 2 or 3. - Ensure that sub[2] is set in the ${length case. */ + Ensure that sub[2] is set in the ${length } case. */ sub[2] = NULL; switch(read_subs(sub, (item_type == EITEM_LENGTH)? 2:3, 2, &s, skipping, - TRUE, name)) + TRUE, name, &resetok)) { case 1: goto EXPAND_FAILED_CURLY; case 2: 
@@ -4915,7 +4977,7 @@ while (*s != 0) uschar innerkey[MAX_HASHBLOCKLEN]; uschar outerkey[MAX_HASHBLOCKLEN]; - switch (read_subs(sub, 3, 3, &s, skipping, TRUE, name)) + switch (read_subs(sub, 3, 3, &s, skipping, TRUE, name, &resetok)) { case 1: goto EXPAND_FAILED_CURLY; case 2: @@ -5010,7 +5072,7 @@ while (*s != 0) int save_expand_nmax = save_expand_strings(save_expand_nstring, save_expand_nlength); - switch(read_subs(sub, 3, 3, &s, skipping, TRUE, US"sg")) + switch(read_subs(sub, 3, 3, &s, skipping, TRUE, US"sg", &resetok)) { case 1: goto EXPAND_FAILED_CURLY; case 2: @@ -5128,10 +5190,10 @@ while (*s != 0) for (i = 0; i < j; i++) { while (isspace(*s)) s++; - if (*s == '{') + if (*s == '{') /*}*/ { - sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE); - if (sub[i] == NULL) goto EXPAND_FAILED; + sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok); + if (sub[i] == NULL) goto EXPAND_FAILED; /*{*/ if (*s++ != '}') goto EXPAND_FAILED_CURLY; /* After removal of leading and trailing white space, the first @@ -5194,7 +5256,8 @@ while (*s != 0) &yield, /* output pointer */ &size, /* output size */ &ptr, /* output current point */ - US"extract")) /* condition type */ + US"extract", /* condition type */ + &resetok)) { case 1: goto EXPAND_FAILED; /* when all is well, the */ case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */ 
@@ -5208,6 +5271,168 @@ while (*s != 0) continue; } + /* return the Nth item from a list */ + + case EITEM_LISTEXTRACT: + { + int i; + int field_number = 1; + uschar *save_lookup_value = lookup_value; + uschar *sub[2]; + int save_expand_nmax = + save_expand_strings(save_expand_nstring, save_expand_nlength); + + /* Read the field & list arguments */ + + for (i = 0; i < 2; i++) + { + while (isspace(*s)) s++; + if (*s != '{') /*}*/ + goto EXPAND_FAILED_CURLY; + + sub[i] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok); + if (!sub[i]) goto EXPAND_FAILED; /*{*/ + if (*s++ != '}') goto EXPAND_FAILED_CURLY; + + /* After removal of leading and trailing white space, the first + argument must be numeric and nonempty. */ + + if (i == 0) + { + int len; + int x = 0; + uschar *p = sub[0]; + + while (isspace(*p)) p++; + sub[0] = p; + + len = Ustrlen(p); + while (len > 0 && isspace(p[len-1])) len--; + p[len] = 0; + + if (!*p && !skipping) + { + expand_string_message = US"first argument of \"listextract\" must " + "not be empty"; + goto EXPAND_FAILED; + } + + if (*p == '-') + { + field_number = -1; + p++; + } + while (*p && isdigit(*p)) x = x * 10 + *p++ - '0'; + if (*p) + { + expand_string_message = US"first argument of \"listextract\" must " + "be numeric"; + goto EXPAND_FAILED; + } + field_number *= x; + } + } + + /* Extract the numbered element into $value. If + skipping, just pretend the extraction failed. */ + + lookup_value = skipping? NULL : expand_getlistele(field_number, sub[1]); + + /* If no string follows, $value gets substituted; otherwise there can + be yes/no strings, as for lookup or if. 
*/ + + switch(process_yesno( + skipping, /* were previously skipping */ + lookup_value != NULL, /* success/failure indicator */ + save_lookup_value, /* value to reset for string2 */ + &s, /* input pointer */ + &yield, /* output pointer */ + &size, /* output size */ + &ptr, /* output current point */ + US"extract", /* condition type */ + &resetok)) + { + case 1: goto EXPAND_FAILED; /* when all is well, the */ + case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */ + } + + /* All done - restore numerical variables. */ + + restore_expand_strings(save_expand_nmax, save_expand_nstring, + save_expand_nlength); + + continue; + } + +#ifdef SUPPORT_TLS + case EITEM_CERTEXTRACT: + { + uschar *save_lookup_value = lookup_value; + uschar *sub[2]; + int save_expand_nmax = + save_expand_strings(save_expand_nstring, save_expand_nlength); + + /* Read the field argument */ + while (isspace(*s)) s++; + if (*s != '{') /*}*/ + goto EXPAND_FAILED_CURLY; + sub[0] = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok); + if (!sub[0]) goto EXPAND_FAILED; /*{*/ + if (*s++ != '}') goto EXPAND_FAILED_CURLY; + /* strip spaces fore & aft */ + { + int len; + uschar *p = sub[0]; + + while (isspace(*p)) p++; + sub[0] = p; + + len = Ustrlen(p); + while (len > 0 && isspace(p[len-1])) len--; + p[len] = 0; + } + + /* inspect the cert argument */ + while (isspace(*s)) s++; + if (*s != '{') /*}*/ + goto EXPAND_FAILED_CURLY; + if (*++s != '$') + { + expand_string_message = US"second argument of \"certextract\" must " + "be a certificate variable"; + goto EXPAND_FAILED; + } + sub[1] = expand_string_internal(s+1, TRUE, &s, skipping, FALSE, &resetok); + if (!sub[1]) goto EXPAND_FAILED; /*{*/ + if (*s++ != '}') goto EXPAND_FAILED_CURLY; + + if (skipping) + lookup_value = NULL; + else + { + lookup_value = expand_getcertele(sub[0], sub[1]); + if (*expand_string_message) goto EXPAND_FAILED; + } + switch(process_yesno( + skipping, /* were previously skipping */ + lookup_value != NULL, /* 
success/failure indicator */ + save_lookup_value, /* value to reset for string2 */ + &s, /* input pointer */ + &yield, /* output pointer */ + &size, /* output size */ + &ptr, /* output current point */ + US"extract", /* condition type */ + &resetok)) + { + case 1: goto EXPAND_FAILED; /* when all is well, the */ + case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */ + } + + restore_expand_strings(save_expand_nmax, save_expand_nstring, + save_expand_nlength); + continue; + } +#endif /*SUPPORT_TLS*/ /* Handle list operations */ @@ -5225,7 +5450,7 @@ while (*s != 0) while (isspace(*s)) s++; if (*s++ != '{') goto EXPAND_FAILED_CURLY; - list = expand_string_internal(s, TRUE, &s, skipping, TRUE); + list = expand_string_internal(s, TRUE, &s, skipping, TRUE, &resetok); if (list == NULL) goto EXPAND_FAILED; if (*s++ != '}') goto EXPAND_FAILED_CURLY; @@ -5233,7 +5458,7 @@ while (*s != 0) { while (isspace(*s)) s++; if (*s++ != '{') goto EXPAND_FAILED_CURLY; - temp = expand_string_internal(s, TRUE, &s, skipping, TRUE); + temp = expand_string_internal(s, TRUE, &s, skipping, TRUE, &resetok); if (temp == NULL) goto EXPAND_FAILED; lookup_value = temp; if (*s++ != '}') goto EXPAND_FAILED_CURLY; @@ -5252,12 +5477,12 @@ while (*s != 0) if (item_type == EITEM_FILTER) { - temp = eval_condition(expr, NULL); + temp = eval_condition(expr, &resetok, NULL); if (temp != NULL) s = temp; } else { - temp = expand_string_internal(s, TRUE, &s, TRUE, TRUE); + temp = expand_string_internal(s, TRUE, &s, TRUE, TRUE, &resetok); } if (temp == NULL) @@ -5269,15 +5494,15 @@ while (*s != 0) while (isspace(*s)) s++; if (*s++ != '}') - { + { /*{*/ expand_string_message = string_sprintf("missing } at end of condition " "or expression inside \"%s\"", name); goto EXPAND_FAILED; } - while (isspace(*s)) s++; + while (isspace(*s)) s++; /*{*/ if (*s++ != '}') - { + { /*{*/ expand_string_message = string_sprintf("missing } at end of \"%s\"", name); goto EXPAND_FAILED; 
@@ -5296,7 +5521,7 @@ while (*s != 0) if (item_type == EITEM_FILTER) { BOOL condresult; - if (eval_condition(expr, &condresult) == NULL) + if (eval_condition(expr, &resetok, &condresult) == NULL) { iterate_item = save_iterate_item; lookup_value = save_lookup_value; @@ -5316,7 +5541,7 @@ while (*s != 0) else { - temp = expand_string_internal(expr, TRUE, NULL, skipping, TRUE); + temp = expand_string_internal(expr, TRUE, NULL, skipping, TRUE, &resetok); if (temp == NULL) { iterate_item = save_iterate_item; @@ -5387,7 +5612,7 @@ while (*s != 0) } - /* If ${dlfunc support is configured, handle calling dynamically-loaded + /* If ${dlfunc } support is configured, handle calling dynamically-loaded functions, unless locked out at this time. Syntax is ${dlfunc{file}{func}} or ${dlfunc{file}{func}{arg}} or ${dlfunc{file}{func}{arg1}{arg2}} or up to a maximum of EXPAND_DLFUNC_MAX_ARGS arguments (defined below). */ @@ -5396,7 +5621,7 @@ while (*s != 0) case EITEM_DLFUNC: #ifndef EXPAND_DLFUNC - expand_string_message = US"\"${dlfunc\" encountered, but this facility " + expand_string_message = US"\"${dlfunc\" encountered, but this facility " /*}*/ "is not included in this binary"; goto EXPAND_FAILED; @@ -5416,7 +5641,7 @@ while (*s != 0) } switch(read_subs(argv, EXPAND_DLFUNC_MAX_ARGS + 2, 2, &s, skipping, - TRUE, US"dlfunc")) + TRUE, US"dlfunc", &resetok)) { case 1: goto EXPAND_FAILED_CURLY; case 2: @@ -5487,7 +5712,7 @@ while (*s != 0) } } #endif /* EXPAND_DLFUNC */ - } + } /* EITEM_* switch */ /* Control reaches here if the name is not recognized as one of the more complicated expansion items. Check for the "operator" syntax (name terminated 
@@ -5498,19 +5723,16 @@ while (*s != 0) { int c; uschar *arg = NULL; - uschar *sub = expand_string_internal(s+1, TRUE, &s, skipping, TRUE); - if (sub == NULL) goto EXPAND_FAILED; - s++; + uschar *sub; + var_entry *vp = NULL; /* Owing to an historical mis-design, an underscore may be part of the operator name, or it may introduce arguments. We therefore first scan the table of names that contain underscores. If there is no match, we cut off the arguments and then scan the main table. */ - c = chop_match(name, op_table_underscore, - sizeof(op_table_underscore)/sizeof(uschar *)); - - if (c < 0) + if ((c = chop_match(name, op_table_underscore, + sizeof(op_table_underscore)/sizeof(uschar *))) < 0) { arg = Ustrchr(name, '_'); if (arg != NULL) *arg = 0; @@ -5520,6 +5742,37 @@ while (*s != 0) if (arg != NULL) *arg++ = '_'; /* Put back for error messages */ } + /* Deal specially with operators that might take a certificate variable + as we do not want to do the usual expansion. For most, expand the string.*/ + switch(c) + { +#ifdef SUPPORT_TLS + case EOP_MD5: + case EOP_SHA1: + case EOP_SHA256: + if (s[1] == '$') + { + uschar * s1 = s; + sub = expand_string_internal(s+2, TRUE, &s1, skipping, + FALSE, &resetok); + if (!sub) goto EXPAND_FAILED; /*{*/ + if (*s1 != '}') goto EXPAND_FAILED_CURLY; + if ((vp = find_var_ent(sub)) && vp->type == vtype_cert) + { + s = s1+1; + break; + } + vp = NULL; + } + /*FALLTHROUGH*/ +#endif + default: + sub = expand_string_internal(s+1, TRUE, &s, skipping, TRUE, &resetok); + if (!sub) goto EXPAND_FAILED; + s++; + break; + } + /* If we are skipping, we don't need to perform the operation at all. This matters for operations like "mask", because the data may not be in the correct format when skipping. For example, the expression may test 
@@ -5573,7 +5826,7 @@ while (*s != 0) case EOP_EXPAND: { - uschar *expanded = expand_string_internal(sub, FALSE, NULL, skipping, TRUE); + uschar *expanded = expand_string_internal(sub, FALSE, NULL, skipping, TRUE, &resetok); if (expanded == NULL) { expand_string_message = 
@@ -5604,30 +5857,58 @@ while (*s != 0) } case EOP_MD5: - { - md5 base; - uschar digest[16]; - int j; - char st[33]; - md5_start(&base); - md5_end(&base, sub, Ustrlen(sub), digest); - for(j = 0; j < 16; j++) sprintf(st+2*j, "%02x", digest[j]); - yield = string_cat(yield, &size, &ptr, US st, (int)strlen(st)); +#ifdef SUPPORT_TLS + if (vp && *(void **)vp->value) + { + uschar * cp = tls_cert_fprt_md5(*(void **)vp->value); + yield = string_cat(yield, &size, &ptr, cp, Ustrlen(cp)); + } + else +#endif + { + md5 base; + uschar digest[16]; + int j; + char st[33]; + md5_start(&base); + md5_end(&base, sub, Ustrlen(sub), digest); + for(j = 0; j < 16; j++) sprintf(st+2*j, "%02x", digest[j]); + yield = string_cat(yield, &size, &ptr, US st, (int)strlen(st)); + } continue; - } case EOP_SHA1: - { - sha1 base; - uschar digest[20]; - int j; - char st[41]; - sha1_start(&base); - sha1_end(&base, sub, Ustrlen(sub), digest); - for(j = 0; j < 20; j++) sprintf(st+2*j, "%02X", digest[j]); - yield = string_cat(yield, &size, &ptr, US st, (int)strlen(st)); +#ifdef SUPPORT_TLS + if (vp && *(void **)vp->value) + { + uschar * cp = tls_cert_fprt_sha1(*(void **)vp->value); + yield = string_cat(yield, &size, &ptr, cp, Ustrlen(cp)); + } + else +#endif + { + sha1 base; + uschar digest[20]; + int j; + char st[41]; + sha1_start(&base); + sha1_end(&base, sub, Ustrlen(sub), digest); + for(j = 0; j < 20; j++) sprintf(st+2*j, "%02X", digest[j]); + yield = string_cat(yield, &size, &ptr, US st, (int)strlen(st)); + } + continue; + + case EOP_SHA256: +#ifdef SUPPORT_TLS + if (vp && *(void **)vp->value) + { + uschar * cp = tls_cert_fprt_sha256(*(void **)vp->value); + yield = string_cat(yield, &size, &ptr, cp, (int)strlen(cp)); + } + else +#endif + expand_string_message = US"sha256 only supported for certificates"; continue; - } /* Convert hex encoding to base64 encoding */ 
@@ -5765,7 +6046,7 @@ while (*s != 0) if (*item == '+') /* list item is itself a named list */ { uschar * sub = string_sprintf("${listnamed%s:%s}", suffix, item); - item = expand_string_internal(sub, FALSE, NULL, FALSE, TRUE); + item = expand_string_internal(sub, FALSE, NULL, FALSE, TRUE, &resetok); } else if (sep != ':') /* item from non-colon-sep list, re-quote for colon list-separator */ { 
@@ -6073,6 +6354,94 @@ while (*s != 0) continue; } + /* replace illegal UTF-8 sequences by replacement character */ + + #define UTF8_REPLACEMENT_CHAR US"?" + + case EOP_UTF8CLEAN: + { + int seq_len, index = 0; + int bytes_left = 0; + uschar seq_buff[4]; /* accumulate utf-8 here */ + + while (*sub != 0) + { + int complete; + long codepoint; + uschar c; + + complete = 0; + c = *sub++; + if (bytes_left) + { + if ((c & 0xc0) != 0x80) + { + /* wrong continuation byte; invalidate all bytes */ + complete = 1; /* error */ + } + else + { + codepoint = (codepoint << 6) | (c & 0x3f); + seq_buff[index++] = c; + if (--bytes_left == 0) /* codepoint complete */ + { + if(codepoint > 0x10FFFF) /* is it too large? */ + complete = -1; /* error */ + else + { /* finished; output utf-8 sequence */ + yield = string_cat(yield, &size, &ptr, seq_buff, seq_len); + index = 0; + } + } + } + } + else /* no bytes left: new sequence */ + { + if((c & 0x80) == 0) /* 1-byte sequence, US-ASCII, keep it */ + { + yield = string_cat(yield, &size, &ptr, &c, 1); + continue; + } + if((c & 0xe0) == 0xc0) /* 2-byte sequence */ + { + if(c == 0xc0 || c == 0xc1) /* 0xc0 and 0xc1 are illegal */ + complete = -1; + else + { + bytes_left = 1; + codepoint = c & 0x1f; + } + } + else if((c & 0xf0) == 0xe0) /* 3-byte sequence */ + { + bytes_left = 2; + codepoint = c & 0x0f; + } + else if((c & 0xf8) == 0xf0) /* 4-byte sequence */ + { + bytes_left = 3; + codepoint = c & 0x07; + } + else /* invalid or too long (RFC3629 allows only 4 bytes) */ + complete = -1; + + seq_buff[index++] = c; + seq_len = bytes_left + 1; + } /* if(bytes_left) */ + + if (complete != 0) + { + bytes_left = index = 0; + yield = string_cat(yield, &size, &ptr, UTF8_REPLACEMENT_CHAR, 1); + } + if ((complete == 1) && ((c & 0x80) == 0)) + { /* ASCII character follows incomplete sequence */ + yield = string_cat(yield, &size, &ptr, &c, 1); + } + } + continue; + } + /* escape turns all non-printing characters into escape sequences. */ case EOP_ESCAPE: 
@@ -6347,7 +6716,7 @@ while (*s != 0) store instead of copying. Many expansion strings contain just one reference, so this is a useful optimization, especially for humungous headers ($message_headers). */ - + /*{*/ if (*s++ == '}') { int len; @@ -6410,6 +6779,8 @@ In many cases the final string will be the first one that was got and so there will be optimal store usage. */ if (resetok) store_reset(yield + ptr + 1); +else if (resetok_p) *resetok_p = FALSE; + DEBUG(D_expand) { debug_printf("expanding: %.*s\n result: %s\n", (int)(s - string), string, @@ -6439,6 +6810,7 @@ DEBUG(D_expand) debug_printf(" error message: %s\n", expand_string_message); if (expand_string_forcedfail) debug_printf("failure was forced\n"); } +if (resetok_p) *resetok_p = resetok; return NULL; } @@ -6457,7 +6829,7 @@ expand_string(uschar *string) search_find_defer = FALSE; malformed_header = FALSE; return (Ustrpbrk(string, "$\\") == NULL)? string : - expand_string_internal(string, FALSE, NULL, FALSE, TRUE); + expand_string_internal(string, FALSE, NULL, FALSE, TRUE, NULL); } @@ -6698,4 +7070,6 @@ return 0; #endif +/* vi: aw ai sw=2 +*/ /* End of expand.c */ diff --git a/src/src/functions.h b/src/src/functions.h index d381b569a..a6257a913 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ 
@@ -25,16 +25,33 @@ extern const char * std_dh_prime_default(void); extern const char * std_dh_prime_named(const uschar *); + +extern uschar * tls_cert_crl_uri(void *, uschar * mod); +extern uschar * tls_cert_ext_by_oid(void *, uschar *, int); +extern uschar * tls_cert_issuer(void *, uschar * mod); +extern uschar * tls_cert_not_before(void *, uschar * mod); +extern uschar * tls_cert_not_after(void *, uschar * mod); +extern uschar * tls_cert_ocsp_uri(void *, uschar * mod); +extern uschar * tls_cert_serial_number(void *, uschar * mod); +extern uschar * tls_cert_signature(void *, uschar * mod); +extern uschar * tls_cert_signature_algorithm(void *, uschar * mod); +extern uschar * tls_cert_subject(void *, uschar * mod); +extern uschar * tls_cert_subject_altname(void *, uschar * mod); +extern uschar * tls_cert_version(void *, uschar * mod); + +extern uschar * tls_cert_fprt_md5(void *); +extern uschar * tls_cert_fprt_sha1(void *); +extern uschar * tls_cert_fprt_sha256(void *); + extern int tls_client_start(int, host_item *, address_item *, - uschar *, uschar *, uschar *, uschar *, uschar *, uschar *, -# ifdef EXPERIMENTAL_OCSP - uschar *, -# endif - int, int); + void *); extern void tls_close(BOOL, BOOL); +extern int tls_export_cert(uschar *, size_t, void *); extern int tls_feof(void); extern int tls_ferror(void); +extern void tls_free_cert(void *); extern int tls_getc(void); +extern int tls_import_cert(const uschar *, void **); extern int tls_read(BOOL, uschar *, size_t); extern int tls_server_start(const uschar *); extern BOOL tls_smtp_buffered(void); 
@@ -42,10 +59,14 @@ extern int tls_ungetc(int); extern int tls_write(BOOL, const uschar *, size_t); extern uschar *tls_validate_require_cipher(void); extern void tls_version_report(FILE *); -#ifndef USE_GNUTLS +# ifndef USE_GNUTLS extern BOOL tls_openssl_options_parse(uschar *, long *); -#endif -#endif +# endif +extern uschar * tls_field_from_dn(uschar *, uschar *); +# ifdef EXPERIMENTAL_CERTNAMES +extern BOOL tls_is_name_for_cert(uschar *, void *); +# endif +#endif /*SUPPORT_TLS*/ /* Everything else... */ @@ -115,7 +136,7 @@ extern BOOL dkim_transport_write_message(address_item *, int, int, #endif extern dns_address *dns_address_from_rr(dns_answer *, dns_record *); extern void dns_build_reverse(uschar *, uschar *); -extern void dns_init(BOOL, BOOL); +extern void dns_init(BOOL, BOOL, BOOL); extern int dns_basic_lookup(dns_answer *, uschar *, int); extern BOOL dns_is_secure(dns_answer *); extern int dns_lookup(dns_answer *, uschar *, int, uschar **); @@ -157,7 +178,7 @@ extern void host_build_log_info(void); extern void host_build_sender_fullhost(void); extern BOOL host_find_byname(host_item *, uschar *, int, uschar **, BOOL); extern int host_find_bydns(host_item *, uschar *, int, uschar *, uschar *, - uschar *,uschar **, BOOL *); + uschar *, uschar *, uschar *, uschar **, BOOL *); extern ip_address_item *host_find_interfaces(void); extern BOOL host_is_in_net(uschar *, uschar *, int); extern BOOL host_is_tls_on_connect_port(int); @@ -171,6 +192,8 @@ extern int host_scan_for_local_hosts(host_item *, host_item **, BOOL *); extern void invert_address(uschar *, uschar *); extern int ip_bind(int, int, uschar *, int); extern int ip_connect(int, int, uschar *, int, int); +extern int ip_connectedsocket(int, const uschar *, int, int, + int, host_item *, uschar **); extern int ip_get_address_family(int); extern void ip_keepalive(int, uschar *, BOOL); extern int ip_recv(int, uschar *, int, int); 
@@ -348,6 +371,7 @@ extern int stdin_feof(void); extern int stdin_ferror(void); extern int stdin_ungetc(int); extern uschar *string_append(uschar *, int *, int *, int, ...); +extern uschar *string_append_listele(uschar *, uschar, const uschar *); extern uschar *string_base62(unsigned long int); extern uschar *string_cat(uschar *, int *, int *, const uschar *, int); extern uschar *string_copy_dnsdomain(uschar *); @@ -358,7 +382,7 @@ extern uschar *string_dequote(uschar **); extern BOOL string_format(uschar *, int, const char *, ...) ALMOST_PRINTF(3,4); extern uschar *string_format_size(int, uschar *); extern int string_interpret_escape(uschar **); -extern int string_is_ip_address(uschar *, int *); +extern int string_is_ip_address(const uschar *, int *); extern uschar *string_log_address(address_item *, BOOL, BOOL); extern uschar *string_nextinlist(uschar **, int *, uschar *, int); extern uschar *string_open_failed(int, const char *, ...) PRINTF_FUNCTION(2,3); @@ -371,6 +395,7 @@ extern int strncmpic(const uschar *, const uschar *, int); extern uschar *strstric(uschar *, uschar *, BOOL); extern uschar *tod_stamp(int); +extern void tls_modify_variables(tls_support *); extern BOOL transport_check_waiting(uschar *, uschar *, int, uschar *, BOOL *); extern void transport_init(void); @@ -382,6 +407,8 @@ extern BOOL transport_set_up_command(uschar ***, uschar *, BOOL, int, extern void transport_update_waiting(host_item *, uschar *); extern BOOL transport_write_block(int, uschar *, int); extern BOOL transport_write_string(int, const char *, ...); +extern BOOL transport_headers_send(address_item *, int, uschar *, uschar *, + BOOL (*)(int, uschar *, int, BOOL), BOOL, rewrite_rule *, int); extern BOOL transport_write_message(address_item *, int, int, int, uschar *, uschar *, uschar *, uschar *, rewrite_rule *, int); extern void tree_add_duplicate(uschar *, address_item *); 
@@ -402,6 +429,7 @@ extern int verify_check_dnsbl(uschar **); extern int verify_check_header_address(uschar **, uschar **, int, int, int, uschar *, uschar *, int, int *); extern int verify_check_headers(uschar **); +extern int verify_check_header_names_ascii(uschar **); extern int verify_check_host(uschar **); extern int verify_check_notblind(void); extern int verify_check_this_host(uschar **, unsigned int *, uschar*, @@ -414,4 +442,6 @@ extern void version_init(void); extern ssize_t write_to_fd_buf(int, const uschar *, size_t); +/* vi: aw +*/ /* End of functions.h */ diff --git a/src/src/globals.c b/src/src/globals.c index 133a7bf74..761db6181 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* All the global variables are defined together in this one module, so @@ -106,8 +106,11 @@ tls_support tls_in = { NULL, /* tls_cipher */ FALSE,/* tls_on_connect */ NULL, /* tls_on_connect_ports */ + NULL, /* tls_ourcert */ + NULL, /* tls_peercert */ NULL, /* tls_peerdn */ - NULL /* tls_sni */ + NULL, /* tls_sni */ + 0 /* tls_ocsp */ }; tls_support tls_out = { -1, /* tls_active */ @@ -116,10 +119,20 @@ tls_support tls_out = { NULL, /* tls_cipher */ FALSE,/* tls_on_connect */ NULL, /* tls_on_connect_ports */ + NULL, /* tls_ourcert */ + NULL, /* tls_peercert */ NULL, /* tls_peerdn */ - NULL /* tls_sni */ + NULL, /* tls_sni */ + 0 /* tls_ocsp */ }; +#ifdef EXPERIMENTAL_DSN +uschar *dsn_envid = NULL; +int dsn_ret = 0; +const pcre *regex_DSN = NULL; +BOOL smtp_use_dsn = FALSE; +uschar *dsn_advertise_hosts = NULL; +#endif #ifdef SUPPORT_TLS BOOL gnutls_compat_mode = FALSE; 
@@ -137,7 +150,7 @@ that's the interop problem which has been observed: GnuTLS suggesting a higher bit-count as "NORMAL" (2432) and Thunderbird dropping connection. */ int tls_dh_max_bits = 2236; uschar *tls_dhparam = NULL; -#if defined(EXPERIMENTAL_OCSP) && !defined(USE_GNUTLS) +#ifndef DISABLE_OCSP uschar *tls_ocsp_file = NULL; #endif BOOL tls_offered = FALSE; @@ -149,7 +162,7 @@ uschar *tls_verify_certificates= NULL; uschar *tls_verify_hosts = NULL; #endif -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR /* Per Recipient Data Response variables */ BOOL prdr_enable = FALSE; BOOL prdr_requested = FALSE; @@ -212,7 +225,7 @@ uschar *acl_removed_headers = NULL; uschar *acl_smtp_auth = NULL; uschar *acl_smtp_connect = NULL; uschar *acl_smtp_data = NULL; -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR uschar *acl_smtp_data_prdr = NULL; #endif #ifndef DISABLE_DKIM @@ -248,7 +261,7 @@ uschar *acl_wherenames[] = { US"RCPT", US"MIME", US"DKIM", US"DATA", -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR US"PRDR", #endif US"non-SMTP", @@ -273,7 +286,7 @@ uschar *acl_wherecodes[] = { US"550", /* RCPT */ US"550", /* MIME */ US"550", /* DKIM */ US"550", /* DATA */ -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR US"550", /* RCPT PRDR */ #endif US"0", /* not SMTP; not relevant */ @@ -332,11 +345,19 @@ address_item address_defaults = { NULL, /* shadow_message */ #ifdef SUPPORT_TLS NULL, /* cipher */ + NULL, /* ourcert */ + NULL, /* peercert */ NULL, /* peerdn */ + OCSP_NOT_REQ, /* ocsp */ #endif NULL, /* authenticator */ NULL, /* auth_id */ NULL, /* auth_sndr */ + #ifdef EXPERIMENTAL_DSN + NULL, /* dsn_orcpt */ + 0, /* dsn_flags */ + 0, /* dsn_aware */ + #endif (uid_t)(-1), /* uid */ (gid_t)(-1), /* gid */ 0, /* flags */ 
@@ -598,6 +619,7 @@ BOOL dkim_disable_verify = FALSE; #ifdef EXPERIMENTAL_DMARC BOOL dmarc_has_been_checked = FALSE; uschar *dmarc_ar_header = NULL; +uschar *dmarc_domain_policy = NULL; uschar *dmarc_forensic_sender = NULL; uschar *dmarc_history_file = NULL; uschar *dmarc_status = NULL; @@ -797,6 +819,9 @@ bit_table log_options[] = { { US"lost_incoming_connection", L_lost_incoming_connection }, { US"outgoing_port", LX_outgoing_port }, { US"pid", LX_pid }, +#ifdef EXPERIMENTAL_PROXY + { US"proxy", LX_proxy }, +#endif { US"queue_run", L_queue_run }, { US"queue_time", LX_queue_time }, { US"queue_time_overall", LX_queue_time_overall }, @@ -833,6 +858,7 @@ BOOL log_testing_mode = FALSE; BOOL log_timezone = FALSE; unsigned int log_write_selector= L_default; uschar *login_sender_address = NULL; +uschar *lookup_dnssec_authenticated = NULL; int lookup_open_max = 25; uschar *lookup_value = NULL; @@ -914,6 +940,17 @@ uschar process_info[PROCESS_INFO_SIZE]; int process_info_len = 0; uschar *process_log_path = NULL; BOOL prod_requires_admin = TRUE; + +#ifdef EXPERIMENTAL_PROXY +uschar *proxy_host_address = US""; +int proxy_host_port = 0; +uschar *proxy_required_hosts = US""; +BOOL proxy_session = FALSE; +BOOL proxy_session_failed = FALSE; +uschar *proxy_target_address = US""; +int proxy_target_port = 0; +#endif + uschar *prvscheck_address = NULL; uschar *prvscheck_keynum = NULL; uschar *prvscheck_result = NULL; @@ -1092,6 +1129,9 @@ router_instance router_defaults = { TRUE, /* verify_sender */ FALSE, /* uid_set */ FALSE, /* unseen */ +#ifdef EXPERIMENTAL_DSN + FALSE, /* dsn_lasthop */ +#endif self_freeze, /* self_code */ (uid_t)(-1), /* uid */ @@ -1347,6 +1387,9 @@ transport_instance transport_defaults = { FALSE, /* log_defer_output */ TRUE_UNSET /* retry_use_local_part: BOOL, but set neither 1 nor 0 so can detect unset */ +#ifdef EXPERIMENTAL_TPDA + ,NULL /* tpda_delivery_action */ +#endif }; int transport_count; 
@@ -1403,8 +1446,8 @@ uschar *warnmsg_recipients = NULL; BOOL write_rejectlog = TRUE; uschar *version_copyright = - US"Copyright (c) University of Cambridge, 1995 - 2013\n" - "(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2013"; + US"Copyright (c) University of Cambridge, 1995 - 2014\n" + "(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014"; uschar *version_date = US"?"; uschar *version_cnumber = US"????"; uschar *version_string = US"?"; diff --git a/src/src/globals.h b/src/src/globals.h index 265f94e60..cf9b61eff 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Almost all the global variables are defined together in this one header, so @@ -85,8 +85,17 @@ typedef struct { uschar *cipher; /* Cipher used */ BOOL on_connect; /* For older MTAs that don't STARTTLS */ uschar *on_connect_ports; /* Ports always tls-on-connect */ + void *ourcert; /* Certificate we presented, binary */ + void *peercert; /* Certificate of peer, binary */ uschar *peerdn; /* DN from peer */ uschar *sni; /* Server Name Indication */ + enum { + OCSP_NOT_REQ=0, /* not requested */ + OCSP_NOT_RESP, /* no response to request */ + OCSP_VFY_NOT_TRIED, /* response not verified */ + OCSP_FAILED, /* verify failed */ + OCSP_VFIED /* verified */ + } ocsp; /* Stapled OCSP status */ } tls_support; extern tls_support tls_in; extern tls_support tls_out; 
@@ -105,7 +114,7 @@ extern uschar *tls_channelbinding_b64; /* string of base64 channel binding */ extern uschar *tls_crl; /* CRL File */ extern int tls_dh_max_bits; /* don't accept higher lib suggestions */ extern uschar *tls_dhparam; /* DH param file */ -#if defined(EXPERIMENTAL_OCSP) && !defined(USE_GNUTLS) +#ifndef DISABLE_OCSP extern uschar *tls_ocsp_file; /* OCSP stapling proof file */ #endif extern BOOL tls_offered; /* Server offered TLS */ @@ -117,6 +126,13 @@ extern uschar *tls_verify_certificates;/* Path for certificates to check */ extern uschar *tls_verify_hosts; /* Mandatory client verification */ #endif +#ifdef EXPERIMENTAL_DSN +extern uschar *dsn_envid; /* DSN envid string */ +extern int dsn_ret; /* DSN ret type*/ +extern const pcre *regex_DSN; /* For recognizing DSN settings */ +extern BOOL smtp_use_dsn; /* Global for passed connections */ +extern uschar *dsn_advertise_hosts; /* host for which TLS is advertised */ +#endif /* Input-reading functions for messages, so we can use special ones for incoming TCP/IP. */ @@ -151,7 +167,7 @@ extern uschar *acl_removed_headers; /* Headers deleted by an ACL */ extern uschar *acl_smtp_auth; /* ACL run for AUTH */ extern uschar *acl_smtp_connect; /* ACL run on SMTP connection */ extern uschar *acl_smtp_data; /* ACL run after DATA received */ -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR extern uschar *acl_smtp_data_prdr; /* ACL run after DATA received if in PRDR mode*/ const extern pcre *regex_PRDR; /* For recognizing PRDR settings */ #endif 
@@ -354,6 +370,7 @@ extern BOOL dkim_disable_verify; /* Set via ACL control statement. When se #ifdef EXPERIMENTAL_DMARC extern BOOL dmarc_has_been_checked; /* Global variable to check if test has been called yet */ extern uschar *dmarc_ar_header; /* Expansion variable, suggested header for dmarc auth results */ +extern uschar *dmarc_domain_policy; /* Expansion for declared policy of used domain */ extern uschar *dmarc_forensic_sender; /* Set sender address for forensic reports */ extern uschar *dmarc_history_file; /* Expansion variable, file to store dmarc results */ extern uschar *dmarc_status; /* Expansion variable, one word value */ @@ -502,6 +519,7 @@ extern unsigned int log_write_selector;/* Bit map of logging options for log_wri extern uschar *login_sender_address; /* The actual sender address */ extern lookup_info **lookup_list; /* Array of pointers to available lookups */ extern int lookup_list_count; /* Number of entries in the list */ +extern uschar *lookup_dnssec_authenticated; /* AD status of dns lookup */ extern int lookup_open_max; /* Max lookup files to cache */ extern uschar *lookup_value; /* Value looked up from file */ @@ -581,7 +599,7 @@ extern uschar *percent_hack_domains; /* Local domains for which '% operates */ extern uschar *pid_file_path; /* For writing daemon pids */ extern uschar *pipelining_advertise_hosts; /* As it says */ extern BOOL pipelining_enable; /* As it says */ -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR extern BOOL prdr_enable; /* As it says */ extern BOOL prdr_requested; /* Connecting mail server wants PRDR */ #endif 
@@ -592,6 +610,17 @@ extern uschar process_info[]; /* For SIGUSR1 output */ extern int process_info_len; extern uschar *process_log_path; /* Alternate path */ extern BOOL prod_requires_admin; /* TRUE if prodding requires admin */ + +#ifdef EXPERIMENTAL_PROXY +extern uschar *proxy_host_address; /* IP of host being proxied */ +extern int proxy_host_port; /* Port of host being proxied */ +extern uschar *proxy_required_hosts; /* Hostlist which (require) use proxy protocol */ +extern BOOL proxy_session; /* TRUE if receiving mail from valid proxy */ +extern BOOL proxy_session_failed; /* TRUE if required proxy negotiation failed */ +extern uschar *proxy_target_address; /* IP of proxy server inbound */ +extern int proxy_target_port; /* Port of proxy server inbound */ +#endif + extern uschar *prvscheck_address; /* Set during prvscheck expansion item */ extern uschar *prvscheck_keynum; /* Set during prvscheck expansion item */ extern uschar *prvscheck_result; /* Set during prvscheck expansion item */ diff --git a/src/src/host.c b/src/src/host.c index 785eea412..a59c4381b 100644 --- a/src/src/host.c +++ b/src/src/host.c @@ -220,6 +220,8 @@ else int rc = dns_lookup(&dnsa, lname, type, NULL); int count = 0; + lookup_dnssec_authenticated = NULL; + switch(rc) { case DNS_SUCCEED: break; @@ -1622,7 +1624,7 @@ while ((ordername = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) { if (strcmpic(ordername, US"bydns") == 0) { - dns_init(FALSE, FALSE); + dns_init(FALSE, FALSE, FALSE); /* dnssec ctrl by dns_dnssec_ok glbl */ dns_build_reverse(sender_host_address, buffer); rc = dns_lookup(&dnsa, buffer, T_PTR, NULL); 
@@ -1919,7 +1921,8 @@ if (running_in_test_harness) some circumstances when the get..byname() function actually calls the DNS. */ dns_init((flags & HOST_FIND_QUALIFY_SINGLE) != 0, - (flags & HOST_FIND_SEARCH_PARENTS) != 0); + (flags & HOST_FIND_SEARCH_PARENTS) != 0, + FALSE); /*XXX dnssec? */ /* In an IPv6 world, unless IPv6 has been disabled, we need to scan for both kinds of address, so go round the loop twice. Note that we have ensured that @@ -2062,6 +2065,7 @@ for (i = 1; i <= times; host->port = PORT_NONE; host->status = hstatus_unknown; host->why = hwhy_unknown; + host->dnssec = DS_UNK; last = host; } @@ -2077,6 +2081,7 @@ for (i = 1; i <= times; next->port = PORT_NONE; next->status = hstatus_unknown; next->why = hwhy_unknown; + next->dnssec = DS_UNK; next->last_try = 0; next->next = last->next; last->next = next; @@ -2195,6 +2200,7 @@ Arguments: fully_qualified_name if not NULL, return fully qualified name here if the contents are different (i.e. it must be preset to something) + dnnssec_require if TRUE check the DNS result AD bit Returns: HOST_FIND_FAILED couldn't find A record HOST_FIND_AGAIN try again later @@ -2204,7 +2210,8 @@ Returns: HOST_FIND_FAILED couldn't find A record static int set_address_from_dns(host_item *host, host_item **lastptr, - uschar *ignore_target_hosts, BOOL allow_ip, uschar **fully_qualified_name) + uschar *ignore_target_hosts, BOOL allow_ip, uschar **fully_qualified_name, + BOOL dnssec_requested, BOOL dnssec_require) { dns_record *rr; host_item *thishostlast = NULL; /* Indicates not yet filled in anything */ @@ -2265,6 +2272,8 @@ for (; i >= 0; i--) dns_scan dnss; int rc = dns_lookup(&dnsa, host->name, type, fully_qualified_name); + lookup_dnssec_authenticated = !dnssec_requested ? NULL + : dns_is_secure(&dnsa) ? US"yes" : US"no"; /* We want to return HOST_FIND_AGAIN if one of the A, A6, or AAAA lookups fails or times out, but not if another one succeeds. (In the early 
@@ -2287,6 +2296,12 @@ for (; i >= 0; i--) if (rc != DNS_NOMATCH && rc != DNS_NODATA) v6_find_again = TRUE; continue; } + if (dnssec_require && !dns_is_secure(&dnsa)) + { + log_write(L_host_lookup_failed, LOG_MAIN, "dnssec fail on %s for %.256s", + i>1 ? "A6" : i>0 ? "AAAA" : "A", host->name); + continue; + } /* Lookup succeeded: fill in the given host item with the first non-ignored address found; create additional items for any others. A single A6 record @@ -2433,6 +2448,8 @@ Arguments: srv_service when SRV used, the service name srv_fail_domains DNS errors for these domains => assume nonexist mx_fail_domains DNS errors for these domains => assume nonexist + dnssec_request_domains => make dnssec request + dnssec_require_domains => ditto and nonexist failures fully_qualified_name if not NULL, return fully-qualified name removed set TRUE if local host was removed from the list @@ -2450,6 +2467,7 @@ Returns: HOST_FIND_FAILED Failed to find the host or domain; int host_find_bydns(host_item *host, uschar *ignore_target_hosts, int whichrrs, uschar *srv_service, uschar *srv_fail_domains, uschar *mx_fail_domains, + uschar *dnssec_request_domains, uschar *dnssec_require_domains, uschar **fully_qualified_name, BOOL *removed) { host_item *h, *last; @@ -2459,6 +2477,12 @@ int ind_type = 0; int yield; dns_answer dnsa; dns_scan dnss; +BOOL dnssec_require = match_isinlist(host->name, &dnssec_require_domains, + 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK; +BOOL dnssec_request = dnssec_require + || match_isinlist(host->name, &dnssec_request_domains, + 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK; +dnssec_status_t dnssec; /* Set the default fully qualified name to the incoming name, initialize the resolver if necessary, set up the relevant options, and initialize the flag 
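Review bot: the two new argument descriptions for host_find_bydns() (hunk @@ -2433,6 +2448,8 @@) are too terse to act on: "ditto and nonexist failures" does not tell the reader that a domain matching dnssec_require_domains has unauthenticated SRV, MX and address answers logged as "dnssec fail" and rejected. Spell that out, and state that a match on the require list also implies a request, as the dnssec_request initialiser in this function does.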
@@ -2466,7 +2490,9 @@ that gets set for DNS syntax check errors. */ if (fully_qualified_name != NULL) *fully_qualified_name = host->name; dns_init((whichrrs & HOST_FIND_QUALIFY_SINGLE) != 0, - (whichrrs & HOST_FIND_SEARCH_PARENTS) != 0); + (whichrrs & HOST_FIND_SEARCH_PARENTS) != 0, + dnssec_request + ); host_find_failed_syntax = FALSE; /* First, if requested, look for SRV records. The service name is given; we @@ -2487,20 +2513,37 @@ if ((whichrrs & HOST_FIND_BY_SRV) != 0) the input name, pass back the new original domain, without the prepended magic. */ + dnssec = DS_UNK; + lookup_dnssec_authenticated = NULL; rc = dns_lookup(&dnsa, buffer, ind_type, &temp_fully_qualified_name); + + if (dnssec_request) + { + if (dns_is_secure(&dnsa)) + { dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; } + else + { dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; } + } + if (temp_fully_qualified_name != buffer && fully_qualified_name != NULL) *fully_qualified_name = temp_fully_qualified_name + prefix_length; /* On DNS failures, we give the "try again" error unless the domain is listed as one for which we continue. */ + if (rc == DNS_SUCCEED && dnssec_require && !dns_is_secure(&dnsa)) + { + log_write(L_host_lookup_failed, LOG_MAIN, + "dnssec fail on SRV for %.256s", host->name); + rc = DNS_FAIL; + } if (rc == DNS_FAIL || rc == DNS_AGAIN) { #ifndef STAND_ALONE if (match_isinlist(host->name, &srv_fail_domains, 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) != OK) #endif - return HOST_FIND_AGAIN; + { yield = HOST_FIND_AGAIN; goto out; } DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA " "(domain in srv_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN"); } 
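Review bot: in the SRV branch (hunk @@ -2487,20 +2513,37 @@), a dnssec_require failure is converted to rc = DNS_FAIL immediately before the srv_fail_domains test, so for a domain on both lists the unauthenticated answer is reported in debug output as "DNS_FAIL treated as DNS_NODATA (domain in srv_fail_domains)" and the lookup carries on to the MX and address stages. If that downgrade is intended, say so in the comment above the test; otherwise bypass the srv_fail_domains match when the failure came from the dnssec_require check.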
@@ -2516,17 +2559,41 @@ listed as one for which we continue. */ if (rc != DNS_SUCCEED && (whichrrs & HOST_FIND_BY_MX) != 0) { ind_type = T_MX; + dnssec = DS_UNK; + lookup_dnssec_authenticated = NULL; rc = dns_lookup(&dnsa, host->name, ind_type, fully_qualified_name); - if (rc == DNS_NOMATCH) return HOST_FIND_FAILED; - if (rc == DNS_FAIL || rc == DNS_AGAIN) + + if (dnssec_request) { - #ifndef STAND_ALONE - if (match_isinlist(host->name, &mx_fail_domains, 0, NULL, NULL, MCL_DOMAIN, - TRUE, NULL) != OK) - #endif - return HOST_FIND_AGAIN; - DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA " - "(domain in mx_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN"); + if (dns_is_secure(&dnsa)) + { dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; } + else + { dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; } + } + + switch (rc) + { + case DNS_NOMATCH: + yield = HOST_FIND_FAILED; goto out; + + case DNS_SUCCEED: + if (!dnssec_require || dns_is_secure(&dnsa)) + break; + log_write(L_host_lookup_failed, LOG_MAIN, + "dnssec fail on MX for %.256s", host->name); + rc = DNS_FAIL; + /*FALLTRHOUGH*/ + + case DNS_FAIL: + case DNS_AGAIN: + #ifndef STAND_ALONE + if (match_isinlist(host->name, &mx_fail_domains, 0, NULL, NULL, MCL_DOMAIN, + TRUE, NULL) != OK) + #endif + { yield = HOST_FIND_AGAIN; goto out; } + DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA " + "(domain in mx_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN"); + break; } } 
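Review bot: the comment marking the deliberate drop from case DNS_SUCCEED into case DNS_FAIL is misspelled /*FALLTRHOUGH*/, so lint tools that look for the conventional FALLTHROUGH marker will not recognise it. Correct the spelling, and note in the same comment that a dnssec_require failure then goes through the mx_fail_domains test like any other DNS_FAIL, which means a domain on that list continues to the address lookup.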
@@ -2539,14 +2606,25 @@ if (rc != DNS_SUCCEED) if ((whichrrs & HOST_FIND_BY_A) == 0) { DEBUG(D_host_lookup) debug_printf("Address records are not being sought\n"); - return HOST_FIND_FAILED; + yield = HOST_FIND_FAILED; + goto out; } last = host; /* End of local chainlet */ host->mx = MX_NONE; host->port = PORT_NONE; + dnssec = DS_UNK; + lookup_dnssec_authenticated = NULL; rc = set_address_from_dns(host, &last, ignore_target_hosts, FALSE, - fully_qualified_name); + fully_qualified_name, dnssec_request, dnssec_require); + + if (dnssec_request) + { + if (dns_is_secure(&dnsa)) + { dnssec = DS_YES; lookup_dnssec_authenticated = US"yes"; } + else + { dnssec = DS_NO; lookup_dnssec_authenticated = US"no"; } + } /* If one or more address records have been found, check that none of them are local. Since we know the host items all have their IP addresses @@ -2573,7 +2651,8 @@ if (rc != DNS_SUCCEED) } } - return rc; + yield = rc; + goto out; } /* We have found one or more MX or SRV records. Sort them according to @@ -2616,9 +2695,7 @@ for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); the same precedence to sort randomly. */ if (ind_type == T_MX) - { weight = random_number(500); - } /* SRV records are specified with a port and a weight. The weight is used in a special algorithm. However, to start with, we just use it to order the @@ -2682,6 +2759,7 @@ for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); host->sort_key = precedence * 1000 + weight; host->status = hstatus_unknown; host->why = hwhy_unknown; + host->dnssec = dnssec; last = host; } @@ -2698,6 +2776,7 @@ for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); next->sort_key = sort_key; next->status = hstatus_unknown; next->why = hwhy_unknown; + next->dnssec = dnssec; next->last_try = 0; /* Handle the case when we have to insert before the first item. */ 
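Review bot: in the address-only path (hunk @@ -2539,14 +2606,25 @@), the dns_is_secure(&dnsa) test added after set_address_from_dns() inspects host_find_bydns()'s own dnsa, which set_address_from_dns() is never given. At this point that structure holds the earlier SRV or MX answer, or nothing at all if neither lookup ran, so dnssec and lookup_dnssec_authenticated are set from the wrong answer and overwrite the value set_address_from_dns() had just stored. Have set_address_from_dns() report the status of the lookup it performed, and drop this block.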
@@ -2757,7 +2836,8 @@ if (ind_type == T_SRV) if (host == last && host->name[0] == 0) { DEBUG(D_host_lookup) debug_printf("the single SRV record is \".\"\n"); - return HOST_FIND_FAILED; + yield = HOST_FIND_FAILED; + goto out; } DEBUG(D_host_lookup) @@ -2867,12 +2947,14 @@ otherwise invalid host names obtained from MX or SRV records can cause trouble if they happen to match something local. */ yield = HOST_FIND_FAILED; /* Default yield */ -dns_init(FALSE, FALSE); /* Disable qualify_single and search_parents */ +dns_init(FALSE, FALSE, /* Disable qualify_single and search_parents */ + dnssec_request || dnssec_require); for (h = host; h != last->next; h = h->next) { if (h->address != NULL) continue; /* Inserted by a multihomed host */ - rc = set_address_from_dns(h, &last, ignore_target_hosts, allow_mx_to_ip, NULL); + rc = set_address_from_dns(h, &last, ignore_target_hosts, allow_mx_to_ip, + NULL, dnssec_request, dnssec_require); if (rc != HOST_FOUND) { h->status = hstatus_unusable; @@ -2981,6 +3063,9 @@ DEBUG(D_host_lookup) } } +out: + +dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */ return yield; } @@ -3002,6 +3087,8 @@ int whichrrs = HOST_FIND_BY_MX | HOST_FIND_BY_A; BOOL byname = FALSE; BOOL qualify_single = TRUE; BOOL search_parents = FALSE; +BOOL request_dnssec = FALSE; +BOOL require_dnssec = FALSE; uschar **argv = USS cargv; uschar buffer[256]; @@ -3021,7 +3108,7 @@ if (argc > 1) primary_hostname = argv[1]; /* So that debug level changes can be done first */ -dns_init(qualify_single, search_parents); +dns_init(qualify_single, search_parents, FALSE); printf("Testing host lookup\n"); printf("> "); 
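Review bot: in the second dns_init() call of host_find_bydns() (hunk @@ -2867,12 +2947,14 @@), the third argument dnssec_request || dnssec_require is redundant, because dnssec_request is already initialised as dnssec_require || match_isinlist(...). Pass dnssec_request alone, as the first dns_init() call in this function does.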
@@ -3047,10 +3134,14 @@ while (Ufgets(buffer, 256, stdin) != NULL) whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_MX; else if (Ustrcmp(buffer, "srv+mx+a") == 0) whichrrs = HOST_FIND_BY_SRV | HOST_FIND_BY_MX | HOST_FIND_BY_A; - else if (Ustrcmp(buffer, "qualify_single") == 0) qualify_single = TRUE; + else if (Ustrcmp(buffer, "qualify_single") == 0) qualify_single = TRUE; else if (Ustrcmp(buffer, "no_qualify_single") == 0) qualify_single = FALSE; - else if (Ustrcmp(buffer, "search_parents") == 0) search_parents = TRUE; + else if (Ustrcmp(buffer, "search_parents") == 0) search_parents = TRUE; else if (Ustrcmp(buffer, "no_search_parents") == 0) search_parents = FALSE; + else if (Ustrcmp(buffer, "request_dnssec") == 0) request_dnssec = TRUE; + else if (Ustrcmp(buffer, "no_request_dnssec") == 0) request_dnssec = FALSE; + else if (Ustrcmp(buffer, "require_dnssec") == 0) require_dnssec = TRUE; + else if (Ustrcmp(buffer, "no_reqiret_dnssec") == 0) require_dnssec = FALSE; else if (Ustrcmp(buffer, "test_harness") == 0) running_in_test_harness = !running_in_test_harness; else if (Ustrcmp(buffer, "ipv6") == 0) disable_ipv6 = !disable_ipv6; @@ -3083,11 +3174,12 @@ while (Ufgets(buffer, 256, stdin) != NULL) if (qualify_single) flags |= HOST_FIND_QUALIFY_SINGLE; if (search_parents) flags |= HOST_FIND_SEARCH_PARENTS; - rc = byname? - host_find_byname(&h, NULL, flags, &fully_qualified_name, TRUE) - : - host_find_bydns(&h, NULL, flags, US"smtp", NULL, NULL, - &fully_qualified_name, NULL); + rc = byname + ? host_find_byname(&h, NULL, flags, &fully_qualified_name, TRUE) + : host_find_bydns(&h, NULL, flags, US"smtp", NULL, NULL, + request_dnssec ? &h.name : NULL, + require_dnssec ? &h.name : NULL, + &fully_qualified_name, NULL); if (rc == HOST_FIND_FAILED) printf("Failed\n"); else if (rc == HOST_FIND_AGAIN) printf("Again\n"); @@ -3146,4 +3238,6 @@ return 0; } #endif /* STAND_ALONE */ +/* vi: aw ai sw=2 +*/ /* End of host.c */ 
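Review bot: in the stand-alone test command parser (hunk @@ -3047,10 +3134,14 @@), the string compared for switching the option off is "no_reqiret_dnssec", so typing no_require_dnssec is not recognised and require_dnssec cannot be cleared once set. Correct the literal to "no_require_dnssec".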
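Review bot: in the host_find_bydns() call of the test harness (hunk @@ -3083,11 +3174,12 @@), &h.name is passed for dnssec_request_domains and dnssec_require_domains, but those parameters are declared uschar * and &h.name is a uschar **. Pass h.name so that the domain list seen by match_isinlist() is the host name itself.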
diff --git a/src/src/ip.c b/src/src/ip.c index 98eed1b93..0211adc1e 100644 --- a/src/src/ip.c +++ b/src/src/ip.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2009 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions for doing things with sockets. With the advent of IPv6 this has @@ -172,7 +172,7 @@ Arguments: af AF_INET6 or AF_INET for the socket type address the remote address, in text form port the remote port - timeout a timeout + timeout a timeout (zero for indefinite timeout) Returns: 0 on success; -1 on failure, with errno set */ 
@@ -248,6 +248,105 @@ return -1; } +/* Create a socket and connect to host (name or number, ipv6 ok) + at one of port-range. +Arguments: + type SOCK_DGRAM or SOCK_STREAM + af AF_INET6 or AF_INET for the socket type + address the remote address, in text form + portlo,porthi the remote port range + timeout a timeout + connhost if not NULL, host_item filled in with connection details + errstr pointer for allocated string on error + +Return: + socket fd, or -1 on failure (having allocated an error string) +*/ +int +ip_connectedsocket(int type, const uschar * hostname, int portlo, int porthi, + int timeout, host_item * connhost, uschar ** errstr) +{ +int namelen, port; +host_item shost; +host_item *h; +int af = 0, fd, fd4 = -1, fd6 = -1; + +shost.next = NULL; +shost.address = NULL; +shost.port = portlo; +shost.mx = -1; + +namelen = Ustrlen(hostname); + +/* Anything enclosed in [] must be an IP address. */ + +if (hostname[0] == '[' && + hostname[namelen - 1] == ']') + { + uschar * host = string_copy(hostname); + host[namelen - 1] = 0; + host++; + if (string_is_ip_address(host, NULL) == 0) + { + *errstr = string_sprintf("malformed IP address \"%s\"", hostname); + return -1; + } + shost.name = shost.address = host; + } + +/* Otherwise check for an unadorned IP address */ + +else if (string_is_ip_address(hostname, NULL) != 0) + shost.name = shost.address = string_copy(hostname); + +/* Otherwise lookup IP address(es) from the name */ + +else + { + shost.name = string_copy(hostname); + if (host_find_byname(&shost, NULL, HOST_FIND_QUALIFY_SINGLE, NULL, + FALSE) != HOST_FOUND) + { + *errstr = string_sprintf("no IP address found for host %s", shost.name); + return -1; + } + } + +/* Try to connect to the server - test each IP till one works */ + +for (h = &shost; h != NULL; h = h->next) + { + fd = (Ustrchr(h->address, ':') != 0) + ? (fd6 < 0) ? (fd6 = ip_socket(SOCK_STREAM, af = AF_INET6)) : fd6 + : (fd4 < 0) ? 
(fd4 = ip_socket(SOCK_STREAM, af = AF_INET )) : fd4; + + if (fd < 0) + { + *errstr = string_sprintf("failed to create socket: %s", strerror(errno)); + goto bad; + } + + for(port = portlo; port <= porthi; port++) + if (ip_connect(fd, af, h->address, port, timeout) == 0) + { + if (fd != fd6) close(fd6); + if (fd != fd4) close(fd4); + if (connhost) { + h->port = port; + *connhost = *h; + connhost->next = NULL; + } + return fd; + } + } + +*errstr = string_sprintf("failed to connect to " + "%s: couldn't connect to any host", hostname, strerror(errno)); + +bad: + close(fd4); close(fd6); return -1; +} + /************************************************* * Set keepalive on a socket * @@ -464,7 +563,7 @@ if (af == AF_INET) *level = IPPROTO_IP; *optname = IP_TOS; } -#if HAVE_IPV6 +#if HAVE_IPV6 && defined(IPV6_TCLASS) else if (af == AF_INET6) { *level = IPPROTO_IPV6; diff --git a/src/src/local_scan.h b/src/src/local_scan.h index 057e4d428..770348a9b 100644 --- a/src/src/local_scan.h +++ b/src/src/local_scan.h @@ -128,6 +128,10 @@ typedef struct recipient_item { uschar *address; /* the recipient address */ int pno; /* parent number for "one_time" alias, or -1 */ uschar *errors_to; /* the errors_to address or NULL */ +#ifdef EXPERIMENTAL_DSN + uschar *orcpt; /* DSN orcpt */ + int dsn_flags; /* DSN flags */ +#endif #ifdef EXPERIMENTAL_BRIGHTMAIL uschar *bmi_optin; #endif diff --git a/src/src/log.c b/src/src/log.c index 1523874d9..c80c34751 100644 --- a/src/src/log.c +++ b/src/src/log.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions for writing log files. The code for maintaining datestamped diff --git a/src/src/lookups/dnsdb.c b/src/src/lookups/dnsdb.c index a8eab2e47..5c077fb31 100644 --- a/src/src/lookups/dnsdb.c 
+++ b/src/src/lookups/dnsdb.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ #include "../exim.h" @@ -22,6 +22,11 @@ header files. */ #define T_SPF 99 #endif +/* New TLSA record for DANE */ +#ifndef T_TLSA +#define T_TLSA 52 +#endif + /* Table of recognized DNS record types and their integer values. */ static const char *type_names[] = { @@ -41,6 +46,7 @@ static const char *type_names[] = { "ptr", "spf", "srv", + "tlsa", "txt", "zns" }; @@ -62,6 +68,7 @@ static int type_values[] = { T_PTR, T_SPF, T_SRV, + T_TLSA, T_TXT, T_ZNS /* Private type for "zone nameservers" */ }; @@ -107,11 +114,15 @@ any defer causes the whole lookup to defer; 'lax', where a defer causes the whole lookup to defer only if none of the DNS queries succeeds; and 'never', where all defers are as if the lookup failed. The default is 'lax'. -(d) If the next sequence of characters is a sequence of letters and digits +(d) Another optional comma-sep field: 'dnssec_FOO', with 'strict', 'lax' +and 'never' (default); can appear before or after (c). The meanings are +require, try and don't-try dnssec respectively. + +(e) If the next sequence of characters is a sequence of letters and digits followed by '=', it is interpreted as the name of the DNS record type. The default is "TXT". -(e) Then there follows list of domain names. This is a generalized Exim list, +(f) Then there follows list of domain names. This is a generalized Exim list, which may start with '<' in order to set a specific separator. The default separator, as always, is colon. */ @@ -124,6 +135,7 @@ int size = 256; int ptr = 0; int sep = 0; int defer_mode = PASS; +int dnssec_mode = OK; int type; int failrc = FAIL; uschar *outsep = US"\n"; 
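Review bot: ip_connectedsocket() in src/src/ip.c (hunk @@ -248,6 +248,105 @@) accepts a type argument but never uses it: both ip_socket() calls hard-code SOCK_STREAM, so a caller passing SOCK_DGRAM silently gets a stream socket. Either pass type through or drop the parameter. The argument comment also lists af and address, which are not parameters (the function takes hostname), and the final string_sprintf() supplies strerror(errno) with no matching %s in the format, so the system error text never reaches the message.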
@@ -166,35 +178,64 @@ if (*keystring == '>') while (isspace(*keystring)) keystring++; } -/* Check for a defer behaviour keyword. */ +/* Check for a modifier keyword. */ -if (strncmpic(keystring, US"defer_", 6) == 0) +while ( strncmpic(keystring, US"defer_", 6) == 0 + || strncmpic(keystring, US"dnssec_", 7) == 0 + ) { - keystring += 6; - if (strncmpic(keystring, US"strict", 6) == 0) + if (strncmpic(keystring, US"defer_", 6) == 0) { - defer_mode = DEFER; keystring += 6; - } - else if (strncmpic(keystring, US"lax", 3) == 0) - { - defer_mode = PASS; - keystring += 3; - } - else if (strncmpic(keystring, US"never", 5) == 0) - { - defer_mode = OK; - keystring += 5; + if (strncmpic(keystring, US"strict", 6) == 0) + { + defer_mode = DEFER; + keystring += 6; + } + else if (strncmpic(keystring, US"lax", 3) == 0) + { + defer_mode = PASS; + keystring += 3; + } + else if (strncmpic(keystring, US"never", 5) == 0) + { + defer_mode = OK; + keystring += 5; + } + else + { + *errmsg = US"unsupported dnsdb defer behaviour"; + return DEFER; + } } else { - *errmsg = US"unsupported dnsdb defer behaviour"; - return DEFER; + keystring += 7; + if (strncmpic(keystring, US"strict", 6) == 0) + { + dnssec_mode = DEFER; + keystring += 6; + } + else if (strncmpic(keystring, US"lax", 3) == 0) + { + dnssec_mode = PASS; + keystring += 3; + } + else if (strncmpic(keystring, US"never", 5) == 0) + { + dnssec_mode = OK; + keystring += 5; + } + else + { + *errmsg = US"unsupported dnsdb dnssec behaviour"; + return DEFER; + } } while (isspace(*keystring)) keystring++; if (*keystring++ != ',') { - *errmsg = US"dnsdb defer behaviour syntax error"; + *errmsg = US"dnsdb modifier syntax error"; return DEFER; } while (isspace(*keystring)) keystring++; 
@@ -234,7 +275,7 @@ if ((equals = Ustrchr(keystring, '=')) != NULL) /* Initialize the resolver in case this is the first time it has been used. */ -dns_init(FALSE, FALSE); +dns_init(FALSE, FALSE, dnssec_mode != OK); /* The remainder of the string must be a list of domains. As long as the lookup for at least one of them succeeds, we return success. Failure means that none @@ -313,13 +354,26 @@ while ((domain = string_nextinlist(&keystring, &sep, buffer, sizeof(buffer))) #endif rc = dns_special_lookup(&dnsa, domain, type, &found); + lookup_dnssec_authenticated = dnssec_mode==OK ? NULL + : dns_is_secure(&dnsa) ? US"yes" : US"no"; + if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue; if (rc != DNS_SUCCEED) { - if (defer_mode == DEFER) return DEFER; /* always defer */ + if (defer_mode == DEFER) + { + dns_init(FALSE, FALSE, FALSE); /* clr dnssec bit */ + return DEFER; /* always defer */ + } if (defer_mode == PASS) failrc = DEFER; /* defer only if all do */ continue; /* treat defer as fail */ } + if (dnssec_mode == DEFER && !dns_is_secure(&dnsa)) + { + failrc = DEFER; + continue; + } + /* Search the returned records */ 
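Review bot: in the dnsdb lookup loop (hunk @@ -313,13 +354,26 @@), the dnssec_strict test sits after the line that continues on DNS_NOMATCH or DNS_NODATA, so an unauthenticated negative answer is accepted as "no data" and the lookup can end in FAIL rather than DEFER. If strict is meant to cover denial of existence as well, move the dns_is_secure() test ahead of the NOMATCH/NODATA check. A log line for the rejected answer, matching the "dnssec fail" entries added in host.c, would also help operators see why a lookup deferred.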
@@ -378,6 +432,29 @@ while ((domain = string_nextinlist(&keystring, &sep, buffer, sizeof(buffer))) } } } + else if (type == T_TLSA) + { + uint8_t usage, selector, matching_type; + uint16_t i, payload_length; + uschar s[MAX_TLSA_EXPANDED_SIZE]; + uschar * sp = s; + uschar *p = (uschar *)(rr->data); + + usage = *p++; + selector = *p++; + matching_type = *p++; + /* What's left after removing the first 3 bytes above */ + payload_length = rr->size - 3; + sp += sprintf(CS s, "%d %d %d ", usage, selector, matching_type); + /* Now append the cert/identifier, one hex char at a time */ + for (i=0; + i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4); + i++) + { + sp += sprintf(CS sp, "%02x", (unsigned char)p[i]); + } + yield = string_cat(yield, &size, &ptr, s, Ustrlen(s)); + } else /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */ { int priority, weight, port; @@ -464,6 +541,8 @@ store_reset(yield + ptr + 1); /* If ptr == 0 we have not found anything. Otherwise, insert the terminating zero and return the result. */ +dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */ + if (ptr == 0) return failrc; yield[ptr] = 0; *result = yield; @@ -508,4 +587,6 @@ static lookup_info _lookup_info = { static lookup_info *_lookup_list[] = { &_lookup_info }; lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 }; +/* vi: aw ai sw=2 +*/ /* End of lookups/dnsdb.c */ diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c index bb29b43af..f77229ded 100644 --- a/src/src/lookups/ldap.c +++ b/src/src/lookups/ldap.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Many thanks to Stuart Lynne for contributing the original code for this 
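Review bot: the T_TLSA branch (hunk @@ -378,6 +432,29 @@) reads three bytes from rr->data and computes payload_length = rr->size - 3 without first checking that rr->size is at least 3. With a shorter record the header reads run past the data, and the uint16_t subtraction wraps to a large value, leaving only the output-buffer limit to stop the hex loop. Skip the record when rr->size < 3. The output limit also truncates long association data silently; log or reject that case so a shortened value is never returned as if complete.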
@@ -280,6 +280,13 @@ if (lcp == NULL) { LDAP *ld; + #ifdef LDAP_OPT_X_TLS_NEWCTX + int am_server = 0; + LDAP *ldsetctx; + #else + LDAP *ldsetctx = NULL; + #endif + /* --------------------------- OpenLDAP ------------------------ */ @@ -365,6 +372,10 @@ if (lcp == NULL) goto RETURN_ERROR; } + #ifdef LDAP_OPT_X_TLS_NEWCTX + ldsetctx = ld; + #endif + /* Set the TCP connect time limit if available. This is something that is in Netscape SDK v4.1; I don't know about other libraries. */ @@ -461,31 +472,31 @@ if (lcp == NULL) #ifdef LDAP_OPT_X_TLS_CACERTFILE if (eldap_ca_cert_file != NULL) { - ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file); + ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file); } #endif #ifdef LDAP_OPT_X_TLS_CACERTDIR if (eldap_ca_cert_dir != NULL) { - ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir); + ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir); } #endif #ifdef LDAP_OPT_X_TLS_CERTFILE if (eldap_cert_file != NULL) { - ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file); + ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file); } #endif #ifdef LDAP_OPT_X_TLS_KEYFILE if (eldap_cert_key != NULL) { - ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key); + ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key); } #endif #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE if (eldap_cipher_suite != NULL) { - ldap_set_option(ld, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite); + ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite); } #endif #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT 
@@ -508,8 +519,26 @@ if (lcp == NULL) { cert_option = LDAP_OPT_X_TLS_TRY; } - /* Use NULL ldap handle because is a global option */ - ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option); + /* This ldap handle is set at compile time based on client libs. Older + * versions want it to be global and newer versions can force a reload + * of the TLS context (to reload these settings we are changing from the + * default that loaded at instantiation). */ + rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option); + if (rc) + { + DEBUG(D_lookup) + debug_printf("Unable to set TLS require cert_option(%d) globally: %s\n", + cert_option, ldap_err2string(rc)); + } + } + #endif + #ifdef LDAP_OPT_X_TLS_NEWCTX + rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server); + if (rc) + { + DEBUG(D_lookup) + debug_printf("Unable to reload TLS context %d: %s\n", + rc, ldap_err2string(rc)); } #endif @@ -1104,6 +1133,7 @@ uschar *url = ldap_url; uschar *p; uschar *user = NULL; uschar *password = NULL; +uschar *local_servers = NULL; uschar *server, *list; uschar buffer[512]; @@ -1132,6 +1162,7 @@ while (strncmpic(url, US"ldap", 4) != 0) else if (strncmpic(name, US"TIME=", namelen) == 0) timelimit = Uatoi(value); else if (strncmpic(name, US"CONNECT=", namelen) == 0) tcplimit = Uatoi(value); else if (strncmpic(name, US"NETTIME=", namelen) == 0) tcplimit = Uatoi(value); + else if (strncmpic(name, US"SERVERS=", namelen) == 0) local_servers = value; /* Don't know if all LDAP libraries have LDAP_OPT_DEREF */ 
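Review bot: in the LDAP TLS setup (hunk @@ -508,8 +519,26 @@), a failure of ldap_set_option() for LDAP_OPT_X_TLS_REQUIRE_CERT, and of the LDAP_OPT_X_TLS_NEWCTX reload, is reported only under DEBUG(D_lookup), after which the connection proceeds with whatever certificate policy the library had. Where the administrator asked for certificate checking, that fails open without a trace in the main log. Write the error with log_write() and fail the lookup. The debug text also says "globally" although the handle may now be the per-connection ldsetctx.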
@@ -1259,16 +1290,16 @@ if (Ustrncmp(p, "://", 3) != 0) /* No default servers, or URL contains a server name: just one attempt */ -if (eldap_default_servers == NULL || p[3] != '/') +if ((eldap_default_servers == NULL && local_servers == NULL) || p[3] != '/') { return perform_ldap_search(url, NULL, 0, search_type, res, errmsg, &defer_break, user, password, sizelimit, timelimit, tcplimit, dereference, referrals); } -/* Loop through the default servers until OK or FAIL */ - -list = eldap_default_servers; +/* Loop through the default servers until OK or FAIL. Use local_servers list + * if defined in the lookup, otherwise use the global default list */ +list = (local_servers == NULL) ? eldap_default_servers : local_servers; while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL) { int rc; @@ -1367,7 +1398,8 @@ while ((lcp = ldap_connections) != NULL) { DEBUG(D_lookup) debug_printf("unbind LDAP connection to %s:%d\n", lcp->host, lcp->port); - ldap_unbind(lcp->ld); + if(lcp->bound == TRUE) + ldap_unbind(lcp->ld); ldap_connections = lcp->next; } } diff --git a/src/src/macros.h b/src/src/macros.h index a73bb0ba6..b7dd337e4 100644 --- a/src/src/macros.h +++ b/src/src/macros.h @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ @@ -177,6 +177,14 @@ record. */ #define WAIT_NAME_MAX 50 +/* Wait this long before determining that a Proxy Protocol configured +host isn't speaking the protocol, and so is disallowed. Can be moved to +runtime configuration if per site settings become needed. */ +#ifdef EXPERIMENTAL_PROXY +#define PROXY_NEGOTIATION_TIMEOUT_SEC 3 +#define PROXY_NEGOTIATION_TIMEOUT_USEC 0 +#endif + /* Fixed option values for all PCRE functions */ #define PCRE_COPT 0 /* compile */ 
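Review bot: in the connection tidy-up loop (hunk @@ -1367,7 +1398,8 @@), skipping ldap_unbind() when lcp->bound is not TRUE means the handle in lcp->ld is never released for connections that were opened but not bound, since ldap_unbind() is also the call that frees the handle. If the guard exists to avoid a fault in a particular client library, say which one in a comment and release the handle some other way in that case.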
@@ -414,6 +422,7 @@ set all the bits in a multi-word selector. */ #define LX_unknown_in_list 0x81000000 #define LX_8bitmime 0x82000000 #define LX_smtp_mailauth 0x84000000 +#define LX_proxy 0x88000000 #define L_default (L_connection_reject | \ L_delay_delivery | \ @@ -481,6 +490,7 @@ to conflict with system errno values. */ #define ERRNO_RCPT4XX (-44) /* RCPT gave 4xx error */ #define ERRNO_MAIL4XX (-45) /* MAIL gave 4xx error */ #define ERRNO_DATA4XX (-46) /* DATA gave 4xx error */ +#define ERRNO_PROXYFAIL (-47) /* Negotiation failed for proxy configured host */ /* These must be last, so all retry deferments can easily be identified */ @@ -778,6 +788,29 @@ enum { #define topt_no_body 0x040 /* Omit body */ #define topt_escape_headers 0x080 /* Apply escape check to headers */ +#ifdef EXPERIMENTAL_DSN +/* Flags for recipient_block, used in DSN support */ + +#define rf_dsnlasthop 0x01 /* Do not propagate DSN any further */ +#define rf_notify_never 0x02 /* NOTIFY= settings */ +#define rf_notify_success 0x04 +#define rf_notify_failure 0x08 +#define rf_notify_delay 0x10 + +#define rf_dsnflags (rf_notify_never | rf_notify_success | \ + rf_notify_failure | rf_notify_delay) + +/* DSN RET types */ + +#define dsn_ret_full 1 +#define dsn_ret_hdrs 2 + +#define dsn_support_unknown 0 +#define dsn_support_yes 1 +#define dsn_support_no 2 + +#endif + /* Codes for the host_find_failed and host_all_ignored options. */ #define hff_freeze 0 @@ -816,7 +849,7 @@ enum { ACL_WHERE_RCPT, /* Some controls are for RCPT only */ ACL_WHERE_MIME, /* ) implemented by <= WHERE_NOTSMTP */ ACL_WHERE_DKIM, /* ) */ ACL_WHERE_DATA, /* ) */ -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR ACL_WHERE_PRDR, /* ) */ #endif ACL_WHERE_NOTSMTP, /* ) */ diff --git a/src/src/malware.c b/src/src/malware.c index 3660476d2..7685554ae 100644 --- a/src/src/malware.c +++ b/src/src/malware.c 
@@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) Tom Kistner 2003-???? */ +/* Copyright (c) Tom Kistner 2003-2014 */ /* License: GPL */ /* Code for calling virus (malware) scanners. Called from acl.c. */ @@ -10,6 +10,30 @@ #include "exim.h" #ifdef WITH_CONTENT_SCAN +typedef enum {M_FPROTD, M_DRWEB, M_AVES, M_FSEC, M_KAVD, M_CMDL, + M_SOPHIE, M_CLAMD, M_SOCK, M_MKSD} scanner_t; +typedef enum {MC_NONE, MC_TCP, MC_UNIX, MC_STRM} contype_t; +static struct scan +{ + scanner_t scancode; + const uschar * name; + const uschar * options_default; + contype_t conn; +} m_scans[] = +{ + { M_FPROTD, US"f-protd", US"localhost 10200-10204", MC_TCP }, + { M_DRWEB, US"drweb", US"/usr/local/drweb/run/drwebd.sock", MC_STRM }, + { M_AVES, US"aveserver", US"/var/run/aveserver", MC_UNIX }, + { M_FSEC, US"fsecure", US"/var/run/.fsav", MC_UNIX }, + { M_KAVD, US"kavdaemon", US"/var/run/AvpCtl", MC_UNIX }, + { M_CMDL, US"cmdline", NULL, MC_NONE }, + { M_SOPHIE, US"sophie", US"/var/run/sophie", MC_UNIX }, + { M_CLAMD, US"clamd", US"/tmp/clamd", MC_NONE }, + { M_SOCK, US"sock", US"/tmp/malware.sock", MC_STRM }, + { M_MKSD, US"mksd", NULL, MC_NONE }, + { -1, NULL, NULL, MC_NONE } /* end-marker */ +}; + /* The maximum number of clamd servers that are supported in the configuration */ #define MAX_CLAMD_SERVERS 32 #define MAX_CLAMD_SERVERS_S "32" 
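Review bot: in the m_scans table (hunk @@ -10,6 +10,30 @@), the default endpoints for clamd (/tmp/clamd) and sock (/tmp/malware.sock) sit in a world-writable directory, so on a host where the scanner has not created its socket, another local account can create that path first and supply the scan verdict. Prefer defaults under a root-owned directory such as /var/run, as the aveserver, fsecure, kavdaemon and sophie entries already use. Separately, the end-marker's scancode of -1 is not a scanner_t value; terminating on name == NULL avoids the out-of-range enum.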
@@ -18,17 +42,16 @@ #define MAX_CLAMD_ADDRESS_LENGTH_S "64" typedef struct clamd_address_container { - uschar tcp_addr[MAX_CLAMD_ADDRESS_LENGTH]; + uschar tcp_addr[MAX_CLAMD_ADDRESS_LENGTH+1]; unsigned int tcp_port; } clamd_address_container; /* declaration of private routines */ -static int mksd_scan_packed(int sock, uschar *scan_filename); +static int mksd_scan_packed(struct scan * scanent, int sock, uschar *scan_filename); static int malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking); -/* SHUT_WR seems to be undefined on Unixware? */ -#ifndef SHUT_WR -#define SHUT_WR 1 +#ifndef nelements +# define nelements(arr) (sizeof(arr) / sizeof(arr[0])) #endif @@ -44,20 +67,21 @@ static int malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) #define DERR_TIMEOUT (1<<9) /* scan timeout has run out */ #define DERR_BAD_CALL (1<<15) /* wrong command */ -/* Routine to check whether a system is big- or litte-endian. +/* Routine to check whether a system is big- or little-endian. Ripped from http://www.faqs.org/faqs/graphics/fileformats-faq/part4/section-7.html Needed for proper kavdaemon implementation. Sigh. */ #define BIG_MY_ENDIAN 0 #define LITTLE_MY_ENDIAN 1 -int test_byte_order(void); -int test_byte_order() { - short int word = 0x0001; - char *byte = (char *) &word; - return(byte[0] ? LITTLE_MY_ENDIAN : BIG_MY_ENDIAN); +static int test_byte_order(void); +static inline int +test_byte_order() +{ + short int word = 0x0001; + char *byte = (char *) &word; + return(byte[0] ? LITTLE_MY_ENDIAN : BIG_MY_ENDIAN); } -uschar malware_name_buffer[256]; -int malware_ok = 0; +BOOL malware_ok = FALSE; /* Gross hacks for the -bmalware option; perhaps we should just create the scan directory normally for that case, but look into rigging up the 
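Review bot: the first hunk here (@@ -18,17 +42,16 @@) removes the fallback definition of SHUT_WR, which the deleted comment says was needed because the macro seemed to be undefined on Unixware. If any shutdown(..., SHUT_WR) call remains in malware.c, the build breaks on such platforms; confirm that none does, or keep the #ifndef guard alongside the new nelements macro. In the next hunk, the prototype static int test_byte_order(void) and the definition static inline int test_byte_order() disagree on both inline and the parameter list; make them match, or drop the separate prototype.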
@@ -78,21 +102,14 @@ Arguments: Returns: Exim message processing code (OK, FAIL, DEFER, ...) where true means malware was found (condition applies) */ -int malware(uschar **listptr) { - uschar scan_filename[1024]; - BOOL fits; +int +malware(uschar **listptr) +{ + uschar * scan_filename; int ret; - fits = string_format(scan_filename, sizeof(scan_filename), - CS"%s/scan/%s/%s.eml", spool_directory, message_id, message_id); - if (!fits) - { - av_failed = TRUE; - log_write(0, LOG_MAIN|LOG_PANIC, - "malware filename does not fit in buffer [malware()]"); - return DEFER; - } - + scan_filename = string_sprintf("%s/scan/%s/%s.eml", + spool_directory, message_id, message_id); ret = malware_internal(listptr, scan_filename, FALSE); if (ret == DEFER) av_failed = TRUE; @@ -116,7 +133,8 @@ Returns: Exim message processing code (OK, FAIL, DEFER, ...) where true means malware was found (condition applies) */ int -malware_in_file(uschar *eml_filename) { +malware_in_file(uschar *eml_filename) +{ uschar *scan_options[2]; uschar message_id_buf[64]; int ret; 
@@ -150,6 +168,142 @@ malware_in_file(uschar *eml_filename) { } +static inline int +malware_errlog_defer(const uschar * str) +{ + log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: %s", str); + return DEFER; +} + +static int +m_errlog_defer(struct scan * scanent, const uschar * str) +{ + return malware_errlog_defer(string_sprintf("%s: %s", scanent->name, str)); +} +static int +m_errlog_defer_3(struct scan * scanent, const uschar * str, + int fd_to_close) +{ + (void) close(fd_to_close); + return m_errlog_defer(scanent, str); +} + +/*************************************************/ + +/* Only used by the Clamav code, which is working from a list of servers and +uses the returned in_addr to get a second connection to the same system. +*/ +static inline int +m_tcpsocket(const uschar * hostname, unsigned int port, + host_item * host, uschar ** errstr) +{ + return ip_connectedsocket(SOCK_STREAM, hostname, port, port, 5, host, errstr); +} + +static int +m_tcpsocket_fromdef(const uschar * hostport, uschar ** errstr) +{ + int scan; + uschar hostname[256]; + unsigned int portlow, porthigh; + + /* extract host and port part */ + scan = sscanf(CS hostport, "%255s %u-%u", hostname, &portlow, &porthigh); + if ( scan != 3 ) { + if ( scan != 2 ) { + *errstr = string_sprintf("invalid socket '%s'", hostport); + return -1; + } + porthigh = portlow; + } + + return ip_connectedsocket(SOCK_STREAM, hostname, portlow, porthigh, + 5, NULL, errstr); +} + +static int +m_unixsocket(const uschar * path, uschar ** errstr) +{ + int sock; + struct sockaddr_un server; + + if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) { + *errstr = US"can't open UNIX socket."; + return -1; + } + + server.sun_family = AF_UNIX; + Ustrncpy(server.sun_path, path, sizeof(server.sun_path)-1); + server.sun_path[sizeof(server.sun_path)-1] = '\0'; + if (connect(sock, (struct sockaddr *) &server, sizeof(server)) < 0) { + int err = errno; + (void)close(sock); + *errstr = string_sprintf("unable to connect to UNIX 
socket (%s): %s", + path, strerror(err)); + return -1; + } + return sock; +} + +static inline int +m_streamsocket(const uschar * spec, uschar ** errstr) +{ + return *spec == '/' + ? m_unixsocket(spec, errstr) : m_tcpsocket_fromdef(spec, errstr); +} + +static int +m_sock_send(int sock, uschar * buf, int cnt, uschar ** errstr) +{ + if (send(sock, buf, cnt, 0) < 0) { + int err = errno; + (void)close(sock); + *errstr = string_sprintf("unable to send to socket (%s): %s", + buf, strerror(err)); + return -1; + } + return sock; +} + +static const pcre * +m_pcre_compile(const uschar * re, uschar ** errstr) +{ + const uschar * rerror; + int roffset; + const pcre * cre; + + cre = pcre_compile(CS re, PCRE_COPT, (const char **)&rerror, &roffset, NULL); + if (!cre) + *errstr= string_sprintf("regular expression error in '%s': %s at offset %d", + re, rerror, roffset); + return cre; +} + +uschar * +m_pcre_exec(const pcre * cre, uschar * text) +{ + int ovector[10*3]; + int i = pcre_exec(cre, NULL, CS text, Ustrlen(text), 0, 0, + ovector, nelements(ovector)); + uschar * substr = NULL; + if (i >= 2) /* Got it */ + pcre_get_substring(CS text, ovector, i, 1, (const char **) &substr); + return substr; +} + +static const pcre * +m_pcre_nextinlist(uschar ** list, int * sep, char * listerr, uschar ** errstr) +{ + const uschar * list_ele; + const pcre * cre = NULL; + + if (!(list_ele = string_nextinlist(list, sep, NULL, 0))) + *errstr = US listerr; + else + cre = m_pcre_compile(CUS list_ele, errstr); + return cre; +} + /************************************************* * Scan content for malware * *************************************************/ 
@@ -165,1728 +319,1217 @@ Arguments: Returns: Exim message processing code (OK, FAIL, DEFER, ...) where true means malware was found (condition applies) */ -static int malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) { +static int +malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) +{ int sep = 0; uschar *list = *listptr; uschar *av_scanner_work = av_scanner; uschar *scanner_name; - uschar scanner_name_buffer[16]; uschar *malware_regex; - uschar malware_regex_buffer[64]; uschar malware_regex_default[] = ".+"; unsigned long mbox_size; FILE *mbox_file; - int roffset; const pcre *re; - const uschar *rerror; + uschar * errstr; + struct scan * scanent; + const uschar * scanner_options; + int sock = -1; /* make sure the eml mbox file is spooled up */ - mbox_file = spool_mbox(&mbox_size, faking ? eml_filename : NULL); - if (mbox_file == NULL) { - /* error while spooling */ - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: error while creating mbox spool file"); - return DEFER; - }; + if (!(mbox_file = spool_mbox(&mbox_size, faking ? 
eml_filename : NULL))) + return malware_errlog_defer(US"error while creating mbox spool file"); + /* none of our current scanners need the mbox file as a stream, so we can close it right away */ (void)fclose(mbox_file); /* extract the malware regex to match against from the option list */ - if ((malware_regex = string_nextinlist(&list, &sep, - malware_regex_buffer, - sizeof(malware_regex_buffer))) != NULL) { + if (!(malware_regex = string_nextinlist(&list, &sep, NULL, 0))) + return FAIL; /* empty means "don't match anything" */ - /* parse 1st option */ + /* parse 1st option */ if ( (strcmpic(malware_regex,US"false") == 0) || - (Ustrcmp(malware_regex,"0") == 0) ) { - /* explicitly no matching */ - return FAIL; - }; - - /* special cases (match anything except empty) */ - if ( (strcmpic(malware_regex,US"true") == 0) || - (Ustrcmp(malware_regex,"*") == 0) || - (Ustrcmp(malware_regex,"1") == 0) ) { - malware_regex = malware_regex_default; - }; - } - else { - /* empty means "don't match anything" */ - return FAIL; - }; + (Ustrcmp(malware_regex,"0") == 0) ) + return FAIL; /* explicitly no matching */ + + /* special cases (match anything except empty) */ + if ( (strcmpic(malware_regex,US"true") == 0) || + (Ustrcmp(malware_regex,"*") == 0) || + (Ustrcmp(malware_regex,"1") == 0) ) + malware_regex = malware_regex_default; /* Reset sep that is set by previous string_nextinlist() call */ sep = 0; /* compile the regex, see if it works */ - re = pcre_compile(CS malware_regex, PCRE_COPT, (const char **)&rerror, &roffset, NULL); - if (re == NULL) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: regular expression error in '%s': %s at offset %d", malware_regex, rerror, roffset); - return DEFER; - }; + if (!(re = m_pcre_compile(malware_regex, &errstr))) + return malware_errlog_defer(errstr); /* if av_scanner starts with a dollar, expand it first */ if (*av_scanner == '$') { - av_scanner_work = expand_string(av_scanner); - if (av_scanner_work == NULL) { - log_write(0, 
LOG_MAIN|LOG_PANIC, - "malware acl condition: av_scanner starts with $, but expansion failed: %s", expand_string_message); - return DEFER; - } - else { - debug_printf("Expanded av_scanner global: %s\n", av_scanner_work); - /* disable result caching in this case */ - malware_name = NULL; - malware_ok = 0; - }; + if (!(av_scanner_work = expand_string(av_scanner))) + return malware_errlog_defer( + string_sprintf("av_scanner starts with $, but expansion failed: %s", + expand_string_message)); + + debug_printf("Expanded av_scanner global: %s\n", av_scanner_work); + /* disable result caching in this case */ + malware_name = NULL; + malware_ok = FALSE; } - /* Do not scan twice. */ - if (malware_ok == 0) { + /* Do not scan twice (unless av_scanner is dynamic). */ + if (!malware_ok) { /* find the scanner type from the av_scanner option */ - if ((scanner_name = string_nextinlist(&av_scanner_work, &sep, - scanner_name_buffer, - sizeof(scanner_name_buffer))) == NULL) { - /* no scanner given */ - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: av_scanner configuration variable is empty"); - return DEFER; - }; - - /* "f-protd" scanner type ----------------------------------------------- */ - if (strcmpic(scanner_name, US"f-protd") == 0) { - uschar *fp_options, *fp_scan_option; - uschar fp_scan_option_buffer[1024]; - uschar fp_options_buffer[1024]; - uschar fp_options_default[] = "localhost 10200-10204"; - uschar hostname[256]; - unsigned int port, portlow, porthigh, connect_ok=0, detected=0, par_count = 0; - struct hostent *he; - struct in_addr in; - int sock; - uschar scanrequest[2048], buf[32768], *strhelper, *strhelper2; - - if ((fp_options = string_nextinlist(&av_scanner_work, &sep, - fp_options_buffer, sizeof(fp_options_buffer))) == NULL) { - /* no options supplied, use default options */ - fp_options = fp_options_default; - }; - - /* extract host and port part */ - if ( sscanf(CS fp_options, "%s %u-%u", hostname, &portlow, &porthigh) != 3 ) { - if ( sscanf(CS 
fp_options, "%s %u", hostname, &portlow) != 2 ) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: f-protd: invalid socket '%s'", fp_options); - return DEFER; - } - porthigh = portlow; - } - - /* Lookup the host */ - if((he = gethostbyname(CS hostname)) == 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: f-protd: failed to lookup host '%s'", hostname); - return DEFER; - } - - in = *(struct in_addr *) he->h_addr_list[0]; - port = portlow; - - - /* Open the f-protd TCP socket */ - if ( (sock = ip_socket(SOCK_STREAM, AF_INET)) < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: f-protd: unable to acquire socket (%s)", - strerror(errno)); - return DEFER; - } - - /* Try to connect to all portslow-high until connection is established */ - for (port = portlow; !connect_ok && port < porthigh; port++) { - if (ip_connect(sock, AF_INET, (uschar*)inet_ntoa(in), port, 5) >= 0) { - connect_ok = 1; - } - } - - if ( !connect_ok ) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: f-protd: connection to %s, port %u-%u failed (%s)", - inet_ntoa(in), portlow, porthigh, strerror(errno)); - (void)close(sock); - return DEFER; - } - - DEBUG(D_acl) debug_printf("Malware scan: issuing %s GET\n", scanner_name); - (void)string_format(scanrequest, 1024, CS"GET %s", eml_filename); - - while ((fp_scan_option = string_nextinlist(&av_scanner_work, &sep, - fp_scan_option_buffer, sizeof(fp_scan_option_buffer))) != NULL) { - if ( par_count ) { - Ustrcat(scanrequest, "%20"); - } else { - Ustrcat(scanrequest, "?"); - } - Ustrcat(scanrequest, fp_scan_option); - par_count++; - } - Ustrcat(scanrequest, " HTTP/1.0\r\n\r\n"); - - /* send scan request */ - if (send(sock, &scanrequest, Ustrlen(scanrequest)+1, 0) < 0) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: f-protd: unable to send command to socket (%s)", scanrequest); - return DEFER; - } - - /* We get a lot of empty lines, so we need this hack to check for 
any data at all */ - while( recv(sock, buf, 1, MSG_PEEK) > 0 ) { - if ( recv_line(sock, buf, 32768) > 0) { - if ( Ustrstr(buf, US"")) ) { - if ((strhelper2 = Ustrstr(buf, US"")) != NULL) { - *strhelper2 = '\0'; - Ustrcpy(malware_name_buffer, strhelper + 6); - } - } else if ( Ustrstr(buf, US"") ) { - malware_name = malware_name_buffer; - } else { - malware_name = NULL; - } - } - } - } - (void)close(sock); - } - /* "drweb" scanner type ----------------------------------------------- */ - /* v0.1 - added support for tcp sockets */ - /* v0.0 - initial release -- support for unix sockets */ - else if (strcmpic(scanner_name,US"drweb") == 0) { - uschar *drweb_options; - uschar drweb_options_buffer[1024]; - uschar drweb_options_default[] = "/usr/local/drweb/run/drwebd.sock"; - struct sockaddr_un server; - int sock, result, ovector[30]; - unsigned int port, fsize; - uschar tmpbuf[1024], *drweb_fbuf; - uschar drweb_match_string[128]; - int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd, - drweb_vnum, drweb_slen, drweb_fin = 0x0000; - unsigned long bread; - uschar hostname[256]; - struct hostent *he; - struct in_addr in; - pcre *drweb_re; - - if ((drweb_options = string_nextinlist(&av_scanner_work, &sep, - drweb_options_buffer, sizeof(drweb_options_buffer))) == NULL) { - /* no options supplied, use default options */ - drweb_options = drweb_options_default; - }; - - if (*drweb_options != '/') { - - /* extract host and port part */ - if( sscanf(CS drweb_options, "%s %u", hostname, &port) != 2 ) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: invalid socket '%s'", drweb_options); - return DEFER; - } - - /* Lookup the host */ - if((he = gethostbyname(CS hostname)) == 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: failed to lookup host '%s'", hostname); - return DEFER; - } - - in = *(struct in_addr *) he->h_addr_list[0]; - - /* Open the drwebd TCP socket */ - if ( (sock = ip_socket(SOCK_STREAM, AF_INET)) < 0) { - log_write(0, 
LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: unable to acquire socket (%s)", - strerror(errno)); - return DEFER; - } - - if (ip_connect(sock, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: connection to %s, port %u failed (%s)", - inet_ntoa(in), port, strerror(errno)); - return DEFER; - } - - /* prepare variables */ - drweb_cmd = htonl(DRWEBD_SCAN_CMD); - drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL); - - /* calc file size */ - drweb_fd = open(CS eml_filename, O_RDONLY); - if (drweb_fd == -1) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: can't open spool file %s: %s", - eml_filename, strerror(errno)); - return DEFER; - } - fsize = lseek(drweb_fd, 0, SEEK_END); - if (fsize == -1) { - (void)close(sock); - (void)close(drweb_fd); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: can't seek spool file %s: %s", - eml_filename, strerror(errno)); - return DEFER; - } - drweb_slen = htonl(fsize); - lseek(drweb_fd, 0, SEEK_SET); - - DEBUG(D_acl) debug_printf("Malware scan: issuing %s remote scan [%s %u]\n", - scanner_name, hostname, port); - - /* send scan request */ - if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) || - (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) || - (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) || - (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0)) { - (void)close(sock); - (void)close(drweb_fd); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: unable to send commands to socket (%s)", drweb_options); - return DEFER; - } - - drweb_fbuf = (uschar *) malloc (fsize); - if (!drweb_fbuf) { - (void)close(sock); - (void)close(drweb_fd); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: unable to allocate memory %u for file (%s)", - fsize, eml_filename); - return DEFER; - } - - result = read (drweb_fd, drweb_fbuf, fsize); - if 
(result == -1) { - (void)close(sock); - (void)close(drweb_fd); - free(drweb_fbuf); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: can't read spool file %s: %s", - eml_filename, strerror(errno)); - return DEFER; - } - (void)close(drweb_fd); - - /* send file body to socket */ - if (send(sock, drweb_fbuf, fsize, 0) < 0) { - (void)close(sock); - free(drweb_fbuf); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: unable to send file body to socket (%s)", drweb_options); - return DEFER; - } - (void)close(drweb_fd); - } - else { - /* open the drwebd UNIX socket */ - sock = socket(AF_UNIX, SOCK_STREAM, 0); - if (sock < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: can't open UNIX socket"); - return DEFER; - } - server.sun_family = AF_UNIX; - Ustrcpy(server.sun_path, drweb_options); - if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: unable to connect to socket (%s). 
errno=%d", drweb_options, errno); - return DEFER; - } - - /* prepare variables */ - drweb_cmd = htonl(DRWEBD_SCAN_CMD); - drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL); - drweb_slen = htonl(Ustrlen(eml_filename)); - - DEBUG(D_acl) debug_printf("Malware scan: issuing %s local scan [%s]\n", - scanner_name, drweb_options); - - /* send scan request */ - if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) || - (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) || - (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) || - (send(sock, eml_filename, Ustrlen(eml_filename), 0) < 0) || - (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0)) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: unable to send commands to socket (%s)", drweb_options); - return DEFER; - } - } - - /* wait for result */ - if ((bread = recv(sock, &drweb_rc, sizeof(drweb_rc), 0) != sizeof(drweb_rc))) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: unable to read return code"); - return DEFER; - } - drweb_rc = ntohl(drweb_rc); - - if ((bread = recv(sock, &drweb_vnum, sizeof(drweb_vnum), 0) != sizeof(drweb_vnum))) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: unable to read the number of viruses"); - return DEFER; - } - drweb_vnum = ntohl(drweb_vnum); - - /* "virus(es) found" if virus number is > 0 */ - if (drweb_vnum) - { - int i; - uschar pre_malware_nb[256]; - - malware_name = malware_name_buffer; - - /* setup default virus name */ - Ustrcpy(malware_name_buffer,"unknown"); - - /* read and concatenate virus names into one string */ - for (i=0;iname) + return malware_errlog_defer(string_sprintf("unknown scanner type '%s'", + scanner_name)); + if (strcmpic(scanner_name, US scanent->name) != 0) + continue; + if (!(scanner_options = string_nextinlist(&av_scanner_work, &sep, NULL, 0))) + scanner_options = scanent->options_default; + if (scanent->conn == MC_NONE) 
+ break; + switch(scanent->conn) { - /* read the size of report */ - if ((bread = recv(sock, &drweb_slen, sizeof(drweb_slen), 0) != sizeof(drweb_slen))) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: cannot read report size"); - return DEFER; - }; - drweb_slen = ntohl(drweb_slen); - - /* read report body */ - if ((bread = recv(sock, tmpbuf, drweb_slen, 0)) != drweb_slen) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: cannot read report string"); - return DEFER; - }; - tmpbuf[drweb_slen] = '\0'; - - /* set up match regex, depends on retcode */ - Ustrcpy(drweb_match_string, "infected\\swith\\s*(.+?)$"); - - drweb_re = pcre_compile( CS drweb_match_string, - PCRE_COPT, - (const char **)&rerror, - &roffset, - NULL ); - - /* try matcher on the line, grab substring */ - result = pcre_exec(drweb_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), 0, 0, ovector, 30); - if (result >= 2) { - pcre_copy_substring(CS tmpbuf, ovector, result, 1, CS pre_malware_nb, 255); - } - /* the first name we just copy to malware_name */ - if (i==0) - Ustrcpy(CS malware_name_buffer, CS pre_malware_nb); - else { - /* concatenate each new virus name to previous */ - int slen = Ustrlen(malware_name_buffer); - if (slen < (slen+Ustrlen(pre_malware_nb))) { - Ustrcat(malware_name_buffer, "/"); - Ustrcat(malware_name_buffer, pre_malware_nb); - } - } + case MC_TCP: sock = m_tcpsocket_fromdef(scanner_options, &errstr); break; + case MC_UNIX: sock = m_unixsocket(scanner_options, &errstr); break; + case MC_STRM: sock = m_streamsocket(scanner_options, &errstr); break; + default: /* compiler quietening */ break; } + if (sock < 0) + return m_errlog_defer(scanent, errstr); + break; } - else { - const char *drweb_s = NULL; - - if (drweb_rc & DERR_READ_ERR) drweb_s = "read error"; - if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory"; - if (drweb_rc & DERR_TIMEOUT) drweb_s = "timeout"; - if (drweb_rc & DERR_BAD_CALL) drweb_s = "wrong 
command"; - /* retcodes DERR_SYMLINK, DERR_NO_REGFILE, DERR_SKIPPED. - * DERR_TOO_BIG, DERR_TOO_COMPRESSED, DERR_SPAM, - * DERR_CRC_ERROR, DERR_READSOCKET, DERR_WRITE_ERR - * and others are ignored */ - if (drweb_s) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s); - (void)close(sock); - return DEFER; - } - /* no virus found */ - malware_name = NULL; - }; - (void)close(sock); - } - /* ----------------------------------------------------------------------- */ - else if (strcmpic(scanner_name,US"aveserver") == 0) { - uschar *kav_options; - uschar kav_options_buffer[1024]; - uschar kav_options_default[] = "/var/run/aveserver"; - uschar buf[32768]; - struct sockaddr_un server; - int sock; - int result; - - if ((kav_options = string_nextinlist(&av_scanner_work, &sep, - kav_options_buffer, - sizeof(kav_options_buffer))) == NULL) { - /* no options supplied, use default options */ - kav_options = kav_options_default; - }; - - /* open the aveserver socket */ - sock = socket(AF_UNIX, SOCK_STREAM, 0); - if (sock < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: can't open UNIX socket."); - return DEFER; - } - server.sun_family = AF_UNIX; - Ustrcpy(server.sun_path, kav_options); - if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to connect to aveserver UNIX socket (%s). errno=%d", kav_options, errno); - return DEFER; - } - - /* read aveserver's greeting and see if it is ready (2xx greeting) */ - recv_line(sock, buf, 32768); - - if (buf[0] != '2') { - /* aveserver is having problems */ - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: aveserver is unavailable (Responded: %s).", ((buf[0] != 0) ? 
buf : (uschar *)"nothing") ); - return DEFER; - }; + DEBUG(D_lookup) debug_printf("Malware scan: %s\n", scanner_name); - /* prepare our command */ - (void)string_format(buf, 32768, "SCAN bPQRSTUW %s\r\n", eml_filename); - - DEBUG(D_acl) debug_printf("Malware scan: issuing %s SCAN\n", scanner_name); - - /* and send it */ - if (send(sock, buf, Ustrlen(buf), 0) < 0) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to write to aveserver UNIX socket (%s)", kav_options); - return DEFER; - } - - malware_name = NULL; - result = 0; - /* read response lines, find malware name and final response */ - while (recv_line(sock, buf, 32768) > 0) { - debug_printf("aveserver: %s\n", buf); - if (buf[0] == '2') { - break; - } else if (buf[0] == '5') { - /* aveserver is having problems */ - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to scan file %s (Responded: %s).", - eml_filename, buf); - result = DEFER; - break; - } else if (Ustrncmp(buf,"322",3) == 0) { - uschar *p = Ustrchr(&buf[4],' '); - *p = '\0'; - Ustrcpy(malware_name_buffer,&buf[4]); - malware_name = malware_name_buffer; - }; - } - - /* prepare our command */ - (void)string_format(buf, 32768, "quit\r\n"); - - /* and send it */ - if (send(sock, buf, Ustrlen(buf), 0) < 0) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to write to aveserver UNIX socket (%s)", kav_options); - return DEFER; - } - - /* read aveserver's greeting and see if it is ready (2xx greeting) */ - recv_line(sock, buf, 32768); - - if (buf[0] != '2') { - /* aveserver is having problems */ - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to quit aveserver dialogue (Responded: %s).", ((buf[0] != 0) ? 
buf : (uschar *)"nothing") ); - return DEFER; - }; - - (void)close(sock); + switch (scanent->scancode) { + case M_FPROTD: /* "f-protd" scanner type -------------------------------- */ + { + uschar *fp_scan_option; + unsigned int detected=0, par_count=0; + uschar * scanrequest; + uschar buf[32768], *strhelper, *strhelper2; + uschar * malware_name_internal = NULL; + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s GET\n", scanner_name); + scanrequest = string_sprintf("GET %s", eml_filename); + + while ((fp_scan_option = string_nextinlist(&av_scanner_work, &sep, + NULL, 0))) { + scanrequest = string_sprintf("%s%s%s", scanrequest, + par_count ? "%20" : "?", fp_scan_option); + par_count++; + } + scanrequest = string_sprintf("%s HTTP/1.0\r\n\r\n", scanrequest); + + /* send scan request */ + if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0) + return m_errlog_defer(scanent, errstr); + + /* We get a lot of empty lines, so we need this hack to check for any data at all */ + while( recv(sock, buf, 1, MSG_PEEK) > 0 ) { + if ( recv_line(sock, buf, sizeof(buf)) > 0) { + if ( Ustrstr(buf, US"")) ) { + if ((strhelper2 = Ustrstr(buf, US"")) != NULL) { + *strhelper2 = '\0'; + malware_name_internal = string_copy(strhelper+6); + } + } else if ( Ustrstr(buf, US"") + ? 
malware_name_internal : NULL; + } + } + break; + } /* f-protd */ - if (result == DEFER) return DEFER; - } - /* "fsecure" scanner type ------------------------------------------------- */ - else if (strcmpic(scanner_name,US"fsecure") == 0) { - uschar *fsecure_options; - uschar fsecure_options_buffer[1024]; - uschar fsecure_options_default[] = "/var/run/.fsav"; - struct sockaddr_un server; - int sock, i, j, bread = 0; - uschar file_name[1024]; - uschar av_buffer[1024]; - pcre *fs_inf; - static uschar *cmdoptions[] = { US"CONFIGURE\tARCHIVE\t1\n", - US"CONFIGURE\tTIMEOUT\t0\n", - US"CONFIGURE\tMAXARCH\t5\n", - US"CONFIGURE\tMIME\t1\n" }; - - malware_name = NULL; - if ((fsecure_options = string_nextinlist(&av_scanner_work, &sep, - fsecure_options_buffer, - sizeof(fsecure_options_buffer))) == NULL) { - /* no options supplied, use default options */ - fsecure_options = fsecure_options_default; - }; - - /* open the fsecure socket */ - sock = socket(AF_UNIX, SOCK_STREAM, 0); - if (sock < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to open fsecure socket %s (%s)", - fsecure_options, strerror(errno)); - return DEFER; - } - server.sun_family = AF_UNIX; - Ustrcpy(server.sun_path, fsecure_options); - if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to connect to fsecure socket %s (%s)", - fsecure_options, strerror(errno)); - return DEFER; - } + case M_DRWEB: /* "drweb" scanner type ----------------------------------- */ + /* v0.1 - added support for tcp sockets */ + /* v0.0 - initial release -- support for unix sockets */ + { + int result; + unsigned int fsize; + uschar * tmpbuf, *drweb_fbuf; + int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd, + drweb_vnum, drweb_slen, drweb_fin = 0x0000; + unsigned long bread; + const pcre *drweb_re; + + /* prepare variables */ + drweb_cmd = htonl(DRWEBD_SCAN_CMD); + drweb_flags = 
htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL); + + if (*scanner_options != '/') { + + /* calc file size */ + if ((drweb_fd = open(CS eml_filename, O_RDONLY)) == -1) + return m_errlog_defer_3(scanent, + string_sprintf("can't open spool file %s: %s", + eml_filename, strerror(errno)), + sock); + + if ((fsize = lseek(drweb_fd, 0, SEEK_END)) == -1) { + int err = errno; + (void)close(drweb_fd); + return m_errlog_defer_3(scanent, + string_sprintf("can't seek spool file %s: %s", + eml_filename, strerror(err)), + sock); + } + drweb_slen = htonl(fsize); + lseek(drweb_fd, 0, SEEK_SET); + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s remote scan [%s]\n", + scanner_name, scanner_options); + + /* send scan request */ + if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) || + (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) || + (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) || + (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0)) { + (void)close(drweb_fd); + return m_errlog_defer_3(scanent, + string_sprintf("unable to send commands to socket (%s)", scanner_options), + sock); + } + + if (!(drweb_fbuf = (uschar *) malloc (fsize))) { + (void)close(drweb_fd); + return m_errlog_defer_3(scanent, + string_sprintf("unable to allocate memory %u for file (%s)", + fsize, eml_filename), + sock); + } + + if ((result = read (drweb_fd, drweb_fbuf, fsize)) == -1) { + int err = errno; + (void)close(drweb_fd); + free(drweb_fbuf); + return m_errlog_defer_3(scanent, + string_sprintf("can't read spool file %s: %s", + eml_filename, strerror(err)), + sock); + } + (void)close(drweb_fd); + + /* send file body to socket */ + if (send(sock, drweb_fbuf, fsize, 0) < 0) { + free(drweb_fbuf); + return m_errlog_defer_3(scanent, + string_sprintf("unable to send file body to socket (%s)", scanner_options), + sock); + } + (void)close(drweb_fd); + + } else { + + drweb_slen = htonl(Ustrlen(eml_filename)); + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s local scan [%s]\n", + 
scanner_name, scanner_options); + + /* send scan request */ + if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) || + (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) || + (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) || + (send(sock, eml_filename, Ustrlen(eml_filename), 0) < 0) || + (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0)) + return m_errlog_defer_3(scanent, + string_sprintf("unable to send commands to socket (%s)", scanner_options), + sock); + } - DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n", - scanner_name, fsecure_options); - - /* pass options */ - memset(av_buffer, 0, sizeof(av_buffer)); - for (i=0; i != 4; i++) { - /* debug_printf("send option \"%s\"",cmdoptions[i]); */ - if (write(sock, cmdoptions[i], Ustrlen(cmdoptions[i])) < 0) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to write fsecure option %d to %s (%s)", - i, fsecure_options, strerror(errno)); - return DEFER; - }; - - bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT); - if (bread >0) av_buffer[bread]='\0'; - if (bread < 0) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to read fsecure answer %d (%s)", i, strerror(errno)); - return DEFER; - }; - for (j=0;j= 2) { - /* Got it */ - pcre_copy_substring(CS av_buffer, ovector, i, 1, CS malware_name_buffer, 255); - malware_name = malware_name_buffer; - }; - }; - } - while (Ustrstr(av_buffer, "OK\tScan ok.") == NULL); - (void)close(sock); - } - /* ----------------------------------------------------------------------- */ - - /* "kavdaemon" scanner type ------------------------------------------------ */ - else if (strcmpic(scanner_name,US"kavdaemon") == 0) { - uschar *kav_options; - uschar kav_options_buffer[1024]; - uschar kav_options_default[] = "/var/run/AvpCtl"; - struct sockaddr_un server; - int sock; - time_t t; - uschar tmpbuf[1024]; - uschar scanrequest[1024]; - uschar kav_match_string[128]; - int 
kav_rc; - unsigned long kav_reportlen, bread; - pcre *kav_re; - uschar *p; - int fits; - - if ((kav_options = string_nextinlist(&av_scanner_work, &sep, - kav_options_buffer, - sizeof(kav_options_buffer))) == NULL) { - /* no options supplied, use default options */ - kav_options = kav_options_default; - }; - - /* open the kavdaemon socket */ - sock = socket(AF_UNIX, SOCK_STREAM, 0); - if (sock < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: can't open UNIX socket."); - return DEFER; - } - server.sun_family = AF_UNIX; - Ustrcpy(server.sun_path, kav_options); - if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to connect to kavdaemon UNIX socket (%s). errno=%d", kav_options, errno); - return DEFER; - } + /* wait for result */ + if ((bread = recv(sock, &drweb_rc, sizeof(drweb_rc), 0) != sizeof(drweb_rc))) + return m_errlog_defer_3(scanent, + US"unable to read return code", sock); + drweb_rc = ntohl(drweb_rc); + + if ((bread = recv(sock, &drweb_vnum, sizeof(drweb_vnum), 0) != sizeof(drweb_vnum))) + return m_errlog_defer_3(scanent, + US"unable to read the number of viruses", sock); + drweb_vnum = ntohl(drweb_vnum); + + /* "virus(es) found" if virus number is > 0 */ + if (drweb_vnum) { + int i; + + /* setup default virus name */ + malware_name = US"unknown"; + + /* set up match regex */ + drweb_re = m_pcre_compile(US"infected\\swith\\s*(.+?)$", &errstr); + + /* read and concatenate virus names into one string */ + for (i=0;i= 2) { + const char * pre_malware_nb; + + pcre_get_substring(CS tmpbuf, ovector, result, 1, &pre_malware_nb); + + if (i==0) /* the first name we just copy to malware_name */ + malware_name = string_append(NULL, &size, &off, + 1, pre_malware_nb); + + else /* concatenate each new virus name to previous */ + malware_name = string_append(malware_name, &size, &off, + 2, "/", pre_malware_nb); + + 
pcre_free_substring(pre_malware_nb); + } + } + } + else { + const char *drweb_s = NULL; + + if (drweb_rc & DERR_READ_ERR) drweb_s = "read error"; + if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory"; + if (drweb_rc & DERR_TIMEOUT) drweb_s = "timeout"; + if (drweb_rc & DERR_BAD_CALL) drweb_s = "wrong command"; + /* retcodes DERR_SYMLINK, DERR_NO_REGFILE, DERR_SKIPPED. + * DERR_TOO_BIG, DERR_TOO_COMPRESSED, DERR_SPAM, + * DERR_CRC_ERROR, DERR_READSOCKET, DERR_WRITE_ERR + * and others are ignored */ + if (drweb_s) + return m_errlog_defer_3(scanent, + string_sprintf("drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s), + sock); + + /* no virus found */ + malware_name = NULL; + } + break; + } /* drweb */ - /* get current date and time, build scan request */ - time(&t); - /* pdp note: before the eml_filename parameter, this scanned the - directory; not finding documentation, so we'll strip off the directory. - The side-effect is that the test framework scanning may end up in - scanning more than was requested, but for the normal interface, this is - fine. 
*/ - strftime(CS tmpbuf, sizeof(tmpbuf), "<0>%d %b %H:%M:%S:%%s", localtime(&t)); - fits = string_format(scanrequest, 1024,CS tmpbuf, eml_filename); - if (!fits) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware filename does not fit in buffer [malware_internal() kavdaemon]"); - } - p = Ustrrchr(scanrequest, '/'); - if (p) - *p = '\0'; + case M_AVES: /* "aveserver" scanner type -------------------------------- */ + { + uschar buf[32768]; + int result; - DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n", - scanner_name, kav_options); + /* read aveserver's greeting and see if it is ready (2xx greeting) */ + recv_line(sock, buf, sizeof(buf)); - /* send scan request */ - if (send(sock, scanrequest, Ustrlen(scanrequest)+1, 0) < 0) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to write to kavdaemon UNIX socket (%s)", kav_options); - return DEFER; - } + if (buf[0] != '2') /* aveserver is having problems */ + return m_errlog_defer_3(scanent, + string_sprintf("unavailable (Responded: %s).", + ((buf[0] != 0) ? 
buf : (uschar *)"nothing") ), + sock); - /* wait for result */ - if ((bread = recv(sock, tmpbuf, 2, 0) != 2)) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to read 2 bytes from kavdaemon socket."); - return DEFER; - } + /* prepare our command */ + (void)string_format(buf, sizeof(buf), "SCAN bPQRSTUW %s\r\n", + eml_filename); - /* get errorcode from one nibble */ - if (test_byte_order() == LITTLE_MY_ENDIAN) { - kav_rc = tmpbuf[0] & 0x0F; - } - else { - kav_rc = tmpbuf[1] & 0x0F; - }; - - /* improper kavdaemon configuration */ - if ( (kav_rc == 5) || (kav_rc == 6) ) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: please reconfigure kavdaemon to NOT disinfect or remove infected files."); - return DEFER; - }; - - if (kav_rc == 1) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: kavdaemon reported 'scanning not completed' (code 1)."); - return DEFER; - }; - - if (kav_rc == 7) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: kavdaemon reported 'kavdaemon damaged' (code 7)."); - return DEFER; - }; - - /* code 8 is not handled, since it is ambigous. 
It appears mostly on - bounces where part of a file has been cut off */ - - /* "virus found" return codes (2-4) */ - if ((kav_rc > 1) && (kav_rc < 5)) { - int report_flag = 0; - - /* setup default virus name */ - Ustrcpy(malware_name_buffer,"unknown"); - malware_name = malware_name_buffer; - - if (test_byte_order() == LITTLE_MY_ENDIAN) { - report_flag = tmpbuf[1]; - } - else { - report_flag = tmpbuf[0]; - }; - - /* read the report, if available */ - if( report_flag == 1 ) { - /* read report size */ - if ((bread = recv(sock, &kav_reportlen, 4, 0)) != 4) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: cannot read report size from kavdaemon"); - return DEFER; - }; - - /* it's possible that avp returns av_buffer[1] == 1 but the - reportsize is 0 (!?) */ - if (kav_reportlen > 0) { - /* set up match regex, depends on retcode */ - if( kav_rc == 3 ) - Ustrcpy(kav_match_string, "suspicion:\\s*(.+?)\\s*$"); - else - Ustrcpy(kav_match_string, "infected:\\s*(.+?)\\s*$"); - - kav_re = pcre_compile( CS kav_match_string, - PCRE_COPT, - (const char **)&rerror, - &roffset, - NULL ); - - /* read report, linewise */ - while (kav_reportlen > 0) { - int result = 0; - int ovector[30]; - - bread = 0; - while ( recv(sock, &tmpbuf[bread], 1, 0) == 1 ) { - kav_reportlen--; - if ( (tmpbuf[bread] == '\n') || (bread > 1021) ) break; - bread++; - }; - bread++; - tmpbuf[bread] = '\0'; - - /* try matcher on the line, grab substring */ - result = pcre_exec(kav_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), 0, 0, ovector, 30); - if (result >= 2) { - pcre_copy_substring(CS tmpbuf, ovector, result, 1, CS malware_name_buffer, 255); - break; - }; - }; - }; - }; - } - else { - /* no virus found */ - malware_name = NULL; - }; + DEBUG(D_acl) debug_printf("Malware scan: issuing %s SCAN\n", scanner_name); - (void)close(sock); - } - /* ----------------------------------------------------------------------- */ - - - /* "cmdline" scanner type 
------------------------------------------------ */ - else if (strcmpic(scanner_name,US"cmdline") == 0) { - uschar *cmdline_scanner; - uschar cmdline_scanner_buffer[1024]; - uschar *cmdline_trigger; - uschar cmdline_trigger_buffer[1024]; - const pcre *cmdline_trigger_re; - uschar *cmdline_regex; - uschar cmdline_regex_buffer[1024]; - const pcre *cmdline_regex_re; - uschar file_name[1024]; - uschar commandline[1024]; - void (*eximsigchld)(int); - void (*eximsigpipe)(int); - FILE *scanner_out = NULL; - FILE *scanner_record = NULL; - uschar linebuffer[32767]; - int trigger = 0; - int result; - int ovector[30]; - uschar *p; - BOOL fits; - - /* find scanner command line */ - if ((cmdline_scanner = string_nextinlist(&av_scanner_work, &sep, - cmdline_scanner_buffer, - sizeof(cmdline_scanner_buffer))) == NULL) { - /* no command line supplied */ - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: missing commandline specification for cmdline scanner type."); - return DEFER; - }; - - /* find scanner output trigger */ - if ((cmdline_trigger = string_nextinlist(&av_scanner_work, &sep, - cmdline_trigger_buffer, - sizeof(cmdline_trigger_buffer))) == NULL) { - /* no trigger regex supplied */ - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: missing trigger specification for cmdline scanner type."); - return DEFER; - }; - - /* precompile trigger regex */ - cmdline_trigger_re = pcre_compile(CS cmdline_trigger, PCRE_COPT, (const char **)&rerror, &roffset, NULL); - if (cmdline_trigger_re == NULL) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: regular expression error in '%s': %s at offset %d", cmdline_trigger, rerror, roffset); - return DEFER; - }; - - /* find scanner name regex */ - if ((cmdline_regex = string_nextinlist(&av_scanner_work, &sep, - cmdline_regex_buffer, - sizeof(cmdline_regex_buffer))) == NULL) { - /* no name regex supplied */ - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: missing virus name regex specification for 
cmdline scanner type."); - return DEFER; - }; - - /* precompile name regex */ - cmdline_regex_re = pcre_compile(CS cmdline_regex, PCRE_COPT, (const char **)&rerror, &roffset, NULL); - if (cmdline_regex_re == NULL) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: regular expression error in '%s': %s at offset %d", cmdline_regex, rerror, roffset); - return DEFER; - }; - - /* prepare scanner call; despite the naming, file_name holds a directory - name which is documented as the value given to %s. */ - if (Ustrlen(eml_filename) > sizeof(file_name) - 1) - { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware filename does not fit in buffer [malware_internal() cmdline]"); - return DEFER; - } - Ustrcpy(file_name, eml_filename); - p = Ustrrchr(file_name, '/'); - if (p) - *p = '\0'; - fits = string_format(commandline, sizeof(commandline), CS cmdline_scanner, file_name); - if (!fits) - { - log_write(0, LOG_MAIN|LOG_PANIC, - "cmdline scanner command-line does not fit in buffer"); - return DEFER; - } - - /* redirect STDERR too */ - if (Ustrlen(commandline) + 5 > sizeof(commandline)) - { - log_write(0, LOG_MAIN|LOG_PANIC, - "cmdline scanner command-line does not fit in buffer (STDERR redirect)"); - return DEFER; - } - Ustrcat(commandline," 2>&1"); - - DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n", scanner_name, commandline); - - /* store exims signal handlers */ - eximsigchld = signal(SIGCHLD,SIG_DFL); - eximsigpipe = signal(SIGPIPE,SIG_DFL); - - scanner_out = popen(CS commandline,"r"); - if (scanner_out == NULL) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: calling cmdline scanner (%s) failed: %s.", commandline, strerror(errno)); - signal(SIGCHLD,eximsigchld); - signal(SIGPIPE,eximsigpipe); - return DEFER; - }; - - (void)string_format(file_name,1024,"%s/scan/%s/%s_scanner_output", spool_directory, message_id, message_id); - scanner_record = modefopen(file_name,"wb",SPOOL_MODE); - - if (scanner_record == NULL) { - log_write(0, 
LOG_MAIN|LOG_PANIC, - "malware acl condition: opening scanner output file (%s) failed: %s.", file_name, strerror(errno)); - pclose(scanner_out); - signal(SIGCHLD,eximsigchld); - signal(SIGPIPE,eximsigpipe); - return DEFER; - }; - - /* look for trigger while recording output */ - while(fgets(CS linebuffer,32767,scanner_out) != NULL) { - if ( Ustrlen(linebuffer) > fwrite(linebuffer, 1, Ustrlen(linebuffer), scanner_record) ) { - /* short write */ - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: short write on scanner output file (%s).", file_name); - pclose(scanner_out); - signal(SIGCHLD,eximsigchld); - signal(SIGPIPE,eximsigpipe); - return DEFER; - }; - /* try trigger match */ - if (!trigger && regex_match_and_setup(cmdline_trigger_re, linebuffer, 0, -1)) - trigger = 1; - }; - - (void)fclose(scanner_record); - pclose(scanner_out); - signal(SIGCHLD,eximsigchld); - signal(SIGPIPE,eximsigpipe); - - if (trigger) { - /* setup default virus name */ - Ustrcpy(malware_name_buffer,"unknown"); - malware_name = malware_name_buffer; - - /* re-open the scanner output file, look for name match */ - scanner_record = fopen(CS file_name,"rb"); - while(fgets(CS linebuffer,32767,scanner_record) != NULL) { - /* try match */ - result = pcre_exec(cmdline_regex_re, NULL, CS linebuffer, Ustrlen(linebuffer), 0, 0, ovector, 30); - if (result >= 2) { - pcre_copy_substring(CS linebuffer, ovector, result, 1, CS malware_name_buffer, 255); - }; - }; - (void)fclose(scanner_record); - } - else { - /* no virus found */ - malware_name = NULL; - }; - } - /* ----------------------------------------------------------------------- */ - - - /* "sophie" scanner type ------------------------------------------------- */ - else if (strcmpic(scanner_name,US"sophie") == 0) { - uschar *sophie_options; - uschar sophie_options_buffer[1024]; - uschar sophie_options_default[] = "/var/run/sophie"; - int bread = 0; - struct sockaddr_un server; - int sock, len; - uschar *p; - uschar file_name[1024]; - uschar 
av_buffer[1024]; - - if ((sophie_options = string_nextinlist(&av_scanner_work, &sep, - sophie_options_buffer, - sizeof(sophie_options_buffer))) == NULL) { - /* no options supplied, use default options */ - sophie_options = sophie_options_default; - } + /* and send it */ + if (m_sock_send(sock, buf, Ustrlen(buf), &errstr) < 0) + return m_errlog_defer(scanent, errstr); - /* open the sophie socket */ - sock = socket(AF_UNIX, SOCK_STREAM, 0); - if (sock < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: can't open UNIX socket."); - return DEFER; - } - server.sun_family = AF_UNIX; - Ustrcpy(server.sun_path, sophie_options); - if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to connect to sophie UNIX socket (%s). errno=%d", sophie_options, errno); - return DEFER; - } + malware_name = NULL; + result = 0; + /* read response lines, find malware name and final response */ + while (recv_line(sock, buf, sizeof(buf)) > 0) { + debug_printf("aveserver: %s\n", buf); + if (buf[0] == '2') + break; + if (buf[0] == '5') { /* aveserver is having problems */ + result = m_errlog_defer(scanent, + string_sprintf("unable to scan file %s (Responded: %s).", + eml_filename, buf)); + break; + } else if (Ustrncmp(buf,"322",3) == 0) { + uschar *p = Ustrchr(&buf[4],' '); + *p = '\0'; + malware_name = string_copy(&buf[4]); + } + } - /* pass the scan directory to sophie */ - len = Ustrlen(eml_filename) + 1; - if (len > sizeof(file_name)) - { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware filename does not fit in buffer [malware_internal() sophie]"); - return DEFER; - } - memcpy(file_name, eml_filename, len); - p = Ustrrchr(file_name, '/'); - if (p) - *p = '\0'; + /* and send it */ + if (m_sock_send(sock, US"quit\r\n", 6, &errstr) < 0) + return m_errlog_defer(scanent, errstr); - DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n", 
- scanner_name, sophie_options); + /* read aveserver's greeting and see if it is ready (2xx greeting) */ + recv_line(sock, buf, sizeof(buf)); - if ( write(sock, file_name, Ustrlen(file_name)) < 0 - || write(sock, "\n", 1) != 1 - ) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to write to sophie UNIX socket (%s)", sophie_options); - return DEFER; - } + if (buf[0] != '2') /* aveserver is having problems */ + return m_errlog_defer_3(scanent, + string_sprintf("unable to quit dialogue (Responded: %s).", + ((buf[0] != 0) ? buf : (uschar *)"nothing") ), + sock); - /* wait for result */ - memset(av_buffer, 0, sizeof(av_buffer)); - if ((!(bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT)) > 0)) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to read from sophie UNIX socket (%s)", sophie_options); - return DEFER; - } + if (result == DEFER) { + (void)close(sock); + return DEFER; + } + break; + } /* aveserver */ - (void)close(sock); + case M_FSEC: /* "fsecure" scanner type ---------------------------------- */ + { + int i, j, bread = 0; + uschar * file_name; + uschar av_buffer[1024]; + const pcre * fs_inf; + static uschar *cmdopt[] = { US"CONFIGURE\tARCHIVE\t1\n", + US"CONFIGURE\tTIMEOUT\t0\n", + US"CONFIGURE\tMAXARCH\t5\n", + US"CONFIGURE\tMIME\t1\n" }; - /* infected ? 
*/ - if (av_buffer[0] == '1') { - if (Ustrchr(av_buffer, '\n')) *Ustrchr(av_buffer, '\n') = '\0'; - Ustrcpy(malware_name_buffer,&av_buffer[2]); - malware_name = malware_name_buffer; - } - else if (!strncmp(CS av_buffer, "-1", 2)) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: malware acl condition: sophie reported error"); - return DEFER; - } - else { - /* all ok, no virus */ - malware_name = NULL; - } - } - /* ----------------------------------------------------------------------- */ - - - /* "clamd" scanner type ------------------------------------------------- */ - /* This code was originally contributed by David Saez */ - /* There are three scanning methods available to us: - * (1) Use the SCAN command, pointing to a file in the filesystem - * (2) Use the STREAM command, send the data on a separate port - * (3) Use the zINSTREAM command, send the data inline - * The zINSTREAM command was introduced with ClamAV 0.95, which marked - * STREAM deprecated; see: http://wiki.clamav.net/bin/view/Main/UpgradeNotes095 - * In Exim, we use SCAN if using a Unix-domain socket or explicitly told that - * the TCP-connected daemon is actually local; otherwise we use zINSTREAM unless - * WITH_OLD_CLAMAV_STREAM is defined. - * See Exim bug 926 for details. 
*/ - else if (strcmpic(scanner_name,US"clamd") == 0) { - uschar *clamd_options = NULL; - uschar clamd_options_buffer[1024]; - uschar clamd_options_default[] = "/tmp/clamd"; - uschar *p, *vname, *result_tag, *response_end; - struct sockaddr_un server; - int sock,bread=0; - unsigned int port; - uschar file_name[1024]; - uschar av_buffer[1024]; - uschar *hostname = ""; - struct hostent *he; - struct in_addr in; - uschar *clamav_fbuf; - int clam_fd, result; - unsigned int fsize; - BOOL use_scan_command = FALSE, fits; - clamd_address_container * clamd_address_vector[MAX_CLAMD_SERVERS]; - int current_server; - int num_servers = 0; -#ifdef WITH_OLD_CLAMAV_STREAM - uschar av_buffer2[1024]; - int sockData; -#else - uint32_t send_size, send_final_zeroblock; -#endif + malware_name = NULL; - if ((clamd_options = string_nextinlist(&av_scanner_work, &sep, - clamd_options_buffer, - sizeof(clamd_options_buffer))) == NULL) { - /* no options supplied, use default options */ - clamd_options = clamd_options_default; - } + DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n", + scanner_name, scanner_options); + + /* pass options */ + memset(av_buffer, 0, sizeof(av_buffer)); + for (i=0; i != nelements(cmdopt); i++) { + + if (m_sock_send(sock, cmdopt[i], Ustrlen(cmdopt[i]), &errstr) < 0) + return m_errlog_defer(scanent, errstr); + + bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT); + if (bread >0) av_buffer[bread]='\0'; + if (bread < 0) + return m_errlog_defer_3(scanent, + string_sprintf("unable to read answer %d (%s)", i, strerror(errno)), + sock); + for (j=0;j%s:%s", CS tmpbuf, eml_filename); + p = Ustrrchr(scanrequest, '/'); + if (p) + *p = '\0'; + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n", + scanner_name, scanner_options); + + /* send scan request */ + if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0) + return m_errlog_defer(scanent, errstr); + + /* wait for result */ + if ((bread = recv(sock, tmpbuf, 2, 
0) != 2)) + return m_errlog_defer_3(scanent, + US"unable to read 2 bytes from socket.", sock); + + /* get errorcode from one nibble */ + kav_rc = tmpbuf[ test_byte_order()==LITTLE_MY_ENDIAN ? 0 : 1 ] & 0x0F; + switch(kav_rc) + { + case 5: case 6: /* improper kavdaemon configuration */ + return m_errlog_defer_3(scanent, + US"please reconfigure kavdaemon to NOT disinfect or remove infected files.", + sock); + case 1: + return m_errlog_defer_3(scanent, + US"reported 'scanning not completed' (code 1).", sock); + case 7: + return m_errlog_defer_3(scanent, + US"reported 'kavdaemon damaged' (code 7).", sock); + } - /* extract host and port part */ - if( sscanf(CS address, "%" MAX_CLAMD_ADDRESS_LENGTH_S "s %u", this_clamd->tcp_addr, - &(this_clamd->tcp_port)) != 2 ) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: invalid address '%s'", address); - continue; - } + /* code 8 is not handled, since it is ambigous. It appears mostly on + bounces where part of a file has been cut off */ + + /* "virus found" return codes (2-4) */ + if ((kav_rc > 1) && (kav_rc < 5)) { + int report_flag = 0; + + /* setup default virus name */ + malware_name = US"unknown"; + + report_flag = tmpbuf[ test_byte_order() == LITTLE_MY_ENDIAN ? 1 : 0 ]; + + /* read the report, if available */ + if( report_flag == 1 ) { + /* read report size */ + if ((bread = recv(sock, &kav_reportlen, 4, 0)) != 4) + return m_errlog_defer_3(scanent, + US"cannot read report size", sock); + + /* it's possible that avp returns av_buffer[1] == 1 but the + reportsize is 0 (!?) */ + if (kav_reportlen > 0) { + /* set up match regex, depends on retcode */ + kav_re = m_pcre_compile( kav_rc == 3 + ? 
US"suspicion:\\s*(.+?)\\s*$" + : US"infected:\\s*(.+?)\\s*$", + &errstr ); + + /* read report, linewise */ + while (kav_reportlen > 0) { + bread = 0; + while ( recv(sock, &tmpbuf[bread], 1, 0) == 1 ) { + kav_reportlen--; + if ( (tmpbuf[bread] == '\n') || (bread > 1021) ) break; + bread++; + } + bread++; + tmpbuf[bread] = '\0'; + + /* try matcher on the line, grab substring */ + if ((malware_name = m_pcre_exec(kav_re, tmpbuf))) + break; + } + } + } + } + else /* no virus found */ + malware_name = NULL; - clamd_address_vector[num_servers] = this_clamd; - num_servers++; - if (num_servers >= MAX_CLAMD_SERVERS) { - log_write(0, LOG_MAIN|LOG_PANIC, - "More than " MAX_CLAMD_SERVERS_S " clamd servers specified; " - "only using the first " MAX_CLAMD_SERVERS_S ); - break; - } - } while ((address = string_nextinlist(&av_scanner_work, &sep, - address_buffer, - sizeof(address_buffer))) != NULL); - - /* check if we have at least one server */ - if (!num_servers) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: no useable clamd server addresses in malware configuration option."); - return DEFER; - } + break; } - /* See the discussion of response formats below to see why we really don't - like colons in filenames when passing filenames to ClamAV. 
*/ - if (use_scan_command && Ustrchr(eml_filename, ':')) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: local/SCAN mode incompatible with" \ - " : in path to email filename [%s]", eml_filename); - return DEFER; - } + case M_CMDL: /* "cmdline" scanner type ---------------------------------- */ + { + const uschar *cmdline_scanner = scanner_options; + const pcre *cmdline_trigger_re; + const pcre *cmdline_regex_re; + uschar * file_name; + uschar * commandline; + void (*eximsigchld)(int); + void (*eximsigpipe)(int); + FILE *scanner_out = NULL; + FILE *scanner_record = NULL; + uschar linebuffer[32767]; + int trigger = 0; + uschar *p; + + if (!cmdline_scanner) + return m_errlog_defer(scanent, errstr); + + /* find scanner output trigger */ + cmdline_trigger_re = m_pcre_nextinlist(&av_scanner_work, &sep, + "missing trigger specification", &errstr); + if (!cmdline_trigger_re) + return m_errlog_defer(scanent, errstr); + + /* find scanner name regex */ + cmdline_regex_re = m_pcre_nextinlist(&av_scanner_work, &sep, + "missing virus name regex specification", &errstr); + if (!cmdline_regex_re) + return m_errlog_defer(scanent, errstr); + + /* prepare scanner call; despite the naming, file_name holds a directory + name which is documented as the value given to %s. 
*/ + + file_name = string_copy(eml_filename); + p = Ustrrchr(file_name, '/'); + if (p) + *p = '\0'; + commandline = string_sprintf(CS cmdline_scanner, file_name); + + /* redirect STDERR too */ + commandline = string_sprintf("%s 2>&1", commandline); + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n", scanner_name, commandline); + + /* store exims signal handlers */ + eximsigchld = signal(SIGCHLD,SIG_DFL); + eximsigpipe = signal(SIGPIPE,SIG_DFL); + + if (!(scanner_out = popen(CS commandline,"r"))) { + int err = errno; + signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe); + return m_errlog_defer(scanent, + string_sprintf("call (%s) failed: %s.", commandline, strerror(err))); + } - /* We have some network servers specified */ - if (num_servers) { - - /* Confirmed in ClamAV source (0.95.3) that the TCPAddr option of clamd - * only supports AF_INET, but we should probably be looking to the - * future and rewriting this to be protocol-independent anyway. */ - - while ( num_servers > 0 ) { - /* Randomly pick a server to start with */ - current_server = random_number( num_servers ); - - debug_printf("trying server name %s, port %u\n", - clamd_address_vector[current_server]->tcp_addr, - clamd_address_vector[current_server]->tcp_port); - - /* Lookup the host. 
This is to ensure that we connect to the same IP - * on both connections (as one host could resolve to multiple ips) */ - if((he = gethostbyname(CS clamd_address_vector[current_server]->tcp_addr)) - == 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: failed to lookup host '%s'", - clamd_address_vector[current_server]->tcp_addr - ); - goto try_next_server; - } + file_name = string_sprintf("%s/scan/%s/%s_scanner_output", + spool_directory, message_id, message_id); + scanner_record = modefopen(file_name, "wb", SPOOL_MODE); + + if (scanner_record == NULL) { + int err = errno; + (void) pclose(scanner_out); + signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe); + return m_errlog_defer(scanent, + string_sprintf("opening scanner output file (%s) failed: %s.", + file_name, strerror(err))); + } - in = *(struct in_addr *) he->h_addr_list[0]; + /* look for trigger while recording output */ + while(fgets(CS linebuffer, sizeof(linebuffer), scanner_out)) { + if ( Ustrlen(linebuffer) > fwrite(linebuffer, 1, Ustrlen(linebuffer), scanner_record) ) { + /* short write */ + (void) pclose(scanner_out); + signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe); + return m_errlog_defer(scanent, + string_sprintf("short write on scanner output file (%s).", file_name)); + } + /* try trigger match */ + if (!trigger && regex_match_and_setup(cmdline_trigger_re, linebuffer, 0, -1)) + trigger = 1; + } - /* Open the ClamAV Socket */ - if ( (sock = ip_socket(SOCK_STREAM, AF_INET)) < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: unable to acquire socket (%s)", - strerror(errno)); - goto try_next_server; - } + (void)fclose(scanner_record); + sep = pclose(scanner_out); + signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe); + if (sep != 0) + return m_errlog_defer(scanent, + sep == -1 + ? 
string_sprintf("running scanner failed: %s", strerror(sep)) + : string_sprintf("scanner returned error code: %d", sep)); + + if (trigger) { + uschar * s; + /* setup default virus name */ + malware_name = US"unknown"; + + /* re-open the scanner output file, look for name match */ + scanner_record = fopen(CS file_name, "rb"); + while(fgets(CS linebuffer, sizeof(linebuffer), scanner_record)) { + /* try match */ + if ((s = m_pcre_exec(cmdline_regex_re, linebuffer))) + malware_name = s; + } + (void)fclose(scanner_record); + } + else /* no virus found */ + malware_name = NULL; + break; + } /* cmdline */ - if (ip_connect( sock, - AF_INET, - (uschar*)inet_ntoa(in), - clamd_address_vector[current_server]->tcp_port, - 5 ) > -1) { - /* Connection successfully established with a server */ - hostname = clamd_address_vector[current_server]->tcp_addr; - break; - } else { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: connection to %s, port %u failed (%s)", - clamd_address_vector[current_server]->tcp_addr, - clamd_address_vector[current_server]->tcp_port, - strerror(errno)); - - (void)close(sock); - } + case M_SOPHIE: /* "sophie" scanner type --------------------------------- */ + { + int bread = 0; + uschar *p; + uschar * file_name; + uschar av_buffer[1024]; + + /* pass the scan directory to sophie */ + file_name = string_copy(eml_filename); + if ((p = Ustrrchr(file_name, '/'))) + *p = '\0'; + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n", + scanner_name, scanner_options); + + if ( write(sock, file_name, Ustrlen(file_name)) < 0 + || write(sock, "\n", 1) != 1 + ) + return m_errlog_defer_3(scanent, + string_sprintf("unable to write to UNIX socket (%s)", scanner_options), + sock); + + /* wait for result */ + memset(av_buffer, 0, sizeof(av_buffer)); + if ((!(bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT)) > 0)) + return m_errlog_defer_3(scanent, + string_sprintf("unable to read from UNIX socket (%s)", scanner_options), + 
sock); + + /* infected ? */ + if (av_buffer[0] == '1') { + uschar * s = Ustrchr(av_buffer, '\n'); + if (s) + *s = '\0'; + malware_name = string_copy(&av_buffer[2]); + } + else if (!strncmp(CS av_buffer, "-1", 2)) + return m_errlog_defer_3(scanent, US"scanner reported error", sock); + else /* all ok, no virus */ + malware_name = NULL; -try_next_server: - /* Remove the server from the list. XXX We should free the memory */ - num_servers--; - int i; - for( i = current_server; i < num_servers; i++ ) - clamd_address_vector[i] = clamd_address_vector[i+1]; - } - - if ( num_servers == 0 ) { - log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: all clamd servers failed"); - return DEFER; - } - } else { - /* open the local socket */ - if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: unable to acquire socket (%s)", - strerror(errno)); - return DEFER; - } - - server.sun_family = AF_UNIX; - Ustrcpy(server.sun_path, clamd_options); - - if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: unable to connect to UNIX socket %s (%s)", - clamd_options, strerror(errno) ); - return DEFER; - } + break; } - /* have socket in variable "sock"; command to use is semi-independent of - * the socket protocol. We use SCAN if is local (either Unix/local - * domain socket, or explicitly told local) else we stream the data. - * How we stream the data depends upon how we were built. */ - - if (!use_scan_command) { - -#ifdef WITH_OLD_CLAMAV_STREAM - /* "STREAM\n" command, get back a "PORT \n" response, send data to - * that port on a second connection; then in the scan-method-neutral - * part, read the response back on the original connection. 
*/ - - DEBUG(D_acl) debug_printf("Malware scan: issuing %s old-style remote scan (PORT)\n", - scanner_name); - - /* Pass the string to ClamAV (7 = "STREAM\n") */ - if (send(sock, "STREAM\n", 7, 0) < 0) { - log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)", - strerror(errno)); - (void)close(sock); - return DEFER; - } - memset(av_buffer2, 0, sizeof(av_buffer2)); - bread = ip_recv(sock, av_buffer2, sizeof(av_buffer2), MALWARE_TIMEOUT); - - if (bread < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: unable to read PORT from socket (%s)", - strerror(errno)); - (void)close(sock); - return DEFER; - } - - if (bread == sizeof(av_buffer)) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: buffer too small"); - (void)close(sock); - return DEFER; - } - - if (!(*av_buffer2)) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: ClamAV returned null"); - (void)close(sock); - return DEFER; - } - - av_buffer2[bread] = '\0'; - if( sscanf(CS av_buffer2, "PORT %u\n", &port) != 1 ) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: Expected port information from clamd, got '%s'", av_buffer2); - (void)close(sock); - return DEFER; - }; - - if ( (sockData = ip_socket(SOCK_STREAM, AF_INET)) < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: unable to acquire socket (%s)", - strerror(errno)); - (void)close(sock); - return DEFER; - } - - if (ip_connect(sockData, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: connection to %s, port %u failed (%s)", - inet_ntoa(in), port, strerror(errno)); - (void)close(sockData); (void)close(sock); - return DEFER; - } - -#define CLOSE_SOCKDATA (void)close(sockData) -#else /* WITH_OLD_CLAMAV_STREAM not defined */ - /* New protocol: "zINSTREAM\n" followed by a sequence of - chunks, a 4-byte number (network order), terminated by a zero-length - 
chunk. */ - - DEBUG(D_acl) debug_printf("Malware scan: issuing %s new-style remote scan (zINSTREAM)\n", - scanner_name); - - /* Pass the string to ClamAV (10 = "zINSTREAM\0") */ - if (send(sock, "zINSTREAM", 10, 0) < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: unable to send zINSTREAM to socket (%s)", - strerror(errno)); - (void)close(sock); - return DEFER; - } - -#define CLOSE_SOCKDATA /**/ -#endif - - /* calc file size */ - clam_fd = open(CS eml_filename, O_RDONLY); - if (clam_fd == -1) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: can't open spool file %s: %s", - eml_filename, strerror(errno)); - CLOSE_SOCKDATA; (void)close(sock); - return DEFER; - } - fsize = lseek(clam_fd, 0, SEEK_END); - if (fsize == -1) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: can't seek spool file %s: %s", - eml_filename, strerror(errno)); - CLOSE_SOCKDATA; (void)close(sock); - return DEFER; - } - lseek(clam_fd, 0, SEEK_SET); - - clamav_fbuf = (uschar *) malloc (fsize); - if (!clamav_fbuf) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: unable to allocate memory %u for file (%s)", - fsize, eml_filename); - CLOSE_SOCKDATA; (void)close(sock); (void)close(clam_fd); - return DEFER; - } - - result = read (clam_fd, clamav_fbuf, fsize); - if (result == -1) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: can't read spool file %s: %s", - eml_filename, strerror(errno)); - CLOSE_SOCKDATA; (void)close(sock); (void)close(clam_fd); - free(clamav_fbuf); - return DEFER; - } - (void)close(clam_fd); - - /* send file body to socket */ -#ifdef WITH_OLD_CLAMAV_STREAM - if (send(sockData, clamav_fbuf, fsize, 0) < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: unable to send file body to socket (%s:%u)", hostname, port); - CLOSE_SOCKDATA; (void)close(sock); - free(clamav_fbuf); - return DEFER; - } -#else - send_size = htonl(fsize); - send_final_zeroblock = 0; - if 
((send(sock, &send_size, sizeof(send_size), 0) < 0) || - (send(sock, clamav_fbuf, fsize, 0) < 0) || - (send(sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0)) - { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: unable to send file body to socket (%s:%u)", hostname, port); - (void)close(sock); - free(clamav_fbuf); - return DEFER; - } -#endif + case M_CLAMD: /* "clamd" scanner type ----------------------------------- */ + { + /* This code was originally contributed by David Saez */ + /* There are three scanning methods available to us: + * (1) Use the SCAN command, pointing to a file in the filesystem + * (2) Use the STREAM command, send the data on a separate port + * (3) Use the zINSTREAM command, send the data inline + * The zINSTREAM command was introduced with ClamAV 0.95, which marked + * STREAM deprecated; see: http://wiki.clamav.net/bin/view/Main/UpgradeNotes095 + * In Exim, we use SCAN if using a Unix-domain socket or explicitly told that + * the TCP-connected daemon is actually local; otherwise we use zINSTREAM unless + * WITH_OLD_CLAMAV_STREAM is defined. + * See Exim bug 926 for details. 
*/ + + uschar *p, *vname, *result_tag, *response_end; + int bread=0; + uschar * file_name; + uschar av_buffer[1024]; + uschar *hostname = US""; + host_item connhost; + uschar *clamav_fbuf; + int clam_fd, result; + unsigned int fsize; + BOOL use_scan_command = FALSE; + clamd_address_container * clamd_address_vector[MAX_CLAMD_SERVERS]; + int current_server; + int num_servers = 0; + #ifdef WITH_OLD_CLAMAV_STREAM + unsigned int port; + uschar av_buffer2[1024]; + int sockData; + #else + uint32_t send_size, send_final_zeroblock; + #endif + + if (*scanner_options == '/') + /* Local file; so we def want to use_scan_command and don't want to try + * passing IP/port combinations */ + use_scan_command = TRUE; + else { + const uschar *address = scanner_options; + uschar address_buffer[MAX_CLAMD_ADDRESS_LENGTH + 20]; + + /* Go through the rest of the list of host/port and construct an array + * of servers to try. The first one is the bit we just passed from + * scanner_options so process that first and then scan the remainder of + * the address buffer */ + do { + clamd_address_container *this_clamd; + + /* The 'local' option means use the SCAN command over the network + * socket (ie common file storage in use) */ + if (strcmpic(address,US"local") == 0) { + use_scan_command = TRUE; + continue; + } + + /* XXX: If unsuccessful we should free this memory */ + this_clamd = + (clamd_address_container *)store_get(sizeof(clamd_address_container)); + + /* extract host and port part */ + if( sscanf(CS address, "%" MAX_CLAMD_ADDRESS_LENGTH_S "s %u", + this_clamd->tcp_addr, &(this_clamd->tcp_port)) != 2 ) { + (void) m_errlog_defer(scanent, + string_sprintf("invalid address '%s'", address)); + continue; + } + + clamd_address_vector[num_servers] = this_clamd; + num_servers++; + if (num_servers >= MAX_CLAMD_SERVERS) { + (void) m_errlog_defer(scanent, + US"More than " MAX_CLAMD_SERVERS_S " clamd servers " + "specified; only using the first " MAX_CLAMD_SERVERS_S ); + break; + } + } while 
((address = string_nextinlist(&av_scanner_work, &sep, + address_buffer, + sizeof(address_buffer))) != NULL); + + /* check if we have at least one server */ + if (!num_servers) + return m_errlog_defer(scanent, + US"no useable server addresses in malware configuration option."); + } - free(clamav_fbuf); - - CLOSE_SOCKDATA; -#undef CLOSE_SOCKDATA - - } else { /* use scan command */ - /* Send a SCAN command pointing to a filename; then in the then in the - * scan-method-neutral part, read the response back */ - -/* ================================================================= */ - - /* Prior to the reworking post-Exim-4.72, this scanned a directory, - which dates to when ClamAV needed us to break apart the email into the - MIME parts (eg, with the now deprecated demime condition coming first). - Some time back, ClamAV gained the ability to deconstruct the emails, so - doing this would actually have resulted in the mail attachments being - scanned twice, in the broken out files and from the original .eml. - Since ClamAV now handles emails (and has for quite some time) we can - just use the email file itself. */ - /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */ - fits = string_format(file_name, sizeof(file_name), "SCAN %s\n", - eml_filename); - if (!fits) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware filename does not fit in buffer [malware_internal() clamd]"); - } - - DEBUG(D_acl) debug_printf("Malware scan: issuing %s local-path scan [%s]\n", - scanner_name, clamd_options); - - if (send(sock, file_name, Ustrlen(file_name), 0) < 0) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)", - strerror(errno)); - return DEFER; - } - - /* Do not shut down the socket for writing; a user report noted that - * clamd 0.70 does not react well to this. 
*/ - } - /* Commands have been sent, no matter which scan method or connection - * type we're using; now just read the result, independent of method. */ - - /* Read the result */ - memset(av_buffer, 0, sizeof(av_buffer)); - bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT); - (void)close(sock); - - if (!(bread > 0)) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: unable to read from socket (%s)", - strerror(errno)); - return DEFER; - } + /* See the discussion of response formats below to see why we really don't + like colons in filenames when passing filenames to ClamAV. */ + if (use_scan_command && Ustrchr(eml_filename, ':')) + return m_errlog_defer(scanent, + string_sprintf("local/SCAN mode incompatible with" \ + " : in path to email filename [%s]", eml_filename)); + + /* We have some network servers specified */ + if (num_servers) { + + /* Confirmed in ClamAV source (0.95.3) that the TCPAddr option of clamd + * only supports AF_INET, but we should probably be looking to the + * future and rewriting this to be protocol-independent anyway. */ + + while ( num_servers > 0 ) { + /* Randomly pick a server to start with */ + current_server = random_number( num_servers ); + + debug_printf("trying server name %s, port %u\n", + clamd_address_vector[current_server]->tcp_addr, + clamd_address_vector[current_server]->tcp_port); + + /* Lookup the host. This is to ensure that we connect to the same IP + * on both connections (as one host could resolve to multiple ips) */ + sock= m_tcpsocket(clamd_address_vector[current_server]->tcp_addr, + clamd_address_vector[current_server]->tcp_port, + &connhost, &errstr); + if (sock >= 0) { + /* Connection successfully established with a server */ + hostname = clamd_address_vector[current_server]->tcp_addr; + break; + } + + (void) m_errlog_defer(scanent, errstr); + + /* Remove the server from the list. 
XXX We should free the memory */ + num_servers--; + int i; + for( i = current_server; i < num_servers; i++ ) + clamd_address_vector[i] = clamd_address_vector[i+1]; + } + + if ( num_servers == 0 ) + return m_errlog_defer(scanent, US"all servers failed"); + + } else { + if ((sock = m_unixsocket(scanner_options, &errstr)) < 0) + return m_errlog_defer(scanent, errstr); + } - if (bread == sizeof(av_buffer)) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: buffer too small"); - return DEFER; + /* have socket in variable "sock"; command to use is semi-independent of + * the socket protocol. We use SCAN if is local (either Unix/local + * domain socket, or explicitly told local) else we stream the data. + * How we stream the data depends upon how we were built. */ + + if (!use_scan_command) { + + #ifdef WITH_OLD_CLAMAV_STREAM + /* "STREAM\n" command, get back a "PORT \n" response, send data to + * that port on a second connection; then in the scan-method-neutral + * part, read the response back on the original connection. 
*/ + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s old-style remote scan (PORT)\n", + scanner_name); + + /* Pass the string to ClamAV (7 = "STREAM\n") */ + if (m_sock_send(sock, US"STREAM\n", 7, &errstr) < 0) + return m_errlog_defer(scanent, errstr); + + memset(av_buffer2, 0, sizeof(av_buffer2)); + bread = ip_recv(sock, av_buffer2, sizeof(av_buffer2), MALWARE_TIMEOUT); + + if (bread < 0) + return m_errlog_defer_3(scanent, + string_sprintf("unable to read PORT from socket (%s)", + strerror(errno)), + sock); + + if (bread == sizeof(av_buffer2)) + return m_errlog_defer_3(scanent, "buffer too small", sock); + + if (!(*av_buffer2)) + return m_errlog_defer_3(scanent, "ClamAV returned null", sock); + + av_buffer2[bread] = '\0'; + if( sscanf(CS av_buffer2, "PORT %u\n", &port) != 1 ) + return m_errlog_defer_3(scanent, + string_sprintf("Expected port information from clamd, got '%s'", + av_buffer2), + sock); + + sockData = m_tcpsocket(connhost.address, port, NULL, &errstr); + if (sockData < 0) + return m_errlog_defer_3(scanent, errstr, sock); + + #define CLOSE_SOCKDATA (void)close(sockData) + #else /* WITH_OLD_CLAMAV_STREAM not defined */ + /* New protocol: "zINSTREAM\n" followed by a sequence of + chunks, a 4-byte number (network order), terminated by a zero-length + chunk. 
*/ + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s new-style remote scan (zINSTREAM)\n", + scanner_name); + + /* Pass the string to ClamAV (10 = "zINSTREAM\0") */ + if (send(sock, "zINSTREAM", 10, 0) < 0) + return m_errlog_defer_3(scanent, + string_sprintf("unable to send zINSTREAM to socket (%s)", + strerror(errno)), + sock); + + #define CLOSE_SOCKDATA /**/ + #endif + + /* calc file size */ + if ((clam_fd = open(CS eml_filename, O_RDONLY)) < 0) { + int err = errno; + CLOSE_SOCKDATA; + return m_errlog_defer_3(scanent, + string_sprintf("can't open spool file %s: %s", + eml_filename, strerror(err)), + sock); + } + if ((fsize = lseek(clam_fd, 0, SEEK_END)) < 0) { + int err = errno; + CLOSE_SOCKDATA; (void)close(clam_fd); + return m_errlog_defer_3(scanent, + string_sprintf("can't seek spool file %s: %s", + eml_filename, strerror(err)), + sock); + } + lseek(clam_fd, 0, SEEK_SET); + + if (!(clamav_fbuf = (uschar *) malloc (fsize))) { + CLOSE_SOCKDATA; (void)close(clam_fd); + return m_errlog_defer_3(scanent, + string_sprintf("unable to allocate memory %u for file (%s)", + fsize, eml_filename), + sock); + } + + if ((result = read(clam_fd, clamav_fbuf, fsize)) < 0) { + int err = errno; + free(clamav_fbuf); CLOSE_SOCKDATA; (void)close(clam_fd); + return m_errlog_defer_3(scanent, + string_sprintf("can't read spool file %s: %s", + eml_filename, strerror(err)), + sock); + } + (void)close(clam_fd); + + /* send file body to socket */ + #ifdef WITH_OLD_CLAMAV_STREAM + if (send(sockData, clamav_fbuf, fsize, 0) < 0) { + free(clamav_fbuf); CLOSE_SOCKDATA; + return m_errlog_defer_3(scanent, + string_sprintf("unable to send file body to socket (%s:%u)", + hostname, port), + sock); + } + #else + send_size = htonl(fsize); + send_final_zeroblock = 0; + if ((send(sock, &send_size, sizeof(send_size), 0) < 0) || + (send(sock, clamav_fbuf, fsize, 0) < 0) || + (send(sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0)) + { + free(clamav_fbuf); + return 
m_errlog_defer_3(scanent, + string_sprintf("unable to send file body to socket (%s)", hostname), + sock); + } + #endif + + free(clamav_fbuf); + + CLOSE_SOCKDATA; + #undef CLOSE_SOCKDATA + + } else { /* use scan command */ + /* Send a SCAN command pointing to a filename; then in the then in the + * scan-method-neutral part, read the response back */ + + /* ================================================================= */ + + /* Prior to the reworking post-Exim-4.72, this scanned a directory, + which dates to when ClamAV needed us to break apart the email into the + MIME parts (eg, with the now deprecated demime condition coming first). + Some time back, ClamAV gained the ability to deconstruct the emails, so + doing this would actually have resulted in the mail attachments being + scanned twice, in the broken out files and from the original .eml. + Since ClamAV now handles emails (and has for quite some time) we can + just use the email file itself. */ + /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */ + file_name = string_sprintf("SCAN %s\n", eml_filename); + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s local-path scan [%s]\n", + scanner_name, scanner_options); + + if (send(sock, file_name, Ustrlen(file_name), 0) < 0) + return m_errlog_defer_3(scanent, + string_sprintf("unable to write to socket (%s)", strerror(errno)), + sock); + + /* Do not shut down the socket for writing; a user report noted that + * clamd 0.70 does not react well to this. */ + } + /* Commands have been sent, no matter which scan method or connection + * type we're using; now just read the result, independent of method. 
*/ + + /* Read the result */ + memset(av_buffer, 0, sizeof(av_buffer)); + bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT); + (void)close(sock); + sock = -1; + + if (!(bread > 0)) + return m_errlog_defer(scanent, + string_sprintf("unable to read from socket (%s)", strerror(errno))); + + if (bread == sizeof(av_buffer)) + return m_errlog_defer(scanent, US"buffer too small"); + /* We're now assured of a NULL at the end of av_buffer */ + + /* Check the result. ClamAV returns one of two result formats. + In the basic mode, the response is of the form: + infected: -> ": FOUND" + not-infected: -> ": OK" + error: -> ": ERROR + If the ExtendedDetectionInfo option has been turned on, then we get: + ": (:) FOUND" + for the infected case. Compare: + /tmp/eicar.com: Eicar-Test-Signature FOUND + /tmp/eicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND + + In the streaming case, clamd uses the filename "stream" which you should + be able to verify with { ktrace clamdscan --stream /tmp/eicar.com }. (The + client app will replace "stream" with the original filename before returning + results to stdout, but the trace shows the data). + + We will assume that the pathname passed to clamd from Exim does not contain + a colon. We will have whined loudly above if the eml_filename does (and we're + passing a filename to clamd). */ + + if (!(*av_buffer)) + return m_errlog_defer(scanent, US"ClamAV returned null"); + + /* strip newline at the end (won't be present for zINSTREAM) + (also any trailing whitespace, which shouldn't exist, but we depend upon + this below, so double-check) */ + p = av_buffer + Ustrlen(av_buffer) - 1; + if (*p == '\n') *p = '\0'; + + DEBUG(D_acl) debug_printf("Malware response: %s\n", av_buffer); + + while (isspace(*--p) && (p > av_buffer)) + *p = '\0'; + if (*p) ++p; + response_end = p; + + /* colon in returned output? 
*/ + if((p = Ustrchr(av_buffer,':')) == NULL) + return m_errlog_defer(scanent, + string_sprintf("ClamAV returned malformed result (missing colon): %s", + av_buffer)); + + /* strip filename */ + while (*p && isspace(*++p)) /**/; + vname = p; + + /* It would be bad to encounter a virus with "FOUND" in part of the name, + but we should at least be resistant to it. */ + p = Ustrrchr(vname, ' '); + result_tag = p ? p+1 : vname; + + if (Ustrcmp(result_tag, "FOUND") == 0) { + /* p should still be the whitespace before the result_tag */ + while (isspace(*p)) --p; + *++p = '\0'; + /* Strip off the extended information too, which will be in parens + after the virus name, with no intervening whitespace. */ + if (*--p == ')') { + /* "(hash:size)", so previous '(' will do; if not found, we have + a curious virus name, but not an error. */ + p = Ustrrchr(vname, '('); + if (p) + *p = '\0'; + } + malware_name = string_copy(vname); + DEBUG(D_acl) debug_printf("Malware found, name \"%s\"\n", malware_name); + + } else if (Ustrcmp(result_tag, "ERROR") == 0) + return m_errlog_defer(scanent, + string_sprintf("ClamAV returned: %s", av_buffer)); + + else if (Ustrcmp(result_tag, "OK") == 0) { + /* Everything should be OK */ + malware_name = NULL; + DEBUG(D_acl) debug_printf("Malware not found\n"); + + } else + return m_errlog_defer(scanent, + string_sprintf("unparseable response from ClamAV: {%s}", av_buffer)); + + break; + } /* clamd */ + + case M_SOCK: /* "sock" scanner type ------------------------------------- */ + /* This code was derived by Martin Poole from the clamd code contributed + by David Saez and the cmdline code + */ + { + int bread; + uschar * commandline; + uschar av_buffer[1024]; + uschar * linebuffer; + uschar * sockline_scanner; + uschar sockline_scanner_default[] = "%s\n"; + const pcre *sockline_trig_re; + const pcre *sockline_name_re; + + /* find scanner command line */ + if ((sockline_scanner = string_nextinlist(&av_scanner_work, &sep, + NULL, 0))) + { /* check for 
no expansions apart from one %s */ + char * s = index(CS sockline_scanner, '%'); + if (s++) + if ((*s != 's' && *s != '%') || index(s+1, '%')) + return m_errlog_defer_3(scanent, + US"unsafe sock scanner call spec", sock); + } + else + sockline_scanner = sockline_scanner_default; + + /* find scanner output trigger */ + sockline_trig_re = m_pcre_nextinlist(&av_scanner_work, &sep, + "missing trigger specification", &errstr); + if (!sockline_trig_re) + return m_errlog_defer_3(scanent, errstr, sock); + + /* find virus name regex */ + sockline_name_re = m_pcre_nextinlist(&av_scanner_work, &sep, + "missing virus name regex specification", &errstr); + if (!sockline_name_re) + return m_errlog_defer_3(scanent, errstr, sock); + + /* prepare scanner call - security depends on expansions check above */ + commandline = string_sprintf("%s/scan/%s/%s.eml", spool_directory, message_id, message_id); + commandline = string_sprintf( CS sockline_scanner, CS commandline); + + + /* Pass the command string to the socket */ + if (m_sock_send(sock, commandline, Ustrlen(commandline), &errstr) < 0) + return m_errlog_defer(scanent, errstr); + + /* Read the result */ + memset(av_buffer, 0, sizeof(av_buffer)); + bread = read(sock, av_buffer, sizeof(av_buffer)); + + if (!(bread > 0)) + return m_errlog_defer_3(scanent, + string_sprintf("unable to read from socket (%s)", strerror(errno)), + sock); + + if (bread == sizeof(av_buffer)) + return m_errlog_defer_3(scanent, US"buffer too small", sock); + linebuffer = string_copy(av_buffer); + + /* try trigger match */ + if (regex_match_and_setup(sockline_trig_re, linebuffer, 0, -1)) { + if (!(malware_name = m_pcre_exec(sockline_name_re, av_buffer))) + malware_name = US "unknown"; + } + else /* no virus found */ + malware_name = NULL; + break; } - /* Check the result. ClamAV returns one of two result formats. 
- In the basic mode, the response is of the form: - infected: -> ": FOUND" - not-infected: -> ": OK" - error: -> ": ERROR - If the ExtendedDetectionInfo option has been turned on, then we get: - ": (:) FOUND" - for the infected case. Compare: -/tmp/eicar.com: Eicar-Test-Signature FOUND -/tmp/eicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND - - In the streaming case, clamd uses the filename "stream" which you should - be able to verify with { ktrace clamdscan --stream /tmp/eicar.com }. (The - client app will replace "stream" with the original filename before returning - results to stdout, but the trace shows the data). - - We will assume that the pathname passed to clamd from Exim does not contain - a colon. We will have whined loudly above if the eml_filename does (and we're - passing a filename to clamd). */ - - if (!(*av_buffer)) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: ClamAV returned null"); - return DEFER; - } + case M_MKSD: /* "mksd" scanner type ------------------------------------- */ + { + char *mksd_options_end; + int mksd_maxproc = 1; /* default, if no option supplied */ + int sock; + int retval; + + if (scanner_options) { + mksd_maxproc = (int)strtol(CS scanner_options, &mksd_options_end, 10); + if ( *scanner_options == '\0' + || *mksd_options_end != '\0' + || mksd_maxproc < 1 + || mksd_maxproc > 32 + ) + return m_errlog_defer(scanent, + string_sprintf("invalid option '%s'", scanner_options)); + } - /* strip newline at the end (won't be present for zINSTREAM) - (also any trailing whitespace, which shouldn't exist, but we depend upon - this below, so double-check) */ - p = av_buffer + Ustrlen(av_buffer) - 1; - if (*p == '\n') *p = '\0'; - - DEBUG(D_acl) debug_printf("Malware response: %s\n", av_buffer); - - while (isspace(*--p) && (p > av_buffer)) - *p = '\0'; - if (*p) ++p; - response_end = p; - - /* colon in returned output? 
*/ - if((p = Ustrchr(av_buffer,':')) == NULL) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: ClamAV returned malformed result (missing colon): %s", - av_buffer); - return DEFER; - } + if((sock = m_unixsocket(US "/var/run/mksd/socket", &errstr)) < 0) + return m_errlog_defer(scanent, errstr); - /* strip filename */ - while (*p && isspace(*++p)) /**/; - vname = p; - - /* It would be bad to encounter a virus with "FOUND" in part of the name, - but we should at least be resistant to it. */ - p = Ustrrchr(vname, ' '); - if (p) - result_tag = p + 1; - else - result_tag = vname; - - if (Ustrcmp(result_tag, "FOUND") == 0) { - /* p should still be the whitespace before the result_tag */ - while (isspace(*p)) --p; - *++p = '\0'; - /* Strip off the extended information too, which will be in parens - after the virus name, with no intervening whitespace. */ - if (*--p == ')') { - /* "(hash:size)", so previous '(' will do; if not found, we have - a curious virus name, but not an error. 
*/ - p = Ustrrchr(vname, '('); - if (p) - *p = '\0'; - } - Ustrncpy(malware_name_buffer, vname, sizeof(malware_name_buffer)-1); - malware_name = malware_name_buffer; - DEBUG(D_acl) debug_printf("Malware found, name \"%s\"\n", malware_name); - - } else if (Ustrcmp(result_tag, "ERROR") == 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: ClamAV returned: %s", - av_buffer); - return DEFER; - - } else if (Ustrcmp(result_tag, "OK") == 0) { - /* Everything should be OK */ malware_name = NULL; - DEBUG(D_acl) debug_printf("Malware not found\n"); - } else { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: unparseable response from ClamAV: {%s}", - av_buffer); - return DEFER; - } + DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan\n", scanner_name); - } /* clamd */ - - /* ----------------------------------------------------------------------- */ - - - /* "mksd" scanner type --------------------------------------------------- */ - else if (strcmpic(scanner_name,US"mksd") == 0) { - uschar *mksd_options; - char *mksd_options_end; - uschar mksd_options_buffer[32]; - int mksd_maxproc = 1; /* default, if no option supplied */ - struct sockaddr_un server; - int sock; - int retval; - - if ((mksd_options = string_nextinlist(&av_scanner_work, &sep, - mksd_options_buffer, - sizeof(mksd_options_buffer))) != NULL) { - mksd_maxproc = (int) strtol(CS mksd_options, &mksd_options_end, 10); - if ((*mksd_options == '\0') || (*mksd_options_end != '\0') || - (mksd_maxproc < 1) || (mksd_maxproc > 32)) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: mksd: invalid option '%s'", mksd_options); - return DEFER; - } - } - - /* open the mksd socket */ - sock = socket(AF_UNIX, SOCK_STREAM, 0); - if (sock < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: can't open UNIX socket."); - return DEFER; - } - server.sun_family = AF_UNIX; - Ustrcpy(server.sun_path, "/var/run/mksd/socket"); - if (connect(sock, (struct sockaddr *) 
&server, sizeof(struct sockaddr_un)) < 0) { - (void)close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to connect to mksd UNIX socket (/var/run/mksd/socket). errno=%d", errno); - return DEFER; + if ((retval = mksd_scan_packed(scanent, sock, eml_filename)) != OK) { + close (sock); + return retval; + } + break; } - - malware_name = NULL; - - DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan\n", scanner_name); - - retval = mksd_scan_packed(sock, eml_filename); - - if (retval != OK) - return retval; } - /* ----------------------------------------------------------------------- */ - /* "unknown" scanner type ------------------------------------------------- */ - else { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware condition: unknown scanner type '%s'", scanner_name); - return DEFER; - }; - /* ----------------------------------------------------------------------- */ - - /* set "been here, done that" marker */ - malware_ok = 1; - }; + if (sock >= 0) + (void) close (sock); + malware_ok = TRUE; /* set "been here, done that" marker */ + } /* match virus name against pattern (caseless ------->----------v) */ - if ( (malware_name != NULL) && - (regex_match_and_setup(re, malware_name, 0, -1)) ) { + if ( malware_name && (regex_match_and_setup(re, malware_name, 0, -1)) ) { DEBUG(D_acl) debug_printf("Matched regex to malware [%s] [%s]\n", malware_regex, malware_name); return OK; } - else { + else return FAIL; - }; } /* simple wrapper for reading lines from sockets */ -int recv_line(int sock, uschar *buffer, int size) { +int +recv_line(int sock, uschar *buffer, int size) +{ uschar *p = buffer; memset(buffer,0,size); @@ -1895,7 +1538,7 @@ int recv_line(int sock, uschar *buffer, int size) { if ((p-buffer) > (size-2)) break; if (*p == '\n') break; if (*p != '\r') p++; - }; + } *p = '\0'; return (p-buffer); 
@@ -1906,7 +1549,8 @@ int recv_line(int sock, uschar *buffer, int size) { #include -static int mksd_writev (int sock, struct iovec *iov, int iovcnt) +static inline int +mksd_writev (int sock, struct iovec *iov, int iovcnt) { int i; @@ -1915,9 +1559,7 @@ static int mksd_writev (int sock, struct iovec *iov, int iovcnt) i = writev (sock, iov, iovcnt); while ((i < 0) && (errno == EINTR)); if (i <= 0) { - close (sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to write to mksd UNIX socket (/var/run/mksd/socket)"); + (void) malware_errlog_defer(US"unable to write to mksd UNIX socket (/var/run/mksd/socket)"); return -1; } @@ -1935,25 +1577,22 @@ static int mksd_writev (int sock, struct iovec *iov, int iovcnt) } } -static int mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size) +static inline int +mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size) { int offset = 0; int i; do { if ((i = recv (sock, av_buffer+offset, av_buffer_size-offset, 0)) <= 0) { - close (sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: unable to read from mksd UNIX socket (/var/run/mksd/socket)"); + (void) malware_errlog_defer(US"unable to read from mksd UNIX socket (/var/run/mksd/socket)"); return -1; } offset += i; /* offset == av_buffer_size -> buffer full */ if (offset == av_buffer_size) { - close (sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: malformed reply received from mksd"); + (void) malware_errlog_defer(US"malformed reply received from mksd"); return -1; } } while (av_buffer[offset-1] != '\n'); 
@@ -1962,41 +1601,39 @@ static int mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size) return offset; } -static int mksd_parse_line (char *line) +static inline int +mksd_parse_line(struct scan * scanent, char *line) { char *p; switch (*line) { - case 'O': - /* OK */ + case 'O': /* OK */ return OK; + case 'E': - case 'A': - /* ERR */ + case 'A': /* ERR */ if ((p = strchr (line, '\n')) != NULL) - (*p) = '\0'; - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: mksd scanner failed: %s", line); - return DEFER; - default: - /* VIR */ + *p = '\0'; + return m_errlog_defer(scanent, + string_sprintf("scanner failed: %s", line)); + + default: /* VIR */ if ((p = strchr (line, '\n')) != NULL) { - (*p) = '\0'; - if (((p-line) > 5) && ((p-line) < sizeof (malware_name_buffer)) && (line[3] == ' ')) + *p = '\0'; + if (((p-line) > 5) && (line[3] == ' ')) if (((p = strchr (line+4, ' ')) != NULL) && ((p-line) > 4)) { - (*p) = '\0'; - Ustrcpy (malware_name_buffer, line+4); - malware_name = malware_name_buffer; + *p = '\0'; + malware_name = string_copy(US line+4); return OK; } } - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: malformed reply received from mksd: %s", line); - return DEFER; + return m_errlog_defer(scanent, + string_sprintf("malformed reply received: %s", line)); } } -static int mksd_scan_packed(int sock, uschar *scan_filename) +static int +mksd_scan_packed(struct scan * scanent, int sock, uschar *scan_filename) { struct iovec iov[3]; const char *cmd = "MSQ\n"; @@ -2015,9 +1652,10 @@ static int mksd_scan_packed(int sock, uschar *scan_filename) if (mksd_read_lines (sock, av_buffer, sizeof (av_buffer)) < 0) return DEFER; - close (sock); - - return mksd_parse_line (CS av_buffer); + return mksd_parse_line (scanent, CS av_buffer); } -#endif +#endif /*WITH_CONTENT_SCAN*/ +/* + * vi: aw ai sw=2 + */ diff --git a/src/src/match.c b/src/src/match.c index 66ae3dddb..97a098205 100644 --- a/src/src/match.c +++ b/src/src/match.c 
@@ -221,6 +221,8 @@ if (cb->at_is_special && pattern[0] == '@') NULL, /* service name not relevant */ NULL, /* srv_fail_domains not relevant */ NULL, /* mx_fail_domains not relevant */ + NULL, /* no dnssec request XXX ? */ + NULL, /* no dnssec require XXX ? */ NULL, /* no feedback FQDN */ &removed); /* feedback if local removed */ diff --git a/src/src/moan.c b/src/src/moan.c index 3b670a144..4d7b51b9a 100644 --- a/src/src/moan.c +++ b/src/src/moan.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2009 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions for sending messages to sender or to mailmaster. */ diff --git a/src/src/readconf.c b/src/src/readconf.c index 77c798412..fb1476365 100644 --- a/src/src/readconf.c +++ b/src/src/readconf.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions for reading the configuration file, and for displaying @@ -140,7 +140,7 @@ static optionlist optionlist_config[] = { { "acl_smtp_auth", opt_stringptr, &acl_smtp_auth }, { "acl_smtp_connect", opt_stringptr, &acl_smtp_connect }, { "acl_smtp_data", opt_stringptr, &acl_smtp_data }, -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR { "acl_smtp_data_prdr", opt_stringptr, &acl_smtp_data_prdr }, #endif #ifndef DISABLE_DKIM 
@@ -229,6 +229,9 @@ static optionlist optionlist_config[] = { /* This option is now a no-op, retained for compability */ { "drop_cr", opt_bool, &drop_cr }, /*********************************************************/ +#ifdef EXPERIMENTAL_DSN + { "dsn_advertise_hosts", opt_stringptr, &dsn_advertise_hosts }, +#endif { "dsn_from", opt_stringptr, &dsn_from }, { "envelope_to_remove", opt_bool, &envelope_to_remove }, { "errors_copy", opt_stringptr, &errors_copy }, @@ -324,7 +327,7 @@ static optionlist optionlist_config[] = { #endif { "pid_file_path", opt_stringptr, &pid_file_path }, { "pipelining_advertise_hosts", opt_stringptr, &pipelining_advertise_hosts }, -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR { "prdr_enable", opt_bool, &prdr_enable }, #endif { "preserve_message_logs", opt_bool, &preserve_message_logs }, @@ -332,6 +335,9 @@ static optionlist optionlist_config[] = { { "print_topbitchars", opt_bool, &print_topbitchars }, { "process_log_path", opt_stringptr, &process_log_path }, { "prod_requires_admin", opt_bool, &prod_requires_admin }, +#ifdef EXPERIMENTAL_PROXY + { "proxy_required_hosts", opt_stringptr, &proxy_required_hosts }, +#endif { "qualify_domain", opt_stringptr, &qualify_domain_sender }, { "qualify_recipient", opt_stringptr, &qualify_domain_recipient }, { "queue_domains", opt_stringptr, &queue_domains }, @@ -433,7 +439,7 @@ static optionlist optionlist_config[] = { { "tls_crl", opt_stringptr, &tls_crl }, { "tls_dh_max_bits", opt_int, &tls_dh_max_bits }, { "tls_dhparam", opt_stringptr, &tls_dhparam }, -# if defined(EXPERIMENTAL_OCSP) && !defined(USE_GNUTLS) +# ifndef DISABLE_OCSP { "tls_ocsp_file", opt_stringptr, &tls_ocsp_file }, # endif { "tls_on_connect_ports", opt_stringptr, &tls_in.on_connect_ports }, 
@@ -1559,15 +1565,21 @@ switch (type) Because we only do this once, near process start-up, I'm prepared to let this slide for the time being, even though it rankles. */ } - else if (*str_target && (ol->type & opt_rep_str)) - { + else if (ol->type & opt_rep_str) + { uschar sep = Ustrncmp(name, "headers_add", 11)==0 ? '\n' : ':'; - saved_condition = *str_target; - strtemp = saved_condition + Ustrlen(saved_condition)-1; - if (*strtemp == sep) *strtemp = 0; /* eliminate trailing list-sep */ - strtemp = string_sprintf("%s%c%s", saved_condition, sep, sptr); - *str_target = string_copy_malloc(strtemp); - } + uschar * cp; + + /* Strip trailing whitespace and seperators */ + for (cp = sptr + Ustrlen(sptr) - 1; + cp >= sptr && (*cp == '\n' || *cp == '\t' || *cp == ' ' || *cp == sep); + cp--) *cp = '\0'; + + if (cp >= sptr) + *str_target = string_copy_malloc( + *str_target ? string_sprintf("%s%c%s", *str_target, sep, sptr) + : sptr); + } else { *str_target = sptr; @@ -4128,4 +4140,6 @@ while(next_section[0] != 0) (void)fclose(config_file); } +/* vi: aw ai sw=2 +*/ /* End of readconf.c */ diff --git a/src/src/receive.c b/src/src/receive.c index 072fee9f1..ea957c7cf 100644 --- a/src/src/receive.c +++ b/src/src/receive.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Code for receiving a message and setting up spool files. */ @@ -497,6 +497,10 @@ recipients_list[recipients_count].bmi_optin = bmi_current_optin; /* reset optin string pointer for next recipient */ bmi_current_optin = NULL; #endif +#ifdef EXPERIMENTAL_DSN +recipients_list[recipients_count].orcpt = NULL; +recipients_list[recipients_count].dsn_flags = 0; +#endif recipients_list[recipients_count++].errors_to = NULL; } 
@@ -519,7 +523,7 @@ Arguments: Returns: nothing */ -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR static void smtp_user_msg(uschar *code, uschar *user_msg) { @@ -984,11 +988,24 @@ Returns: nothing */ static void -add_acl_headers(uschar *acl_name) +add_acl_headers(int where, uschar *acl_name) { header_line *h, *next; header_line *last_received = NULL; +switch(where) + { + case ACL_WHERE_DKIM: + case ACL_WHERE_MIME: + case ACL_WHERE_DATA: + if (cutthrough_fd >= 0 && (acl_removed_headers || acl_added_headers)) + { + log_write(0, LOG_MAIN|LOG_PANIC, "Header modification in data ACLs" + " will not take effect on cutthrough deliveries"); + return; + } + } + if (acl_removed_headers != NULL) { DEBUG(D_receive|D_acl) debug_printf(">>Headers removed by %s ACL:\n", acl_name); @@ -1264,7 +1281,7 @@ if (rc == OK) } END_MIME_ACL: -add_acl_headers(US"MIME"); +add_acl_headers(ACL_WHERE_MIME, US"MIME"); if (rc == DISCARD) { recipients_count = 0; @@ -1454,7 +1471,7 @@ BOOL resents_exist = FALSE; uschar *resent_prefix = US""; uschar *blackholed_by = NULL; uschar *blackhole_log_msg = US""; -enum {NOT_TRIED, TMP_REJ, PERM_REJ, ACCEPTED} cutthrough_done; +enum {NOT_TRIED, TMP_REJ, PERM_REJ, ACCEPTED} cutthrough_done = NOT_TRIED; flock_t lock_data; error_block *bad_addresses = NULL; @@ -2826,7 +2843,7 @@ if (cutthrough_fd >= 0) goto TIDYUP; /* Skip to end of function */ } received_header_gen(); - add_acl_headers(US"MAIL or RCPT"); + add_acl_headers(ACL_WHERE_RCPT, US"MAIL or RCPT"); (void) cutthrough_headers_send(); } @@ -3118,7 +3135,7 @@ if (received_header->text == NULL) /* Non-cutthrough case */ /* If an ACL from any RCPT commands set up any warning headers to add, do so now, before running the DATA ACL. */ - add_acl_headers(US"MAIL or RCPT"); + add_acl_headers(ACL_WHERE_RCPT, US"MAIL or RCPT"); } else message_body_size = (fstat(data_fd, &statbuf) == 0)? 
@@ -3231,7 +3248,7 @@ else break; } } - add_acl_headers(US"DKIM"); + add_acl_headers(ACL_WHERE_DKIM, US"DKIM"); if (rc == DISCARD) { recipients_count = 0; @@ -3264,8 +3281,8 @@ else dmarc_up = dmarc_store_data(from_header); #endif /* EXPERIMENTAL_DMARC */ -#ifdef EXPERIMENTAL_PRDR - if (prdr_requested && recipients_count > 1 && acl_smtp_data_prdr != NULL ) +#ifndef DISABLE_PRDR + if (prdr_requested && recipients_count > 1 && acl_smtp_data_prdr) { unsigned int c; int all_pass = OK; @@ -3333,7 +3350,7 @@ else } else prdr_requested = FALSE; -#endif /* EXPERIMENTAL_PRDR */ +#endif /* !DISABLE_PRDR */ /* Check the recipients count again, as the MIME ACL might have changed them. */ @@ -3341,7 +3358,7 @@ else if (acl_smtp_data != NULL && recipients_count > 0) { rc = acl_check(ACL_WHERE_DATA, NULL, acl_smtp_data, &user_msg, &log_msg); - add_acl_headers(US"DATA"); + add_acl_headers(ACL_WHERE_DATA, US"DATA"); if (rc == DISCARD) { recipients_count = 0; @@ -3424,7 +3441,7 @@ else /* Does not return */ } } - add_acl_headers(US"non-SMTP"); + add_acl_headers(ACL_WHERE_NOTSMTP, US"non-SMTP"); } } 
@@ -3726,21 +3743,20 @@ if (message_reference != NULL) s = add_host_info_for_log(s, &size, &sptr); #ifdef SUPPORT_TLS -if ((log_extra_selector & LX_tls_cipher) != 0 && tls_in.cipher != NULL) +if (log_extra_selector & LX_tls_cipher && tls_in.cipher) s = string_append(s, &size, &sptr, 2, US" X=", tls_in.cipher); -if ((log_extra_selector & LX_tls_certificate_verified) != 0 && - tls_in.cipher != NULL) +if (log_extra_selector & LX_tls_certificate_verified && tls_in.cipher) s = string_append(s, &size, &sptr, 2, US" CV=", tls_in.certificate_verified? "yes":"no"); -if ((log_extra_selector & LX_tls_peerdn) != 0 && tls_in.peerdn != NULL) +if (log_extra_selector & LX_tls_peerdn && tls_in.peerdn) s = string_append(s, &size, &sptr, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\""); -if ((log_extra_selector & LX_tls_sni) != 0 && tls_in.sni != NULL) +if (log_extra_selector & LX_tls_sni && tls_in.sni) s = string_append(s, &size, &sptr, 3, US" SNI=\"", string_printing(tls_in.sni), US"\""); #endif -if (sender_host_authenticated != NULL) +if (sender_host_authenticated) { s = string_append(s, &size, &sptr, 2, US" A=", sender_host_authenticated); if (authenticated_id != NULL) @@ -3751,11 +3767,16 @@ if (sender_host_authenticated != NULL) } } -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR if (prdr_requested) s = string_append(s, &size, &sptr, 1, US" PRDR"); #endif +#ifdef EXPERIMENTAL_PROXY +if (proxy_session && log_extra_selector & LX_proxy) + s = string_append(s, &size, &sptr, 2, US" PRX=", proxy_host_address); +#endif + sprintf(CS big_buffer, "%d", msg_size); s = string_append(s, &size, &sptr, 2, US" S=", big_buffer); @@ -3949,7 +3970,6 @@ for this message. */ XXX We do not handle queue-only, freezing, or blackholes. */ -cutthrough_done = NOT_TRIED; if(cutthrough_fd >= 0) { uschar * msg= cutthrough_finaldot(); /* Ask the target system to accept the messsage */ 
@@ -3972,11 +3992,11 @@ if(cutthrough_fd >= 0) } } -if(smtp_reply == NULL -#ifdef EXPERIMENTAL_PRDR - || prdr_requested +#ifndef DISABLE_PRDR +if(!smtp_reply || prdr_requested) +#else +if(!smtp_reply) #endif - ) { log_write(0, LOG_MAIN | (((log_extra_selector & LX_received_recipients) != 0)? LOG_RECIPIENTS : 0) | diff --git a/src/src/route.c b/src/src/route.c index f8f3b86a5..6ba1d9f10 100644 --- a/src/src/route.c +++ b/src/src/route.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2009 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions concerned with routing, and the list of generic router options. */ @@ -58,6 +58,10 @@ optionlist optionlist_routers[] = { (void *)offsetof(router_instance, domains) }, { "driver", opt_stringptr|opt_public, (void *)offsetof(router_instance, driver_name) }, + #ifdef EXPERIMENTAL_DSN + { "dsn_lasthop", opt_bool|opt_public, + (void *)offsetof(router_instance, dsn_lasthop) }, + #endif { "errors_to", opt_stringptr|opt_public, (void *)(offsetof(router_instance, errors_to)) }, { "expn", opt_bool|opt_public, @@ -270,6 +274,15 @@ for (r = routers; r != NULL; r = r->next) if (r->pass_router_name != NULL) set_router(r, r->pass_router_name, &(r->pass_router), TRUE); + + #ifdef EXPERIMENTAL_DSN + DEBUG(D_route) { + if (r->dsn_lasthop == FALSE) + debug_printf("DSN: %s propagating DSN\n", r->name); + else + debug_printf("DSN: %s lasthop set\n", r->name); + } + #endif } } @@ -1412,6 +1425,10 @@ new->p.errors_address = parent->p.errors_address; copyflag(new, addr, af_propagate); new->p.address_data = addr->p.address_data; +#ifdef EXPERIMENTAL_DSN +new->dsn_flags = addr->dsn_flags; +new->dsn_orcpt = addr->dsn_orcpt; +#endif /* As it has turned out, we haven't set headers_add or headers_remove for the 
@@ -1719,6 +1736,17 @@ for (r = (addr->start_router == NULL)? routers : addr->start_router; /* Run the router, and handle the consequences. */ +#ifdef EXPERIMENTAL_DSN +/* ... but let us check on DSN before. If this should be the last hop for DSN + set flag +*/ + if ((r->dsn_lasthop == TRUE) && ((addr->dsn_flags & rf_dsnlasthop) == 0)) + { + addr->dsn_flags |= rf_dsnlasthop; + HDEBUG(D_route) debug_printf("DSN: last hop for %s\n", addr->address); + } +#endif + HDEBUG(D_route) debug_printf("calling %s router\n", r->name); yield = (r->info->code)(r, addr, pw, verify, paddr_local, paddr_remote, @@ -1941,6 +1969,7 @@ DEBUG(D_route) if (h->mx >= 0) debug_printf(" MX=%d", h->mx); else if (h->mx != MX_NONE) debug_printf(" rgroup=%d", h->mx); if (h->port != PORT_NONE) debug_printf(" port=%d", h->port); + /* if (h->dnssec != DS_UNK) debug_printf(" dnssec=%s", h->dnssec==DS_YES ? "yes" : "no"); */ debug_printf("\n"); } } diff --git a/src/src/routers/dnslookup.c b/src/src/routers/dnslookup.c index 057a2a15d..c8fd3f991 100644 --- a/src/src/routers/dnslookup.c +++ b/src/src/routers/dnslookup.c @@ -18,6 +18,10 @@ optionlist dnslookup_router_options[] = { (void *)(offsetof(dnslookup_router_options_block, check_secondary_mx)) }, { "check_srv", opt_stringptr, (void *)(offsetof(dnslookup_router_options_block, check_srv)) }, + { "dnssec_request_domains", opt_stringptr, + (void *)(offsetof(dnslookup_router_options_block, dnssec_request_domains)) }, + { "dnssec_require_domains", opt_stringptr, + (void *)(offsetof(dnslookup_router_options_block, dnssec_require_domains)) }, { "mx_domains", opt_stringptr, (void *)(offsetof(dnslookup_router_options_block, mx_domains)) }, { "mx_fail_domains", opt_stringptr, @@ -53,7 +57,9 @@ dnslookup_router_options_block dnslookup_router_option_defaults = { NULL, /* mx_domains */ NULL, /* mx_fail_domains */ NULL, /* srv_fail_domains */ - NULL /* check_srv */ + NULL, /* check_srv */ + NULL, /* dnssec_request_domains */ + NULL /* dnssec_require_domains */ }; 
@@ -261,7 +267,9 @@ for (;;) } rc = host_find_bydns(&h, rblock->ignore_target_hosts, flags, srv_service, - ob->srv_fail_domains, ob->mx_fail_domains, &fully_qualified_name, &removed); + ob->srv_fail_domains, ob->mx_fail_domains, + ob->dnssec_request_domains, ob->dnssec_require_domains, + &fully_qualified_name, &removed); if (removed) setflag(addr, af_local_host_removed); /* If host found with only address records, test for the domain's being in diff --git a/src/src/routers/dnslookup.h b/src/src/routers/dnslookup.h index b0c384367..518b7f478 100644 --- a/src/src/routers/dnslookup.h +++ b/src/src/routers/dnslookup.h @@ -17,6 +17,8 @@ typedef struct { uschar *mx_fail_domains; uschar *srv_fail_domains; uschar *check_srv; + uschar *dnssec_request_domains; + uschar *dnssec_require_domains; } dnslookup_router_options_block; /* Data for reading the private options. */ diff --git a/src/src/routers/rf_get_munge_headers.c b/src/src/routers/rf_get_munge_headers.c index 76e87e9c7..a4a13b04f 100644 --- a/src/src/routers/rf_get_munge_headers.c +++ b/src/src/routers/rf_get_munge_headers.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2009 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ #include "../exim.h" @@ -13,7 +13,7 @@ * Get additional headers for a router * *************************************************/ -/* This function is called by both routers to sort out the additional headers +/* This function is called by routers to sort out the additional headers and header remove list for a particular address. Arguments: 
@@ -32,83 +32,78 @@ rf_get_munge_headers(address_item *addr, router_instance *rblock, header_line **extra_headers, uschar **remove_headers) { /* Default is to retain existing headers */ - *extra_headers = addr->p.extra_headers; -if (rblock->extra_headers != NULL) +if (rblock->extra_headers) { - header_line *h; - uschar *s = expand_string(rblock->extra_headers); + uschar * list = rblock->extra_headers; + int sep = '\n'; + uschar * s; + int slen; - if (s == NULL) - { - if (!expand_string_forcedfail) + while ((s = string_nextinlist(&list, &sep, NULL, 0))) + if (!(s = expand_string(s))) { - addr->message = string_sprintf("%s router failed to expand \"%s\": %s", - rblock->name, rblock->extra_headers, expand_string_message); - return DEFER; + if (!expand_string_forcedfail) + { + addr->message = string_sprintf("%s router failed to expand \"%s\": %s", + rblock->name, rblock->extra_headers, expand_string_message); + return DEFER; + } } - } - - /* Expand succeeded. Put extra header at the start of the chain because - further down it may point to headers from other routers, which may be - shared with other addresses. The output function outputs them in reverse - order. */ - - else - { - int slen = Ustrlen(s); - if (slen > 0) + else if ((slen = Ustrlen(s)) > 0) { - h = store_get(sizeof(header_line)); + /* Expand succeeded. Put extra headers at the start of the chain because + further down it may point to headers from other routers, which may be + shared with other addresses. The output function outputs them in reverse + order. */ + + header_line * h = store_get(sizeof(header_line)); /* We used to use string_sprintf() to add the newline if needed, but that causes problems if the header line is exceedingly long (e.g. adding something to a pathologically long line). So avoid it. 
*/ if (s[slen-1] == '\n') - { - h->text = s; - } + h->text = s; else - { - h->text = store_get(slen+2); - memcpy(h->text, s, slen); - h->text[slen++] = '\n'; - h->text[slen] = 0; - } - - h->next = addr->p.extra_headers; + { + h->text = store_get(slen+2); + memcpy(h->text, s, slen); + h->text[slen++] = '\n'; + h->text[slen] = 0; + } + + h->next = *extra_headers; h->type = htype_other; h->slen = slen; *extra_headers = h; } - } } /* Default is to retain existing removes */ - *remove_headers = addr->p.remove_headers; -if (rblock->remove_headers != NULL) +/* Expand items from colon-sep list separately, then build new list */ +if (rblock->remove_headers) { - uschar *s = expand_string(rblock->remove_headers); - if (s == NULL) - { - if (!expand_string_forcedfail) + uschar * list = rblock->remove_headers; + int sep = ':'; + uschar * s; + uschar buffer[128]; + + while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer)))) + if (!(s = expand_string(s))) { - addr->message = string_sprintf("%s router failed to expand \"%s\": %s", - rblock->name, rblock->remove_headers, expand_string_message); - return DEFER; + if (!expand_string_forcedfail) + { + addr->message = string_sprintf("%s router failed to expand \"%s\": %s", + rblock->name, rblock->remove_headers, expand_string_message); + return DEFER; + } } - } - else if (*s != 0) - { - if (addr->p.remove_headers == NULL) - *remove_headers = s; - else - *remove_headers = string_sprintf("%s : %s", addr->p.remove_headers, s); - } + else if (*s) + *remove_headers = string_append_listele(*remove_headers, ':', s); } return OK; diff --git a/src/src/routers/rf_lookup_hostlist.c b/src/src/routers/rf_lookup_hostlist.c index eadcd5df7..0eae31e61 100644 --- a/src/src/routers/rf_lookup_hostlist.c +++ b/src/src/routers/rf_lookup_hostlist.c 
@@ -94,6 +94,8 @@ for (h = addr->host_list; h != NULL; h = next_h) NULL, /* SRV service not relevant */ NULL, /* failing srv domains not relevant */ NULL, /* no special mx failing domains */ + NULL, /* no dnssec request XXX ? */ + NULL, /* no dnssec require XXX ? */ NULL, /* fully_qualified_name */ NULL); /* indicate local host removed */ } @@ -117,7 +119,9 @@ for (h = addr->host_list; h != NULL; h = next_h) BOOL removed; DEBUG(D_route|D_host_lookup) debug_printf("doing DNS lookup\n"); rc = host_find_bydns(h, ignore_target_hosts, HOST_FIND_BY_A, NULL, NULL, - NULL, &canonical_name, &removed); + NULL, + NULL, NULL, /*XXX dnssec? */ + &canonical_name, &removed); if (rc == HOST_FOUND) { if (removed) setflag(addr, af_local_host_removed); diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 4740aa5ff..4ea6cd404 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions for handling an incoming SMTP call. */ @@ -94,6 +94,10 @@ enum { QUIT_CMD, HELP_CMD, +#ifdef EXPERIMENTAL_PROXY + PROXY_FAIL_IGNORE_CMD, +#endif + /* These are specials that don't correspond to actual commands */ EOF_CMD, OTHER_CMD, BADARG_CMD, BADCHAR_CMD, BADSYN_CMD, @@ -117,6 +121,9 @@ static BOOL auth_advertised; #ifdef SUPPORT_TLS static BOOL tls_advertised; #endif +#ifdef EXPERIMENTAL_DSN +static BOOL dsn_advertised; +#endif static BOOL esmtp; static BOOL helo_required = FALSE; static BOOL helo_verify = FALSE; 
@@ -210,8 +217,11 @@ static uschar *protocols[] = { /* Sanity check and validate optional args to MAIL FROM: envelope */ enum { ENV_MAIL_OPT_SIZE, ENV_MAIL_OPT_BODY, ENV_MAIL_OPT_AUTH, -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR ENV_MAIL_OPT_PRDR, +#endif +#ifdef EXPERIMENTAL_DSN + ENV_MAIL_OPT_RET, ENV_MAIL_OPT_ENVID, #endif ENV_MAIL_OPT_NULL }; @@ -225,8 +235,12 @@ static env_mail_type_t env_mail_type_list[] = { { US"SIZE", ENV_MAIL_OPT_SIZE, TRUE }, { US"BODY", ENV_MAIL_OPT_BODY, TRUE }, { US"AUTH", ENV_MAIL_OPT_AUTH, TRUE }, -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR { US"PRDR", ENV_MAIL_OPT_PRDR, FALSE }, +#endif +#ifdef EXPERIMENTAL_DSN + { US"RET", ENV_MAIL_OPT_RET, TRUE }, + { US"ENVID", ENV_MAIL_OPT_ENVID, TRUE }, #endif { US"NULL", ENV_MAIL_OPT_NULL, FALSE } }; 
@@ -549,6 +563,375 @@ exim_exit(EXIT_FAILURE); +#ifdef EXPERIMENTAL_PROXY +/************************************************* +* Restore socket timeout to previous value * +*************************************************/ +/* If the previous value was successfully retrieved, restore +it before returning control to the non-proxy routines + +Arguments: fd - File descriptor for input + get_ok - Successfully retrieved previous values + tvtmp - Time struct with previous values + vslen - Length of time struct +Returns: none +*/ +static void +restore_socket_timeout(int fd, int get_ok, struct timeval tvtmp, socklen_t vslen) +{ +if (get_ok == 0) + setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tvtmp, vslen); +} + +/************************************************* +* Check if host is required proxy host * +*************************************************/ +/* The function determines if inbound host will be a regular smtp host +or if it is configured that it must use Proxy Protocol. + +Arguments: none +Returns: bool +*/ + +static BOOL +check_proxy_protocol_host() +{ +int rc; +/* Cannot configure local connection as a proxy inbound */ +if (sender_host_address == NULL) return proxy_session; + +rc = verify_check_this_host(&proxy_required_hosts, NULL, NULL, + sender_host_address, NULL); +if (rc == OK) + { + DEBUG(D_receive) + debug_printf("Detected proxy protocol configured host\n"); + proxy_session = TRUE; + } +return proxy_session; +} + + +/************************************************* +* Setup host for proxy protocol * +*************************************************/ +/* The function configures the connection based on a header from the +inbound host to use Proxy Protocol. The specification is very exact +so exit with an error if do not find the exact required pieces. This +includes an incorrect number of spaces separating args. 
+ +Arguments: none +Returns: int +*/ + +static BOOL +setup_proxy_protocol_host() +{ +union { + struct { + uschar line[108]; + } v1; + struct { + uschar sig[12]; + uint8_t ver_cmd; + uint8_t fam; + uint16_t len; + union { + struct { /* TCP/UDP over IPv4, len = 12 */ + uint32_t src_addr; + uint32_t dst_addr; + uint16_t src_port; + uint16_t dst_port; + } ip4; + struct { /* TCP/UDP over IPv6, len = 36 */ + uint8_t src_addr[16]; + uint8_t dst_addr[16]; + uint16_t src_port; + uint16_t dst_port; + } ip6; + struct { /* AF_UNIX sockets, len = 216 */ + uschar src_addr[108]; + uschar dst_addr[108]; + } unx; + } addr; + } v2; +} hdr; + +/* Temp variables used in PPv2 address:port parsing */ +uint16_t tmpport; +char tmpip[INET_ADDRSTRLEN]; +struct sockaddr_in tmpaddr; +char tmpip6[INET6_ADDRSTRLEN]; +struct sockaddr_in6 tmpaddr6; + +int get_ok = 0; +int size, ret, fd; +const char v2sig[12] = "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A"; +uschar *iptype; /* To display debug info */ +struct timeval tv; +socklen_t vslen = 0; +struct timeval tvtmp; + +vslen = sizeof(struct timeval); + +fd = fileno(smtp_in); + +/* Save current socket timeout values */ +get_ok = getsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tvtmp, + &vslen); + +/* Proxy Protocol host must send header within a short time +(default 3 seconds) or it's considered invalid */ +tv.tv_sec = PROXY_NEGOTIATION_TIMEOUT_SEC; +tv.tv_usec = PROXY_NEGOTIATION_TIMEOUT_USEC; +setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tv, + sizeof(struct timeval)); + +do + { + /* The inbound host was declared to be a Proxy Protocol host, so + don't do a PEEK into the data, actually slurp it up. */ + ret = recv(fd, &hdr, sizeof(hdr), 0); + } + while (ret == -1 && errno == EINTR); + +if (ret == -1) + { + restore_socket_timeout(fd, get_ok, tvtmp, vslen); + return (errno == EAGAIN) ? 
0 : ERRNO_PROXYFAIL; + } + +if (ret >= 16 && + memcmp(&hdr.v2, v2sig, 12) == 0) + { + uint8_t ver, cmd; + + /* May 2014: haproxy combined the version and command into one byte to + allow two full bytes for the length field in order to proxy SSL + connections. SSL Proxy is not supported in this version of Exim, but + must still seperate values here. */ + ver = (hdr.v2.ver_cmd & 0xf0) >> 4; + cmd = (hdr.v2.ver_cmd & 0x0f); + + if (ver != 0x02) + { + DEBUG(D_receive) debug_printf("Invalid Proxy Protocol version: %d\n", ver); + goto proxyfail; + } + DEBUG(D_receive) debug_printf("Detected PROXYv2 header\n"); + /* The v2 header will always be 16 bytes per the spec. */ + size = 16 + hdr.v2.len; + if (ret < size) + { + DEBUG(D_receive) debug_printf("Truncated or too large PROXYv2 header (%d/%d)\n", + ret, size); + goto proxyfail; + } + switch (cmd) + { + case 0x01: /* PROXY command */ + switch (hdr.v2.fam) + { + case 0x11: /* TCPv4 address type */ + iptype = US"IPv4"; + tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.src_addr; + inet_ntop(AF_INET, &(tmpaddr.sin_addr), (char *)&tmpip, sizeof(tmpip)); + if (!string_is_ip_address(US tmpip,NULL)) + { + DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype); + return ERRNO_PROXYFAIL; + } + proxy_host_address = sender_host_address; + sender_host_address = string_copy(US tmpip); + tmpport = ntohs(hdr.v2.addr.ip4.src_port); + proxy_host_port = sender_host_port; + sender_host_port = tmpport; + /* Save dest ip/port */ + tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.dst_addr; + inet_ntop(AF_INET, &(tmpaddr.sin_addr), (char *)&tmpip, sizeof(tmpip)); + if (!string_is_ip_address(US tmpip,NULL)) + { + DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype); + return ERRNO_PROXYFAIL; + } + proxy_target_address = string_copy(US tmpip); + tmpport = ntohs(hdr.v2.addr.ip4.dst_port); + proxy_target_port = tmpport; + goto done; + case 0x21: /* TCPv6 address type */ + iptype = US"IPv6"; + memmove(tmpaddr6.sin6_addr.s6_addr, 
hdr.v2.addr.ip6.src_addr, 16); + inet_ntop(AF_INET6, &(tmpaddr6.sin6_addr), (char *)&tmpip6, sizeof(tmpip6)); + if (!string_is_ip_address(US tmpip6,NULL)) + { + DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype); + return ERRNO_PROXYFAIL; + } + proxy_host_address = sender_host_address; + sender_host_address = string_copy(US tmpip6); + tmpport = ntohs(hdr.v2.addr.ip6.src_port); + proxy_host_port = sender_host_port; + sender_host_port = tmpport; + /* Save dest ip/port */ + memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.dst_addr, 16); + inet_ntop(AF_INET6, &(tmpaddr6.sin6_addr), (char *)&tmpip6, sizeof(tmpip6)); + if (!string_is_ip_address(US tmpip6,NULL)) + { + DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype); + return ERRNO_PROXYFAIL; + } + proxy_target_address = string_copy(US tmpip6); + tmpport = ntohs(hdr.v2.addr.ip6.dst_port); + proxy_target_port = tmpport; + goto done; + default: + DEBUG(D_receive) + debug_printf("Unsupported PROXYv2 connection type: 0x%02x\n", + hdr.v2.fam); + goto proxyfail; + } + /* Unsupported protocol, keep local connection address */ + break; + case 0x00: /* LOCAL command */ + /* Keep local connection address for LOCAL */ + break; + default: + DEBUG(D_receive) + debug_printf("Unsupported PROXYv2 command: 0x%x\n", cmd); + goto proxyfail; + } + } +else if (ret >= 8 && + memcmp(hdr.v1.line, "PROXY", 5) == 0) + { + uschar *p = string_copy(hdr.v1.line); + uschar *end = memchr(p, '\r', ret - 1); + uschar *sp; /* Utility variables follow */ + int tmp_port; + char *endc; + + if (!end || end[1] != '\n') + { + DEBUG(D_receive) debug_printf("Partial or invalid PROXY header\n"); + goto proxyfail; + } + *end = '\0'; /* Terminate the string */ + size = end + 2 - hdr.v1.line; /* Skip header + CRLF */ + DEBUG(D_receive) debug_printf("Detected PROXYv1 header\n"); + /* Step through the string looking for the required fields. Ensure + strict adherance to required formatting, exit for any error. 
*/ + p += 5; + if (!isspace(*(p++))) + { + DEBUG(D_receive) debug_printf("Missing space after PROXY command\n"); + goto proxyfail; + } + if (!Ustrncmp(p, CCS"TCP4", 4)) + iptype = US"IPv4"; + else if (!Ustrncmp(p,CCS"TCP6", 4)) + iptype = US"IPv6"; + else if (!Ustrncmp(p,CCS"UNKNOWN", 7)) + { + iptype = US"Unknown"; + goto done; + } + else + { + DEBUG(D_receive) debug_printf("Invalid TCP type\n"); + goto proxyfail; + } + + p += Ustrlen(iptype); + if (!isspace(*(p++))) + { + DEBUG(D_receive) debug_printf("Missing space after TCP4/6 command\n"); + goto proxyfail; + } + /* Find the end of the arg */ + if ((sp = Ustrchr(p, ' ')) == NULL) + { + DEBUG(D_receive) + debug_printf("Did not find proxied src %s\n", iptype); + goto proxyfail; + } + *sp = '\0'; + if(!string_is_ip_address(p,NULL)) + { + DEBUG(D_receive) + debug_printf("Proxied src arg is not an %s address\n", iptype); + goto proxyfail; + } + proxy_host_address = sender_host_address; + sender_host_address = p; + p = sp + 1; + if ((sp = Ustrchr(p, ' ')) == NULL) + { + DEBUG(D_receive) + debug_printf("Did not find proxy dest %s\n", iptype); + goto proxyfail; + } + *sp = '\0'; + if(!string_is_ip_address(p,NULL)) + { + DEBUG(D_receive) + debug_printf("Proxy dest arg is not an %s address\n", iptype); + goto proxyfail; + } + proxy_target_address = p; + p = sp + 1; + if ((sp = Ustrchr(p, ' ')) == NULL) + { + DEBUG(D_receive) debug_printf("Did not find proxied src port\n"); + goto proxyfail; + } + *sp = '\0'; + tmp_port = strtol(CCS p,&endc,10); + if (*endc || tmp_port == 0) + { + DEBUG(D_receive) + debug_printf("Proxied src port '%s' not an integer\n", p); + goto proxyfail; + } + proxy_host_port = sender_host_port; + sender_host_port = tmp_port; + p = sp + 1; + if ((sp = Ustrchr(p, '\0')) == NULL) + { + DEBUG(D_receive) debug_printf("Did not find proxy dest port\n"); + goto proxyfail; + } + tmp_port = strtol(CCS p,&endc,10); + if (*endc || tmp_port == 0) + { + DEBUG(D_receive) + debug_printf("Proxy dest port '%s' not an 
integer\n", p); + goto proxyfail; + } + proxy_target_port = tmp_port; + /* Already checked for /r /n above. Good V1 header received. */ + goto done; + } +else + { + /* Wrong protocol */ + DEBUG(D_receive) debug_printf("Invalid proxy protocol version negotiation\n"); + goto proxyfail; + } + +proxyfail: +restore_socket_timeout(fd, get_ok, tvtmp, vslen); +/* Don't flush any potential buffer contents. Any input should cause a + synchronization failure */ +return FALSE; + +done: +restore_socket_timeout(fd, get_ok, tvtmp, vslen); +DEBUG(D_receive) + debug_printf("Valid %s sender from Proxy Protocol header\n", iptype); +return proxy_session; +} +#endif + /************************************************* * Read one command line * *************************************************/ @@ -622,6 +1005,14 @@ if required. */ for (p = cmd_list; p < cmd_list_end; p++) { + #ifdef EXPERIMENTAL_PROXY + /* Only allow QUIT command if Proxy Protocol parsing failed */ + if (proxy_session && proxy_session_failed) + { + if (p->cmd != QUIT_CMD) + continue; + } + #endif if (strncmpic(smtp_cmd_buffer, US p->name, p->len) == 0 && (smtp_cmd_buffer[p->len-1] == ':' || /* "mail from:" or "rcpt to:" */ smtp_cmd_buffer[p->len] == 0 || @@ -669,6 +1060,12 @@ for (p = cmd_list; p < cmd_list_end; p++) } } +#ifdef EXPERIMENTAL_PROXY +/* Only allow QUIT command if Proxy Protocol parsing failed */ +if (proxy_session && proxy_session_failed) + return PROXY_FAIL_IGNORE_CMD; +#endif + /* Enforce synchronization for unknown commands */ if (smtp_inptr < smtp_inend && /* Outstanding input */ 
@@ -825,6 +1222,45 @@ return string_sprintf("SMTP connection from %s", hostname); +#ifdef SUPPORT_TLS +/* Append TLS-related information to a log line + +Arguments: + s String under construction: allocated string to extend, or NULL + sizep Pointer to current allocation size (update on return), or NULL + ptrp Pointer to index for new entries in string (update on return), or NULL + +Returns: Allocated string or NULL +*/ +static uschar * +s_tlslog(uschar * s, int * sizep, int * ptrp) +{ + int size = sizep ? *sizep : 0; + int ptr = ptrp ? *ptrp : 0; + + if ((log_extra_selector & LX_tls_cipher) != 0 && tls_in.cipher != NULL) + s = string_append(s, &size, &ptr, 2, US" X=", tls_in.cipher); + if ((log_extra_selector & LX_tls_certificate_verified) != 0 && + tls_in.cipher != NULL) + s = string_append(s, &size, &ptr, 2, US" CV=", + tls_in.certificate_verified? "yes":"no"); + if ((log_extra_selector & LX_tls_peerdn) != 0 && tls_in.peerdn != NULL) + s = string_append(s, &size, &ptr, 3, US" DN=\"", + string_printing(tls_in.peerdn), US"\""); + if ((log_extra_selector & LX_tls_sni) != 0 && tls_in.sni != NULL) + s = string_append(s, &size, &ptr, 3, US" SNI=\"", + string_printing(tls_in.sni), US"\""); + + if (s) + { + s[ptr] = '\0'; + if (sizep) *sizep = size; + if (ptrp) *ptrp = ptr; + } + return s; +} +#endif + /************************************************* * Log lack of MAIL if so configured * *************************************************/ 
@@ -857,18 +1293,7 @@ if (sender_host_authenticated != NULL) } #ifdef SUPPORT_TLS -if ((log_extra_selector & LX_tls_cipher) != 0 && tls_in.cipher != NULL) - s = string_append(s, &size, &ptr, 2, US" X=", tls_in.cipher); -if ((log_extra_selector & LX_tls_certificate_verified) != 0 && - tls_in.cipher != NULL) - s = string_append(s, &size, &ptr, 2, US" CV=", - tls_in.certificate_verified? "yes":"no"); -if ((log_extra_selector & LX_tls_peerdn) != 0 && tls_in.peerdn != NULL) - s = string_append(s, &size, &ptr, 3, US" DN=\"", - string_printing(tls_in.peerdn), US"\""); -if ((log_extra_selector & LX_tls_sni) != 0 && tls_in.sni != NULL) - s = string_append(s, &size, &ptr, 3, US" SNI=\"", - string_printing(tls_in.sni), US"\""); +s = s_tlslog(s, &size, &ptr); #endif sep = (smtp_connection_had[SMTP_HBUFF_SIZE-1] != SCH_NONE)? @@ -1073,6 +1498,13 @@ sender_address_unrewritten = NULL; /* Set only after verify rewrite */ sender_verified_list = NULL; /* No senders verified */ memset(sender_address_cache, 0, sizeof(sender_address_cache)); memset(sender_domain_cache, 0, sizeof(sender_domain_cache)); + +#ifdef EXPERIMENTAL_DSN +/* Reset the DSN flags */ +dsn_ret = 0; +dsn_envid = NULL; +#endif + authenticated_sender = NULL; #ifdef EXPERIMENTAL_BRIGHTMAIL bmi_run = 0; @@ -1417,8 +1849,14 @@ authenticated_by = NULL; #ifdef SUPPORT_TLS tls_in.cipher = tls_in.peerdn = NULL; +tls_in.ourcert = tls_in.peercert = NULL; +tls_in.sni = NULL; +tls_in.ocsp = OCSP_NOT_REQ; tls_advertised = FALSE; #endif +#ifdef EXPERIMENTAL_DSN +dsn_advertised = FALSE; +#endif /* Reset ACL connection variables */ 
@@ -1832,6 +2270,28 @@ if (!sender_host_unknown) if (smtp_batched_input) return TRUE; +#ifdef EXPERIMENTAL_PROXY +/* If valid Proxy Protocol source is connecting, set up session. + * Failure will not allow any SMTP function other than QUIT. */ +proxy_session = FALSE; +proxy_session_failed = FALSE; +if (check_proxy_protocol_host()) + { + if (setup_proxy_protocol_host() == FALSE) + { + proxy_session_failed = TRUE; + DEBUG(D_receive) + debug_printf("Failure to extract proxied host, only QUIT allowed\n"); + } + else + { + sender_host_name = NULL; + (void)host_name_lookup(); + host_build_sender_fullhost(); + } + } +#endif + /* Run the ACL if it exists */ user_msg = NULL; @@ -2211,7 +2671,7 @@ uschar *what = #endif (where == ACL_WHERE_PREDATA)? US"DATA" : (where == ACL_WHERE_DATA)? US"after DATA" : -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR (where == ACL_WHERE_PRDR)? US"after DATA PRDR" : #endif (smtp_cmd_data == NULL)? @@ -2334,9 +2794,17 @@ the connection is not forcibly to be dropped, return 0. Otherwise, log why it is closing if required and return 2. */ if (log_reject_target != 0) - log_write(0, log_reject_target, "%s %s%srejected %s%s", - host_and_ident(TRUE), + { +#ifdef SUPPORT_TLS + uschar * s = s_tlslog(NULL, NULL, NULL); + if (!s) s = US""; +#else + uschar * s = US""; +#endif + log_write(0, log_reject_target, "%s%s %s%srejected %s%s", + host_and_ident(TRUE), s, sender_info, (rc == FAIL)? US"" : US"temporarily ", what, log_msg); + } if (!drop) return 0; @@ -2594,7 +3062,6 @@ smtp_respond(code, len, TRUE, user_msg); - /************************************************* * Initialize for SMTP incoming message * *************************************************/ @@ -2679,6 +3146,10 @@ while (done <= 0) int ptr, size, rc; int c, i; auth_instance *au; +#ifdef EXPERIMENTAL_DSN + uschar *orcpt = NULL; + int flags; +#endif switch(smtp_read_command(TRUE)) { 
@@ -3023,6 +3494,9 @@ while (done <= 0) #ifdef SUPPORT_TLS tls_advertised = FALSE; #endif + #ifdef EXPERIMENTAL_DSN + dsn_advertised = FALSE; + #endif smtp_code = US"250 "; /* Default response code plus space*/ if (user_msg == NULL) @@ -3106,6 +3580,16 @@ while (done <= 0) s = string_cat(s, &size, &ptr, US"-8BITMIME\r\n", 11); } + #ifdef EXPERIMENTAL_DSN + /* Advertise DSN support if configured to do so. */ + if (verify_check_host(&dsn_advertise_hosts) != FAIL) + { + s = string_cat(s, &size, &ptr, smtp_code, 3); + s = string_cat(s, &size, &ptr, US"-DSN\r\n", 6); + dsn_advertised = TRUE; + } + #endif + /* Advertise ETRN if there's an ACL checking whether a host is permitted to issue it; a check is made when any host actually tries. */ @@ -3195,12 +3679,13 @@ while (done <= 0) } #endif - #ifdef EXPERIMENTAL_PRDR + #ifndef DISABLE_PRDR /* Per Recipient Data Response, draft by Eric A. Hall extending RFC */ - if (prdr_enable) { + if (prdr_enable) + { s = string_cat(s, &size, &ptr, smtp_code, 3); s = string_cat(s, &size, &ptr, US"-PRDR\r\n", 7); - } + } #endif /* Finish off the multiline reply with one that is always available. */ 
@@ -3360,6 +3845,45 @@ while (done <= 0) arg_error = TRUE; break; + #ifdef EXPERIMENTAL_DSN + + /* Handle the two DSN options, but only if configured to do so (which + will have caused "DSN" to be given in the EHLO response). The code itself + is included only if configured in at build time. */ + + case ENV_MAIL_OPT_RET: + if (dsn_advertised) { + /* Check if RET has already been set */ + if (dsn_ret > 0) { + synprot_error(L_smtp_syntax_error, 501, NULL, + US"RET can be specified once only"); + goto COMMAND_LOOP; + } + dsn_ret = (strcmpic(value, US"HDRS") == 0)? dsn_ret_hdrs : + (strcmpic(value, US"FULL") == 0)? dsn_ret_full : 0; + DEBUG(D_receive) debug_printf("DSN_RET: %d\n", dsn_ret); + /* Check for invalid invalid value, and exit with error */ + if (dsn_ret == 0) { + synprot_error(L_smtp_syntax_error, 501, NULL, + US"Value for RET is invalid"); + goto COMMAND_LOOP; + } + } + break; + case ENV_MAIL_OPT_ENVID: + if (dsn_advertised) { + /* Check if the dsn envid has been already set */ + if (dsn_envid != NULL) { + synprot_error(L_smtp_syntax_error, 501, NULL, + US"ENVID can be specified once only"); + goto COMMAND_LOOP; + } + dsn_envid = string_copy(value); + DEBUG(D_receive) debug_printf("DSN_ENVID: %s\n", dsn_envid); + } + break; + #endif + /* Handle the AUTH extension. If the value given is not "<>" and either the ACL says "yes" or there is no ACL but the sending host is authenticated, we set it up as the authenticated sender. However, if the @@ -3429,9 +3953,9 @@ while (done <= 0) } break; -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR case ENV_MAIL_OPT_PRDR: - if ( prdr_enable ) + if (prdr_enable) prdr_requested = TRUE; break; #endif 
@@ -3556,29 +4080,32 @@ while (done <= 0) when pipelining is not advertised, do another sync check in case the ACL delayed and the client started sending in the meantime. */ - if (acl_smtp_mail == NULL) rc = OK; else + if (acl_smtp_mail) { rc = acl_check(ACL_WHERE_MAIL, NULL, acl_smtp_mail, &user_msg, &log_msg); if (rc == OK && !pipelining_advertised && !check_sync()) goto SYNC_FAILURE; } + else + rc = OK; if (rc == OK || rc == DISCARD) { - if (user_msg == NULL) + if (!user_msg) smtp_printf("%s%s%s", US"250 OK", - #ifdef EXPERIMENTAL_PRDR - prdr_requested == TRUE ? US", PRDR Requested" : - #endif + #ifndef DISABLE_PRDR + prdr_requested ? US", PRDR Requested" : US"", + #else US"", + #endif US"\r\n"); else { - #ifdef EXPERIMENTAL_PRDR - if ( prdr_requested == TRUE ) + #ifndef DISABLE_PRDR + if (prdr_requested) user_msg = string_sprintf("%s%s", user_msg, US", PRDR Requested"); #endif - smtp_user_msg(US"250",user_msg); + smtp_user_msg(US"250", user_msg); } smtp_delay_rcpt = smtp_rlr_base; recipients_discarded = (rc == DISCARD); 
@@ -3633,6 +4160,86 @@ while (done <= 0) rcpt_fail_count++; break; } + + #ifdef EXPERIMENTAL_DSN + /* Set the DSN flags orcpt and dsn_flags from the session*/ + orcpt = NULL; + flags = 0; + + if (esmtp) for(;;) + { + uschar *name, *value, *end; + int size; + + if (!extract_option(&name, &value)) + { + break; + } + + if (dsn_advertised && strcmpic(name, US"ORCPT") == 0) + { + /* Check whether orcpt has been already set */ + if (orcpt != NULL) { + synprot_error(L_smtp_syntax_error, 501, NULL, + US"ORCPT can be specified once only"); + goto COMMAND_LOOP; + } + orcpt = string_copy(value); + DEBUG(D_receive) debug_printf("DSN orcpt: %s\n", orcpt); + } + + else if (dsn_advertised && strcmpic(name, US"NOTIFY") == 0) + { + /* Check if the notify flags have been already set */ + if (flags > 0) { + synprot_error(L_smtp_syntax_error, 501, NULL, + US"NOTIFY can be specified once only"); + goto COMMAND_LOOP; + } + if (strcmpic(value, US"NEVER") == 0) flags |= rf_notify_never; else + { + uschar *p = value; + while (*p != 0) + { + uschar *pp = p; + while (*pp != 0 && *pp != ',') pp++; + if (*pp == ',') *pp++ = 0; + if (strcmpic(p, US"SUCCESS") == 0) { + DEBUG(D_receive) debug_printf("DSN: Setting notify success\n"); + flags |= rf_notify_success; + } + else if (strcmpic(p, US"FAILURE") == 0) { + DEBUG(D_receive) debug_printf("DSN: Setting notify failure\n"); + flags |= rf_notify_failure; + } + else if (strcmpic(p, US"DELAY") == 0) { + DEBUG(D_receive) debug_printf("DSN: Setting notify delay\n"); + flags |= rf_notify_delay; + } + else { + /* Catch any strange values */ + synprot_error(L_smtp_syntax_error, 501, NULL, + US"Invalid value for NOTIFY parameter"); + goto COMMAND_LOOP; + } + p = pp; + } + DEBUG(D_receive) debug_printf("DSN Flags: %x\n", flags); + } + } + + /* Unknown option. Stick back the terminator characters and break + the loop. An error for a malformed address will occur. 
*/ + + else + { + DEBUG(D_receive) debug_printf("Invalid RCPT option: %s : %s\n", name, value); + name[-1] = ' '; + value[-1] = '='; + break; + } + } + #endif /* Apply SMTP rewriting then extract the working address. Don't allow "<>" as a recipient address */ @@ -3747,6 +4354,21 @@ while (done <= 0) if (user_msg == NULL) smtp_printf("250 Accepted\r\n"); else smtp_user_msg(US"250", user_msg); receive_add_recipient(recipient, -1); + + #ifdef EXPERIMENTAL_DSN + /* Set the dsn flags in the recipients_list */ + if (orcpt != NULL) + recipients_list[recipients_count-1].orcpt = orcpt; + else + recipients_list[recipients_count-1].orcpt = NULL; + + if (flags != 0) + recipients_list[recipients_count-1].dsn_flags = flags; + else + recipients_list[recipients_count-1].dsn_flags = 0; + DEBUG(D_receive) debug_printf("DSN: orcpt: %s flags: %d\n", recipients_list[recipients_count-1].orcpt, recipients_list[recipients_count-1].dsn_flags); + #endif + } /* The recipient was discarded */ @@ -4379,6 +5001,11 @@ while (done <= 0) done = 1; /* Pretend eof - drops connection */ break; + #ifdef EXPERIMENTAL_PROXY + case PROXY_FAIL_IGNORE_CMD: + smtp_printf("503 Command refused, required Proxy negotiation failed\r\n"); + break; + #endif default: if (unknown_command_count++ >= smtp_max_unknown_commands) @@ -4413,4 +5040,6 @@ while (done <= 0) return done - 2; /* Convert yield values */ } +/* vi: aw ai sw=2 +*/ /* End of smtp_in.c */ diff --git a/src/src/spf.c b/src/src/spf.c index 4bbabbf4c..7167f5778 100644 --- a/src/src/spf.c +++ b/src/src/spf.c @@ -3,7 +3,7 @@ *************************************************/ /* Experimental SPF support. - Copyright (c) Tom Kistner 2004 + Copyright (c) Tom Kistner 2004 - 2014 License: GPL */ /* Code for calling spf checks via libspf-alt. Called from acl.c. */ 
@@ -19,8 +19,10 @@ static spf_result_id spf_result_id_list[] = { { US"fail", 3 }, { US"softfail", 4 }, { US"none", 5 }, - { US"err_temp", 6 }, - { US"err_perm", 7 } + { US"err_temp", 6 }, /* Deprecated Apr 2014 */ + { US"err_perm", 7 }, /* Deprecated Apr 2014 */ + { US"temperror", 6 }, /* RFC 4408 defined */ + { US"permerror", 7 } /* RFC 4408 defined */ }; SPF_server_t *spf_server = NULL; diff --git a/src/src/spool_in.c b/src/src/spool_in.c index a546b6521..5e604fa15 100644 --- a/src/src/spool_in.c +++ b/src/src/spool_in.c @@ -285,14 +285,22 @@ dkim_collect_input = FALSE; #ifdef SUPPORT_TLS tls_in.certificate_verified = FALSE; tls_in.cipher = NULL; +tls_in.ourcert = NULL; +tls_in.peercert = NULL; tls_in.peerdn = NULL; tls_in.sni = NULL; +tls_in.ocsp = OCSP_NOT_REQ; #endif #ifdef WITH_CONTENT_SCAN spam_score_int = NULL; #endif +#ifdef EXPERIMENTAL_DSN +dsn_ret = 0; +dsn_envid = NULL; +#endif + /* Generate the full name and open the file. If message_subdir is already set, just look in the given directory. Otherwise, look in both the split and unsplit directories, as for the data file above. */ @@ -467,6 +475,17 @@ for (;;) case 'd': if (Ustrcmp(p, "eliver_firsttime") == 0) deliver_firsttime = TRUE; + #ifdef EXPERIMENTAL_DSN + /* Check if the dsn flags have been set in the header file */ + else if (Ustrncmp(p, "sn_ret", 6) == 0) + { + dsn_ret= atoi(big_buffer + 8); + } + else if (Ustrncmp(p, "sn_envid", 8) == 0) + { + dsn_envid = string_copy(big_buffer + 11); + } + #endif break; case 'f': 
@@ -548,10 +567,18 @@ for (;;) tls_in.certificate_verified = TRUE; else if (Ustrncmp(p, "ls_cipher", 9) == 0) tls_in.cipher = string_copy(big_buffer + 12); +#ifndef COMPILE_UTILITY + else if (Ustrncmp(p, "ls_ourcert", 10) == 0) + (void) tls_import_cert(big_buffer + 13, &tls_in.ourcert); + else if (Ustrncmp(p, "ls_peercert", 11) == 0) + (void) tls_import_cert(big_buffer + 14, &tls_in.peercert); +#endif else if (Ustrncmp(p, "ls_peerdn", 9) == 0) tls_in.peerdn = string_unprinting(string_copy(big_buffer + 12)); else if (Ustrncmp(p, "ls_sni", 6) == 0) tls_in.sni = string_unprinting(string_copy(big_buffer + 9)); + else if (Ustrncmp(p, "ls_ocsp", 7) == 0) + tls_in.ocsp = big_buffer[10] - '0'; break; #endif @@ -604,6 +631,10 @@ for (recipients_count = 0; recipients_count < rcount; recipients_count++) { int nn; int pno = -1; + #ifdef EXPERIMENTAL_DSN + int dsn_flags = 0; + uschar *orcpt = NULL; + #endif uschar *errors_to = NULL; uschar *p; @@ -646,6 +677,9 @@ for (recipients_count = 0; recipients_count < rcount; recipients_count++) ends with , where pno is the parent number for one_time addresses, and len is the length of the errors_to address (zero meaning none). + + Bit 02 indicates that, again reading from right to left, the data continues + with orcpt len(orcpt),dsn_flags */ while (isdigit(*p)) p--; @@ -676,6 +710,13 @@ for (recipients_count = 0; recipients_count < rcount; recipients_count++) else if (*p == '#') { int flags; + + #ifdef EXPERIMENTAL_DSN + #ifndef COMPILE_UTILITY + DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim 4 standard format spoolfile\n"); + #endif /* COMPILE_UTILITY */ + #endif + (void)sscanf(CS p+1, "%d", &flags); if ((flags & 0x01) != 0) /* one_time data exists */ 
@@ -688,15 +729,54 @@ for (recipients_count = 0; recipients_count < rcount; recipients_count++) { p -= len; errors_to = string_copy(p); - } + } } *(--p) = 0; /* Terminate address */ +#ifdef EXPERIMENTAL_DSN + if ((flags & 0x02) != 0) /* one_time data exists */ + { + int len; + while (isdigit(*(--p)) || *p == ',' || *p == '-'); + (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags); + *p = 0; + if (len > 0) + { + p -= len; + orcpt = string_copy(p); + } + } + + *(--p) = 0; /* Terminate address */ +#endif /* EXPERIMENTAL_DSN */ + } +#ifdef EXPERIMENTAL_DSN + #ifndef COMPILE_UTILITY + else + { + DEBUG(D_deliver) debug_printf("**** SPOOL_IN - No additional fields\n"); + } + + if ((orcpt != NULL) || (dsn_flags != 0)) + { + DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| orcpt: |%s| dsn_flags: %d\n", + big_buffer, orcpt, dsn_flags); } + if (errors_to != NULL) + { + DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| errorsto: |%s|\n", + big_buffer, errors_to); + } + #endif /* COMPILE_UTILITY */ +#endif /* EXPERIMENTAL_DSN */ recipients_list[recipients_count].address = string_copy(big_buffer); recipients_list[recipients_count].pno = pno; recipients_list[recipients_count].errors_to = errors_to; + #ifdef EXPERIMENTAL_DSN + recipients_list[recipients_count].orcpt = orcpt; + recipients_list[recipients_count].dsn_flags = dsn_flags; + #endif } /* The remainder of the spool header file contains the headers for the message, @@ -799,4 +879,6 @@ errno = ERRNO_SPOOLFORMAT; return inheader? spool_read_hdrerror : spool_read_enverror; } +/* vi: aw ai sw=2 +*/ /* End of spool_in.c */ diff --git a/src/src/spool_out.c b/src/src/spool_out.c index ce25a564e..01b70341d 100644 --- a/src/src/spool_out.c +++ b/src/src/spool_out.c 
@@ -229,9 +229,28 @@ if (bmi_verdicts != NULL) fprintf(f, "-bmi_verdicts %s\n", bmi_verdicts); #ifdef SUPPORT_TLS if (tls_in.certificate_verified) fprintf(f, "-tls_certificate_verified\n"); -if (tls_in.cipher != NULL) fprintf(f, "-tls_cipher %s\n", tls_in.cipher); -if (tls_in.peerdn != NULL) fprintf(f, "-tls_peerdn %s\n", string_printing(tls_in.peerdn)); -if (tls_in.sni != NULL) fprintf(f, "-tls_sni %s\n", string_printing(tls_in.sni)); +if (tls_in.cipher) fprintf(f, "-tls_cipher %s\n", tls_in.cipher); +if (tls_in.peercert) + { + (void) tls_export_cert(big_buffer, big_buffer_size, tls_in.peercert); + fprintf(f, "-tls_peercert %s\n", CS big_buffer); + } +if (tls_in.peerdn) fprintf(f, "-tls_peerdn %s\n", string_printing(tls_in.peerdn)); +if (tls_in.sni) fprintf(f, "-tls_sni %s\n", string_printing(tls_in.sni)); +if (tls_in.ourcert) + { + (void) tls_export_cert(big_buffer, big_buffer_size, tls_in.ourcert); + fprintf(f, "-tls_ourcert %s\n", CS big_buffer); + } +if (tls_in.ocsp) fprintf(f, "-tls_ocsp %d\n", tls_in.ocsp); +#endif + +#ifdef EXPERIMENTAL_DSN +/* Write the dsn flags to the spool header file */ +DEBUG(D_deliver) debug_printf("DSN: Write SPOOL :-dsn_envid %s\n", dsn_envid); +if (dsn_envid != NULL) fprintf(f, "-dsn_envid %s\n", dsn_envid); +DEBUG(D_deliver) debug_printf("DSN: Write SPOOL :-dsn_ret %d\n", dsn_ret); +if (dsn_ret != 0) fprintf(f, "-dsn_ret %d\n", dsn_ret); #endif /* To complete the envelope, write out the tree of non-recipients, followed by 
@@ -244,14 +263,34 @@ fprintf(f, "%d\n", recipients_count); for (i = 0; i < recipients_count; i++) { recipient_item *r = recipients_list + i; - if (r->pno < 0 && r->errors_to == NULL) +#ifdef EXPERIMENTAL_DSN +DEBUG(D_deliver) debug_printf("DSN: Flags :%d\n", r->dsn_flags); +#endif + if (r->pno < 0 && r->errors_to == NULL + #ifdef EXPERIMENTAL_DSN + && r->dsn_flags == 0 + #endif + ) fprintf(f, "%s\n", r->address); else { uschar *errors_to = (r->errors_to == NULL)? US"" : r->errors_to; + #ifdef EXPERIMENTAL_DSN + /* for DSN SUPPORT extend exim 4 spool in a compatible way by + adding new values upfront and add flag 0x02 */ + uschar *orcpt = (r->orcpt == NULL)? US"" : r->orcpt; + fprintf(f, "%s %s %d,%d %s %d,%d#3\n", r->address, orcpt, Ustrlen(orcpt), r->dsn_flags, + errors_to, Ustrlen(errors_to), r->pno); + #else fprintf(f, "%s %s %d,%d#1\n", r->address, errors_to, Ustrlen(errors_to), r->pno); + #endif } + + #ifdef EXPERIMENTAL_DSN + DEBUG(D_deliver) debug_printf("DSN: **** SPOOL_OUT - address: |%s| errorsto: |%s| orcpt: |%s| dsn_flags: %d\n", + r->address, r->errors_to, r->orcpt, r->dsn_flags); + #endif } /* Put a blank line before the headers */ diff --git a/src/src/string.c b/src/src/string.c index 0e73e2c79..0f657dcca 100644 --- a/src/src/string.c +++ b/src/src/string.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Miscellaneous string-handling functions. Some are not required for @@ -34,7 +34,7 @@ Returns: 0 if the string is not a textual representation of an IP address */ int -string_is_ip_address(uschar *s, int *maskptr) +string_is_ip_address(const uschar *s, int *maskptr) { int i; int yield = 4; 
@@ -44,7 +44,7 @@ offset. */ if (maskptr != NULL) { - uschar *ss = s + Ustrlen(s); + const uschar *ss = s + Ustrlen(s); *maskptr = 0; if (s != ss && isdigit(*(--ss))) { @@ -304,7 +304,7 @@ if (nonprintcount == 0) return s; /* Get a new block of store guaranteed big enough to hold the expanded string. */ -ss = store_get(length + nonprintcount * 4 + 1); +ss = store_get(length + nonprintcount * 3 + 1); /* Copy everying, escaping non printers. */ @@ -374,7 +374,8 @@ while (*p) { if (*p == '\\') { - *q = string_interpret_escape(&p); + *q++ = string_interpret_escape(&p); + p++; } else { @@ -716,7 +717,8 @@ uschar buffer[STRING_SPRINTF_BUFFER_SIZE]; va_start(ap, format); if (!string_vformat(buffer, sizeof(buffer), format, ap)) log_write(0, LOG_MAIN|LOG_PANIC_DIE, - "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer)); + "string_sprintf expansion was longer than " SIZE_T_FMT " (%s)", + sizeof(buffer), format); va_end(ap); return string_copy(buffer); } 
@@ -965,6 +967,50 @@ return buffer; #endif /* COMPILE_UTILITY */ +#ifndef COMPILE_UTILITY +/************************************************ +* Add element to seperated list * +************************************************/ +/* This function is used to build a list, returning +an allocated null-terminated growable string. The +given element has any embedded seperator characters +doubled. + +Arguments: + list points to the start of the list that is being built, or NULL + if this is a new list that has no contents yet + sep list seperator charactoer + ele new lement to be appended to the list + +Returns: pointer to the start of the list, changed if copied for expansion. +*/ + +uschar * +string_append_listele(uschar * list, uschar sep, const uschar * ele) +{ +uschar * new = NULL; +int sz = 0, off = 0; +uschar * sp; + +if (list) + { + new = string_cat(new, &sz, &off, list, Ustrlen(list)); + new = string_cat(new, &sz, &off, &sep, 1); + } + +while((sp = Ustrchr(ele, sep))) + { + new = string_cat(new, &sz, &off, ele, sp-ele+1); + new = string_cat(new, &sz, &off, &sep, 1); + ele = sp+1; + } +new = string_cat(new, &sz, &off, ele, Ustrlen(ele)); +new[off] = '\0'; +return new; +} +#endif /* COMPILE_UTILITY */ + + #ifndef COMPILE_UTILITY /************************************************* diff --git a/src/src/structs.h b/src/src/structs.h index baf9a0f85..71ac5d8e3 100644 --- a/src/src/structs.h +++ b/src/src/structs.h @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ 
@@ -55,6 +55,8 @@ typedef struct ugid_block { but also used when checking lists of hosts and when transporting. Looking up host addresses is done using this structure. */ +typedef enum {DS_UNK=-1, DS_NO, DS_YES} dnssec_status_t; + typedef struct host_item { struct host_item *next; uschar *name; /* Host name */ @@ -65,6 +67,7 @@ typedef struct host_item { int status; /* Usable, unusable, or unknown */ int why; /* Why host is unusable */ int last_try; /* Time of last try if known */ + dnssec_status_t dnssec; } host_item; /* Chain of rewrite rules, read from the rewrite config, or parsed from the @@ -282,6 +285,9 @@ typedef struct router_instance { BOOL verify_sender; /* Use this router when verifying a sender */ BOOL uid_set; /* Flag to indicate uid is set */ BOOL unseen; /* If TRUE carry on, even after success */ +#ifdef EXPERIMENTAL_DSN + BOOL dsn_lasthop; /* If TRUE, this router is a DSN endpoint */ +#endif int self_code; /* Encoded version of "self" */ uid_t uid; /* Fixed uid value */ @@ -485,7 +491,7 @@ typedef struct address_item_propagated { #define af_cert_verified 0x01000000 /* delivered with verified TLS cert */ #define af_pass_message 0x02000000 /* pass message in bounces */ #define af_bad_reply 0x04000000 /* filter could not generate autoreply */ -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR # define af_prdr_used 0x08000000 /* delivery used SMTP PRDR */ #endif #define af_force_command 0x10000000 /* force_command in pipe transport */ 
@@ -540,13 +546,22 @@ typedef struct address_item { #ifdef SUPPORT_TLS uschar *cipher; /* Cipher used for transport */ + void *ourcert; /* Certificate offered to peer, binary */ + void *peercert; /* Certificate from peer, binary */ uschar *peerdn; /* DN of server's certificate */ + int ocsp; /* OCSP status of peer cert */ #endif uschar *authenticator; /* auth driver name used by transport */ uschar *auth_id; /* auth "login" name used by transport */ uschar *auth_sndr; /* AUTH arg to SMTP MAIL, used by transport */ + #ifdef EXPERIMENTAL_DSN + uschar *dsn_orcpt; /* DSN orcpt value */ + int dsn_flags; /* DSN flags */ + int dsn_aware; /* DSN aware flag */ + #endif + uid_t uid; /* uid for transporting */ gid_t gid; /* gid for transporting */ diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 5a37fae56..5bdb21e6e 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Copyright (c) Phil Pennock 2012 */ @@ -43,6 +43,14 @@ require current GnuTLS, then we'll drop support for the ancient libraries). #if GNUTLS_VERSION_NUMBER >= 0x020c00 # include #endif +#if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP) +# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile" +# define DISABLE_OCSP +#endif + +#ifndef DISABLE_OCSP +# include +#endif /* GnuTLS 2 vs 3 
@@ -57,7 +65,12 @@ Changes: /* Values for verify_requirement */ -enum peer_verify_requirement { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED }; +enum peer_verify_requirement + { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED +#ifdef EXPERIMENTAL_CERTNAMES + ,VERIFY_WITHHOST +#endif + }; /* This holds most state for server or client; with this, we can set up an outbound TLS-enabled connection in an ACL callout, while not stomping all @@ -71,19 +84,20 @@ Not handled here: global tls_channelbinding_b64. */ typedef struct exim_gnutls_state { - gnutls_session_t session; + gnutls_session_t session; gnutls_certificate_credentials_t x509_cred; - gnutls_priority_t priority_cache; + gnutls_priority_t priority_cache; enum peer_verify_requirement verify_requirement; - int fd_in; - int fd_out; - BOOL peer_cert_verified; - BOOL trigger_sni_changes; - BOOL have_set_peerdn; + int fd_in; + int fd_out; + BOOL peer_cert_verified; + BOOL trigger_sni_changes; + BOOL have_set_peerdn; const struct host_item *host; - uschar *peerdn; - uschar *ciphersuite; - uschar *received_sni; + gnutls_x509_crt_t peercert; + uschar *peerdn; + uschar *ciphersuite; + uschar *received_sni; const uschar *tls_certificate; const uschar *tls_privatekey; @@ -91,12 +105,17 @@ typedef struct exim_gnutls_state { const uschar *tls_verify_certificates; const uschar *tls_crl; const uschar *tls_require_ciphers; + uschar *exp_tls_certificate; uschar *exp_tls_privatekey; uschar *exp_tls_sni; uschar *exp_tls_verify_certificates; uschar *exp_tls_crl; uschar *exp_tls_require_ciphers; + uschar *exp_tls_ocsp_file; +#ifdef EXPERIMENTAL_CERTNAMES + uschar *exp_tls_verify_cert_hostnames; +#endif tls_support *tlsp; /* set in tls_init() */ 
@@ -111,7 +130,10 @@ static const exim_gnutls_state_st exim_gnutls_state_init = { NULL, NULL, NULL, VERIFY_NONE, -1, -1, FALSE, FALSE, FALSE, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, NULL, NULL, NULL, +#ifdef EXPERIMENTAL_CERTNAMES + NULL, +#endif NULL, NULL, 0, 0, 0, 0, }; @@ -173,18 +195,18 @@ before, for now. */ #define expand_check_tlsvar(Varname) expand_check(state->Varname, US #Varname, &state->exp_##Varname) #if GNUTLS_VERSION_NUMBER >= 0x020c00 -#define HAVE_GNUTLS_SESSION_CHANNEL_BINDING -#define HAVE_GNUTLS_SEC_PARAM_CONSTANTS -#define HAVE_GNUTLS_RND +# define HAVE_GNUTLS_SESSION_CHANNEL_BINDING +# define HAVE_GNUTLS_SEC_PARAM_CONSTANTS +# define HAVE_GNUTLS_RND /* The security fix we provide with the gnutls_allow_auto_pkcs11 option * (4.82 PP/09) introduces a compatibility regression. The symbol simply * isn't available sometimes, so this needs to become a conditional * compilation; the sanest way to deal with this being a problem on * older OSes is to block it in the Local/Makefile with this compiler * definition */ -#ifndef AVOID_GNUTLS_PKCS11 -#define HAVE_GNUTLS_PKCS11 -#endif /* AVOID_GNUTLS_PKCS11 */ +# ifndef AVOID_GNUTLS_PKCS11 +# define HAVE_GNUTLS_PKCS11 +# endif /* AVOID_GNUTLS_PKCS11 */ #endif @@ -199,6 +221,10 @@ static void exim_gnutls_logger_cb(int level, const char *message); static int exim_sni_handling_cb(gnutls_session_t session); +#ifndef DISABLE_OCSP +static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr, + gnutls_datum_t * ocsp_response); +#endif 
@@ -285,12 +311,40 @@ tls_error(when, msg, state->host); * Set various Exim expansion vars * *************************************************/ +#define exim_gnutls_cert_err(Label) \ + do \ + { \ + if (rc != GNUTLS_E_SUCCESS) \ + { \ + DEBUG(D_tls) debug_printf("TLS: cert problem: %s: %s\n", \ + (Label), gnutls_strerror(rc)); \ + return rc; \ + } \ + } while (0) + +static int +import_cert(const gnutls_datum * cert, gnutls_x509_crt_t * crtp) +{ +int rc; + +rc = gnutls_x509_crt_init(crtp); +exim_gnutls_cert_err(US"gnutls_x509_crt_init (crt)"); + +rc = gnutls_x509_crt_import(*crtp, cert, GNUTLS_X509_FMT_DER); +exim_gnutls_cert_err(US"failed to import certificate [gnutls_x509_crt_import(cert)]"); + +return rc; +} + +#undef exim_gnutls_cert_err + + /* We set various Exim global variables from the state, once a session has been established. With TLS callouts, may need to change this to stack variables, or just re-call it with the server state after client callout has finished. -Make sure anything set here is inset in tls_getc(). +Make sure anything set here is unset in tls_getc(). Sets: tls_active fd @@ -298,15 +352,17 @@ Sets: tls_certificate_verified bool indicator tls_channelbinding_b64 for some SASL mechanisms tls_cipher a string + tls_peercert pointer to library internal tls_peerdn a string tls_sni a (UTF-8) string + tls_ourcert pointer to library internal Argument: state the relevant exim_gnutls_state_st * */ static void -extract_exim_vars_from_tls_state(exim_gnutls_state_st *state, BOOL is_server) +extract_exim_vars_from_tls_state(exim_gnutls_state_st * state) { gnutls_cipher_algorithm_t cipher; #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING 
@@ -314,18 +370,19 @@ int old_pool; int rc; gnutls_datum_t channel; #endif +tls_support * tlsp = state->tlsp; -state->tlsp->active = state->fd_out; +tlsp->active = state->fd_out; cipher = gnutls_cipher_get(state->session); /* returns size in "bytes" */ -state->tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8; +tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8; -state->tlsp->cipher = state->ciphersuite; +tlsp->cipher = state->ciphersuite; DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite); -state->tlsp->certificate_verified = state->peer_cert_verified; +tlsp->certificate_verified = state->peer_cert_verified; /* note that tls_channelbinding_b64 is not saved to the spool file, since it's only available for use for authenticators while this TLS session is running. */ @@ -346,8 +403,17 @@ if (rc) { } #endif -state->tlsp->peerdn = state->peerdn; -state->tlsp->sni = state->received_sni; +/* peercert is set in peer_status() */ +tlsp->peerdn = state->peerdn; +tlsp->sni = state->received_sni; + +/* record our certificate */ + { + const gnutls_datum * cert = gnutls_certificate_get_ours(state->session); + gnutls_x509_crt_t crt; + + tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL; + } } @@ -658,7 +724,7 @@ uschar *saved_tls_crl = NULL; int cert_count; /* We check for tls_sni *before* expansion. */ -if (!state->host) +if (!host) /* server */ { if (!state->received_sni) { @@ -700,7 +766,7 @@ if (!expand_check_tlsvar(tls_certificate)) if ((state->exp_tls_certificate == NULL) || (*state->exp_tls_certificate == '\0')) { - if (state->host == NULL) + if (!host) return tls_error(US"no TLS server certificate is specified", NULL, NULL); else DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n"); 
@@ -745,6 +811,30 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate) DEBUG(D_tls) debug_printf("TLS: cert/key registered\n"); } /* tls_certificate */ + +/* Set the OCSP stapling server info */ + +#ifndef DISABLE_OCSP +if ( !host /* server */ + && tls_ocsp_file + ) + { + if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", + &state->exp_tls_ocsp_file)) + return DEFER; + + /* Use the full callback method for stapling just to get observability. + More efficient would be to read the file once only, if it never changed + (due to SNI). Would need restart on file update, or watch datestamp. */ + + gnutls_certificate_set_ocsp_status_request_function(state->x509_cred, + server_ocsp_stapling_cb, state->exp_tls_ocsp_file); + + DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", &state->exp_tls_ocsp_file); + } +#endif + + /* Set the trusted CAs file if one is provided, and then add the CRL if one is provided. Experiment shows that, if the certificate file is empty, an unhelpful error message is provided. However, if we just refrain from setting anything up @@ -1072,7 +1162,6 @@ return OK; - /************************************************* * Extract peer information * *************************************************/ @@ -1154,7 +1243,7 @@ if (cert_list == NULL || cert_list_size == 0) { DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n", cert_list, cert_list_size); - if (state->verify_requirement == VERIFY_REQUIRED) + if (state->verify_requirement >= VERIFY_REQUIRED) return tls_error(US"certificate verification failed", "no certificate received from peer", state->host); return OK; 
@@ -1166,23 +1255,29 @@ if (ct != GNUTLS_CRT_X509) const char *ctn = gnutls_certificate_type_get_name(ct); DEBUG(D_tls) debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn); - if (state->verify_requirement == VERIFY_REQUIRED) + if (state->verify_requirement >= VERIFY_REQUIRED) return tls_error(US"certificate verification not possible, unhandled type", ctn, state->host); return OK; } -#define exim_gnutls_peer_err(Label) do { \ - if (rc != GNUTLS_E_SUCCESS) { \ - DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", (Label), gnutls_strerror(rc)); \ - if (state->verify_requirement == VERIFY_REQUIRED) { return tls_error((Label), gnutls_strerror(rc), state->host); } \ - return OK; } } while (0) +#define exim_gnutls_peer_err(Label) \ + do { \ + if (rc != GNUTLS_E_SUCCESS) \ + { \ + DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \ + (Label), gnutls_strerror(rc)); \ + if (state->verify_requirement >= VERIFY_REQUIRED) \ + return tls_error((Label), gnutls_strerror(rc), state->host); \ + return OK; \ + } \ + } while (0) -rc = gnutls_x509_crt_init(&crt); -exim_gnutls_peer_err(US"gnutls_x509_crt_init (crt)"); +rc = import_cert(&cert_list[0], &crt); +exim_gnutls_peer_err(US"cert 0"); + +state->tlsp->peercert = state->peercert = crt; -rc = gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER); -exim_gnutls_peer_err(US"failed to import certificate [gnutls_x509_crt_import(cert 0)]"); sz = 0; rc = gnutls_x509_crt_get_dn(crt, NULL, &sz); if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER) @@ -1193,6 +1288,7 @@ if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER) dn_buf = store_get_perm(sz); rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz); exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]"); + state->peerdn = dn_buf; return OK; 
@@ -1228,42 +1324,63 @@ unsigned int verify; *error = NULL; -rc = peer_status(state); -if (rc != OK) +if ((rc = peer_status(state)) != OK) { verify = GNUTLS_CERT_INVALID; - *error = "not supplied"; + *error = "certificate not supplied"; } else - { rc = gnutls_certificate_verify_peers2(state->session, &verify); - } /* Handle the result of verification. INVALID seems to be set as well as REVOKED, but leave the test for both. */ -if ((rc < 0) || (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0) +if (rc < 0 || + verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED) + ) { state->peer_cert_verified = FALSE; - if (*error == NULL) - *error = ((verify & GNUTLS_CERT_REVOKED) != 0) ? "revoked" : "invalid"; + if (!*error) + *error = verify & GNUTLS_CERT_REVOKED + ? "certificate revoked" : "certificate invalid"; DEBUG(D_tls) - debug_printf("TLS certificate verification failed (%s): peerdn=%s\n", + debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n", *error, state->peerdn ? 
state->peerdn : US""); - if (state->verify_requirement == VERIFY_REQUIRED) + if (state->verify_requirement >= VERIFY_REQUIRED) { - gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE); + gnutls_alert_send(state->session, + GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE); return FALSE; } DEBUG(D_tls) debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n"); } + else { +#ifdef EXPERIMENTAL_CERTNAMES + if (state->verify_requirement == VERIFY_WITHHOST) + { + int sep = 0; + uschar * list = state->exp_tls_verify_cert_hostnames; + uschar * name; + while (name = string_nextinlist(&list, &sep, NULL, 0)) + if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name)) + break; + if (!name) + { + DEBUG(D_tls) + debug_printf("TLS certificate verification failed: cert name mismatch\n"); + gnutls_alert_send(state->session, + GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE); + return FALSE; + } + } +#endif state->peer_cert_verified = TRUE; - DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=%s\n", + DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n", state->peerdn ? state->peerdn : US""); } @@ -1373,6 +1490,31 @@ return 0; +#ifndef DISABLE_OCSP + +static int +server_ocsp_stapling_cb(gnutls_session_t session, void * ptr, + gnutls_datum_t * ocsp_response) +{ +int ret; + +if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0) + { + DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n", + (char *)ptr); + tls_in.ocsp = OCSP_NOT_RESP; + return GNUTLS_E_NO_CERTIFICATE_STATUS; + } + +tls_in.ocsp = OCSP_VFY_NOT_TRIED; +return 0; +} + +#endif + + + + /* ------------------------------------------------------------------------ */ /* Exported functions */ 
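Review bot: server_ocsp_stapling_cb hands the client whatever gnutls_load_file() reads from the tls_ocsp_file path, with no check that the bytes parse as an OCSP response or that the response is still inside its update window, whereas the OpenSSL side of this patch runs OCSP_check_validity before it will supply a response. A stale or truncated file would then be stapled on every handshake and break clients that require a good status. Suggest importing the data with gnutls_ocsp_resp_import and returning GNUTLS_E_NO_CERTIFICATE_STATUS when it does not parse or is out of date. Also, the success path sets tls_in.ocsp to OCSP_VFY_NOT_TRIED while tls-openssl.c sets OCSP_VFIED at the equivalent point; one of the two needs a comment or a change so tls_in.ocsp means the same thing under both libraries.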
@@ -1427,19 +1569,22 @@ optional, set up appropriately. */ if (verify_check_host(&tls_verify_hosts) == OK) { - DEBUG(D_tls) debug_printf("TLS: a client certificate will be required.\n"); + DEBUG(D_tls) + debug_printf("TLS: a client certificate will be required.\n"); state->verify_requirement = VERIFY_REQUIRED; gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE); } else if (verify_check_host(&tls_try_verify_hosts) == OK) { - DEBUG(D_tls) debug_printf("TLS: a client certificate will be requested but not required.\n"); + DEBUG(D_tls) + debug_printf("TLS: a client certificate will be requested but not required.\n"); state->verify_requirement = VERIFY_OPTIONAL; gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST); } else { - DEBUG(D_tls) debug_printf("TLS: a client certificate will not be requested.\n"); + DEBUG(D_tls) + debug_printf("TLS: a client certificate will not be requested.\n"); state->verify_requirement = VERIFY_NONE; gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE); } @@ -1459,15 +1604,15 @@ mode, the fflush() happens when smtp_getc() is called. */ if (!state->tlsp->on_connect) { smtp_printf("220 TLS go ahead\r\n"); - fflush(smtp_out); /*XXX JGH */ + fflush(smtp_out); } /* Now negotiate the TLS session. We put our own timer on it, since it seems that the GnuTLS library doesn't. */ gnutls_transport_set_ptr2(state->session, - (gnutls_transport_ptr)fileno(smtp_in), - (gnutls_transport_ptr)fileno(smtp_out)); + (gnutls_transport_ptr)(long) fileno(smtp_in), + (gnutls_transport_ptr)(long) fileno(smtp_out)); state->fd_in = fileno(smtp_in); state->fd_out = fileno(smtp_out); 
@@ -1501,22 +1646,17 @@ DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n"); /* Verify after the fact */ -if (state->verify_requirement != VERIFY_NONE) +if ( state->verify_requirement != VERIFY_NONE + && !verify_certificate(state, &error)) { - if (!verify_certificate(state, &error)) + if (state->verify_requirement != VERIFY_OPTIONAL) { - if (state->verify_requirement == VERIFY_OPTIONAL) - { - DEBUG(D_tls) - debug_printf("TLS: continuing on only because verification was optional, after: %s\n", - error); - } - else - { - tls_error(US"certificate verification failed", error, NULL); - return FAIL; - } + tls_error(US"certificate verification failed", error, NULL); + return FAIL; } + DEBUG(D_tls) + debug_printf("TLS: continuing on only because verification was optional, after: %s\n", + error); } /* Figure out peer DN, and if authenticated, etc. */ @@ -1526,7 +1666,7 @@ if (rc != OK) return rc; /* Sets various Exim expansion variables; always safe within server */ -extract_exim_vars_from_tls_state(state, TRUE); +extract_exim_vars_from_tls_state(state); /* TLS has been set up. Adjust the input functions to read via TLS, and initialize appropriately. */ @@ -1555,14 +1695,7 @@ Arguments: fd the fd of the connection host connected host (for messages) addr the first address (not used) - certificate certificate file - privatekey private key file - sni TLS SNI to send to remote host - verify_certs file for certificate verify - verify_crl CRL for verify - require_ciphers list of allowed ciphers or NULL - dh_min_bits minimum number of bits acceptable in server's DH prime - timeout startup timeout + ob smtp transport options Returns: OK/DEFER/FAIL (because using common functions), but for a client, DEFER and FAIL have the same meaning 
@@ -1571,58 +1704,116 @@ Returns: OK/DEFER/FAIL (because using common functions), int tls_client_start(int fd, host_item *host, address_item *addr ARG_UNUSED, - uschar *certificate, uschar *privatekey, uschar *sni, - uschar *verify_certs, uschar *verify_crl, - uschar *require_ciphers, -#ifdef EXPERIMENTAL_OCSP - uschar *require_ocsp ARG_UNUSED, -#endif - int dh_min_bits, int timeout) + void *v_ob) { +smtp_transport_options_block *ob = v_ob; int rc; const char *error; exim_gnutls_state_st *state = NULL; +#ifndef DISABLE_OCSP +BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, + NULL, host->name, host->address, NULL) == OK; +BOOL request_ocsp = require_ocsp ? TRUE + : verify_check_this_host(&ob->hosts_request_ocsp, + NULL, host->name, host->address, NULL) == OK; +#endif DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd); -rc = tls_init(host, certificate, privatekey, - sni, verify_certs, verify_crl, require_ciphers, &state); -if (rc != OK) return rc; +if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey, + ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl, + ob->tls_require_ciphers, &state)) != OK) + return rc; -if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS) { - DEBUG(D_tls) - debug_printf("WARNING: tls_dh_min_bits far too low, clamping %d up to %d\n", - dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS); - dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS; - } + int dh_min_bits = ob->tls_dh_min_bits; + if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS) + { + DEBUG(D_tls) + debug_printf("WARNING: tls_dh_min_bits far too low," + " clamping %d up to %d\n", + dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS); + dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS; + } -DEBUG(D_tls) debug_printf("Setting D-H prime minimum acceptable bits to %d\n", - dh_min_bits); -gnutls_dh_set_prime_bits(state->session, dh_min_bits); + DEBUG(D_tls) debug_printf("Setting D-H prime minimum" + " acceptable bits to %d\n", + dh_min_bits); + 
gnutls_dh_set_prime_bits(state->session, dh_min_bits); + } -if (verify_certs == NULL) +/* Stick to the old behaviour for compatibility if tls_verify_certificates is +set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only +the specified host patterns if one of them is defined */ + +if (( state->exp_tls_verify_certificates + && !ob->tls_verify_hosts + && !ob->tls_try_verify_hosts + ) + || + verify_check_host(&ob->tls_verify_hosts) == OK + ) { - DEBUG(D_tls) debug_printf("TLS: server certificate verification not required\n"); - state->verify_requirement = VERIFY_NONE; - /* we still ask for it, to log it, etc */ +#ifdef EXPERIMENTAL_CERTNAMES + if (ob->tls_verify_cert_hostnames) + { + DEBUG(D_tls) + debug_printf("TLS: server cert incl. hostname verification required.\n"); + state->verify_requirement = VERIFY_WITHHOST; + if (!expand_check(ob->tls_verify_cert_hostnames, + US"tls_verify_cert_hostnames", + &state->exp_tls_verify_cert_hostnames)) + return FAIL; + if (state->exp_tls_verify_cert_hostnames) + DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", + state->exp_tls_verify_cert_hostnames); + } + else +#endif + { + DEBUG(D_tls) + debug_printf("TLS: server certificate verification required.\n"); + state->verify_requirement = VERIFY_REQUIRED; + } + gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE); + } +else if (verify_check_host(&ob->tls_try_verify_hosts) == OK) + { + DEBUG(D_tls) + debug_printf("TLS: server certificate verification optional.\n"); + state->verify_requirement = VERIFY_OPTIONAL; gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST); } else { - DEBUG(D_tls) debug_printf("TLS: server certificate verification required\n"); - state->verify_requirement = VERIFY_REQUIRED; - gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE); + DEBUG(D_tls) + debug_printf("TLS: server certificate verification not required.\n"); + state->verify_requirement = VERIFY_NONE; + 
gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE); } -gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)fd); +#ifndef DISABLE_OCSP + /* supported since GnuTLS 3.1.3 */ +if (request_ocsp) + { + DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n"); + if ((rc = gnutls_ocsp_status_request_enable_client(state->session, + NULL, 0, NULL)) != OK) + return tls_error(US"cert-status-req", + gnutls_strerror(rc), state->host); + tls_out.ocsp = OCSP_NOT_RESP; + } +#endif + +gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)(long) fd); state->fd_in = fd; state->fd_out = fd; +DEBUG(D_tls) debug_printf("about to gnutls_handshake\n"); /* There doesn't seem to be a built-in timeout on connection. */ sigalrm_seen = FALSE; -alarm(timeout); +alarm(ob->command_timeout); do { rc = gnutls_handshake(state->session); 
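Review bot: In the new verification-mode selection, tls_verify_hosts and tls_try_verify_hosts are matched with verify_check_host(&ob->...), which is passed only the list, while the OCSP lists at the top of the function are matched with verify_check_this_host(..., host->name, host->address, ...). Please confirm that verify_check_host evaluates the list against the remote server in host rather than some other connection's peer; if it does not, use the same call as the OCSP lists, since this test decides whether the server certificate is verified at all. Smaller points: the result of gnutls_ocsp_status_request_enable_client is compared with Exim's OK rather than GNUTLS_E_SUCCESS as exim_gnutls_peer_err does, and taking the options as void *v_ob removes the compiler's type check on the argument, which deserves a line in the function comment.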
@@ -1642,14 +1833,45 @@ if (state->verify_requirement != VERIFY_NONE && !verify_certificate(state, &error)) return tls_error(US"certificate verification failed", error, state->host); +#ifndef DISABLE_OCSP +if (require_ocsp) + { + DEBUG(D_tls) + { + gnutls_datum_t stapling; + gnutls_ocsp_resp_t resp; + gnutls_datum_t printed; + if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0 + && (rc= gnutls_ocsp_resp_init(&resp)) == 0 + && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0 + && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0 + ) + { + debug_printf("%.4096s", printed.data); + gnutls_free(printed.data); + } + else + (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host); + } + + if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0) + { + tls_out.ocsp = OCSP_FAILED; + return tls_error(US"certificate status check failed", NULL, state->host); + } + DEBUG(D_tls) debug_printf("Passed OCSP checking\n"); + tls_out.ocsp = OCSP_VFIED; + } +#endif + /* Figure out peer DN, and if authenticated, etc. */ -rc = peer_status(state); -if (rc != OK) return rc; +if ((rc = peer_status(state)) != OK) + return rc; /* Sets various Exim expansion variables; may need to adjust for ACL callouts */ -extract_exim_vars_from_tls_state(state, FALSE); +extract_exim_vars_from_tls_state(state); return OK; } @@ -1747,8 +1969,9 @@ if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm) state->tlsp->active = -1; state->tlsp->bits = 0; state->tlsp->certificate_verified = FALSE; - tls_channelbinding_b64 = NULL; /*XXX JGH */ + tls_channelbinding_b64 = NULL; state->tlsp->cipher = NULL; + state->tlsp->peercert = NULL; state->tlsp->peerdn = NULL; return smtp_getc(); @@ -2031,4 +2254,6 @@ fprintf(f, "Library version: GnuTLS: Compile: %s\n" gnutls_check_version(NULL)); } +/* vi: aw ai sw=2 +*/ /* End of tls-gnu.c */ diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index b273fff75..9609d6252 100644 --- a/src/src/tls-openssl.c 
+++ b/src/src/tls-openssl.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Portions Copyright (c) The OpenSSL Project 1999 */ @@ -22,17 +22,22 @@ functions from the OpenSSL library. */ #include #include #include -#ifdef EXPERIMENTAL_OCSP -#include +#ifndef DISABLE_OCSP +# include #endif -#ifdef EXPERIMENTAL_OCSP -#define EXIM_OCSP_SKEW_SECONDS (300L) -#define EXIM_OCSP_MAX_AGE (-1L) +#ifndef DISABLE_OCSP +# define EXIM_OCSP_SKEW_SECONDS (300L) +# define EXIM_OCSP_MAX_AGE (-1L) #endif #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) -#define EXIM_HAVE_OPENSSL_TLSEXT +# define EXIM_HAVE_OPENSSL_TLSEXT +#endif + +#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP) +# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile" +# define DISABLE_OCSP #endif /* Structure for collecting random data for seeding. */ @@ -88,7 +93,7 @@ static BOOL reexpand_tls_files_for_sni = FALSE; typedef struct tls_ext_ctx_cb { uschar *certificate; uschar *privatekey; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP BOOL is_server; union { struct { @@ -97,7 +102,8 @@ typedef struct tls_ext_ctx_cb { OCSP_RESPONSE *response; } server; struct { - X509_STORE *verify_store; + X509_STORE *verify_store; /* non-null if status requested */ + BOOL verify_required; } client; } u_ocsp; #endif @@ -106,6 +112,10 @@ typedef struct tls_ext_ctx_cb { uschar *server_cipher_list; /* only passed down to tls_error: */ host_item *host; + +#ifdef EXPERIMENTAL_CERTNAMES + uschar * verify_cert_hostnames; +#endif } tls_ext_ctx_cb; /* should figure out a cleanup of API to handle state preserved per 
@@ -122,7 +132,7 @@ setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL opt #ifdef EXIM_HAVE_OPENSSL_TLSEXT static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg); #endif -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP static int tls_server_stapling_cb(SSL *s, void *arg); #endif @@ -208,7 +218,7 @@ return rsa_key; /* Extreme debug -#if defined(EXPERIMENTAL_OCSP) +#ifndef DISABLE_OCSP void x509_store_dump_cert_s_names(X509_STORE * store) { 
@@ -261,59 +271,103 @@ Returns: 1 if verified, 0 if not */ static int -verify_callback(int state, X509_STORE_CTX *x509ctx, tls_support *tlsp, BOOL *calledp, BOOL *optionalp) +verify_callback(int state, X509_STORE_CTX *x509ctx, + tls_support *tlsp, BOOL *calledp, BOOL *optionalp) { +X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx); static uschar txt[256]; -X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert), - CS txt, sizeof(txt)); +X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt)); if (state == 0) { log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s", - x509ctx->error_depth, - X509_verify_cert_error_string(x509ctx->error), + X509_STORE_CTX_get_error_depth(x509ctx), + X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), txt); tlsp->certificate_verified = FALSE; *calledp = TRUE; - if (!*optionalp) return 0; /* reject */ + if (!*optionalp) + { + tlsp->peercert = X509_dup(cert); + return 0; /* reject */ + } DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in " "tls_try_verify_hosts)\n"); - return 1; /* accept */ } -if (x509ctx->error_depth != 0) +else if (X509_STORE_CTX_get_error_depth(x509ctx) != 0) { - DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n", - x509ctx->error_depth, txt); -#ifdef EXPERIMENTAL_OCSP + DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", + X509_STORE_CTX_get_error_depth(x509ctx), txt); +#ifndef DISABLE_OCSP if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store) { /* client, wanting stapling */ /* Add the server cert's signing chain as the one for the verification of the OCSP stapled information. */ if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store, - x509ctx->current_cert)) + cert)) ERR_clear_error(); } #endif } else { - DEBUG(D_tls) debug_printf("SSL%s peer: %s\n", - *calledp ? 
"" : " authenticated", txt); +#ifdef EXPERIMENTAL_CERTNAMES + uschar * verify_cert_hostnames; +#endif + tlsp->peerdn = txt; - } + tlsp->peercert = X509_dup(cert); -/*XXX JGH: this looks bogus - we set "verified" first time through, which -will be for the root CS cert (calls work down the chain). Why should it -not be on the last call, where we're setting peerdn? +#ifdef EXPERIMENTAL_CERTNAMES + if ( tlsp == &tls_out + && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames))) + /* client, wanting hostname check */ -To test: set up a chain anchored by a good root-CA but with a bad server cert. -Does certificate_verified get set? -*/ -if (!*calledp) tlsp->certificate_verified = TRUE; -*calledp = TRUE; +# if OPENSSL_VERSION_NUMBER >= 0x010100000L || OPENSSL_VERSION_NUMBER >= 0x010002000L +# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS +# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0 +# endif + { + int sep = 0; + uschar * list = verify_cert_hostnames; + uschar * name; + int rc; + while ((name = string_nextinlist(&list, &sep, NULL, 0))) + if ((rc = X509_check_host(cert, name, 0, + X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS))) + { + if (rc < 0) + { + log_write(0, LOG_MAIN, "SSL verify error: internal error\n"); + name = NULL; + } + break; + } + if (!name) + { + log_write(0, LOG_MAIN, + "SSL verify error: certificate name mismatch: \"%s\"\n", txt); + return 0; /* reject */ + } + } +# else + if (!tls_is_name_for_cert(verify_cert_hostnames, cert)) + { + log_write(0, LOG_MAIN, + "SSL verify error: certificate name mismatch: \"%s\"\n", txt); + return 0; /* reject */ + } +# endif +#endif + + DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n", + *calledp ? "" : " authenticated", txt); + if (!*calledp) tlsp->certificate_verified = TRUE; + *calledp = TRUE; + } return 1; /* accept */ } 
@@ -449,7 +503,7 @@ return TRUE; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP /************************************************* * Load OCSP information into state * *************************************************/ @@ -566,24 +620,24 @@ if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX } supply_response: -cbinfo->u_ocsp.server.response = resp; + cbinfo->u_ocsp.server.response = resp; return; bad: -if (running_in_test_harness) - { - extern char ** environ; - uschar ** p; - for (p = USS environ; *p != NULL; p++) - if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0) - { - DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n"); - goto supply_response; - } - } + if (running_in_test_harness) + { + extern char ** environ; + uschar ** p; + for (p = USS environ; *p != NULL; p++) + if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0) + { + DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n"); + goto supply_response; + } + } return; } -#endif /*EXPERIMENTAL_OCSP*/ +#endif /*!DISABLE_OCSP*/ @@ -645,7 +699,7 @@ if (expanded != NULL && *expanded != 0) "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL); } -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL) { if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded)) @@ -735,7 +789,7 @@ SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb); SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo); if (cbinfo->server_cipher_list) SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list); -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP if (cbinfo->u_ocsp.server.file) { SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb); @@ -764,7 +818,7 @@ return SSL_TLSEXT_ERR_OK; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP /************************************************* * Callback to handle OCSP Stapling * 
@@ -785,22 +839,22 @@ const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg; uschar *response_der; int response_der_len; -if (log_extra_selector & LX_tls_cipher) - log_write(0, LOG_MAIN, "[%s] Recieved OCSP stapling req;%s responding", - sender_host_address, cbinfo->u_ocsp.server.response ? "":" not"); -else - DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.", +DEBUG(D_tls) + debug_printf("Received TLS status request (OCSP stapling); %s response.", cbinfo->u_ocsp.server.response ? "have" : "lack"); +tls_in.ocsp = OCSP_NOT_RESP; if (!cbinfo->u_ocsp.server.response) return SSL_TLSEXT_ERR_NOACK; response_der = NULL; -response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, &response_der); +response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, + &response_der); if (response_der_len <= 0) return SSL_TLSEXT_ERR_NOACK; SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len); +tls_in.ocsp = OCSP_VFIED; return SSL_TLSEXT_ERR_OK; } @@ -827,14 +881,18 @@ DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):"); len = SSL_get_tlsext_status_ocsp_resp(s, &p); if(!p) { - if (log_extra_selector & LX_tls_cipher) - log_write(0, LOG_MAIN, "Received TLS status response, null content"); + /* Expect this when we requested ocsp but got none */ + if ( cbinfo->u_ocsp.client.verify_required + && log_extra_selector & LX_tls_cipher) + log_write(0, LOG_MAIN, "Received TLS status callback, null content"); else DEBUG(D_tls) debug_printf(" null\n"); - return 0; /* This is the fail case for require-ocsp; none from server */ + return cbinfo->u_ocsp.client.verify_required ? 0 : 1; } + if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len))) { + tls_out.ocsp = OCSP_FAILED; if (log_extra_selector & LX_tls_cipher) log_write(0, LOG_MAIN, "Received TLS status response, parse error"); else 
@@ -844,6 +902,7 @@ if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len))) if(!(bs = OCSP_response_get1_basic(rsp))) { + tls_out.ocsp = OCSP_FAILED; if (log_extra_selector & LX_tls_cipher) log_write(0, LOG_MAIN, "Received TLS status response, error parsing response"); else @@ -855,14 +914,12 @@ if(!(bs = OCSP_response_get1_basic(rsp))) /* We'd check the nonce here if we'd put one in the request. */ /* However that would defeat cacheability on the server so we don't. */ - /* This section of code reworked from OpenSSL apps source; The OpenSSL Project retains copyright: Copyright (c) 1999 The OpenSSL Project. All rights reserved. */ { BIO * bp = NULL; - OCSP_CERTID *id; int status, reason; ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; @@ -873,11 +930,13 @@ if(!(bs = OCSP_response_get1_basic(rsp))) /* Use the chain that verified the server cert to verify the stapled info */ /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */ - if ((i = OCSP_basic_verify(bs, NULL, cbinfo->u_ocsp.client.verify_store, 0)) <= 0) + if ((i = OCSP_basic_verify(bs, NULL, + cbinfo->u_ocsp.client.verify_store, 0)) <= 0) { + tls_out.ocsp = OCSP_FAILED; BIO_printf(bp, "OCSP response verify failure\n"); ERR_print_errors(bp); - i = 0; + i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; goto out; } 
@@ -889,39 +948,52 @@ if(!(bs = OCSP_response_get1_basic(rsp))) if (sk_OCSP_SINGLERESP_num(sresp) != 1) { - log_write(0, LOG_MAIN, "OCSP stapling with multiple responses not handled"); + tls_out.ocsp = OCSP_FAILED; + log_write(0, LOG_MAIN, "OCSP stapling " + "with multiple responses not handled"); + i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; goto out; } single = OCSP_resp_get0(bs, 0); - status = OCSP_single_get0_status(single, &reason, &rev, &thisupd, &nextupd); + status = OCSP_single_get0_status(single, &reason, &rev, + &thisupd, &nextupd); } - i = 0; DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd); DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd); - if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE)) + if (!OCSP_check_validity(thisupd, nextupd, + EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE)) { + tls_out.ocsp = OCSP_FAILED; DEBUG(D_tls) ERR_print_errors(bp); log_write(0, LOG_MAIN, "Server OSCP dates invalid"); - goto out; + i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; } - - DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n", OCSP_cert_status_str(status)); - switch(status) + else { - case V_OCSP_CERTSTATUS_GOOD: - i = 1; - break; - case V_OCSP_CERTSTATUS_REVOKED: - log_write(0, LOG_MAIN, "Server certificate revoked%s%s", - reason != -1 ? "; reason: " : "", reason != -1 ? OCSP_crl_reason_str(reason) : ""); - DEBUG(D_tls) time_print(bp, "Revocation Time", rev); - i = 0; - break; - default: - log_write(0, LOG_MAIN, "Server certificate status unknown, in OCSP stapling"); - i = 0; - break; + DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n", + OCSP_cert_status_str(status)); + switch(status) + { + case V_OCSP_CERTSTATUS_GOOD: + tls_out.ocsp = OCSP_VFIED; + i = 1; + break; + case V_OCSP_CERTSTATUS_REVOKED: + tls_out.ocsp = OCSP_FAILED; + log_write(0, LOG_MAIN, "Server certificate revoked%s%s", + reason != -1 ? "; reason: " : "", + reason != -1 ? 
OCSP_crl_reason_str(reason) : ""); + DEBUG(D_tls) time_print(bp, "Revocation Time", rev); + i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; + break; + default: + tls_out.ocsp = OCSP_FAILED; + log_write(0, LOG_MAIN, + "Server certificate status unknown, in OCSP stapling"); + i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; + break; + } } out: BIO_free(bp); @@ -930,7 +1002,7 @@ if(!(bs = OCSP_response_get1_basic(rsp))) OCSP_RESPONSE_free(rsp); return i; } -#endif /*EXPERIMENTAL_OCSP*/ +#endif /*!DISABLE_OCSP*/ @@ -938,8 +1010,8 @@ return i; * Initialize for TLS * *************************************************/ -/* Called from both server and client code, to do preliminary initialization of -the library. +/* Called from both server and client code, to do preliminary initialization +of the library. We allocate and return a context structure. Arguments: host connected host, if client; NULL if server @@ -948,6 +1020,7 @@ Arguments: privatekey private key ocsp_file file of stapling info (server); flag for require ocsp (client) addr address if client; NULL if server (for some randomness) + cbp place to put allocated context Returns: OK/DEFER/FAIL */ @@ -955,7 +1028,7 @@ Returns: OK/DEFER/FAIL static int tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate, uschar *privatekey, -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP uschar *ocsp_file, #endif address_item *addr, tls_ext_ctx_cb ** cbp) @@ -968,7 +1041,7 @@ tls_ext_ctx_cb *cbinfo; cbinfo = store_malloc(sizeof(tls_ext_ctx_cb)); cbinfo->certificate = certificate; cbinfo->privatekey = privatekey; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP if ((cbinfo->is_server = host==NULL)) { cbinfo->u_ocsp.server.file = ocsp_file; 
@@ -1070,7 +1143,7 @@ if (rc != OK) return rc; #ifdef EXIM_HAVE_OPENSSL_TLSEXT if (host == NULL) /* server */ { -# ifdef EXPERIMENTAL_OCSP +# ifndef DISABLE_OCSP /* We check u_ocsp.server.file, not server.response, because we care about if the option exists, not what the current expansion might be, as SNI might change the certificate and OCSP file in use between now and the time the @@ -1086,7 +1159,7 @@ if (host == NULL) /* server */ SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb); SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo); } -# ifdef EXPERIMENTAL_OCSP +# ifndef DISABLE_OCSP else /* client */ if(ocsp_file) /* wanting stapling */ { @@ -1101,6 +1174,10 @@ else /* client */ # endif #endif +#ifdef EXPERIMENTAL_CERTNAMES +cbinfo->verify_cert_hostnames = NULL; +#endif + /* Set up the RSA callback */ SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback); @@ -1137,37 +1214,9 @@ construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits) yet reflect that. It should be a safe change anyway, even 0.9.8 versions have the accessor functions use const in the prototype. */ const SSL_CIPHER *c; -uschar *ver; - -switch (ssl->session->ssl_version) - { - case SSL2_VERSION: - ver = US"SSLv2"; - break; - - case SSL3_VERSION: - ver = US"SSLv3"; - break; - - case TLS1_VERSION: - ver = US"TLSv1"; - break; - -#ifdef TLS1_1_VERSION - case TLS1_1_VERSION: - ver = US"TLSv1.1"; - break; -#endif +const uschar *ver; -#ifdef TLS1_2_VERSION - case TLS1_2_VERSION: - ver = US"TLSv1.2"; - break; -#endif - - default: - ver = US"UNKNOWN"; - } +ver = (const uschar *)SSL_get_version(ssl); c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl); SSL_CIPHER_get_bits(c, bits); @@ -1347,7 +1396,7 @@ if (tls_in.active >= 0) the error. */ rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey, -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP tls_ocsp_file, #endif NULL, &server_static_cbinfo); 
@@ -1461,6 +1510,11 @@ DEBUG(D_tls) debug_printf("Shared ciphers: %s\n", buf); } +/* Record the certificate we presented */ + { + X509 * crt = SSL_get_certificate(server_ssl); + tls_in.ourcert = crt ? X509_dup(crt) : NULL; + } /* Only used by the server-side tls (tls_in), including tls_getc. Client-side (tls_out) reads (seem to?) go via @@ -1495,15 +1549,7 @@ Argument: fd the fd of the connection host connected host (for messages) addr the first address - certificate certificate file - privatekey private key file - sni TLS SNI to send to remote host - verify_certs file for certificate verify - crl file containing CRL - require_ciphers list of allowed ciphers - dh_min_bits minimum number of bits acceptable in server's DH prime - (unused in OpenSSL) - timeout startup timeout + ob smtp transport options Returns: OK on success FAIL otherwise - note that tls_error() will not give DEFER 
@@ -1512,27 +1558,26 @@ Returns: OK on success int tls_client_start(int fd, host_item *host, address_item *addr, - uschar *certificate, uschar *privatekey, uschar *sni, - uschar *verify_certs, uschar *crl, - uschar *require_ciphers, -#ifdef EXPERIMENTAL_OCSP - uschar *hosts_require_ocsp, -#endif - int dh_min_bits ARG_UNUSED, int timeout) + void *v_ob) { +smtp_transport_options_block * ob = v_ob; static uschar txt[256]; uschar *expciphers; X509* server_cert; int rc; static uschar cipherbuf[256]; -#ifdef EXPERIMENTAL_OCSP -BOOL require_ocsp = verify_check_this_host(&hosts_require_ocsp, +#ifndef DISABLE_OCSP +BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, NULL, host->name, host->address, NULL) == OK; +BOOL request_ocsp = require_ocsp ? TRUE + : verify_check_this_host(&ob->hosts_request_ocsp, + NULL, host->name, host->address, NULL) == OK; #endif -rc = tls_init(&client_ctx, host, NULL, certificate, privatekey, -#ifdef EXPERIMENTAL_OCSP - require_ocsp ? US"" : NULL, +rc = tls_init(&client_ctx, host, NULL, + ob->tls_certificate, ob->tls_privatekey, +#ifndef DISABLE_OCSP + (void *)(long)request_ocsp, #endif addr, &client_static_cbinfo); if (rc != OK) return rc; @@ -1540,7 +1585,8 @@ if (rc != OK) return rc; tls_out.certificate_verified = FALSE; client_verify_callback_called = FALSE; -if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers)) +if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers", + &expciphers)) return FAIL; /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they 
@@ -1556,17 +1602,48 @@ if (expciphers != NULL) return tls_error(US"SSL_CTX_set_cipher_list", host, NULL); } -rc = setup_certs(client_ctx, verify_certs, crl, host, FALSE, verify_callback_client); -if (rc != OK) return rc; +/* stick to the old behaviour for compatibility if tls_verify_certificates is + set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only + the specified host patterns if one of them is defined */ -if ((client_ssl = SSL_new(client_ctx)) == NULL) return tls_error(US"SSL_new", host, NULL); +if ((!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) || + (verify_check_host(&ob->tls_verify_hosts) == OK)) + { + if ((rc = setup_certs(client_ctx, ob->tls_verify_certificates, + ob->tls_crl, host, FALSE, verify_callback_client)) != OK) + return rc; + client_verify_optional = FALSE; + +#ifdef EXPERIMENTAL_CERTNAMES + if (ob->tls_verify_cert_hostnames) + { + if (!expand_check(ob->tls_verify_cert_hostnames, + US"tls_verify_cert_hostnames", + &client_static_cbinfo->verify_cert_hostnames)) + return FAIL; + if (client_static_cbinfo->verify_cert_hostnames) + DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", + client_static_cbinfo->verify_cert_hostnames); + } +#endif + } +else if (verify_check_host(&ob->tls_try_verify_hosts) == OK) + { + if ((rc = setup_certs(client_ctx, ob->tls_verify_certificates, + ob->tls_crl, host, TRUE, verify_callback_client)) != OK) + return rc; + client_verify_optional = TRUE; + } + +if ((client_ssl = SSL_new(client_ctx)) == NULL) + return tls_error(US"SSL_new", host, NULL); SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx)); SSL_set_fd(client_ssl, fd); SSL_set_connect_state(client_ssl); -if (sni) +if (ob->tls_sni) { - if (!expand_check(sni, US"tls_sni", &tls_out.sni)) + if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni)) return FAIL; if (tls_out.sni == NULL) { 
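Review bot: in the new tls_verify_hosts / tls_try_verify_hosts block of tls_client_start(), a host that matches neither list while at least one list is set falls through both branches, so setup_certs() is never called and client_verify_optional keeps whatever value it had before this call. Add a final else that sets client_verify_optional explicitly, so the verify callback never acts on a value left over from an earlier connection. The leading comment says the compatibility case applies when tls_verify_certificates is set, but the condition never tests ob->tls_verify_certificates; either test it or reword the comment. tls_verify_cert_hostnames is expanded only in the mandatory branch; if skipping it for try-verify hosts is intended, say so in the comment.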
@@ -1587,18 +1664,22 @@ if (sni) } } -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP /* Request certificate status at connection-time. If the server does OCSP stapling we will get the callback (set in tls_init()) */ -if (require_ocsp) +if (request_ocsp) + { SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp); + client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp; + tls_out.ocsp = OCSP_NOT_RESP; + } #endif /* There doesn't seem to be a built-in timeout on connection. */ DEBUG(D_tls) debug_printf("Calling SSL_connect\n"); sigalrm_seen = FALSE; -alarm(timeout); +alarm(ob->command_timeout); rc = SSL_connect(client_ssl); alarm(0); @@ -1608,12 +1689,13 @@ if (rc <= 0) DEBUG(D_tls) debug_printf("SSL_connect succeeded\n"); /* Beware anonymous ciphers which lead to server_cert being NULL */ +/*XXX server_cert is never freed... use X509_free() */ server_cert = SSL_get_peer_certificate (client_ssl); if (server_cert) { tls_out.peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert), CS txt, sizeof(txt)); - tls_out.peerdn = txt; + tls_out.peerdn = txt; /*XXX a static buffer... */ } else tls_out.peerdn = NULL; @@ -1621,6 +1703,12 @@ else construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits); tls_out.cipher = cipherbuf; +/* Record the certificate we presented */ + { + X509 * crt = SSL_get_certificate(client_ssl); + tls_out.ourcert = crt ? X509_dup(crt) : NULL; + } + tls_out.active = fd; return OK; } 
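Review bot: the "Record the certificate we presented" block at the end of tls_client_start() assigns X509_dup(crt) to tls_out.ourcert without checking the result and without releasing a value already stored there. X509_dup() returns NULL on allocation failure, which then looks the same as "no certificate presented", and nothing in this hunk shows where the duplicate is released with X509_free(). Please document the ownership next to the assignment, in the same way the XXX comment added above flags server_cert as never freed. The matching tls_in.ourcert block on the server side needs the same treatment.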
@@ -1934,6 +2022,11 @@ one version of OpenSSL but the run-time linker picks up another version, it can result in serious failures, including crashing with a SIGSEGV. So report the version found by the compiler and the run-time version. +Note: some OS vendors backport security fixes without changing the version +number/string, and the version date remains unchanged. The _build_ date +will change, so we can more usefully assist with version diagnosis by also +reporting the build date. + Arguments: a FILE* to print the results to Returns: nothing */ @@ -1942,9 +2035,13 @@ void tls_version_report(FILE *f) { fprintf(f, "Library version: OpenSSL: Compile: %s\n" - " Runtime: %s\n", + " Runtime: %s\n" + " : %s\n", OPENSSL_VERSION_TEXT, - SSLeay_version(SSLEAY_VERSION)); + SSLeay_version(SSLEAY_VERSION), + SSLeay_version(SSLEAY_BUILT_ON)); +/* third line is 38 characters for the %s and the line is 73 chars long; +the OpenSSL output includes a "built on: " prefix already. */ } @@ -2252,4 +2349,6 @@ for (s=option_spec; *s != '\0'; /**/) return TRUE; } +/* vi: aw ai sw=2 +*/ /* End of tls-openssl.c */ diff --git a/src/src/tls.c b/src/src/tls.c index 0625c48b8..f2ab56706 100644 --- a/src/src/tls.c +++ b/src/src/tls.c @@ -17,6 +17,7 @@ functions from the OpenSSL or GNU TLS libraries. */ #include "exim.h" +#include "transports/smtp.h" /* This module is compiled only when it is specifically requested in the build-time configuration. However, some compilers don't like compiling empty @@ -85,6 +86,7 @@ return TRUE; #ifdef USE_GNUTLS #include "tls-gnu.c" +#include "tlscert-gnu.c" #define ssl_xfer_buffer (state_server.xfer_buffer) #define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm) @@ -94,6 +96,7 @@ return TRUE; #else #include "tls-openssl.c" +#include "tlscert-openssl.c" #endif 
@@ -181,4 +184,154 @@ return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm; #endif /* SUPPORT_TLS */ +void +tls_modify_variables(tls_support * dest_tsp) +{ +modify_variable(US"tls_bits", &dest_tsp->bits); +modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified); +modify_variable(US"tls_cipher", &dest_tsp->cipher); +modify_variable(US"tls_peerdn", &dest_tsp->peerdn); +#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) +modify_variable(US"tls_sni", &dest_tsp->sni); +#endif +} + + +#ifdef SUPPORT_TLS +/************************************************ +* TLS certificate name operations * +************************************************/ + +/* Convert an rfc4514 DN to an exim comma-sep list. +Backslashed commas need to be replaced by doublecomma +for Exim's list quoting. We modify the given string +inplace. +*/ + +static void +dn_to_list(uschar * dn) +{ +uschar * cp; +for (cp = dn; *cp; cp++) + if (cp[0] == '\\' && cp[1] == ',') + *cp++ = ','; +} + + +/* Extract fields of a given type from an RFC4514- +format Distinguished Name. Return an Exim list. +NOTE: We modify the supplied dn string during operation. 
+ +Arguments: + dn Distinguished Name string + mod string containing optional list-sep and + field selector match, comma-separated +Return: + allocated string with list of matching fields, + field type stripped +*/ + +uschar * +tls_field_from_dn(uschar * dn, uschar * mod) +{ +int insep = ','; +uschar outsep = '\n'; +uschar * ele; +uschar * match = NULL; +int len; +uschar * list = NULL; + +while ((ele = string_nextinlist(&mod, &insep, NULL, 0))) + if (ele[0] != '>') + match = ele; /* field tag to match */ + else if (ele[1]) + outsep = ele[1]; /* nondefault separator */ + +dn_to_list(dn); +insep = ','; +len = Ustrlen(match); +while ((ele = string_nextinlist(&dn, &insep, NULL, 0))) + if (Ustrncmp(ele, match, len) == 0 && ele[len] == '=') + list = string_append_listele(list, outsep, ele+len+1); +return list; +} + + +# ifdef EXPERIMENTAL_CERTNAMES +/* Compare a domain name with a possibly-wildcarded name. Wildcards +are restricted to a single one, as the first element of patterns +having at least three dot-separated elements. Case-independent. +Return TRUE for a match +*/ +static BOOL +is_name_match(const uschar * name, const uschar * pat) +{ +uschar * cp; +return *pat == '*' /* possible wildcard match */ + ? *++pat == '.' /* starts star, dot */ + && !Ustrchr(++pat, '*') /* has no more stars */ + && Ustrchr(pat, '.') /* and has another dot. */ + && (cp = Ustrchr(name, '.'))/* The name has at least one dot */ + && strcmpic(++cp, pat) == 0 /* and we only compare after it. */ + : !Ustrchr(pat+1, '*') + && strcmpic(name, pat) == 0; +} + +/* Compare a list of names with the dnsname elements +of the Subject Alternate Name, if any, and the +Subject otherwise. 
+ +Arguments: + namelist names to compare + cert certificate + +Returns: + TRUE/FALSE +*/ + +BOOL +tls_is_name_for_cert(uschar * namelist, void * cert) +{ +uschar * altnames = tls_cert_subject_altname(cert, US"dns"); +uschar * subjdn; +uschar * certname; +int cmp_sep = 0; +uschar * cmpname; + +if ((altnames = tls_cert_subject_altname(cert, US"dns"))) + { + int alt_sep = '\n'; + while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0))) + { + uschar * an = altnames; + while ((certname = string_nextinlist(&an, &alt_sep, NULL, 0))) + if (is_name_match(cmpname, certname)) + return TRUE; + } + } + +else if ((subjdn = tls_cert_subject(cert, NULL))) + { + int sn_sep = ','; + + dn_to_list(subjdn); + while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0))) + { + uschar * sn = subjdn; + while ((certname = string_nextinlist(&sn, &sn_sep, NULL, 0))) + if ( *certname++ == 'C' + && *certname++ == 'N' + && *certname++ == '=' + && is_name_match(cmpname, certname) + ) + return TRUE; + } + } +return FALSE; +} +# endif /*EXPERIMENTAL_CERTNAMES*/ +#endif /*SUPPORT_TLS*/ + +/* vi: aw ai sw=2 +*/ /* End of tls.c */ diff --git a/src/src/tlscert-gnu.c b/src/src/tlscert-gnu.c new file mode 100644 index 000000000..3261c4e8d --- /dev/null +++ b/src/src/tlscert-gnu.c 
@@ -0,0 +1,451 @@ +/************************************************* +* Exim - an Internet mail transport agent * +*************************************************/ + +/* Copyright (c) Jeremy Harris 2014 */ + +/* This file provides TLS/SSL support for Exim using the GnuTLS library, +one of the available supported implementations. This file is #included into +tls.c when USE_GNUTLS has been set. +*/ + +#include +/* needed for cert checks in verification and DN extraction: */ +#include +/* needed to disable PKCS11 autoload unless requested */ +#if GNUTLS_VERSION_NUMBER >= 0x020c00 +# include +#endif + + +/***************************************************** +* Export/import a certificate, binary/printable +*****************************************************/ +int +tls_export_cert(uschar * buf, size_t buflen, void * cert) +{ +size_t sz = buflen; +void * reset_point = store_get(0); +int fail; +uschar * cp; + +if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert, + GNUTLS_X509_FMT_PEM, buf, &sz))) + { + log_write(0, LOG_MAIN, "TLS error in certificate export: %s", + gnutls_strerror(fail)); + return 1; + } +if ((cp = string_printing(buf)) != buf) + { + Ustrncpy(buf, cp, buflen); + if (buf[buflen-1]) + fail = 1; + } +store_reset(reset_point); +return fail; +} + +int +tls_import_cert(const uschar * buf, void ** cert) +{ +void * reset_point = store_get(0); +gnutls_datum_t datum; +gnutls_x509_crt_t crt; +int fail = 0; + +gnutls_global_init(); +gnutls_x509_crt_init(&crt); + +datum.data = string_unprinting(US buf); +datum.size = Ustrlen(datum.data); +if ((fail = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM))) + { + log_write(0, LOG_MAIN, "TLS error in certificate import: %s", + gnutls_strerror(fail)); + fail = 1; + } +else + *cert = (void *)crt; + +store_reset(reset_point); +return fail; +} + +void +tls_free_cert(void * cert) +{ +gnutls_x509_crt_deinit((gnutls_x509_crt_t) cert); +gnutls_global_deinit(); +} + 
+/***************************************************** +* Certificate field extraction routines +*****************************************************/ + +/* First, some internal service functions */ + +static uschar * +g_err(const char * tag, const char * from, int gnutls_err) +{ +expand_string_message = string_sprintf("%s: %s fail: %s\n", + from, tag, gnutls_strerror(gnutls_err)); +return NULL; +} + + +static uschar * +time_copy(time_t t, uschar * mod) +{ +uschar * cp; +struct tm * tp; +size_t len; + +if (mod && Ustrcmp(mod, "int") == 0) + return string_sprintf("%u", (unsigned)t); + +cp = store_get(32); +tp = gmtime(&t); +len = strftime(CS cp, 32, "%b %e %T %Y %Z", tp); +return len > 0 ? cp : NULL; +} + + +/**/ +/* Now the extractors, called from expand.c +Arguments: + cert The certificate + mod Optional modifiers for the operator + +Return: + Allocated string with extracted value +*/ + +uschar * +tls_cert_issuer(void * cert, uschar * mod) +{ +uschar * cp = NULL; +int ret; +size_t siz = 0; + +if ((ret = gnutls_x509_crt_get_issuer_dn(cert, cp, &siz)) + != GNUTLS_E_SHORT_MEMORY_BUFFER) + return g_err("gi0", __FUNCTION__, ret); + +cp = store_get(siz); +if ((ret = gnutls_x509_crt_get_issuer_dn(cert, cp, &siz)) < 0) + return g_err("gi1", __FUNCTION__, ret); + +return mod ? 
tls_field_from_dn(cp, mod) : cp; +} + +uschar * +tls_cert_not_after(void * cert, uschar * mod) +{ +return time_copy( + gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t)cert), + mod); +} + +uschar * +tls_cert_not_before(void * cert, uschar * mod) +{ +return time_copy( + gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t)cert), + mod); +} + +uschar * +tls_cert_serial_number(void * cert, uschar * mod) +{ +uschar bin[50], txt[150]; +size_t sz = sizeof(bin); +uschar * sp; +uschar * dp; +int ret; + +if ((ret = gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert, + bin, &sz))) + return g_err("gs0", __FUNCTION__, ret); + +for(dp = txt, sp = bin; sz; dp += 2, sp++, sz--) + sprintf(dp, "%.2x", *sp); +for(sp = txt; sp[0]=='0' && sp[1]; ) sp++; /* leading zeroes */ +return string_copy(sp); +} + +uschar * +tls_cert_signature(void * cert, uschar * mod) +{ +uschar * cp1; +uschar * cp2; +uschar * cp3; +size_t len = 0; +int ret; + +if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len)) + != GNUTLS_E_SHORT_MEMORY_BUFFER) + return g_err("gs0", __FUNCTION__, ret); + +cp1 = store_get(len*4+1); +if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len) != 0) + return g_err("gs1", __FUNCTION__, ret); + +for(cp3 = cp2 = cp1+len; cp1 < cp2; cp3 += 3, cp1++) + sprintf(cp3, "%.2x ", *cp1); +cp3[-1]= '\0'; + +return cp2; +} + +uschar * +tls_cert_signature_algorithm(void * cert, uschar * mod) +{ +gnutls_sign_algorithm_t algo = + gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t)cert); +return algo < 0 ? NULL : string_copy(gnutls_sign_get_name(algo)); +} + +uschar * +tls_cert_subject(void * cert, uschar * mod) +{ +uschar * cp = NULL; +int ret; +size_t siz = 0; + +if ((ret = gnutls_x509_crt_get_dn(cert, cp, &siz)) + != GNUTLS_E_SHORT_MEMORY_BUFFER) + return g_err("gs0", __FUNCTION__, ret); + +cp = store_get(siz); +if ((ret = gnutls_x509_crt_get_dn(cert, cp, &siz)) < 0) + return g_err("gs1", __FUNCTION__, ret); + +return mod ? 
tls_field_from_dn(cp, mod) : cp; +} + +uschar * +tls_cert_version(void * cert, uschar * mod) +{ +return string_sprintf("%d", gnutls_x509_crt_get_version(cert)); +} + +uschar * +tls_cert_ext_by_oid(void * cert, uschar * oid, int idx) +{ +uschar * cp1 = NULL; +uschar * cp2; +uschar * cp3; +size_t siz = 0; +unsigned int crit; +int ret; + +ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert, + oid, idx, cp1, &siz, &crit); +if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) + return g_err("ge0", __FUNCTION__, ret); + +cp1 = store_get(siz*4 + 1); + +ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert, + oid, idx, cp1, &siz, &crit); +if (ret < 0) + return g_err("ge1", __FUNCTION__, ret); + +/* binary data, DER encoded */ + +/* just dump for now */ +for(cp3 = cp2 = cp1+siz; cp1 < cp2; cp3 += 3, cp1++) + sprintf(cp3, "%.2x ", *cp1); +cp3[-1]= '\0'; + +return cp2; +} + +uschar * +tls_cert_subject_altname(void * cert, uschar * mod) +{ +uschar * list = NULL; +int index; +size_t siz; +int ret; +uschar sep = '\n'; +uschar * tag = US""; +uschar * ele; +int match = -1; + +while (mod) + { + if (*mod == '>' && *++mod) sep = *mod++; + else if (Ustrcmp(mod, "dns")==0) { match = GNUTLS_SAN_DNSNAME; mod += 3; } + else if (Ustrcmp(mod, "uri")==0) { match = GNUTLS_SAN_URI; mod += 3; } + else if (Ustrcmp(mod, "mail")==0) { match = GNUTLS_SAN_RFC822NAME; mod += 4; } + else continue; + + if (*mod++ != ',') + break; + } + +for(index = 0;; index++) + { + siz = 0; + switch(ret = gnutls_x509_crt_get_subject_alt_name( + (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL)) + { + case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE: + return list; /* no more elements; normal exit */ + + case GNUTLS_E_SHORT_MEMORY_BUFFER: + break; + + default: + return g_err("gs0", __FUNCTION__, ret); + } + + ele = store_get(siz+1); + if ((ret = gnutls_x509_crt_get_subject_alt_name( + (gnutls_x509_crt_t)cert, index, ele, &siz, NULL)) < 0) + return g_err("gs1", __FUNCTION__, ret); + ele[siz] = '\0'; + + if 
( match != -1 && match != ret /* wrong type of SAN */ + || Ustrlen(ele) != siz) /* contains a NUL */ + continue; + switch (ret) + { + case GNUTLS_SAN_DNSNAME: tag = US"DNS"; break; + case GNUTLS_SAN_URI: tag = US"URI"; break; + case GNUTLS_SAN_RFC822NAME: tag = US"MAIL"; break; + default: continue; /* ignore unrecognised types */ + } + list = string_append_listele(list, sep, + match == -1 ? string_sprintf("%s=%s", tag, ele) : ele); + } +/*NOTREACHED*/ +} + +uschar * +tls_cert_ocsp_uri(void * cert, uschar * mod) +{ +#if GNUTLS_VERSION_NUMBER >= 0x030000 +gnutls_datum_t uri; +int ret; +uschar sep = '\n'; +int index; +uschar * list = NULL; + +if (mod) + if (*mod == '>' && *++mod) sep = *mod++; + +for(index = 0;; index++) + { + ret = gnutls_x509_crt_get_authority_info_access((gnutls_x509_crt_t)cert, + index, GNUTLS_IA_OCSP_URI, &uri, NULL); + + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + return list; + if (ret < 0) + return g_err("gai", __FUNCTION__, ret); + + list = string_append_listele(list, sep, + string_copyn(uri.data, uri.size)); + } +/*NOTREACHED*/ + +#else + +expand_string_message = + string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n", + __FUNCTION__); +return NULL; + +#endif +} + +uschar * +tls_cert_crl_uri(void * cert, uschar * mod) +{ +int ret; +size_t siz; +uschar sep = '\n'; +int index; +uschar * list = NULL; +uschar * ele; + +if (mod) + if (*mod == '>' && *++mod) sep = *mod++; + +for(index = 0;; index++) + { + siz = 0; + switch(ret = gnutls_x509_crt_get_crl_dist_points( + (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL, NULL)) + { + case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE: + return list; + case GNUTLS_E_SHORT_MEMORY_BUFFER: + break; + default: + return g_err("gc0", __FUNCTION__, ret); + } + + ele = store_get(siz+1); + if ((ret = gnutls_x509_crt_get_crl_dist_points( + (gnutls_x509_crt_t)cert, index, ele, &siz, NULL, NULL)) < 0) + return g_err("gc1", __FUNCTION__, ret); + + ele[siz] = '\0'; + list = 
string_append_listele(list, sep, ele); + } +/*NOTREACHED*/ +} + + +/***************************************************** +* Certificate operator routines +*****************************************************/ +static uschar * +fingerprint(gnutls_x509_crt_t cert, gnutls_digest_algorithm_t algo) +{ +int ret; +size_t siz = 0; +uschar * cp; +uschar * cp2; +uschar * cp3; + +if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, NULL, &siz)) + != GNUTLS_E_SHORT_MEMORY_BUFFER) + return g_err("gf0", __FUNCTION__, ret); + +cp = store_get(siz*3+1); +if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, cp, &siz)) < 0) + return g_err("gf1", __FUNCTION__, ret); + +for (cp3 = cp2 = cp+siz; cp < cp2; cp++, cp3+=2) + sprintf(cp3, "%02X",*cp); +return cp2; +} + + +uschar * +tls_cert_fprt_md5(void * cert) +{ +return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_MD5); +} + +uschar * +tls_cert_fprt_sha1(void * cert) +{ +return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA1); +} + +uschar * +tls_cert_fprt_sha256(void * cert) +{ +return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA256); +} + + +/* vi: aw ai sw=2 +*/ +/* End of tlscert-gnu.c */ diff --git a/src/src/tlscert-openssl.c b/src/src/tlscert-openssl.c new file mode 100644 index 000000000..2411dea9e --- /dev/null +++ b/src/src/tlscert-openssl.c 
@@ -0,0 +1,431 @@ +/************************************************* +* Exim - an Internet mail transport agent * +*************************************************/ + +/* Copyright (c) Jeremy Harris 2014 */ + +/* This module provides TLS (aka SSL) support for Exim using the OpenSSL +library. It is #included into the tls.c file when that library is used. +*/ + + +/* Heading stuff */ + +#include +#include +#include +#include +#include + + +/***************************************************** +* Export/import a certificate, binary/printable +*****************************************************/ +int +tls_export_cert(uschar * buf, size_t buflen, void * cert) +{ +BIO * bp = BIO_new(BIO_s_mem()); +int fail; + +if ((fail = PEM_write_bio_X509(bp, (X509 *)cert) ? 0 : 1)) + log_write(0, LOG_MAIN, "TLS error in certificate export: %s", + ERR_error_string(ERR_get_error(), NULL)); +else + { + char * cp = CS buf; + int n; + buflen -= 2; + for(;;) + { + if ((n = BIO_gets(bp, cp, (int)buflen)) <= 0) break; + cp += n+1; + buflen -= n+1; + cp[-2] = '\\'; cp[-1] = 'n'; /* newline->"\n" */ + } /* compat with string_printing() */ + *cp = '\0'; + } + +BIO_free(bp); +return fail; +} + +int +tls_import_cert(const uschar * buf, void ** cert) +{ +void * reset_point = store_get(0); +const uschar * cp = string_unprinting(US buf); +BIO * bp; +X509 * x; +int fail = 0; + +bp = BIO_new_mem_buf(US cp, -1); +if (!(x = PEM_read_bio_X509(bp, NULL, 0, NULL))) + { + log_write(0, LOG_MAIN, "TLS error in certificate import: %s", + ERR_error_string(ERR_get_error(), NULL)); + fail = 1; + } +else + *cert = (void *)x; +BIO_free(bp); +store_reset(reset_point); +return fail; +} + +void +tls_free_cert(void * cert) +{ +X509_free((X509 *)cert); +} + + +/***************************************************** +* Certificate field extraction routines +*****************************************************/ + +/* First, some internal service functions */ + +static uschar * +badalloc(void) +{ +expand_string_message 
= US"allocation failure"; +return NULL; +} + +static uschar * +bio_string_copy(BIO * bp, int len) +{ +uschar * cp = US""; +len = len > 0 ? (int) BIO_get_mem_data(bp, &cp) : 0; +cp = string_copyn(cp, len); +BIO_free(bp); +return cp; +} + +static uschar * +bio_string_time_to_int(BIO * bp, int len) +{ +uschar * cp = US""; +struct tm t; +len = len > 0 ? (int) BIO_get_mem_data(bp, &cp) : 0; +/*XXX %Z might be glibc-specific? */ +(void) strptime(CS cp, "%b%t%e%t%T%t%Y%t%Z", &t); +BIO_free(bp); +/*XXX timegm might not be portable? */ +return string_sprintf("%u", (unsigned) timegm(&t)); +} + +static uschar * +asn1_time_copy(const ASN1_TIME * time, uschar * mod) +{ +BIO * bp = BIO_new(BIO_s_mem()); +int len; + +if (!bp) return badalloc(); + +len = ASN1_TIME_print(bp, time); +return mod && Ustrcmp(mod, "int") == 0 + ? bio_string_time_to_int(bp, len) + : bio_string_copy(bp, len); +} + +static uschar * +x509_name_copy(X509_NAME * name) +{ +BIO * bp = BIO_new(BIO_s_mem()); +int len_good; + +if (!bp) return badalloc(); + +len_good = + X509_NAME_print_ex(bp, name, 0, XN_FLAG_RFC2253) >= 0 + ? 1 : 0; +return bio_string_copy(bp, len_good); +} + +/**/ +/* Now the extractors, called from expand.c +Arguments: + cert The certificate + mod Optional modifiers for the operator + +Return: + Allocated string with extracted value +*/ + +uschar * +tls_cert_issuer(void * cert, uschar * mod) +{ +uschar * cp = x509_name_copy(X509_get_issuer_name((X509 *)cert)); +return mod ? 
tls_field_from_dn(cp, mod) : cp; +} + +uschar * +tls_cert_not_before(void * cert, uschar * mod) +{ +return asn1_time_copy(X509_get_notBefore((X509 *)cert), mod); +} + +uschar * +tls_cert_not_after(void * cert, uschar * mod) +{ +return asn1_time_copy(X509_get_notAfter((X509 *)cert), mod); +} + +uschar * +tls_cert_serial_number(void * cert, uschar * mod) +{ +uschar txt[256]; +BIO * bp = BIO_new(BIO_s_mem()); +int len; + +if (!bp) return badalloc(); + +len = i2a_ASN1_INTEGER(bp, X509_get_serialNumber((X509 *)cert)); +if (len < sizeof(txt)) + BIO_read(bp, txt, len); +else + len = 0; +BIO_free(bp); +return string_copynlc(txt, len); /* lowercase */ +} + +uschar * +tls_cert_signature(void * cert, uschar * mod) +{ +uschar * cp = NULL; +BIO * bp = BIO_new(BIO_s_mem()); + +if (!bp) return badalloc(); + +if (X509_print_ex(bp, (X509 *)cert, 0, + X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION | X509_FLAG_NO_SERIAL | + X509_FLAG_NO_SIGNAME | X509_FLAG_NO_ISSUER | X509_FLAG_NO_VALIDITY | + X509_FLAG_NO_SUBJECT | X509_FLAG_NO_PUBKEY | X509_FLAG_NO_EXTENSIONS | + /* X509_FLAG_NO_SIGDUMP is the missing one */ + X509_FLAG_NO_AUX) == 1) + { + long len = BIO_get_mem_data(bp, &cp); + cp = string_copyn(cp, len); + } +BIO_free(bp); +return cp; +} + +uschar * +tls_cert_signature_algorithm(void * cert, uschar * mod) +{ +return string_copy(US OBJ_nid2ln(X509_get_signature_type((X509 *)cert))); +} + +uschar * +tls_cert_subject(void * cert, uschar * mod) +{ +uschar * cp = x509_name_copy(X509_get_subject_name((X509 *)cert)); +return mod ? 
tls_field_from_dn(cp, mod) : cp; +} + +uschar * +tls_cert_version(void * cert, uschar * mod) +{ +return string_sprintf("%d", X509_get_version((X509 *)cert)); +} + +uschar * +tls_cert_ext_by_oid(void * cert, uschar * oid, int idx) +{ +int nid = OBJ_create(CS oid, "", ""); +int nidx = X509_get_ext_by_NID((X509 *)cert, nid, idx); +X509_EXTENSION * ex = X509_get_ext((X509 *)cert, nidx); +ASN1_OCTET_STRING * adata = X509_EXTENSION_get_data(ex); +BIO * bp = BIO_new(BIO_s_mem()); +long len; +uschar * cp1; +uschar * cp2; +uschar * cp3; + +if (!bp) return badalloc(); + +M_ASN1_OCTET_STRING_print(bp, adata); +/* binary data, DER encoded */ + +/* just dump for now */ +len = BIO_get_mem_data(bp, &cp1); +cp3 = cp2 = store_get(len*3+1); + +while(len) + { + sprintf(CS cp2, "%.2x ", *cp1++); + cp2 += 3; + len--; + } +cp2[-1] = '\0'; + +return cp3; +} + +uschar * +tls_cert_subject_altname(void * cert, uschar * mod) +{ +uschar * list = NULL; +STACK_OF(GENERAL_NAME) * san = (STACK_OF(GENERAL_NAME) *) + X509_get_ext_d2i((X509 *)cert, NID_subject_alt_name, NULL, NULL); +uschar sep = '\n'; +uschar * tag = US""; +uschar * ele; +int match = -1; +int len; + +if (!san) return NULL; + +while (mod) + { + if (*mod == '>' && *++mod) sep = *mod++; + else if (Ustrcmp(mod, "dns")==0) { match = GEN_DNS; mod += 3; } + else if (Ustrcmp(mod, "uri")==0) { match = GEN_URI; mod += 3; } + else if (Ustrcmp(mod, "mail")==0) { match = GEN_EMAIL; mod += 4; } + else continue; + + if (*mod++ != ',') + break; + } + +while (sk_GENERAL_NAME_num(san) > 0) + { + GENERAL_NAME * namePart = sk_GENERAL_NAME_pop(san); + if (match != -1 && match != namePart->type) + continue; + switch (namePart->type) + { + case GEN_DNS: + tag = US"DNS"; + ele = ASN1_STRING_data(namePart->d.dNSName); + len = ASN1_STRING_length(namePart->d.dNSName); + break; + case GEN_URI: + tag = US"URI"; + ele = ASN1_STRING_data(namePart->d.uniformResourceIdentifier); + len = ASN1_STRING_length(namePart->d.uniformResourceIdentifier); + break; + case 
GEN_EMAIL: + tag = US"MAIL"; + ele = ASN1_STRING_data(namePart->d.rfc822Name); + len = ASN1_STRING_length(namePart->d.rfc822Name); + break; + default: + continue; /* ignore unrecognised types */ + } + if (ele[len]) /* not nul-terminated */ + ele = string_copyn(ele, len); + + if (strnlen(CS ele, len) == len) /* ignore any with embedded nul */ + list = string_append_listele(list, sep, + match == -1 ? string_sprintf("%s=%s", tag, ele) : ele); + } + +sk_GENERAL_NAME_free(san); +return list; +} + +uschar * +tls_cert_ocsp_uri(void * cert, uschar * mod) +{ +STACK_OF(ACCESS_DESCRIPTION) * ads = (STACK_OF(ACCESS_DESCRIPTION) *) + X509_get_ext_d2i((X509 *)cert, NID_info_access, NULL, NULL); +int adsnum = sk_ACCESS_DESCRIPTION_num(ads); +int i; +uschar sep = '\n'; +uschar * list = NULL; + +if (mod) + if (*mod == '>' && *++mod) sep = *mod++; + +for (i = 0; i < adsnum; i++) + { + ACCESS_DESCRIPTION * ad = sk_ACCESS_DESCRIPTION_value(ads, i); + + if (ad && OBJ_obj2nid(ad->method) == NID_ad_OCSP) + list = string_append_listele(list, sep, + ASN1_STRING_data(ad->location->d.ia5)); + } +return list; +} + +uschar * +tls_cert_crl_uri(void * cert, uschar * mod) +{ +STACK_OF(DIST_POINT) * dps = (STACK_OF(DIST_POINT) *) + X509_get_ext_d2i((X509 *)cert, NID_crl_distribution_points, + NULL, NULL); +DIST_POINT * dp; +int dpsnum = sk_DIST_POINT_num(dps); +int i; +uschar sep = '\n'; +uschar * list = NULL; + +if (mod) + if (*mod == '>' && *++mod) sep = *mod++; + +if (dps) for (i = 0; i < dpsnum; i++) + if ((dp = sk_DIST_POINT_value(dps, i))) + { + STACK_OF(GENERAL_NAME) * names = dp->distpoint->name.fullname; + GENERAL_NAME * np; + int nnum = sk_GENERAL_NAME_num(names); + int j; + + for (j = 0; j < nnum; j++) + if ( (np = sk_GENERAL_NAME_value(names, j)) + && np->type == GEN_URI + ) + list = string_append_listele(list, sep, + ASN1_STRING_data(np->d.uniformResourceIdentifier)); + } +return list; +} + + + +/***************************************************** +* Certificate operator routines 
+*****************************************************/ +static uschar * +fingerprint(X509 * cert, const EVP_MD * fdig) +{ +int j; +unsigned int n; +uschar md[EVP_MAX_MD_SIZE]; +uschar * cp; + +if (!X509_digest(cert,fdig,md,&n)) + { + expand_string_message = US"tls_cert_fprt: out of mem\n"; + return NULL; + } +cp = store_get(n*2+1); +for (j = 0; j < (int)n; j++) sprintf(CS cp+2*j, "%02X", md[j]); +return(cp); +} + +uschar * +tls_cert_fprt_md5(void * cert) +{ +return fingerprint((X509 *)cert, EVP_md5()); +} + +uschar * +tls_cert_fprt_sha1(void * cert) +{ +return fingerprint((X509 *)cert, EVP_sha1()); +} + +uschar * +tls_cert_fprt_sha256(void * cert) +{ +return fingerprint((X509 *)cert, EVP_sha256()); +} + + +/* vi: aw ai sw=2 +*/ +/* End of tlscert-openssl.c */ diff --git a/src/src/tod.c b/src/src/tod.c index 9aa845c82..427227c68 100644 --- a/src/src/tod.c +++ b/src/src/tod.c @@ -59,7 +59,8 @@ if (type == tod_epoch_l) { struct timeval tv; gettimeofday(&tv, NULL); - (void) sprintf(CS timebuf, "%ld%06ld", tv.tv_sec, tv.tv_usec ); /* Unix epoch/usec format */ + /* Unix epoch/usec format */ + (void) sprintf(CS timebuf, "%ld%06ld", tv.tv_sec, (long) tv.tv_usec ); return timebuf; } diff --git a/src/src/transport.c b/src/src/transport.c index d2540be62..f0b748639 100644 --- a/src/src/transport.c +++ b/src/src/transport.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* General functions concerned with transportation, and generic options for all 
@@ -600,6 +600,177 @@ return write_chunk(fd, pp->address, Ustrlen(pp->address), use_crlf); +/* Add/remove/rewwrite headers, and send them plus the empty-line sparator. + +Globals: + header_list + +Arguments: + addr (chain of) addresses (for extra headers), or NULL; + only the first address is used + fd file descriptor to write the message to + sendfn function for output + use_crlf turn NL into CR LF + rewrite_rules chain of header rewriting rules + rewrite_existflags flags for the rewriting rules + +Returns: TRUE on success; FALSE on failure. +*/ +BOOL +transport_headers_send(address_item *addr, int fd, uschar *add_headers, uschar *remove_headers, + BOOL (*sendfn)(int fd, uschar * s, int len, BOOL use_crlf), + BOOL use_crlf, rewrite_rule *rewrite_rules, int rewrite_existflags) +{ +header_line *h; + +/* Then the message's headers. Don't write any that are flagged as "old"; +that means they were rewritten, or are a record of envelope rewriting, or +were removed (e.g. Bcc). If remove_headers is not null, skip any headers that +match any entries therein. It is a colon-sep list; expand the items +separately and squash any empty ones. +Then check addr->p.remove_headers too, provided that addr is not NULL. 
*/ + +for (h = header_list; h != NULL; h = h->next) if (h->type != htype_old) + { + int i; + uschar *list = remove_headers; + + BOOL include_header = TRUE; + + for (i = 0; i < 2; i++) /* For remove_headers && addr->p.remove_headers */ + { + if (list) + { + int sep = ':'; /* This is specified as a colon-separated list */ + uschar *s, *ss; + uschar buffer[128]; + while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer)))) + { + int len; + + if (i == 0) + if (!(s = expand_string(s)) && !expand_string_forcedfail) + { + errno = ERRNO_CHHEADER_FAIL; + return FALSE; + } + len = Ustrlen(s); + if (strncmpic(h->text, s, len) != 0) continue; + ss = h->text + len; + while (*ss == ' ' || *ss == '\t') ss++; + if (*ss == ':') break; + } + if (s != NULL) { include_header = FALSE; break; } + } + if (addr != NULL) list = addr->p.remove_headers; + } + + /* If this header is to be output, try to rewrite it if there are rewriting + rules. */ + + if (include_header) + { + if (rewrite_rules) + { + void *reset_point = store_get(0); + header_line *hh; + + if ((hh = rewrite_header(h, NULL, NULL, rewrite_rules, rewrite_existflags, FALSE))) + { + if (!sendfn(fd, hh->text, hh->slen, use_crlf)) return FALSE; + store_reset(reset_point); + continue; /* With the next header line */ + } + } + + /* Either no rewriting rules, or it didn't get rewritten */ + + if (!sendfn(fd, h->text, h->slen, use_crlf)) return FALSE; + } + + /* Header removed */ + + else + { + DEBUG(D_transport) debug_printf("removed header line:\n%s---\n", h->text); + } + } + +/* Add on any address-specific headers. If there are multiple addresses, +they will all have the same headers in order to be batched. The headers +are chained in reverse order of adding (so several addresses from the +same alias might share some of them) but we want to output them in the +opposite order. This is a bit tedious, but there shouldn't be very many +of them. 
We just walk the list twice, reversing the pointers each time, +but on the second time, write out the items. + +Headers added to an address by a router are guaranteed to end with a newline. +*/ + +if (addr) + { + int i; + header_line *hprev = addr->p.extra_headers; + header_line *hnext; + for (i = 0; i < 2; i++) + { + for (h = hprev, hprev = NULL; h != NULL; h = hnext) + { + hnext = h->next; + h->next = hprev; + hprev = h; + if (i == 1) + { + if (!sendfn(fd, h->text, h->slen, use_crlf)) return FALSE; + DEBUG(D_transport) + debug_printf("added header line(s):\n%s---\n", h->text); + } + } + } + } + +/* If a string containing additional headers exists it is a newline-sep +list. Expand each item and write out the result. This is done last so that +if it (deliberately or accidentally) isn't in header format, it won't mess +up any other headers. An empty string or a forced expansion failure are +noops. An added header string from a transport may not end with a newline; +add one if it does not. */ + +if (add_headers) + { + int sep = '\n'; + uschar * s; + + while ((s = string_nextinlist(&add_headers, &sep, NULL, 0))) + if (!(s = expand_string(s))) + { + if (!expand_string_forcedfail) + { errno = ERRNO_CHHEADER_FAIL; return FALSE; } + } + else + { + int len = Ustrlen(s); + if (len > 0) + { + if (!sendfn(fd, s, len, use_crlf)) return FALSE; + if (s[len-1] != '\n' && !sendfn(fd, US"\n", 1, use_crlf)) + return FALSE; + DEBUG(D_transport) + { + debug_printf("added header line:\n%s", s); + if (s[len-1] != '\n') debug_printf("\n"); + debug_printf("---\n"); + } + } + } + } + +/* Separate headers from body with a blank line */ + +return sendfn(fd, US"\n", 1, use_crlf); +} + + /************************************************* * Write the message * *************************************************/ 
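Review bot: in the remove_headers loop of transport_headers_send(), a forced expansion failure leaves s NULL, because `if (!(s = expand_string(s)) && !expand_string_forcedfail)` only returns when the failure was not forced, and the next statement `len = Ustrlen(s);` is then called on NULL. The comment above the loop says empty items are squashed, and the add_headers block further down treats a forced failure as a no-op, so add `if (!s) continue;` before taking the length. The function's header comment also omits add_headers and remove_headers from its Arguments list, and its first line has the typos "rewwrite" and "sparator".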
@@ -666,7 +837,6 @@ internal_transport_write_message(address_item *addr, int fd, int options, { int written = 0; int len; -header_line *h; BOOL use_crlf = (options & topt_use_crlf) != 0; /* Initialize pointer in output buffer. */ 
@@ -747,154 +917,9 @@ if ((options & topt_no_headers) == 0) were removed (e.g. Bcc). If remove_headers is not null, skip any headers that match any entries therein. Then check addr->p.remove_headers too, provided that addr is not NULL. */ - - if (remove_headers != NULL) - { - uschar *s = expand_string(remove_headers); - if (s == NULL && !expand_string_forcedfail) - { - errno = ERRNO_CHHEADER_FAIL; - return FALSE; - } - remove_headers = s; - } - - for (h = header_list; h != NULL; h = h->next) - { - int i; - uschar *list = NULL; - BOOL include_header; - - if (h->type == htype_old) continue; - - include_header = TRUE; - list = remove_headers; - - for (i = 0; i < 2; i++) /* For remove_headers && addr->p.remove_headers */ - { - if (list != NULL) - { - int sep = ':'; /* This is specified as a colon-separated list */ - uschar *s, *ss; - uschar buffer[128]; - while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) - != NULL) - { - int len = Ustrlen(s); - if (strncmpic(h->text, s, len) != 0) continue; - ss = h->text + len; - while (*ss == ' ' || *ss == '\t') ss++; - if (*ss == ':') break; - } - if (s != NULL) { include_header = FALSE; break; } - } - if (addr != NULL) list = addr->p.remove_headers; - } - - /* If this header is to be output, try to rewrite it if there are rewriting - rules. */ - - if (include_header) - { - if (rewrite_rules != NULL) - { - void *reset_point = store_get(0); - header_line *hh = - rewrite_header(h, NULL, NULL, rewrite_rules, rewrite_existflags, - FALSE); - if (hh != NULL) - { - if (!write_chunk(fd, hh->text, hh->slen, use_crlf)) return FALSE; - store_reset(reset_point); - continue; /* With the next header line */ - } - } - - /* Either no rewriting rules, or it didn't get rewritten */ - - if (!write_chunk(fd, h->text, h->slen, use_crlf)) return FALSE; - } - - /* Header removed */ - - else - { - DEBUG(D_transport) debug_printf("removed header line:\n%s---\n", - h->text); - } - } - - /* Add on any address-specific headers. 
If there are multiple addresses, - they will all have the same headers in order to be batched. The headers - are chained in reverse order of adding (so several addresses from the - same alias might share some of them) but we want to output them in the - opposite order. This is a bit tedious, but there shouldn't be very many - of them. We just walk the list twice, reversing the pointers each time, - but on the second time, write out the items. - - Headers added to an address by a router are guaranteed to end with a newline. - */ - - if (addr != NULL) - { - int i; - header_line *hprev = addr->p.extra_headers; - header_line *hnext; - for (i = 0; i < 2; i++) - { - for (h = hprev, hprev = NULL; h != NULL; h = hnext) - { - hnext = h->next; - h->next = hprev; - hprev = h; - if (i == 1) - { - if (!write_chunk(fd, h->text, h->slen, use_crlf)) return FALSE; - DEBUG(D_transport) - debug_printf("added header line(s):\n%s---\n", h->text); - } - } - } - } - - /* If a string containing additional headers exists, expand it and write - out the result. This is done last so that if it (deliberately or accidentally) - isn't in header format, it won't mess up any other headers. An empty string - or a forced expansion failure are noops. An added header string from a - transport may not end with a newline; add one if it does not. 
*/ - - if (add_headers != NULL) - { - uschar *s = expand_string(add_headers); - if (s == NULL) - { - if (!expand_string_forcedfail) - { - errno = ERRNO_CHHEADER_FAIL; - return FALSE; - } - } - else - { - int len = Ustrlen(s); - if (len > 0) - { - if (!write_chunk(fd, s, len, use_crlf)) return FALSE; - if (s[len-1] != '\n' && !write_chunk(fd, US"\n", 1, use_crlf)) - return FALSE; - DEBUG(D_transport) - { - debug_printf("added header line(s):\n%s", s); - if (s[len-1] != '\n') debug_printf("\n"); - debug_printf("---\n"); - } - } - } - } - - /* Separate headers from body with a blank line */ - - if (!write_chunk(fd, US"\n", 1, use_crlf)) return FALSE; + if (!transport_headers_send(addr, fd, add_headers, remove_headers, &write_chunk, + use_crlf, rewrite_rules, rewrite_existflags)) + return FALSE; } /* If the body is required, ensure that the data for check strings (formerly @@ -1802,6 +1827,11 @@ if ((pid = fork()) == 0) argv = child_exec_exim(CEE_RETURN_ARGV, TRUE, &i, FALSE, 0); + #ifdef EXPERIMENTAL_DSN + /* Call with the dsn flag */ + if (smtp_use_dsn) argv[i++] = US"-MCD"; + #endif + if (smtp_authenticated) argv[i++] = US"-MCA"; #ifdef SUPPORT_TLS @@ -2157,4 +2187,6 @@ if (expand_arguments) return TRUE; } +/* vi: aw ai sw=2 +*/ /* End of transport.c */ diff --git a/src/src/transports/lmtp.c b/src/src/transports/lmtp.c index 06eb72969..84bbeb939 100644 --- a/src/src/transports/lmtp.c +++ b/src/src/transports/lmtp.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2009 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ 
@@ -662,8 +662,14 @@ if (send_data) if (addr->transport_return != PENDING_OK) continue; if (lmtp_read_response(out, buffer, sizeof(buffer), '2', timeout)) + { addr->transport_return = OK; - + if ((log_extra_selector & LX_smtp_confirmation) != 0) + { + uschar *s = string_printing(buffer); + addr->message = (s == buffer)? (uschar *)string_copy(s) : s; + } + } /* If the response has failed badly, use it for all the remaining pending addresses and give up. */ diff --git a/src/src/transports/pipe.c b/src/src/transports/pipe.c index 54989410a..3366a6dcf 100644 --- a/src/src/transports/pipe.c +++ b/src/src/transports/pipe.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2009 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ diff --git a/src/src/transports/pipe.h b/src/src/transports/pipe.h index e10117458..ed5c142b3 100644 --- a/src/src/transports/pipe.h +++ b/src/src/transports/pipe.h @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2009 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Private structure for the private options. */ diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 9918f3116..db424fa61 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ #include "../exim.h" 
@@ -55,6 +55,10 @@ optionlist smtp_transport_options[] = { (void *)offsetof(smtp_transport_options_block, dns_qualify_single) }, { "dns_search_parents", opt_bool, (void *)offsetof(smtp_transport_options_block, dns_search_parents) }, + { "dnssec_request_domains", opt_stringptr, + (void *)offsetof(smtp_transport_options_block, dnssec_request_domains) }, + { "dnssec_require_domains", opt_stringptr, + (void *)offsetof(smtp_transport_options_block, dnssec_require_domains) }, { "dscp", opt_stringptr, (void *)offsetof(smtp_transport_options_block, dscp) }, { "fallback_hosts", opt_stringptr, @@ -98,10 +102,14 @@ optionlist smtp_transport_options[] = { (void *)offsetof(smtp_transport_options_block, hosts_override) }, { "hosts_randomize", opt_bool, (void *)offsetof(smtp_transport_options_block, hosts_randomize) }, +#if defined(SUPPORT_TLS) && !defined(DISABLE_OCSP) + { "hosts_request_ocsp", opt_stringptr, + (void *)offsetof(smtp_transport_options_block, hosts_request_ocsp) }, +#endif { "hosts_require_auth", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_require_auth) }, #ifdef SUPPORT_TLS -# if defined EXPERIMENTAL_OCSP +# ifndef DISABLE_OCSP { "hosts_require_ocsp", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_require_ocsp) }, # endif @@ -110,7 +118,7 @@ optionlist smtp_transport_options[] = { #endif { "hosts_try_auth", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_try_auth) }, -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR { "hosts_try_prdr", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_try_prdr) }, #endif 
@@ -153,8 +161,16 @@ optionlist smtp_transport_options[] = { (void *)offsetof(smtp_transport_options_block, tls_sni) }, { "tls_tempfail_tryclear", opt_bool, (void *)offsetof(smtp_transport_options_block, tls_tempfail_tryclear) }, + { "tls_try_verify_hosts", opt_stringptr, + (void *)offsetof(smtp_transport_options_block, tls_try_verify_hosts) }, +#ifdef EXPERIMENTAL_CERTNAMES + { "tls_verify_cert_hostnames", opt_stringptr, + (void *)offsetof(smtp_transport_options_block,tls_verify_cert_hostnames)}, +#endif { "tls_verify_certificates", opt_stringptr, - (void *)offsetof(smtp_transport_options_block, tls_verify_certificates) } + (void *)offsetof(smtp_transport_options_block, tls_verify_certificates) }, + { "tls_verify_hosts", opt_stringptr, + (void *)offsetof(smtp_transport_options_block, tls_verify_hosts) } #endif #ifdef EXPERIMENTAL_TPDA ,{ "tpda_host_defer_action", opt_stringptr, @@ -184,10 +200,11 @@ smtp_transport_options_block smtp_transport_option_defaults = { NULL, /* serialize_hosts */ NULL, /* hosts_try_auth */ NULL, /* hosts_require_auth */ -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR NULL, /* hosts_try_prdr */ #endif -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP + US"*", /* hosts_request_ocsp */ NULL, /* hosts_require_ocsp */ #endif NULL, /* hosts_require_tls */ @@ -209,6 +226,8 @@ smtp_transport_options_block smtp_transport_option_defaults = { FALSE, /* gethostbyname */ TRUE, /* dns_qualify_single */ FALSE, /* dns_search_parents */ + NULL, /* dnssec_request_domains */ + NULL, /* dnssec_require_domains */ TRUE, /* delay_after_cutoff */ FALSE, /* hosts_override */ FALSE, /* hosts_randomize */ 
@@ -227,7 +246,12 @@ smtp_transport_options_block smtp_transport_option_defaults = { NULL, /* tls_verify_certificates */ EXIM_CLIENT_DH_DEFAULT_MIN_BITS, /* tls_dh_min_bits */ - TRUE /* tls_tempfail_tryclear */ + TRUE, /* tls_tempfail_tryclear */ + NULL, /* tls_verify_hosts */ + NULL /* tls_try_verify_hosts */ +# ifdef EXPERIMENTAL_CERTNAMES + ,NULL /* tls_verify_cert_hostnames */ +# endif #endif #ifndef DISABLE_DKIM ,NULL, /* dkim_canon */ @@ -242,6 +266,16 @@ smtp_transport_options_block smtp_transport_option_defaults = { #endif }; +#ifdef EXPERIMENTAL_DSN +/* some DSN flags for use later */ + +static int rf_list[] = {rf_notify_never, rf_notify_success, + rf_notify_failure, rf_notify_delay }; + +static uschar *rf_names[] = { "NEVER", "SUCCESS", "FAILURE", "DELAY" }; +#endif + + /* Local statics */ @@ -619,7 +653,7 @@ tpda_defer_errstr = addr->message ? string_sprintf("%s: %s", addr->message, strerror(addr->basic_errno)) : string_copy(addr->message) : addr->basic_errno > 0 - ? string_copy(strerror(addr->basic_errno)) + ? string_copy(US strerror(addr->basic_errno)) : NULL; DEBUG(D_transport) @@ -1168,10 +1202,13 @@ BOOL completed_address = FALSE; BOOL esmtp = TRUE; BOOL pending_MAIL; BOOL pass_message = FALSE; -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR BOOL prdr_offered = FALSE; BOOL prdr_active; #endif +#ifdef EXPERIMENTAL_DSN +BOOL dsn_all_lasthop = TRUE; +#endif smtp_inblock inblock; smtp_outblock outblock; int max_rcpt = tblock->max_addresses; 
@@ -1207,25 +1244,27 @@ outblock.authenticating = FALSE; /* Reset the parameters of a TLS session. */ -tls_in.bits = 0; -tls_in.cipher = NULL; /* for back-compatible behaviour */ -tls_in.peerdn = NULL; -#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) -tls_in.sni = NULL; -#endif - tls_out.bits = 0; tls_out.cipher = NULL; /* the one we may use for this transport */ +tls_out.ourcert = NULL; +tls_out.peercert = NULL; tls_out.peerdn = NULL; #if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) tls_out.sni = NULL; #endif +tls_out.ocsp = OCSP_NOT_REQ; + +/* Flip the legacy TLS-related variables over to the outbound set in case +they're used in the context of the transport. Don't bother resetting +afterward as we're in a subprocess. */ + +tls_modify_variables(&tls_out); #ifndef SUPPORT_TLS if (smtps) { - set_errno(addrlist, 0, US"TLS support not available", DEFER, FALSE); - return ERROR; + set_errno(addrlist, 0, US"TLS support not available", DEFER, FALSE); + return ERROR; } #endif @@ -1367,7 +1406,7 @@ goto SEND_QUIT; PCRE_EOPT, NULL, 0) >= 0; #endif - #ifdef EXPERIMENTAL_PRDR + #ifndef DISABLE_PRDR prdr_offered = esmtp && (pcre_exec(regex_PRDR, NULL, CS buffer, Ustrlen(buffer), 0, PCRE_EOPT, NULL, 0) >= 0) && @@ -1433,20 +1472,7 @@ if (tls_offered && !suppress_tls && else TLS_NEGOTIATE: { - int rc = tls_client_start(inblock.sock, - host, - addrlist, - ob->tls_certificate, - ob->tls_privatekey, - ob->tls_sni, - ob->tls_verify_certificates, - ob->tls_crl, - ob->tls_require_ciphers, -#ifdef EXPERIMENTAL_OCSP - ob->hosts_require_ocsp, -#endif - ob->tls_dh_min_bits, - ob->command_timeout); + int rc = tls_client_start(inblock.sock, host, addrlist, ob); /* TLS negotiation failed; give an error. From outside, this function may be called again to try in clear on a new connection, if the options permit 
@@ -1467,7 +1493,10 @@ if (tls_offered && !suppress_tls && if (addr->transport_return == PENDING_DEFER) { addr->cipher = tls_out.cipher; + addr->ourcert = tls_out.ourcert; + addr->peercert = tls_out.peercert; addr->peerdn = tls_out.peerdn; + addr->ocsp = tls_out.ocsp; } } } @@ -1576,7 +1605,7 @@ if (continue_hostname == NULL DEBUG(D_transport) debug_printf("%susing PIPELINING\n", smtp_use_pipelining? "" : "not "); -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR prdr_offered = esmtp && pcre_exec(regex_PRDR, NULL, CS buffer, Ustrlen(CS buffer), 0, PCRE_EOPT, NULL, 0) >= 0 && @@ -1587,6 +1616,13 @@ if (continue_hostname == NULL {DEBUG(D_transport) debug_printf("PRDR usable\n");} #endif +#ifdef EXPERIMENTAL_DSN + /* Note if the server supports DSN */ + smtp_use_dsn = esmtp && pcre_exec(regex_DSN, NULL, CS buffer, (int)Ustrlen(CS buffer), 0, + PCRE_EOPT, NULL, 0) >= 0; + DEBUG(D_transport) debug_printf("use_dsn=%d\n", smtp_use_dsn); +#endif + /* Note if the response to EHLO specifies support for the AUTH extension. If it has, check that this host is one we want to authenticate to, and do the business. The host name and address must be available when the @@ -1664,7 +1700,7 @@ if (smtp_use_size) while (*p) p++; } -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR prdr_active = FALSE; if (prdr_offered) { 
@@ -1684,6 +1720,38 @@ if (prdr_offered) prdr_is_active: #endif +#ifdef EXPERIMENTAL_DSN +/* check if all addresses have lasthop flag */ +/* do not send RET and ENVID if true */ +dsn_all_lasthop = TRUE; +for (addr = first_addr; + address_count < max_rcpt && addr != NULL; + addr = addr->next) + if ((addr->dsn_flags & rf_dsnlasthop) != 1) + dsn_all_lasthop = FALSE; + +/* Add any DSN flags to the mail command */ + +if ((smtp_use_dsn) && (dsn_all_lasthop == FALSE)) + { + if (dsn_ret == dsn_ret_hdrs) + { + strcpy(p, " RET=HDRS"); + while (*p) p++; + } + else if (dsn_ret == dsn_ret_full) + { + strcpy(p, " RET=FULL"); + while (*p) p++; + } + if (dsn_envid != NULL) + { + string_format(p, sizeof(buffer) - (p-buffer), " ENVID=%s", dsn_envid); + while (*p) p++; + } + } +#endif + /* If an authenticated_sender override has been specified for this transport instance, expand it. If the expansion is forced to fail, and there was already an authenticated_sender for this message, the original value will be used. 
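Review bot: the last-hop test `(addr->dsn_flags & rf_dsnlasthop) != 1` in the scanning loop is only correct if rf_dsnlasthop has the value 1; its definition is not part of this hunk, and for any other bit the masked result is never 1, so dsn_all_lasthop would always end up FALSE. Compare the masked value against zero instead. The loop is bounded by `address_count < max_rcpt` but does not change address_count, so the bound is either true or false for the whole scan and does not limit it to the addresses of this batch. The return value of string_format() for " ENVID=%s" is not checked, so nothing here handles a value that does not fit in the remainder of buffer.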
@@ -1746,18 +1814,66 @@ for (addr = first_addr; int count; BOOL no_flush; + #ifdef EXPERIMENTAL_DSN + if(smtp_use_dsn) + addr->dsn_aware = dsn_support_yes; + else + addr->dsn_aware = dsn_support_no; + #endif + if (addr->transport_return != PENDING_DEFER) continue; address_count++; no_flush = smtp_use_pipelining && (!mua_wrapper || addr->next != NULL); + #ifdef EXPERIMENTAL_DSN + /* Add any DSN flags to the rcpt command and add to the sent string */ + + p = buffer; + *p = 0; + + if ((smtp_use_dsn) && ((addr->dsn_flags & rf_dsnlasthop) != 1)) + { + if ((addr->dsn_flags & rf_dsnflags) != 0) + { + int i; + BOOL first = TRUE; + strcpy(p, " NOTIFY="); + while (*p) p++; + for (i = 0; i < 4; i++) + { + if ((addr->dsn_flags & rf_list[i]) != 0) + { + if (!first) *p++ = ','; + first = FALSE; + strcpy(p, rf_names[i]); + while (*p) p++; + } + } + } + + if (addr->dsn_orcpt != NULL) { + string_format(p, sizeof(buffer) - (p-buffer), " ORCPT=%s", + addr->dsn_orcpt); + while (*p) p++; + } + } + #endif + + /* Now send the RCPT command, and process outstanding responses when necessary. After a timeout on RCPT, we just end the function, leaving the yield as OK, because this error can often mean that there is a problem with just one address, so we don't want to delay the host. */ + #ifdef EXPERIMENTAL_DSN + count = smtp_write_command(&outblock, no_flush, "RCPT TO:<%s>%s%s\r\n", + transport_rcpt_address(addr, tblock->rcpt_include_affixes), igquotstr, buffer); + #else count = smtp_write_command(&outblock, no_flush, "RCPT TO:<%s>%s\r\n", transport_rcpt_address(addr, tblock->rcpt_include_affixes), igquotstr); + #endif + if (count < 0) goto SEND_FAILED; if (count > 0) { @@ -1900,7 +2016,7 @@ if (!ok) ok = TRUE; else smtp_command = US"end of data"; -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR /* For PRDR we optionally get a partial-responses warning * followed by the individual responses, before going on with * the overall response. If we don't get the warning then deal 
@@ -1995,7 +2111,7 @@ if (!ok) ok = TRUE; else address. For temporary errors, add a retry item for the address so that it doesn't get tried again too soon. */ -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR if (lmtp || prdr_active) #else if (lmtp) @@ -2006,7 +2122,7 @@ if (!ok) ok = TRUE; else { if (errno != 0 || buffer[0] == 0) goto RESPONSE_FAILED; addr->message = string_sprintf( -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR "%s error after %s: %s", prdr_active ? "PRDR":"LMTP", #else "LMTP error after %s: %s", @@ -2020,7 +2136,7 @@ if (!ok) ok = TRUE; else errno = ERRNO_DATA4XX; addr->more_errno |= ((buffer[1] - '0')*10 + buffer[2] - '0') << 8; addr->transport_return = DEFER; -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR if (!prdr_active) #endif retry_add_item(addr, addr->address_retry_key, 0); @@ -2043,12 +2159,12 @@ if (!ok) ok = TRUE; else addr->host_used = thost; addr->special_action = flag; addr->message = conf; -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR if (prdr_active) addr->flags |= af_prdr_used; #endif flag = '-'; -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR if (!prdr_active) #endif { @@ -2070,7 +2186,7 @@ if (!ok) ok = TRUE; else } } -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR if (prdr_active) { /* PRDR - get the final, overall response. For any non-success @@ -2404,8 +2520,6 @@ tls_close(FALSE, TRUE); #endif /* Close the socket, and return the appropriate value, first setting -continue_transport and continue_hostname NULL to prevent any other addresses -that may include the host from trying to re-use a continuation socket. This works because the NULL setting is passed back to the calling process, and remote_max_parallel is forced to 1 when delivering over an existing connection, 
@@ -2506,7 +2620,10 @@ for (addr = addrlist; addr != NULL; addr = addr->next) addr->message = NULL; #ifdef SUPPORT_TLS addr->cipher = NULL; + addr->ourcert = NULL; + addr->peercert = NULL; addr->peerdn = NULL; + addr->ocsp = OCSP_NOT_REQ; #endif } return first_addr; @@ -2809,6 +2926,7 @@ for (cutoff_retry = 0; expired && rc = host_find_byname(host, NULL, flags, &canonical_name, TRUE); else rc = host_find_bydns(host, NULL, flags, NULL, NULL, NULL, + ob->dnssec_request_domains, ob->dnssec_require_domains, &canonical_name, NULL); /* Update the host (and any additional blocks, resulting from @@ -2908,6 +3026,9 @@ for (cutoff_retry = 0; expired && deliver_host = host->name; deliver_host_address = host->address; + lookup_dnssec_authenticated = host->dnssec == DS_YES ? US"yes" + : host->dnssec == DS_NO ? US"no" + : US""; /* Set up a string for adding to the retry key if the port number is not the standard SMTP port. A host may have its own port setting that overrides @@ -3421,4 +3542,6 @@ DEBUG(D_transport) debug_printf("Leaving %s transport\n", tblock->name); return TRUE; /* Each address has its status */ } +/* vi: aw ai sw=2 +*/ /* End of transport/smtp.c */ diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h index 0d8801647..dd41e1f15 100644 --- a/src/src/transports/smtp.h +++ b/src/src/transports/smtp.h @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2012 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Private structure for the private options and other private data. */ 
@@ -21,10 +21,11 @@ typedef struct { uschar *serialize_hosts; uschar *hosts_try_auth; uschar *hosts_require_auth; -#ifdef EXPERIMENTAL_PRDR +#ifndef DISABLE_PRDR uschar *hosts_try_prdr; #endif -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP + uschar *hosts_request_ocsp; uschar *hosts_require_ocsp; #endif uschar *hosts_require_tls; @@ -46,13 +47,15 @@ typedef struct { BOOL gethostbyname; BOOL dns_qualify_single; BOOL dns_search_parents; + uschar *dnssec_request_domains; + uschar *dnssec_require_domains; BOOL delay_after_cutoff; BOOL hosts_override; BOOL hosts_randomize; BOOL keepalive; BOOL lmtp_ignore_quota; BOOL retry_include_ip_address; - #ifdef SUPPORT_TLS +#ifdef SUPPORT_TLS uschar *tls_certificate; uschar *tls_crl; uschar *tls_privatekey; @@ -64,18 +67,23 @@ typedef struct { uschar *tls_verify_certificates; int tls_dh_min_bits; BOOL tls_tempfail_tryclear; - #endif - #ifndef DISABLE_DKIM + uschar *tls_verify_hosts; + uschar *tls_try_verify_hosts; +# ifdef EXPERIMENTAL_CERTNAMES + uschar *tls_verify_cert_hostnames; +# endif +#endif +#ifndef DISABLE_DKIM uschar *dkim_domain; uschar *dkim_private_key; uschar *dkim_selector; uschar *dkim_canon; uschar *dkim_sign_headers; uschar *dkim_strict; - #endif - #ifdef EXPERIMENTAL_TPDA +#endif +#ifdef EXPERIMENTAL_TPDA uschar *tpda_host_defer_action; - #endif +#endif } smtp_transport_options_block; /* Data for reading the private options. */ diff --git a/src/src/verify.c b/src/src/verify.c index a09782bcd..ea733b605 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2009 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions concerned with verifying things. The original code for callout 
@@ -373,10 +373,13 @@ if (!addr->transport) { HDEBUG(D_verify) debug_printf("cannot callout via null transport\n"); } +else if (Ustrcmp(addr->transport->driver_name, "smtp") != 0) + log_write(0, LOG_MAIN|LOG_PANIC|LOG_CONFIG_FOR, "callout transport '%s': %s is non-smtp", + addr->transport->name, addr->transport->driver_name); else { smtp_transport_options_block *ob = - (smtp_transport_options_block *)(addr->transport->options_block); + (smtp_transport_options_block *)addr->transport->options_block; /* The information wasn't available in the cache, so we have to do a real callout and save the result in the cache for next time, unless no_cache is set, @@ -538,7 +541,7 @@ else #endif if (!(done= smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout))) goto RESPONSE_FAILED; - + /* Not worth checking greeting line for ESMTP support */ if (!(esmtp = verify_check_this_host(&(ob->hosts_avoid_esmtp), NULL, host->name, host->address, NULL) != OK)) @@ -633,15 +636,12 @@ else /* STARTTLS accepted or ssl-on-connect: try to negotiate a TLS session. */ else { - int rc = tls_client_start(inblock.sock, host, addr, - ob->tls_certificate, ob->tls_privatekey, - ob->tls_sni, - ob->tls_verify_certificates, ob->tls_crl, - ob->tls_require_ciphers, -#ifdef EXPERIMENTAL_OCSP - ob->hosts_require_ocsp, -#endif - ob->tls_dh_min_bits, callout); + int oldtimeout = ob->command_timeout; + int rc; + + ob->command_timeout = callout; + rc = tls_client_start(inblock.sock, host, addr, ob); + ob->command_timeout = oldtimeout; /* TLS negotiation failed; give an error. Try in clear on a new connection, if the options permit it for this host. */ 
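Review bot: in the TLS callout hunk the timeout now reaches tls_client_start() by overwriting ob->command_timeout on the transport's options block and restoring it afterwards, which changes state held on the transport instance for the duration of the call and depends on no early return ever being added between the two assignments. Pass the timeout as an explicit argument alongside ob, or give tls_client_start() a local copy of the block with the callout value set.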
@@ -694,13 +694,25 @@ else done = TRUE; /* so far so good; have response to HELO */ - /*XXX the EHLO response would be analyzed here for IGNOREQUOTA, SIZE, PIPELINING, AUTH */ - /* If we haven't authenticated, but are required to, give up. */ + /*XXX the EHLO response would be analyzed here for IGNOREQUOTA, SIZE, PIPELINING */ - /*XXX "filter command specified for this transport" ??? */ - /* for now, transport_filter by cutthrough-delivery is not supported */ + /* For now, transport_filter by cutthrough-delivery is not supported */ /* Need proper integration with the proper transport mechanism. */ - + if (cutthrough_delivery) + { + if (addr->transport->filter_command) + { + cutthrough_delivery= FALSE; + HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of transport filter\n"); + } + #ifndef DISABLE_DKIM + if (ob->dkim_domain) + { + cutthrough_delivery= FALSE; + HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of DKIM signing\n"); + } + #endif + } SEND_FAILED: RESPONSE_FAILED: @@ -722,6 +734,7 @@ else } } + /* If we haven't authenticated, but are required to, give up. */ /* Try to AUTH */ else done = smtp_auth(responsebuffer, sizeof(responsebuffer), @@ -962,6 +975,7 @@ else { cutthrough_fd= outblock.sock; /* We assume no buffer in use in the outblock */ cutthrough_addr = *addr; /* Save the address_item for later logging */ + cutthrough_addr.next = NULL; cutthrough_addr.host_used = store_get(sizeof(host_item)); cutthrough_addr.host_used->name = host->name; cutthrough_addr.host_used->address = host->address; 
@@ -1230,27 +1244,43 @@ return cutthrough_response('3', NULL) == '3'; } +/* fd and use_crlf args only to match write_chunk() */ +static BOOL +cutthrough_write_chunk(int fd, uschar * s, int len, BOOL use_crlf) +{ +uschar * s2; +while(s && (s2 = Ustrchr(s, '\n'))) + { + if(!cutthrough_puts(s, s2-s) || !cutthrough_put_nl()) + return FALSE; + s = s2+1; + } +return TRUE; +} + + /* Buffered send of headers. Return success boolean. */ /* Expands newlines to wire format (CR,NL). */ /* Also sends header-terminating blank line. */ BOOL cutthrough_headers_send( void ) { -header_line * h; -uschar * cp1, * cp2; - if(cutthrough_fd < 0) return FALSE; -for(h= header_list; h != NULL; h= h->next) - if(h->type != htype_old && h->text != NULL) - for (cp1 = h->text; *cp1 && (cp2 = Ustrchr(cp1, '\n')); cp1 = cp2+1) - if( !cutthrough_puts(cp1, cp2-cp1) - || !cutthrough_put_nl()) - return FALSE; +/* We share a routine with the mainline transport to handle header add/remove/rewrites, + but having a separate buffered-output function (for now) +*/ +HDEBUG(D_acl) debug_printf("----------- start cutthrough headers send -----------\n"); + +if (!transport_headers_send(&cutthrough_addr, cutthrough_fd, + cutthrough_addr.transport->add_headers, cutthrough_addr.transport->remove_headers, + &cutthrough_write_chunk, TRUE, + cutthrough_addr.transport->rewrite_rules, cutthrough_addr.transport->rewrite_existflags)) + return FALSE; -HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>>(nl)\n"); -return cutthrough_put_nl(); +HDEBUG(D_acl) debug_printf("----------- done cutthrough headers send ------------\n"); +return TRUE; } 
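Review bot: cutthrough_write_chunk() ignores its len argument and only emits the segments of s that end in '\n', so any text after the last newline, or a string with no newline at all, is dropped while the function still returns TRUE. transport_headers_send(), added earlier in this patch, calls `sendfn(fd, s, len, use_crlf)` for each expanded add_headers item and then `sendfn(fd, US"\n", 1, use_crlf)` when the item lacks a trailing newline; through this callback the first call writes nothing and the second writes an empty line, so the added header is lost and the header block is terminated before the remaining items. Write the unterminated tail as well, bounded by len, before returning. The debug line `SMTP>>(nl)` for the terminating blank line is also gone from cutthrough_headers_send().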
@@ -1542,13 +1572,7 @@ if (address[0] == 0) return OK; they're used in the context of a transport used by verification. Reset them at exit from this routine. */ -modify_variable(US"tls_bits", &tls_out.bits); -modify_variable(US"tls_certificate_verified", &tls_out.certificate_verified); -modify_variable(US"tls_cipher", &tls_out.cipher); -modify_variable(US"tls_peerdn", &tls_out.peerdn); -#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) -modify_variable(US"tls_sni", &tls_out.sni); -#endif +tls_modify_variables(&tls_out); /* Save a copy of the sender address for re-instating if we change it to <> while verifying a sender address (a nice bit of self-reference there). */ @@ -1721,8 +1745,20 @@ while (addr_new != NULL) string_is_ip_address(host->name, NULL) != 0) (void)host_find_byname(host, NULL, flags, &canonical_name, TRUE); else + { + uschar * d_request = NULL, * d_require = NULL; + if (Ustrcmp(addr->transport->driver_name, "smtp") == 0) + { + smtp_transport_options_block * ob = + (smtp_transport_options_block *) + addr->transport->options_block; + d_request = ob->dnssec_request_domains; + d_require = ob->dnssec_require_domains; + } + (void)host_find_bydns(host, NULL, flags, NULL, NULL, NULL, - &canonical_name, NULL); + d_request, d_require, &canonical_name, NULL); + } } } } @@ -2007,14 +2043,7 @@ for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++) the -bv or -bt case). */ out: - -modify_variable(US"tls_bits", &tls_in.bits); -modify_variable(US"tls_certificate_verified", &tls_in.certificate_verified); -modify_variable(US"tls_cipher", &tls_in.cipher); -modify_variable(US"tls_peerdn", &tls_in.peerdn); -#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) -modify_variable(US"tls_sni", &tls_in.sni); -#endif +tls_modify_variables(&tls_in); return yield; } 
@@ -2144,6 +2173,41 @@ return yield; } +/************************************************* +* Check header names for 8-bit characters * +*************************************************/ + +/* This function checks for invalid charcters in header names. See +RFC 5322, 2.2. and RFC 6532, 3. + +Arguments: + msgptr where to put an error message + +Returns: OK + FAIL +*/ + +int +verify_check_header_names_ascii(uschar **msgptr) +{ +header_line *h; +uschar *colon, *s; + +for (h = header_list; h != NULL; h = h->next) + { + colon = Ustrchr(h->text, ':'); + for(s = h->text; s < colon; s++) + { + if ((*s < 33) || (*s > 126)) + { + *msgptr = string_sprintf("Invalid character in header \"%.*s\" found", + colon - h->text, h->text); + return FAIL; + } + } + } +return OK; +} /************************************************* * Check for blind recipients * @@ -3490,7 +3554,7 @@ revadd[0] = 0; /* In case this is the first time the DNS resolver is being used. */ -dns_init(FALSE, FALSE); +dns_init(FALSE, FALSE, FALSE); /*XXX dnssec? */ /* Loop through all the domains supplied, until something matches */ @@ -3661,4 +3725,6 @@ while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL return FAIL; } +/* vi: aw ai sw=2 +*/ /* End of verify.c */ diff --git a/src/util/proxy_protocol_client.pl b/src/util/proxy_protocol_client.pl new file mode 100644 index 000000000..feae3ca90 --- /dev/null +++ b/src/util/proxy_protocol_client.pl 
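Review bot: verify_check_header_names_ascii() uses the result of `colon = Ustrchr(h->text, ':')` without a NULL check, so for a header line that contains no colon the loop `for(s = h->text; s < colon; s++)` is skipped and the line is accepted without any character being examined. Decide explicitly what a colon-less line should return and test for it before the loop. The precision argument for `%.*s` is `colon - h->text`, a pointer difference, where an int is expected, so cast it. The loop also walks every entry of header_list, including those of type htype_old that transport_headers_send() skips, and the comment has the typo "charcters".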
@@ -0,0 +1,250 @@ +#!/usr/bin/perl +# +# Copyright (C) 2014 Todd Lyons +# License GPLv2: GNU GPL version 2 +# +# +# This script emulates a proxy which uses Proxy Protocol to communicate +# to a backend server. It should be run from an IP which is configured +# to be a Proxy Protocol connection (or not, if you are testing error +# scenarios) because Proxy Protocol specs require not to fall back to a +# non-proxied mode. +# +# The script is interactive, so when you run it, you are expected to +# perform whatever conversation is required for the protocol being +# tested. It uses STDIN/STDOUT, so you can also pipe output to/from the +# script. It was originally written to test Exim's Proxy Protocol +# code, and it could be tested like this: +# +# swaks --pipe 'perl proxy_protocol_client.pl --server-ip +# host.internal.lan' --from user@example.com --to user@example.net +# +use strict; +use warnings; +use IO::Select; +use IO::Socket; +use Getopt::Long; +use Data::Dumper; + +my %opts; +GetOptions( \%opts, + 'help', + '6|ipv6', + 'dest-ip:s', + 'dest-port:i', + 'source-ip:s', + 'source-port:i', + 'server-ip:s', + 'server-port:i', + 'version:i' +); +&usage() if ($opts{help} || !$opts{'server-ip'}); + +my ($dest_ip,$source_ip,$dest_port,$source_port); +my %socket_map; +my $status_line = "Testing Proxy Protocol Version " . + ($opts{version} ? $opts{version} : '2') . + ":\n"; + +# All ip's and ports are in network byte order in version 2 mode, but are +# simple strings when in version 1 mode. The binary_pack_*() functions +# return the required data for the Proxy Protocol version being used. + +# Use provided source or fall back to www.mrball.net +$source_ip = $opts{'source-ip'} ? binary_pack_ip($opts{'source-ip'}) : + $opts{6} ? + binary_pack_ip("2001:470:d:367::50") : + binary_pack_ip("208.89.139.252"); +$source_port = $opts{'source-port'} ? 
+ binary_pack_port($opts{'source-port'}) : + binary_pack_port(43118); + +$status_line .= "-> " if (!$opts{version} || $opts{version} == 2); + +# Use provided dest or fall back to mail.exim.org +$dest_ip = $opts{'dest-ip'} ? binary_pack_ip($opts{'dest-ip'}) : + $opts{6} ? + binary_pack_ip("2001:630:212:8:204:23ff:fed6:b664") : + binary_pack_ip("131.111.8.192"); +$dest_port = $opts{'dest-port'} ? + binary_pack_port($opts{'dest-port'}) : + binary_pack_port(25); + +# The IP and port of the Proxy Protocol backend real server being tested, +# don't binary pack it. +my $server_ip = $opts{'server-ip'}; +my $server_port = $opts{'server-port'} ? $opts{'server-port'} : 25; + +my $s = IO::Select->new(); # for socket polling + +sub generate_preamble { + my @preamble; + if (!$opts{version} || $opts{version} == 2) { + @preamble = ( + "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A", # 12 byte v2 header + "\x21", # top 4 bits declares v2 + # bottom 4 bits is command + $opts{6} ? "\x21" : "\x11", # inet6/4 and TCP (stream) + $opts{6} ? "\x00\x24" : "\x00\x0b", # 36 bytes / 12 bytes + $source_ip, + $dest_ip, + $source_port, + $dest_port + ); + } + else { + @preamble = ( + "PROXY", " ", # Request proxy mode + $opts{6} ? "TCP6" : "TCP4", " ", # inet6/4 and TCP (stream) + $source_ip, " ", + $dest_ip, " ", + $source_port, " ", + $dest_port, + "\x0d\x0a" + ); + $status_line .= join "", @preamble; + } + print "\n", $status_line, "\n"; + print "\n" if (!$opts{version} || $opts{version} == 2); + return @preamble; +} + +sub binary_pack_port { + my $port = shift(); + if ($opts{version} && $opts{version} == 1) { + return $port + if ($port && $port =~ /^\d+$/ && $port > 0 && $port < 65536); + die "Not a valid port: $port"; + } + $status_line .= $port." 
"; + $port = pack "S", $port; + return $port; +} + +sub binary_pack_ip { + my $ip = shift(); + if ( $ip =~ m/\./ && !$opts{6}) { + if (IP4_valid($ip)) { + return $ip if ($opts{version} && $opts{version} == 1); + $status_line .= $ip.":"; + $ip = pack "C*", split /\./, $ip; + } + else { die "Invalid IPv4: $ip"; } + } + elsif ($ip =~ m/:/ && $opts{6}) { + $ip = pad_ipv6($ip); + if (IP6_valid($ip)) { + return $ip if ($opts{version} && $opts{version} == 1); + $status_line .= $ip.":"; + $ip = pack "S>*", map hex, split /:/, $ip; + } + else { die "Invalid IPv6: $ip"; } + } + else { die "Mismatching IP families passed: $ip"; } + return $ip; +} + +sub pad_ipv6 { + my $ip = shift(); + my @ip = split /:/, $ip; + my $segments = scalar @ip; + return $ip if ($segments == 8); + $ip = ""; + for (my $count=1; $count <= $segments; $count++) { + my $block = $ip[$count-1]; + if ($block) { + $ip .= $block; + $ip .= ":" unless $count == $segments; + } + elsif ($count == 1) { + # Somebody passed us ::1, fix it, but it's not really valid + $ip = "0:"; + } + else { + $ip .= join ":", map "0", 0..(8-$segments); + $ip .= ":"; + } + } + return $ip; +} + +sub IP6_valid { + my $ip = shift; + $ip = lc($ip); + return 0 unless ($ip =~ /^[0-9a-f:]+$/); + my @ip = split /:/, $ip; + return 0 if (scalar @ip != 8); + return 1; +} + +sub IP4_valid { + my $ip = shift; + $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/; + foreach ($1,$2,$3,$4){ + if ($_ <256 && $_ >0) {next;} + return 0; + } + return 1; +} + +sub go_interactive { + my $continue = 1; + while($continue) { + # Check for input on both ends, recheck every 5 sec + for my $socket ($s->can_read(5)) { + my $remote = $socket_map{$socket}; + my $buffer; + my $read = $socket->sysread($buffer, 4096); + if ($read) { + $remote->syswrite($buffer); + } + else { + $continue = 0; + } + } + } +} + +sub connect_stdin_to_proxy { + my $sock = new IO::Socket::INET( + PeerAddr => $server_ip, + PeerPort => $server_port, + Proto => 'tcp' + ); + + die "Could 
not create socket: $!\n" unless $sock; + # Add sockets to the Select group + $s->add(\*STDIN); + $s->add($sock); + # Tie the sockets together using this hash + $socket_map{\*STDIN} = $sock; + $socket_map{$sock} = \*STDOUT; + return $sock; +} + +sub usage { + chomp(my $prog = `basename $0`); + print <>> bin/client command built" @echo " " bin/client-gnutls: src/client.c Makefile - $(CC) $(CFLAGS) -DHAVE_GNUTLS $(LDFLAGS) -o bin/client-gnutls src/client.c -lgnutls -lgcrypt + $(CC) $(CFLAGS) -DHAVE_GNUTLS $(LDFLAGS) -o bin/client-gnutls src/client.c -lgnutls -lgcrypt $(LIBS) @echo ">>> bin/client-gnutls command built" @echo " " bin/client-ssl: src/client.c Makefile - $(CC) $(CFLAGS) -DHAVE_OPENSSL $(LDFLAGS) -o bin/client-ssl src/client.c -lssl -lcrypto + $(CC) $(CFLAGS) -DHAVE_OPENSSL $(LDFLAGS) -o bin/client-ssl src/client.c -lssl -lcrypto $(LIBS) @echo ">>> bin/client-ssl command built" @echo " " @@ -89,7 +90,7 @@ bin/mtpscript: src/mtpscript.c Makefile @echo " " bin/server: src/server.c Makefile - $(CC) $(CFLAGS) $(LDFLAGS) -o bin/server src/server.c + $(CC) $(CFLAGS) $(LDFLAGS) -o bin/server src/server.c $(LIBS) @echo ">>> bin/server command built" @echo " " diff --git a/test/aux-fixed/exim-ca/README b/test/aux-fixed/exim-ca/README index b8d2a41f9..136f4c97a 100644 --- a/test/aux-fixed/exim-ca/README +++ b/test/aux-fixed/exim-ca/README @@ -35,7 +35,7 @@ The ocsp response files are those gotten that way. in .der format; is out-of-date, and "revoked" meaning the cert has been revoked. -The files were created using the genall script which utilises a +The files were created using the "genall" script which utilises a combination of tools, openssl @@ -47,5 +47,9 @@ line CA tool which can be found at http://people.redhat.com/mpoole/clica/ +NOTE: + During running of "genall" you need to manipulate the system + date/time. Shutdown ntpd service before doing this, and restart + after. 
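Review bot: In src/util/proxy_protocol_client.pl, `binary_pack_port` packs with `pack "S", $port`, which is native byte order, while the comment above it says version 2 ports are in network byte order (the IPv6 address path already uses the big-endian `S>*`); use `pack "n", $port` so the preamble is the same on little-endian hosts. In `generate_preamble` the IPv4 length field is `"\x00\x0b"` although its comment says 12 bytes, which would be `"\x00\x0c"`. `IP4_valid` rejects any octet equal to 0 because of `$_ >0`, so an address such as 10.0.0.1 dies as "Invalid IPv4", and it reads `$1` to `$4` without checking that the match succeeded.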
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/CA.pem b/test/aux-fixed/exim-ca/example.com/BLANK/CA.pem index d51c5d089..a3ea0bff7 100644 --- a/test/aux-fixed/exim-ca/example.com/BLANK/CA.pem +++ b/test/aux-fixed/exim-ca/example.com/BLANK/CA.pem @@ -1,10 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw -MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o -mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+ -ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA0WhcNMzgw +MTAxMTIzNDA0WjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0wro64rve876glpdRh +tD6qFY6iH2kCarFFq3WaKmfCvOjYmn4CJr7pL7J5DuvCFh7A0H8lD/on5NK3yqkX +Yi6EUlaYWxeRo2/PuZYUGbCpejST41sibw9V2dT4MHLidjDShE0W9SfgiMmxfF02 +H5hLYswAGCL1kezsVeEJeH31AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAIn9+8uyQtaq8sBEohTl +qyJQQeZk5xxaILYP/rCIxc+z5fgOh+usB9adaiD23RPuuD/P2c3UqHJQWqIUTu46 +eOKn9K7X7ndIH3WnaC/u4nysL+SIAug72/k1BAVGNQvyNQMhth6CfZTgY0tgcS0Z +RSHyhbTD0HeiJDI281BoOJjm -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/Signer.pem b/test/aux-fixed/exim-ca/example.com/BLANK/Signer.pem index fc29ebbda..741da3e3f 100644 --- a/test/aux-fixed/exim-ca/example.com/BLANK/Signer.pem +++ b/test/aux-fixed/exim-ca/example.com/BLANK/Signer.pem 
@@ -1,11 +1,14 @@ -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw -MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y -7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St -u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa -ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw +MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp +P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3 +/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi +fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2 +tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH +7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/cert8.db b/test/aux-fixed/exim-ca/example.com/BLANK/cert8.db index f82510ff6..444f8348d 100644 Binary files a/test/aux-fixed/exim-ca/example.com/BLANK/cert8.db and b/test/aux-fixed/exim-ca/example.com/BLANK/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/key3.db b/test/aux-fixed/exim-ca/example.com/BLANK/key3.db index cb031c0af..0e5bdb901 100644 Binary files a/test/aux-fixed/exim-ca/example.com/BLANK/key3.db and b/test/aux-fixed/exim-ca/example.com/BLANK/key3.db differ 
diff --git a/test/aux-fixed/exim-ca/example.com/BLANK/secmod.db b/test/aux-fixed/exim-ca/example.com/BLANK/secmod.db index 8a8319376..b709dd8a5 100644 Binary files a/test/aux-fixed/exim-ca/example.com/BLANK/secmod.db and b/test/aux-fixed/exim-ca/example.com/BLANK/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.com/CA/CA.pem b/test/aux-fixed/exim-ca/example.com/CA/CA.pem index d51c5d089..a3ea0bff7 100644 --- a/test/aux-fixed/exim-ca/example.com/CA/CA.pem +++ b/test/aux-fixed/exim-ca/example.com/CA/CA.pem @@ -1,10 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw -MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o -mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+ -ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA0WhcNMzgw +MTAxMTIzNDA0WjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0wro64rve876glpdRh +tD6qFY6iH2kCarFFq3WaKmfCvOjYmn4CJr7pL7J5DuvCFh7A0H8lD/on5NK3yqkX +Yi6EUlaYWxeRo2/PuZYUGbCpejST41sibw9V2dT4MHLidjDShE0W9SfgiMmxfF02 +H5hLYswAGCL1kezsVeEJeH31AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAIn9+8uyQtaq8sBEohTl +qyJQQeZk5xxaILYP/rCIxc+z5fgOh+usB9adaiD23RPuuD/P2c3UqHJQWqIUTu46 +eOKn9K7X7ndIH3WnaC/u4nysL+SIAug72/k1BAVGNQvyNQMhth6CfZTgY0tgcS0Z +RSHyhbTD0HeiJDI281BoOJjm -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/CA/OCSP.key b/test/aux-fixed/exim-ca/example.com/CA/OCSP.key index 7a361dcf9..87e8e32d7 100644 --- a/test/aux-fixed/exim-ca/example.com/CA/OCSP.key 
+++ b/test/aux-fixed/exim-ca/example.com/CA/OCSP.key @@ -1,14 +1,20 @@ Bag Attributes friendlyName: OCSP Signer - localKeyID: A6 E7 21 3B BE A3 47 BE 58 6F 34 77 E2 AA D5 22 91 AA 0F D6 + localKeyID: A6 CA B2 02 9F 97 B7 22 79 C0 88 21 64 7D 68 9D F1 AE EB B4 Key Attributes: -----BEGIN PRIVATE KEY----- -MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAuGANFQATQUtX6l1r -tDa/TimQ722a/2wGSmty/n9Va36t7O9S0Uxi7yQMN11I284FekjzP82THLWv4TJZ -x7AvywIDAQABAkAhrko1f+IEl4Lj6VT3gtjHqogzdM5PwqgTiDVlkFVGYXp6a8o6 -ySmMofHeEjDgPFI7sz12eQOoofjhjTCnTcJhAiEA3Afe796M2vm5+V6t1ayFhgP0 -9QnSVde6mLvqHFHAKHUCIQDWhAVspNc3bw2PIBqlK2ibANwi9BFurBlATBHhKP3v -PwIgTiwttKMpABOBU2uj7ypgNgDp4rUemYkPrnv07SLOVpECIAVXhEsQT8uxmETY -J9G1IwW5H8I/EbAP2REg09EnlCtBAiBgZn9NxSr05na0P+NjyIPQ44Y9L5R9P3PL -2PceGVDcQw== +MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAM6cTVJb3XKpcx/R +yywzRGgPTlu5kmOdDMliOvkCKy79zYfkguzTi1twxUWCxbQTGNOsYLZ5IaLCU5lc +feQPe77YvWMgH1qZ2S87OpURTJRe/SSP2ufy7c+a9oGSXjD6wLfzfKjQPUMq7po0 +NwI877gJg5dybIYL+ZrHPuKtQkbtAgMBAAECgYA20FrnLb4bjH8hgvw/Fr7gSKdG +SH5g9SqORwRUSdIBHo6nreVaRWlkcg+0OFSRSLu+dK4X2x0kXB/nwRUZK05twnOR +4/yxB3yYRLWKSSs+wNyCEB/nmLqY4gxgkwiYvMhGqcRz5PIFO+kWs0NhZCnI5haO +eRwbokPoJSwnDsZptQJBAOgDC/t9AhT2+n3+fhs3QMHJYBXb5TU6bUeK7d3EkpBk +5R43S3iC5JyDMVoimH9Ml6qE9gpUFSmp2tGactmSGe8CQQDj+OzyrtiNoo8unA74 +ebasVZL3YhcYMHtcfHSxAUbRpRT00m/UaLlfboHcts4iH50rqUx4iIGiUInzuU/C +hzjjAkEAim9G9wff9iJn1EXFePe+6+H8Mw7B9MCn88gxpeFkkkOhciYMIhv3zGt7 +RwzdcReCZ3xuUjtZZUK0DdzaKnfCgQJAG9wK0OmPK1fnWZHWvoTZTxwyFqtVGS6r +lLTc6di3F92tvvGMmw+lP8VYd2mbrU3hvjk1UDGWbgiboz5NQf+WcwJACZuXjzTr +LT9uWdLvfAkp02YxSemGgzNiF/MAEdA4Wx3YIFsWIoktRqMVTX/+eBUxCSKCaOf0 +9d7cy6kI01EH0Q== -----END PRIVATE KEY----- diff --git a/test/aux-fixed/exim-ca/example.com/CA/OCSP.p12 b/test/aux-fixed/exim-ca/example.com/CA/OCSP.p12 index 208dc6981..2dbe70a05 100644 Binary files a/test/aux-fixed/exim-ca/example.com/CA/OCSP.p12 and b/test/aux-fixed/exim-ca/example.com/CA/OCSP.p12 differ 
diff --git a/test/aux-fixed/exim-ca/example.com/CA/OCSP.pem b/test/aux-fixed/exim-ca/example.com/CA/OCSP.pem index f78456dd6..5abc6acb9 100644 --- a/test/aux-fixed/exim-ca/example.com/CA/OCSP.pem +++ b/test/aux-fixed/exim-ca/example.com/CA/OCSP.pem @@ -1,11 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIBgDCCASqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICBTCCAW6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMVoXDTM4MDEwMTEyMzQwMVowMjEUMBIGA1UEChMLZXhhbXBsZS5jb20xGjAY -BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB -ALhgDRUAE0FLV+pda7Q2v04pkO9tmv9sBkprcv5/VWt+rezvUtFMYu8kDDddSNvO -BXpI8z/Nkxy1r+EyWcewL8sCAwEAAaMqMCgwDgYDVR0PAQH/BAQDAgeAMBYGA1Ud -JQEB/wQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBBQUAA0EAQalK8cinGimBjryO -q8scOPr7Zkv2RlhnUUTtpPfFKkTne9yXyXxBVDfy8wwPTz7ZTOzMVtPTgFT9g0Kf -tXze7g== +MzQwNVoXDTM4MDEwMTEyMzQwNVowMjEUMBIGA1UEChMLZXhhbXBsZS5jb20xGjAY +BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB +iQKBgQDOnE1SW91yqXMf0cssM0RoD05buZJjnQzJYjr5Aisu/c2H5ILs04tbcMVF +gsW0ExjTrGC2eSGiwlOZXH3kD3u+2L1jIB9amdkvOzqVEUyUXv0kj9rn8u3PmvaB +kl4w+sC383yo0D1DKu6aNDcCPO+4CYOXcmyGC/maxz7irUJG7QIDAQABoyowKDAO +BgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcN +AQEFBQADgYEASKF8V7Ykc7MK5uVOcL272uheZzwFUtlx4HjWRI11QliwyBzegL3b +ZdhmnDr/XbtWFTF2pId76dRWNPcWd9nCV8yvhwOgydLHnDov20soUyJeqJJuXonb +InlafhkIGJ8wMEeCjY70VbIip+akW8lSCw8ralCMg2ewNuKv5D0ujsQ= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/CA/Signer.pem b/test/aux-fixed/exim-ca/example.com/CA/Signer.pem index fc29ebbda..741da3e3f 100644 --- a/test/aux-fixed/exim-ca/example.com/CA/Signer.pem +++ b/test/aux-fixed/exim-ca/example.com/CA/Signer.pem 
@@ -1,11 +1,14 @@ -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw -MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y -7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St -u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa -ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw +MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp +P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3 +/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi +fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2 +tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH +7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/CA/ca.conf b/test/aux-fixed/exim-ca/example.com/CA/ca.conf index 90875899f..d75b9df20 100644 --- a/test/aux-fixed/exim-ca/example.com/CA/ca.conf +++ b/test/aux-fixed/exim-ca/example.com/CA/ca.conf @@ -1,5 +1,5 @@ ; Config::Simple 4.59 -; Thu Nov 1 12:34:00 2012 +; Thu Nov 1 12:34:02 2012 [CLICA] crl_url=http://crl.example.com/latest.crl @@ -13,6 +13,6 @@ ocsp_url=http://oscp/example.com/ org=example.com subject=clica CA name=Certificate Authority -bits=512 +bits=1024 
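Review bot: In test/aux-fixed/exim-ca/example.com/CA/ca.conf, the context line `ocsp_url=http://oscp/example.com/` has the host "oscp" and the path "/example.com/", which looks like a typo for a host under example.com; since this commit regenerates the fixtures anyway, please confirm whether that value is intended. The `bits=512` to `bits=1024` change would also benefit from a line in the exim-ca README saying why the key size was raised, so that the next run of "genall" keeps it.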
diff --git a/test/aux-fixed/exim-ca/example.com/CA/cert8.db b/test/aux-fixed/exim-ca/example.com/CA/cert8.db index 5ae12015d..889b90d6c 100644 Binary files a/test/aux-fixed/exim-ca/example.com/CA/cert8.db and b/test/aux-fixed/exim-ca/example.com/CA/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.empty b/test/aux-fixed/exim-ca/example.com/CA/crl.empty index 7814b8029..f579159b3 100644 Binary files a/test/aux-fixed/exim-ca/example.com/CA/crl.empty and b/test/aux-fixed/exim-ca/example.com/CA/crl.empty differ diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.empty.in.txt b/test/aux-fixed/exim-ca/example.com/CA/crl.empty.in.txt index 250311c00..114640be1 100644 --- a/test/aux-fixed/exim-ca/example.com/CA/crl.empty.in.txt +++ b/test/aux-fixed/exim-ca/example.com/CA/crl.empty.in.txt @@ -1 +1 @@ -update=20130127152434Z +update=20140422152734Z diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.empty.pem b/test/aux-fixed/exim-ca/example.com/CA/crl.empty.pem index fdc506dc5..7ff473c8c 100644 --- a/test/aux-fixed/exim-ca/example.com/CA/crl.empty.pem +++ b/test/aux-fixed/exim-ca/example.com/CA/crl.empty.pem @@ -1,6 +1,7 @@ -----BEGIN X509 CRL----- -MIGsMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5jb20x -GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxMzAxMjcxNTI0MzRaMA0G -CSqGSIb3DQEBBQUAA0EAjClqFKe0w0T5ARNSMOSfuDtbOA0iN2yOrUwJfidgQdVQ -YPW+5TwKhe+Vm6skgHSIWNcuMVzojsuDZcBZnNimPA== +MIHtMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5jb20x +GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxNDA0MjIxNTI3MzRaMA0G +CSqGSIb3DQEBBQUAA4GBAHoGAZpobbrLkTayml3YbpVuF8Ig9FAAj6zmvNuqqsha +dSn0qL1ca9RgVaa1XIlqVeIs1uHFF0zA/F3BVvxWfPxTbgn8b/QyKEwG36f6Urax +nngK87UT2z8M5+prZeSIaroYV+sG5M2+4fFsUt62RmJr1rAnsxO+vguM97LSOJaB -----END X509 CRL----- 
diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.v2 b/test/aux-fixed/exim-ca/example.com/CA/crl.v2 index 66fb34ddc..a0a1ef54b 100644 Binary files a/test/aux-fixed/exim-ca/example.com/CA/crl.v2 and b/test/aux-fixed/exim-ca/example.com/CA/crl.v2 differ diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt b/test/aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt index 434045ffe..2485f76b3 100644 --- a/test/aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt +++ b/test/aux-fixed/exim-ca/example.com/CA/crl.v2.in.txt @@ -1,3 +1,3 @@ -update=20130127152437Z -addcert 102 20130127152437Z -addcert 202 20130127152437Z +update=20140422152736Z +addcert 102 20140422152736Z +addcert 202 20140422152736Z diff --git a/test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem b/test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem index da781d7d8..efa992071 100644 --- a/test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem +++ b/test/aux-fixed/exim-ca/example.com/CA/crl.v2.pem @@ -1,7 +1,9 @@ -----BEGIN X509 CRL----- -MIHcMIGHAgEBMA0GCSqGSIb3DQEBBQUAMDMxFDASBgNVBAoTC2V4YW1wbGUuY29t -MRswGQYDVQQDExJjbGljYSBTaWduaW5nIENlcnQYDzIwMTMwMTI3MTUyNDM3WjAt -MBQCAWYYDzIwMTMwMTI3MTUyNDM3WjAVAgIAyhgPMjAxMzAxMjcxNTI0MzdaMA0G -CSqGSIb3DQEBBQUAA0EAS5A0/pStULkfIhBRMt+DfehLBbppc6FftG3TpBMvBW4k -xGwMPKUN8lk3uMuQxk/cvbaFqPtiR/WnkAFc3i1bpA== +MIIBHTCBhwIBATANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFtcGxlLmNv +bTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0GA8yMDE0MDQyMjE1MjczNlow +LTAUAgFmGA8yMDE0MDQyMjE1MjczNlowFQICAMoYDzIwMTQwNDIyMTUyNzM2WjAN +BgkqhkiG9w0BAQUFAAOBgQBNEXTCKmqCrYZ5/C4lKqSjKsy2iXoJCNcYoFj60AA2 +Lc8yju8/TkUe8DkZ/leefksdLGzsCGsAgpgSSqMClfL83r9a50OBSCg21dvahyEx +A45RfUx7M9Hy+ITWSY7hV7VaMoaL76ZxPBtdjMoqp8pxOj8k68d9V32OdcEpRsT+ +wA== -----END X509 CRL----- diff --git a/test/aux-fixed/exim-ca/example.com/CA/key3.db b/test/aux-fixed/exim-ca/example.com/CA/key3.db index 30718a996..5aad54594 100644 Binary files a/test/aux-fixed/exim-ca/example.com/CA/key3.db and b/test/aux-fixed/exim-ca/example.com/CA/key3.db differ 
diff --git a/test/aux-fixed/exim-ca/example.com/CA/noise.file b/test/aux-fixed/exim-ca/example.com/CA/noise.file index 0003cbb45..6d1781759 100644 --- a/test/aux-fixed/exim-ca/example.com/CA/noise.file +++ b/test/aux-fixed/exim-ca/example.com/CA/noise.file 
@@ -1,301 +1,244 @@ processor : 0 vendor_id : GenuineIntel cpu family : 6 -model : 26 -model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz -stepping : 5 -cpu MHz : 2260.628 -cache size : 8192 KB +model : 13 +model name : QEMU Virtual CPU version (cpu64-rhel6) +stepping : 3 +cpu MHz : 1994.999 +cache size : 4096 KB fpu : yes fpu_exception : yes -cpuid level : 11 +cpuid level : 4 wp : yes -flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts -bogomips : 4521.25 +flags : fpu de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pse36 clflush mmx fxsr sse sse2 syscall nx lm up unfair_spinlock pni cx16 hypervisor lahf_lm +bogomips : 3989.99 clflush size : 64 cache_alignment : 64 -address sizes : 40 bits physical, 48 bits virtual +address sizes : 38 bits physical, 48 bits virtual power management: -processor : 1 -vendor_id : GenuineIntel -cpu family : 6 -model : 26 -model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz -stepping : 5 -cpu MHz : 2260.628 -cache size : 8192 KB -fpu : yes -fpu_exception : yes -cpuid level : 11 -wp : yes -flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts -bogomips : 4521.25 -clflush size : 64 -cache_alignment : 64 -address sizes : 40 bits physical, 48 bits virtual -power management: - - CPU0 CPU1 - 0: 2481 0 IO-APIC-edge timer - 1: 21441 346 IO-APIC-edge i8042 - 3: 1 0 IO-APIC-edge - 4: 1 0 IO-APIC-edge - 7: 0 0 IO-APIC-edge parport0 - 8: 1 0 IO-APIC-edge rtc0 - 9: 0 0 IO-APIC-fasteoi acpi - 12: 78986 1718 IO-APIC-edge i8042 - 14: 0 0 IO-APIC-edge ata_piix - 15: 2423330 
1435 IO-APIC-edge ata_piix - 16: 1025 0 IO-APIC-fasteoi Ensoniq AudioPCI - 17: 239842 2559 IO-APIC-fasteoi ehci_hcd:usb1, ioc0 - 18: 246 0 IO-APIC-fasteoi uhci_hcd:usb2 - 19: 1868676 51479 IO-APIC-fasteoi eth0 - 24: 0 0 PCI-MSI-edge pciehp - 25: 0 0 PCI-MSI-edge pciehp - 26: 0 0 PCI-MSI-edge pciehp - 27: 0 0 PCI-MSI-edge pciehp - 28: 0 0 PCI-MSI-edge pciehp - 29: 0 0 PCI-MSI-edge pciehp - 30: 0 0 PCI-MSI-edge pciehp - 31: 0 0 PCI-MSI-edge pciehp - 32: 0 0 PCI-MSI-edge pciehp - 33: 0 0 PCI-MSI-edge pciehp - 34: 0 0 PCI-MSI-edge pciehp - 35: 0 0 PCI-MSI-edge pciehp - 36: 0 0 PCI-MSI-edge pciehp - 37: 0 0 PCI-MSI-edge pciehp - 38: 0 0 PCI-MSI-edge pciehp - 39: 0 0 PCI-MSI-edge pciehp - 40: 0 0 PCI-MSI-edge pciehp - 41: 0 0 PCI-MSI-edge pciehp - 42: 0 0 PCI-MSI-edge pciehp - 43: 0 0 PCI-MSI-edge pciehp - 44: 0 0 PCI-MSI-edge pciehp - 45: 0 0 PCI-MSI-edge pciehp - 46: 0 0 PCI-MSI-edge pciehp - 47: 0 0 PCI-MSI-edge pciehp - 48: 0 0 PCI-MSI-edge pciehp - 49: 0 0 PCI-MSI-edge pciehp - 50: 0 0 PCI-MSI-edge pciehp - 51: 0 0 PCI-MSI-edge pciehp - 52: 0 0 PCI-MSI-edge pciehp - 53: 0 0 PCI-MSI-edge pciehp - 54: 0 0 PCI-MSI-edge pciehp - 55: 0 0 PCI-MSI-edge pciehp - 56: 1 0 PCI-MSI-edge vmci - 57: 0 0 PCI-MSI-edge vmci -NMI: 0 0 Non-maskable interrupts -LOC: 12397935 14240444 Local timer interrupts -SPU: 0 0 Spurious interrupts -PMI: 0 0 Performance monitoring interrupts -IWI: 0 0 IRQ work interrupts -RES: 282548 308972 Rescheduling interrupts -CAL: 1955 163540 Function call interrupts -TLB: 17884 15542 TLB shootdowns -TRM: 0 0 Thermal event interrupts -THR: 0 0 Threshold APIC interrupts -MCE: 0 0 Machine check exceptions -MCP: 2310 2310 Machine check polls + CPU0 + 0: 258 IO-APIC-edge timer + 1: 6 IO-APIC-edge i8042 + 4: 1 IO-APIC-edge + 8: 0 IO-APIC-edge rtc0 + 9: 0 IO-APIC-fasteoi acpi + 10: 953 IO-APIC-fasteoi virtio3 + 11: 62 IO-APIC-fasteoi uhci_hcd:usb1, snd_hda_intel + 12: 104 IO-APIC-edge i8042 + 14: 0 IO-APIC-edge ata_piix + 15: 106 IO-APIC-edge ata_piix + 24: 0 
PCI-MSI-edge virtio2-config + 25: 48985 PCI-MSI-edge virtio2-requests + 26: 0 PCI-MSI-edge virtio0-config + 27: 296814 PCI-MSI-edge virtio0-input + 28: 1 PCI-MSI-edge virtio0-output + 29: 0 PCI-MSI-edge virtio1-config + 30: 18867 PCI-MSI-edge virtio1-input + 31: 1 PCI-MSI-edge virtio1-output +NMI: 0 Non-maskable interrupts +LOC: 771688 Local timer interrupts +SPU: 0 Spurious interrupts +PMI: 0 Performance monitoring interrupts +IWI: 0 IRQ work interrupts +RES: 0 Rescheduling interrupts +CAL: 0 Function call interrupts +TLB: 0 TLB shootdowns +TRM: 0 Thermal event interrupts +THR: 0 Threshold APIC interrupts +MCE: 0 Machine check exceptions +MCP: 271 Machine check polls ERR: 0 MIS: 0 -MemTotal: 1914844 kB -MemFree: 135496 kB -Buffers: 142048 kB -Cached: 951840 kB -SwapCached: 108 kB -Active: 980724 kB -Inactive: 540136 kB -Active(anon): 287056 kB -Inactive(anon): 143480 kB -Active(file): 693668 kB -Inactive(file): 396656 kB +MemTotal: 487904 kB +MemFree: 74352 kB +Buffers: 73812 kB +Cached: 140872 kB +SwapCached: 0 kB +Active: 131704 kB +Inactive: 118904 kB +Active(anon): 15124 kB +Inactive(anon): 21900 kB +Active(file): 116580 kB +Inactive(file): 97004 kB Unevictable: 0 kB Mlocked: 0 kB -SwapTotal: 4194296 kB -SwapFree: 4193560 kB -Dirty: 928 kB +SwapTotal: 524280 kB +SwapFree: 524280 kB +Dirty: 848 kB Writeback: 0 kB -AnonPages: 427064 kB -Mapped: 70976 kB -Shmem: 3400 kB -Slab: 190892 kB -SReclaimable: 125404 kB -SUnreclaim: 65488 kB -KernelStack: 2304 kB -PageTables: 23476 kB +AnonPages: 35972 kB +Mapped: 15624 kB +Shmem: 1128 kB +Slab: 136276 kB +SReclaimable: 83896 kB +SUnreclaim: 52380 kB +KernelStack: 752 kB +PageTables: 3420 kB NFS_Unstable: 0 kB Bounce: 0 kB WritebackTmp: 0 kB -CommitLimit: 5151716 kB -Committed_AS: 973184 kB +CommitLimit: 768232 kB +Committed_AS: 116976 kB VmallocTotal: 34359738367 kB -VmallocUsed: 280772 kB -VmallocChunk: 34359441168 kB +VmallocUsed: 12116 kB +VmallocChunk: 34359713232 kB HardwareCorrupted: 0 kB -AnonHugePages: 249856 kB 
+AnonHugePages: 2048 kB HugePages_Total: 0 HugePages_Free: 0 HugePages_Rsvd: 0 HugePages_Surp: 0 Hugepagesize: 2048 kB -DirectMap4k: 8192 kB -DirectMap2M: 2088960 kB +DirectMap4k: 7156 kB +DirectMap2M: 1492992 kB slabinfo - version: 2.1 # name : tunables : slabdata -bridge_fdb_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -fuse_request 0 0 632 6 1 : tunables 54 27 8 : slabdata 0 0 0 -fuse_inode 0 0 768 5 1 : tunables 54 27 8 : slabdata 0 0 0 -rpc_buffers 8 8 2048 2 1 : tunables 24 12 8 : slabdata 4 4 0 -rpc_tasks 8 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0 -rpc_inode_cache 8 8 832 4 1 : tunables 54 27 8 : slabdata 2 2 0 -hgfsInodeCache 1 6 640 6 1 : tunables 54 27 8 : slabdata 1 1 0 -AF_VMCI 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0 -nf_conntrack_expect 0 0 240 16 1 : tunables 120 60 8 : slabdata 0 0 0 -nf_conntrack_ffffffff8200cec0 22 26 304 13 1 : tunables 54 27 8 : slabdata 2 2 0 -fib6_nodes 22 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0 -ip6_dst_cache 13 30 384 10 1 : tunables 54 27 8 : slabdata 3 3 0 -ndisc_cache 1 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0 -ip6_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0 -RAWv6 67 68 1024 4 1 : tunables 54 27 8 : slabdata 17 17 0 -UDPLITEv6 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0 -UDPv6 4 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0 -tw_sock_TCPv6 0 0 320 12 1 : tunables 54 27 8 : slabdata 0 0 0 -request_sock_TCPv6 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0 -TCPv6 9 10 1856 2 1 : tunables 24 12 8 : slabdata 5 5 0 -jbd2_1k 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0 -avtab_node 502203 502416 24 144 1 : tunables 120 60 8 : slabdata 3489 3489 0 -ext4_inode_cache 74762 74820 1024 4 1 : tunables 54 27 8 : slabdata 18705 18705 0 -ext4_xattr 9 44 88 44 1 : tunables 120 60 8 : slabdata 1 1 0 -ext4_free_block_extents 32 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0 -ext4_alloc_context 28 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0 -ext4_prealloc_space 18 37 
104 37 1 : tunables 120 60 8 : slabdata 1 1 0 -ext4_system_zone 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0 -jbd2_journal_handle 32 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0 -jbd2_journal_head 74 102 112 34 1 : tunables 120 60 8 : slabdata 3 3 0 -jbd2_revoke_table 4 202 16 202 1 : tunables 120 60 8 : slabdata 1 1 0 -jbd2_revoke_record 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0 -dm_crypt_io 50 50 152 25 1 : tunables 120 60 8 : slabdata 2 2 0 -sd_ext_cdb 2 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0 -scsi_sense_cache 25 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0 -scsi_cmd_cache 28 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0 -dm_raid1_read_record 0 0 1064 7 2 : tunables 24 12 8 : slabdata 0 0 0 -kcopyd_job 0 0 3240 2 2 : tunables 24 12 8 : slabdata 0 0 0 -io 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -dm_uevent 0 0 2608 3 2 : tunables 24 12 8 : slabdata 0 0 0 -dm_rq_clone_bio_info 0 0 16 202 1 : tunables 120 60 8 : slabdata 0 0 0 -dm_rq_target_io 0 0 392 10 1 : tunables 54 27 8 : slabdata 0 0 0 -dm_target_io 844 864 24 144 1 : tunables 120 60 8 : slabdata 6 6 0 -dm_io 828 828 40 92 1 : tunables 120 60 8 : slabdata 9 9 0 -flow_cache 0 0 96 40 1 : tunables 120 60 8 : slabdata 0 0 0 -uhci_urb_priv 6 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0 -cfq_io_context 4 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0 -cfq_queue 5 16 240 16 1 : tunables 120 60 8 : slabdata 1 1 0 -bsg_cmd 0 0 312 12 1 : tunables 54 27 8 : slabdata 0 0 0 -mqueue_inode_cache 1 4 896 4 1 : tunables 54 27 8 : slabdata 1 1 0 -isofs_inode_cache 0 0 640 6 1 : tunables 54 27 8 : slabdata 0 0 0 -hugetlbfs_inode_cache 1 6 608 6 1 : tunables 54 27 8 : slabdata 1 1 0 -dquot 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0 -kioctx 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0 -kiocb 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0 -inotify_event_private_data 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0 -inotify_inode_mark_entry 186 204 112 34 1 : tunables 
120 60 8 : slabdata 6 6 0 -dnotify_mark_entry 1 34 112 34 1 : tunables 120 60 8 : slabdata 1 1 0 -dnotify_struct 1 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0 -fasync_cache 6 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0 -khugepaged_mm_slot 83 92 40 92 1 : tunables 120 60 8 : slabdata 1 1 0 -ksm_mm_slot 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0 -ksm_stable_node 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0 -ksm_rmap_item 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -utrace_engine 0 0 56 67 1 : tunables 120 60 8 : slabdata 0 0 0 -utrace 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -pid_namespace 0 0 2120 3 2 : tunables 24 12 8 : slabdata 0 0 0 -nsproxy 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0 -posix_timers_cache 0 0 176 22 1 : tunables 120 60 8 : slabdata 0 0 0 -uid_cache 10 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0 -UNIX 459 480 768 5 1 : tunables 54 27 8 : slabdata 96 96 0 -ip_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0 -UDP-Lite 0 0 832 9 2 : tunables 54 27 8 : slabdata 0 0 0 -tcp_bind_bucket 15 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0 -inet_peer_cache 4 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0 -secpath_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -xfrm_dst_cache 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0 -ip_fib_alias 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0 -ip_fib_hash 10 106 72 53 1 : tunables 120 60 8 : slabdata 2 2 0 -ip_dst_cache 29 50 384 10 1 : tunables 54 27 8 : slabdata 5 5 0 -arp_cache 4 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0 -RAW 65 72 832 9 2 : tunables 54 27 8 : slabdata 8 8 0 -UDP 6 18 832 9 2 : tunables 54 27 8 : slabdata 2 2 0 -tw_sock_TCP 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0 -request_sock_TCP 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0 -TCP 20 24 1664 4 2 : tunables 24 12 8 : slabdata 6 6 0 -eventpoll_pwq 126 212 72 53 1 : tunables 120 60 8 : slabdata 4 4 0 -eventpoll_epi 126 180 128 30 1 : tunables 120 60 8 : slabdata 
6 6 0 -sgpool-128 2 2 4096 1 1 : tunables 24 12 8 : slabdata 2 2 0 -sgpool-64 2 2 2048 2 1 : tunables 24 12 8 : slabdata 1 1 0 -sgpool-32 2 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0 -sgpool-16 2 8 512 8 1 : tunables 54 27 8 : slabdata 1 1 0 -sgpool-8 15 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0 -scsi_data_buffer 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0 -blkdev_integrity 0 0 112 34 1 : tunables 120 60 8 : slabdata 0 0 0 -blkdev_queue 29 30 2856 2 2 : tunables 24 12 8 : slabdata 15 15 0 -blkdev_requests 42 66 352 11 1 : tunables 54 27 8 : slabdata 5 6 0 -blkdev_ioc 5 48 80 48 1 : tunables 120 60 8 : slabdata 1 1 0 -fsnotify_event_holder 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0 -fsnotify_event 0 0 104 37 1 : tunables 120 60 8 : slabdata 0 0 0 -bio-0 180 180 192 20 1 : tunables 120 60 8 : slabdata 9 9 0 -biovec-256 66 66 4096 1 1 : tunables 24 12 8 : slabdata 66 66 0 -biovec-128 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0 -biovec-64 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0 -biovec-16 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0 +nf_conntrack_expect 0 0 240 16 1 : tunables 120 60 0 : slabdata 0 0 0 +nf_conntrack_ffffffff81b18540 35 36 312 12 1 : tunables 54 27 0 : slabdata 3 3 0 +fib6_nodes 45 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0 +ip6_dst_cache 24 40 384 10 1 : tunables 54 27 0 : slabdata 4 4 0 +ndisc_cache 24 30 256 15 1 : tunables 120 60 0 : slabdata 2 2 0 +ip6_mrt_cache 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0 +RAWv6 4 4 1024 4 1 : tunables 54 27 0 : slabdata 1 1 0 +UDPLITEv6 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0 +UDPv6 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0 +tw_sock_TCPv6 0 0 320 12 1 : tunables 54 27 0 : slabdata 0 0 0 +request_sock_TCPv6 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0 +TCPv6 9 10 1920 2 1 : tunables 24 12 0 : slabdata 5 5 0 +jbd2_1k 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0 +avtab_node 551039 551088 24 144 1 : tunables 120 60 0 : slabdata 3827 3827 0 
+ext4_inode_cache 36092 36888 1016 4 1 : tunables 54 27 0 : slabdata 9222 9222 0 +ext4_xattr 5 44 88 44 1 : tunables 120 60 0 : slabdata 1 1 0 +ext4_free_block_extents 16 67 56 67 1 : tunables 120 60 0 : slabdata 1 1 0 +ext4_alloc_context 16 28 136 28 1 : tunables 120 60 0 : slabdata 1 1 0 +ext4_prealloc_space 3 37 104 37 1 : tunables 120 60 0 : slabdata 1 1 0 +ext4_system_zone 0 0 40 92 1 : tunables 120 60 0 : slabdata 0 0 0 +jbd2_journal_handle 16 144 24 144 1 : tunables 120 60 0 : slabdata 1 1 0 +jbd2_journal_head 68 68 112 34 1 : tunables 120 60 0 : slabdata 2 2 0 +jbd2_revoke_table 4 202 16 202 1 : tunables 120 60 0 : slabdata 1 1 0 +jbd2_revoke_record 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0 +scsi_sense_cache 2 30 128 30 1 : tunables 120 60 0 : slabdata 1 1 0 +scsi_cmd_cache 2 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0 +dm_raid1_read_record 0 0 1064 7 2 : tunables 24 12 0 : slabdata 0 0 0 +kcopyd_job 0 0 3240 2 2 : tunables 24 12 0 : slabdata 0 0 0 +io 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0 +dm_uevent 0 0 2608 3 2 : tunables 24 12 0 : slabdata 0 0 0 +dm_rq_clone_bio_info 0 0 16 202 1 : tunables 120 60 0 : slabdata 0 0 0 +dm_rq_target_io 0 0 392 10 1 : tunables 54 27 0 : slabdata 0 0 0 +dm_target_io 576 576 24 144 1 : tunables 120 60 0 : slabdata 4 4 0 +dm_io 552 552 40 92 1 : tunables 120 60 0 : slabdata 6 6 0 +flow_cache 0 0 104 37 1 : tunables 120 60 0 : slabdata 0 0 0 +uhci_urb_priv 0 0 56 67 1 : tunables 120 60 0 : slabdata 0 0 0 +cfq_io_context 0 0 136 28 1 : tunables 120 60 0 : slabdata 0 0 0 +cfq_queue 0 0 240 16 1 : tunables 120 60 0 : slabdata 0 0 0 +bsg_cmd 0 0 312 12 1 : tunables 54 27 0 : slabdata 0 0 0 +mqueue_inode_cache 1 4 896 4 1 : tunables 54 27 0 : slabdata 1 1 0 +isofs_inode_cache 0 0 640 6 1 : tunables 54 27 0 : slabdata 0 0 0 +hugetlbfs_inode_cache 1 6 608 6 1 : tunables 54 27 0 : slabdata 1 1 0 +dquot 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0 +kioctx 0 0 384 10 1 : tunables 54 27 0 : slabdata 0 0 0 
+kiocb 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0 +inotify_event_private_data 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0 +inotify_inode_mark_entry 110 136 112 34 1 : tunables 120 60 0 : slabdata 4 4 0 +dnotify_mark_entry 0 0 112 34 1 : tunables 120 60 0 : slabdata 0 0 0 +dnotify_struct 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0 +dio 0 0 640 6 1 : tunables 54 27 0 : slabdata 0 0 0 +fasync_cache 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0 +khugepaged_mm_slot 17 92 40 92 1 : tunables 120 60 0 : slabdata 1 1 0 +ksm_mm_slot 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0 +ksm_stable_node 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0 +ksm_rmap_item 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0 +utrace_engine 0 0 56 67 1 : tunables 120 60 0 : slabdata 0 0 0 +utrace 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0 +pid_namespace 0 0 2168 3 2 : tunables 24 12 0 : slabdata 0 0 0 +posix_timers_cache 0 0 176 22 1 : tunables 120 60 0 : slabdata 0 0 0 +uid_cache 3 30 128 30 1 : tunables 120 60 0 : slabdata 1 1 0 +UNIX 107 110 768 5 1 : tunables 54 27 0 : slabdata 22 22 0 +ip_mrt_cache 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0 +UDP-Lite 0 0 832 9 2 : tunables 54 27 0 : slabdata 0 0 0 +tcp_bind_bucket 9 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0 +inet_peer_cache 2 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0 +secpath_cache 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0 +xfrm_dst_cache 0 0 448 8 1 : tunables 54 27 0 : slabdata 0 0 0 +ip_fib_alias 1 112 32 112 1 : tunables 120 60 0 : slabdata 1 1 0 +ip_fib_hash 14 53 72 53 1 : tunables 120 60 0 : slabdata 1 1 0 +ip_dst_cache 26 30 384 10 1 : tunables 54 27 0 : slabdata 3 3 0 +arp_cache 6 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0 +PING 0 0 832 9 2 : tunables 54 27 0 : slabdata 0 0 0 +RAW 2 9 832 9 2 : tunables 54 27 0 : slabdata 1 1 0 +UDP 1 9 832 9 2 : tunables 54 27 0 : slabdata 1 1 0 +tw_sock_TCP 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0 +request_sock_TCP 0 0 128 
30 1 : tunables 120 60 0 : slabdata 0 0 0 +TCP 10 12 1728 4 2 : tunables 24 12 0 : slabdata 3 3 0 +eventpoll_pwq 59 106 72 53 1 : tunables 120 60 0 : slabdata 2 2 0 +eventpoll_epi 59 90 128 30 1 : tunables 120 60 0 : slabdata 3 3 0 +sgpool-128 2 2 4096 1 1 : tunables 24 12 0 : slabdata 2 2 0 +sgpool-64 2 2 2048 2 1 : tunables 24 12 0 : slabdata 1 1 0 +sgpool-32 2 4 1024 4 1 : tunables 54 27 0 : slabdata 1 1 0 +sgpool-16 2 8 512 8 1 : tunables 54 27 0 : slabdata 1 1 0 +sgpool-8 2 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0 +scsi_data_buffer 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0 +blkdev_integrity 0 0 112 34 1 : tunables 120 60 0 : slabdata 0 0 0 +blkdev_queue 28 28 2864 2 2 : tunables 24 12 0 : slabdata 14 14 0 +blkdev_requests 22 22 352 11 1 : tunables 54 27 0 : slabdata 2 2 0 +blkdev_ioc 3 48 80 48 1 : tunables 120 60 0 : slabdata 1 1 0 +fsnotify_event_holder 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0 +fsnotify_event 0 0 104 37 1 : tunables 120 60 0 : slabdata 0 0 0 +bio-0 80 80 192 20 1 : tunables 120 60 0 : slabdata 4 4 0 +biovec-256 34 34 4096 1 1 : tunables 24 12 0 : slabdata 34 34 0 +biovec-128 0 0 2048 2 1 : tunables 24 12 0 : slabdata 0 0 0 +biovec-64 4 4 1024 4 1 : tunables 54 27 0 : slabdata 1 1 0 +biovec-16 15 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0 bip-256 2 2 4224 1 2 : tunables 8 4 0 : slabdata 2 2 0 -bip-128 0 0 2176 3 2 : tunables 24 12 8 : slabdata 0 0 0 -bip-64 0 0 1152 7 2 : tunables 24 12 8 : slabdata 0 0 0 -bip-16 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0 -bip-4 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0 -bip-1 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0 -sock_inode_cache 667 685 704 5 1 : tunables 54 27 8 : slabdata 137 137 0 -skbuff_fclone_cache 7 7 512 7 1 : tunables 54 27 8 : slabdata 1 1 0 -skbuff_head_cache 302 450 256 15 1 : tunables 120 60 8 : slabdata 30 30 0 -file_lock_cache 38 44 176 22 1 : tunables 120 60 8 : slabdata 2 2 0 -net_namespace 0 0 2112 3 2 : tunables 24 12 8 : slabdata 
0 0 0 -shmem_inode_cache 774 775 800 5 1 : tunables 54 27 8 : slabdata 155 155 0 -Acpi-Operand 4563 4664 72 53 1 : tunables 120 60 8 : slabdata 88 88 0 -Acpi-ParseExt 0 0 72 53 1 : tunables 120 60 8 : slabdata 0 0 0 -Acpi-Parse 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0 -Acpi-State 0 0 80 48 1 : tunables 120 60 8 : slabdata 0 0 0 -Acpi-Namespace 3311 3312 40 92 1 : tunables 120 60 8 : slabdata 36 36 0 -task_delay_info 332 340 112 34 1 : tunables 120 60 8 : slabdata 10 10 0 -taskstats 5 12 328 12 1 : tunables 54 27 8 : slabdata 1 1 0 -proc_inode_cache 1008 1008 640 6 1 : tunables 54 27 8 : slabdata 168 168 0 -sigqueue 35 48 160 24 1 : tunables 120 60 8 : slabdata 2 2 0 -bdev_cache 32 36 832 4 1 : tunables 54 27 8 : slabdata 9 9 0 -sysfs_dir_cache 11356 11367 144 27 1 : tunables 120 60 8 : slabdata 421 421 0 -mnt_cache 37 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0 -filp 4614 4700 192 20 1 : tunables 120 60 8 : slabdata 235 235 60 -inode_cache 6883 7308 592 6 1 : tunables 54 27 8 : slabdata 1218 1218 0 -dentry 61000 63960 192 20 1 : tunables 120 60 8 : slabdata 3198 3198 0 -names_cache 26 26 4096 1 1 : tunables 24 12 8 : slabdata 26 26 0 -avc_node 518 1239 64 59 1 : tunables 120 60 8 : slabdata 21 21 0 -selinux_inode_security 84086 86072 72 53 1 : tunables 120 60 8 : slabdata 1624 1624 0 -radix_tree_node 11552 11781 560 7 1 : tunables 54 27 8 : slabdata 1683 1683 0 -key_jar 11 20 192 20 1 : tunables 120 60 8 : slabdata 1 1 0 -buffer_head 220986 230214 104 37 1 : tunables 120 60 8 : slabdata 6222 6222 0 -vm_area_struct 12932 13034 200 19 1 : tunables 120 60 8 : slabdata 686 686 60 -mm_struct 145 145 1408 5 2 : tunables 24 12 8 : slabdata 29 29 0 -fs_cache 137 177 64 59 1 : tunables 120 60 8 : slabdata 3 3 0 -files_cache 162 165 704 11 2 : tunables 54 27 8 : slabdata 15 15 0 -signal_cache 204 204 1024 4 1 : tunables 54 27 8 : slabdata 51 51 0 -sighand_cache 195 195 2112 3 2 : tunables 24 12 8 : slabdata 65 65 0 -task_xstate 232 232 512 8 1 : tunables 54 27 8 
: slabdata 29 29 0 -task_struct 303 303 2656 3 2 : tunables 24 12 8 : slabdata 101 101 0 -cred_jar 580 580 192 20 1 : tunables 120 60 8 : slabdata 29 29 0 -anon_vma_chain 7844 8162 48 77 1 : tunables 120 60 8 : slabdata 106 106 60 -anon_vma 5773 5888 40 92 1 : tunables 120 60 8 : slabdata 64 64 60 -pid 322 330 128 30 1 : tunables 120 60 8 : slabdata 11 11 0 -shared_policy_node 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0 -numa_policy 1 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0 -idr_layer_cache 428 434 544 7 1 : tunables 54 27 8 : slabdata 62 62 0 +bip-128 0 0 2176 3 2 : tunables 24 12 0 : slabdata 0 0 0 +bip-64 0 0 1152 7 2 : tunables 24 12 0 : slabdata 0 0 0 +bip-16 0 0 384 10 1 : tunables 54 27 0 : slabdata 0 0 0 +bip-4 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0 +bip-1 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0 +sock_inode_cache 151 160 704 5 1 : tunables 54 27 0 : slabdata 32 32 0 +skbuff_fclone_cache 7 7 512 7 1 : tunables 54 27 0 : slabdata 1 1 0 +skbuff_head_cache 66 105 256 15 1 : tunables 120 60 0 : slabdata 7 7 0 +file_lock_cache 21 22 176 22 1 : tunables 120 60 0 : slabdata 1 1 0 +net_namespace 0 0 2432 3 2 : tunables 24 12 0 : slabdata 0 0 0 +shmem_inode_cache 654 655 784 5 1 : tunables 54 27 0 : slabdata 131 131 0 +Acpi-Operand 1211 1219 72 53 1 : tunables 120 60 0 : slabdata 23 23 0 +Acpi-ParseExt 0 0 72 53 1 : tunables 120 60 0 : slabdata 0 0 0 +Acpi-Parse 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0 +Acpi-State 0 0 80 48 1 : tunables 120 60 0 : slabdata 0 0 0 +Acpi-Namespace 407 460 40 92 1 : tunables 120 60 0 : slabdata 5 5 0 +task_delay_info 102 102 112 34 1 : tunables 120 60 0 : slabdata 3 3 0 +taskstats 0 0 328 12 1 : tunables 54 27 0 : slabdata 0 0 0 +proc_inode_cache 408 408 656 6 1 : tunables 54 27 0 : slabdata 68 68 0 +sigqueue 9 24 160 24 1 : tunables 120 60 0 : slabdata 1 1 0 +bdev_cache 31 32 832 4 1 : tunables 54 27 0 : slabdata 8 8 0 +sysfs_dir_cache 7588 7614 144 27 1 : tunables 120 60 0 : slabdata 282 282 0 
+mnt_cache 27 30 256 15 1 : tunables 120 60 0 : slabdata 2 2 0 +filp 840 840 192 20 1 : tunables 120 60 0 : slabdata 42 42 0 +inode_cache 5826 5826 592 6 1 : tunables 54 27 0 : slabdata 971 971 0 +dentry 189280 189280 192 20 1 : tunables 120 60 0 : slabdata 9464 9464 0 +names_cache 1 1 4096 1 1 : tunables 24 12 0 : slabdata 1 1 0 +avc_node 518 708 64 59 1 : tunables 120 60 0 : slabdata 12 12 0 +selinux_inode_security 43199 46799 72 53 1 : tunables 120 60 0 : slabdata 883 883 0 +radix_tree_node 2964 3598 560 7 1 : tunables 54 27 0 : slabdata 514 514 0 +key_jar 5 20 192 20 1 : tunables 120 60 0 : slabdata 1 1 0 +buffer_head 24032 25493 104 37 1 : tunables 120 60 0 : slabdata 689 689 0 +nsproxy 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0 +vm_area_struct 2565 2565 200 19 1 : tunables 120 60 0 : slabdata 135 135 0 +mm_struct 40 40 1408 5 2 : tunables 24 12 0 : slabdata 8 8 0 +fs_cache 59 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0 +files_cache 44 44 704 11 2 : tunables 54 27 0 : slabdata 4 4 0 +signal_cache 91 91 1088 7 2 : tunables 24 12 0 : slabdata 13 13 0 +sighand_cache 90 90 2112 3 2 : tunables 24 12 0 : slabdata 30 30 0 +task_xstate 48 48 512 8 1 : tunables 54 27 0 : slabdata 6 6 0 +task_struct 96 96 2656 3 2 : tunables 24 12 0 : slabdata 32 32 0 +cred_jar 240 240 192 20 1 : tunables 120 60 0 : slabdata 12 12 0 +anon_vma_chain 1795 2079 48 77 1 : tunables 120 60 0 : slabdata 27 27 0 +anon_vma 1209 1380 40 92 1 : tunables 120 60 0 : slabdata 15 15 0 +pid 107 120 128 30 1 : tunables 120 60 0 : slabdata 4 4 0 +shared_policy_node 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0 +numa_policy 0 0 136 28 1 : tunables 120 60 0 : slabdata 0 0 0 +idr_layer_cache 281 287 544 7 1 : tunables 54 27 0 : slabdata 41 41 0 size-4194304(DMA) 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0 size-4194304 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0 size-2097152(DMA) 0 0 2097152 1 512 : tunables 1 1 0 : slabdata 0 0 0 
@@ -307,36 +250,36 @@ size-524288 0 0 524288 1 128 : tunables 1 1 0 : sla size-262144(DMA) 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0 size-262144 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0 size-131072(DMA) 0 0 131072 1 32 : tunables 8 4 0 : slabdata 0 0 0 -size-131072 1 1 131072 1 32 : tunables 8 4 0 : slabdata 1 1 0 +size-131072 0 0 131072 1 32 : tunables 8 4 0 : slabdata 0 0 0 size-65536(DMA) 0 0 65536 1 16 : tunables 8 4 0 : slabdata 0 0 0 size-65536 2 2 65536 1 16 : tunables 8 4 0 : slabdata 2 2 0 size-32768(DMA) 0 0 32768 1 8 : tunables 8 4 0 : slabdata 0 0 0 size-32768 3 3 32768 1 8 : tunables 8 4 0 : slabdata 3 3 0 size-16384(DMA) 0 0 16384 1 4 : tunables 8 4 0 : slabdata 0 0 0 -size-16384 11 11 16384 1 4 : tunables 8 4 0 : slabdata 11 11 0 +size-16384 7 7 16384 1 4 : tunables 8 4 0 : slabdata 7 7 0 size-8192(DMA) 0 0 8192 1 2 : tunables 8 4 0 : slabdata 0 0 0 -size-8192 27 27 8192 1 2 : tunables 8 4 0 : slabdata 27 27 0 -size-4096(DMA) 0 0 4096 1 1 : tunables 24 12 8 : slabdata 0 0 0 -size-4096 425 425 4096 1 1 : tunables 24 12 8 : slabdata 425 425 0 -size-2048(DMA) 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0 -size-2048 578 578 2048 2 1 : tunables 24 12 8 : slabdata 289 289 0 -size-1024(DMA) 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0 -size-1024 1304 1304 1024 4 1 : tunables 54 27 8 : slabdata 326 326 0 -size-512(DMA) 0 0 512 8 1 : tunables 54 27 8 : slabdata 0 0 0 -size-512 1123 1176 512 8 1 : tunables 54 27 8 : slabdata 147 147 0 -size-256(DMA) 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0 -size-256 870 870 256 15 1 : tunables 120 60 8 : slabdata 58 58 0 -size-192(DMA) 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0 -size-192 2119 2160 192 20 1 : tunables 120 60 8 : slabdata 108 108 0 -size-128(DMA) 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0 -size-64(DMA) 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -size-64 33003 40887 64 59 1 : tunables 120 60 8 : slabdata 693 693 0 -size-32(DMA) 0 0 32 112 1 : tunables 120 60 8 
: slabdata 0 0 0 -size-128 3921 4800 128 30 1 : tunables 120 60 8 : slabdata 160 160 0 -size-32 332359 332976 32 112 1 : tunables 120 60 8 : slabdata 2973 2973 0 -kmem_cache 191 191 32896 1 16 : tunables 8 4 0 : slabdata 191 191 0 +size-8192 12 12 8192 1 2 : tunables 8 4 0 : slabdata 12 12 0 +size-4096(DMA) 0 0 4096 1 1 : tunables 24 12 0 : slabdata 0 0 0 +size-4096 119 119 4096 1 1 : tunables 24 12 0 : slabdata 119 119 0 +size-2048(DMA) 0 0 2048 2 1 : tunables 24 12 0 : slabdata 0 0 0 +size-2048 200 200 2048 2 1 : tunables 24 12 0 : slabdata 100 100 0 +size-1024(DMA) 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0 +size-1024 578 588 1024 4 1 : tunables 54 27 0 : slabdata 147 147 0 +size-512(DMA) 0 0 512 8 1 : tunables 54 27 0 : slabdata 0 0 0 +size-512 608 608 512 8 1 : tunables 54 27 0 : slabdata 76 76 0 +size-256(DMA) 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0 +size-256 815 825 256 15 1 : tunables 120 60 0 : slabdata 55 55 0 +size-192(DMA) 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0 +size-192 1260 1260 192 20 1 : tunables 120 60 0 : slabdata 63 63 0 +size-128(DMA) 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0 +size-64(DMA) 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0 +size-64 23094 25783 64 59 1 : tunables 120 60 0 : slabdata 437 437 0 +size-32(DMA) 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0 +size-128 3271 3450 128 30 1 : tunables 120 60 0 : slabdata 115 115 0 +size-32 352497 352576 32 112 1 : tunables 120 60 0 : slabdata 3148 3148 0 +kmem_cache 183 183 32896 1 16 : tunables 8 4 0 : slabdata 183 183 0 Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed - lo:267102759 105357 0 0 0 0 0 0 267102759 105357 0 0 0 0 0 0 - eth0:1013756074 1354469 0 0 0 0 0 0 245526499 966773 0 0 0 0 0 0 - pan0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + lo: 5243413 23981 0 0 0 0 0 0 5243413 23981 0 0 0 0 0 0 + eth0:25462133 318845 0 0 0 0 0 0 2039181 15966 0 0 0 0 0 0 + eth1: 
1386405 18972 0 0 0 0 0 0 95634 1485 0 0 0 0 0 0 diff --git a/test/aux-fixed/exim-ca/example.com/CA/secmod.db b/test/aux-fixed/exim-ca/example.com/CA/secmod.db index c7f115bd6..f8cc0e78b 100644 Binary files a/test/aux-fixed/exim-ca/example.com/CA/secmod.db and b/test/aux-fixed/exim-ca/example.com/CA/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/expired1.example.com/ca_chain.pem index f8f92755b..78430e49d 100644 --- a/test/aux-fixed/exim-ca/example.com/expired1.example.com/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/ca_chain.pem 
@@ -3,45 +3,54 @@ Bag Attributes subject=/O=example.com/CN=clica Signing Cert issuer=/O=example.com/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw -MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y -7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St -u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa -ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw +MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp +P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3 +/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi +fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2 +tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH +7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.com/CN=clica CA issuer=/O=example.com/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw -MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o 
-mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+ -ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA0WhcNMzgw +MTAxMTIzNDA0WjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0wro64rve876glpdRh +tD6qFY6iH2kCarFFq3WaKmfCvOjYmn4CJr7pL7J5DuvCFh7A0H8lD/on5NK3yqkX +Yi6EUlaYWxeRo2/PuZYUGbCpejST41sibw9V2dT4MHLidjDShE0W9SfgiMmxfF02 +H5hLYswAGCL1kezsVeEJeH31AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAIn9+8uyQtaq8sBEohTl +qyJQQeZk5xxaILYP/rCIxc+z5fgOh+usB9adaiD23RPuuD/P2c3UqHJQWqIUTu46 +eOKn9K7X7ndIH3WnaC/u4nysL+SIAug72/k1BAVGNQvyNQMhth6CfZTgY0tgcS0Z +RSHyhbTD0HeiJDI281BoOJjm -----END CERTIFICATE----- Bag Attributes friendlyName: expired1.example.com - localKeyID: C3 70 0A 4C 75 DB 50 B7 1F 67 60 9C DC AD 17 A3 C0 65 5F FF + localKeyID: 54 BE 44 70 F3 50 A6 ED E3 73 5C F3 DC BB E0 12 26 DC 31 A1 subject=/CN=expired1.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMVoXDTEyMTIwMTEyMzQwMVowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs -ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuhbGp8Jqy4UZdYGiPLl+q1m4 -dBdrY6689kqn5x5FUZ4PNl9ty9+mnC2Dx5WiYbrOybQZViM9lAIvGRI1GKsHdwID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w -bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAkrXPLW+etluRGUilUcMsAWEZJ8Syu317 
-kXvPuyjNVz3+lGo/4hzhehSusTzy4+22UgsBmgZpjG+uI8tNRmDnAQ== +MzQwNloXDTEyMTIwMTEyMzQwNlowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs +ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANUk3PULhKJc9xJO2RQU +MeMwVInv1cw7Izt2VRgM+G9GgKlK8ZUN+99b7UW7zIbeOlOLjbbSBWxkg7FhynFk +XL8xoYXgKutwSvCTxtCEzssUidmUcuQiLvGn5HVj4lBpzHU7VErirBi2yoYIEWuI +5Rbv3nvvUhGZTVLIP4VLGjlHAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLmNvbS8wHwYDVR0R +BBgwFoIUZXhwaXJlZDEuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQEFBQADgYEARc5Z +IIljQytcuQHIwHLWNPG1JxCDpIBbJs9fRpN9KgsE2G+PIWK1YYP65f6VfiMt1SWT +gx+qt9/WJX8g5r8xyr+pBIhjcMo9lACK/hMVCfm7/0GX5f5WAPmepK47KF7llp/5 +hAqmARw/XJgkEPmcZ0lRinR3J/eeRo1dNpP/IIU= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/expired1.example.com/cert8.db index 29784aef4..86d239eae 100644 Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/cert8.db and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.chain.pem index fe5dcdf2f..51779fcd9 100644 --- a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.chain.pem +++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.chain.pem 
@@ -1,29 +1,35 @@ Bag Attributes friendlyName: expired1.example.com - localKeyID: C3 70 0A 4C 75 DB 50 B7 1F 67 60 9C DC AD 17 A3 C0 65 5F FF + localKeyID: 54 BE 44 70 F3 50 A6 ED E3 73 5C F3 DC BB E0 12 26 DC 31 A1 subject=/CN=expired1.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMVoXDTEyMTIwMTEyMzQwMVowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs -ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuhbGp8Jqy4UZdYGiPLl+q1m4 -dBdrY6689kqn5x5FUZ4PNl9ty9+mnC2Dx5WiYbrOybQZViM9lAIvGRI1GKsHdwID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w -bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAkrXPLW+etluRGUilUcMsAWEZJ8Syu317 -kXvPuyjNVz3+lGo/4hzhehSusTzy4+22UgsBmgZpjG+uI8tNRmDnAQ== +MzQwNloXDTEyMTIwMTEyMzQwNlowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs +ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANUk3PULhKJc9xJO2RQU +MeMwVInv1cw7Izt2VRgM+G9GgKlK8ZUN+99b7UW7zIbeOlOLjbbSBWxkg7FhynFk +XL8xoYXgKutwSvCTxtCEzssUidmUcuQiLvGn5HVj4lBpzHU7VErirBi2yoYIEWuI +5Rbv3nvvUhGZTVLIP4VLGjlHAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLmNvbS8wHwYDVR0R +BBgwFoIUZXhwaXJlZDEuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQEFBQADgYEARc5Z +IIljQytcuQHIwHLWNPG1JxCDpIBbJs9fRpN9KgsE2G+PIWK1YYP65f6VfiMt1SWT +gx+qt9/WJX8g5r8xyr+pBIhjcMo9lACK/hMVCfm7/0GX5f5WAPmepK47KF7llp/5 +hAqmARw/XJgkEPmcZ0lRinR3J/eeRo1dNpP/IIU= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt 
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw -MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y -7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St -u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa -ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw +MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp +P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3 +/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi +fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2 +tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH +7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.key b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.key index ecfb0cbc7..369fa30ca 100644 --- a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.key +++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: expired1.example.com - localKeyID: C3 70 0A 4C 75 DB 50 B7 1F 67 60 9C DC AD 17 A3 C0 65 5F FF + localKeyID: 54 BE 44 70 F3 50 A6 ED E3 73 5C F3 DC BB E0 12 26 DC 31 A1 Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQINZM2aHxF3EcCAggA -MBQGCCqGSIb3DQMHBAjc9XMhJPg/ZwSCAVicoTPaeGXGPJyPdhflErlI9EWbj0PH -bv8AchovLDfYq1Q4EJzkUG1XyelHNha+BS/zFxCcmtpdQtXedL/SdXsOyM99wdJH -tjpJyWxM3bysqDUdhv2g11KTG0M9L7RBtKmbQq0zcHf9oTZbABKSe4EzX6a9khJY -5bRVBSQPNtj3/5aAr0BOQQnythh0880FcYmvbFmZQNR12Cexc0+X0/aTaQ/LhM1y -8GlRBFXGACP+mrY4RfEk/EatcGmqn4JCVASF7Z7zu7JKsEskLDArF9nvVh2xN22n -DugUfQDRPph4ug2MyUcKNSZzGs+khWmS2TgPgUV0gr1tqS4Sqo+59NuZInyGSMRn -FeiFTSYcd+zmxinF20MCs+Y6fFasErs6/zdK5oeV8pMlTCX0/yky9Ye4kfth2oHl -UV+Rfe2Bo40wn6QkxuptagYdoDTJrMUCH9WL/ODRn4IA1Q== +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIEJETKcyNPKkCAggA +MBQGCCqGSIb3DQMHBAj+HLWzdCLulASCAoCle4sKpW54xzwgFBCtdLDXFO55QrNL +rjiwWrmMDKP/SQTu6srl4wrB75aghZQTv9yuvhhiyrkEUm87m+J/scLIE8XEMiDv +64S0nsLkvRt/5ysZnAVHbpgR6GBHCa+aMSFLZcWeZ4mRRePJy3dxi2MID9Cu7P/Z +llAbQHC4yYAO/sboesY4k7Qp4x0Q1fwVqrhl/N2BtuBHJeeU/mug2SXJl7m3panu +cxUko+aGwHr/p3xQqHpCZ6RSTo1h+N8DqJHVs57JrN5l5/DYJbuo53MQpbahzLpL +SIXYq6lAni05+B88hXDW5ZPNMQwnjPL6SVSLUH2aDntJY5Ezor74NMSXKOmVf++q +MqUbxf5EpzwW/H/3clXA0UCoUXs6/Xr7DydsAyORMLFS7CI+ehF48BAhwYcpEjGv +uQyZdWsJMU5qaB3XnGFTwnsted1oVszu1FCqtQntfeuuG1V8s4LZgPtP25sE6zFP +NGvFU5SCkuoj5+lhbsFSoF6YjJO5rcbIbd3OuUUZgo6posHeoo49T7gI0G563E7E +KcMhpYR+/ayHGWRXm4J92x1X7NGCbbF+j1if76U8zd0fpgrXWdZKP2npA5gfp0Ae +un4KhQOSLSvJQ0Vq0Vzc788j9jeHowYlnNoItgfoUIJ1DaILZjEtXlXPkH/sUgkF +jsvmcjsMp4DpwDacmjzMvAu76Aw3FX3iU9aR9iYEwD9XkRkZzSf1hhB7Cfs4RXQX +Zj0y2KTP/cltPghKdc6Gx1UyzX3ZvHZNA516pV73vHpkMzkiiSo7Ko2Vz71m9QwA +dIkyMUVP00uZo6prpM/SfkEbrVmH8nwRbVNfR1Gwkol2Bk8mer+ifI+L -----END ENCRYPTED PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.dated.resp index d7ba6319e..6ef6c30d9 100644 Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.good.resp index 3714a90de..f639d770e 100644 Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.req index 37b83a669..d5bc8ecd6 100644 Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.req and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.revoked.resp index 4a259407a..a20173cdf 100644 Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.ocsp.revoked.resp differ 
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.p12 b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.p12 index 488e3e58d..c57a30504 100644 Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.p12 and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.p12 differ diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.pem b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.pem index d30bbe096..66dd58f02 100644 --- a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.pem +++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.pem 
@@ -1,18 +1,21 @@ Bag Attributes friendlyName: expired1.example.com - localKeyID: C3 70 0A 4C 75 DB 50 B7 1F 67 60 9C DC AD 17 A3 C0 65 5F FF + localKeyID: 54 BE 44 70 F3 50 A6 ED E3 73 5C F3 DC BB E0 12 26 DC 31 A1 subject=/CN=expired1.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMVoXDTEyMTIwMTEyMzQwMVowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs -ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuhbGp8Jqy4UZdYGiPLl+q1m4 -dBdrY6689kqn5x5FUZ4PNl9ty9+mnC2Dx5WiYbrOybQZViM9lAIvGRI1GKsHdwID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w -bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAkrXPLW+etluRGUilUcMsAWEZJ8Syu317 -kXvPuyjNVz3+lGo/4hzhehSusTzy4+22UgsBmgZpjG+uI8tNRmDnAQ== +MzQwNloXDTEyMTIwMTEyMzQwNlowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs +ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANUk3PULhKJc9xJO2RQU +MeMwVInv1cw7Izt2VRgM+G9GgKlK8ZUN+99b7UW7zIbeOlOLjbbSBWxkg7FhynFk +XL8xoYXgKutwSvCTxtCEzssUidmUcuQiLvGn5HVj4lBpzHU7VErirBi2yoYIEWuI +5Rbv3nvvUhGZTVLIP4VLGjlHAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLmNvbS8wHwYDVR0R +BBgwFoIUZXhwaXJlZDEuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQEFBQADgYEARc5Z +IIljQytcuQHIwHLWNPG1JxCDpIBbJs9fRpN9KgsE2G+PIWK1YYP65f6VfiMt1SWT +gx+qt9/WJX8g5r8xyr+pBIhjcMo9lACK/hMVCfm7/0GX5f5WAPmepK47KF7llp/5 +hAqmARw/XJgkEPmcZ0lRinR3J/eeRo1dNpP/IIU= -----END CERTIFICATE----- 
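Review bot: the regenerated expired1.example.com leaf moves from a 512-bit to a 1024-bit RSA key (the public-key header inside the base64 changes from `...ANLADBIAkEA` to `...A4GNADCBiQKBgQ`), but it is still signed with sha1WithRSAEncryption and still carries a fixed one-month validity window in late 2012. TLS libraries built with stricter defaults can refuse 1024-bit RSA or SHA-1 signatures before they ever evaluate notAfter, so a test that expects an expiry failure may fail for a different reason. Consider regenerating the whole fixture set with 2048-bit keys and SHA-256, and record in the commit message how the set was generated so the next refresh is reproducible.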
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.unlocked.key index 9754e14fe..a9d3f86b8 100644 --- a/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.unlocked.key +++ b/test/aux-fixed/exim-ca/example.com/expired1.example.com/expired1.example.com.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOQIBAAJBALoWxqfCasuFGXWBojy5fqtZuHQXa2OuvPZKp+ceRVGeDzZfbcvf -ppwtg8eVomG6zsm0GVYjPZQCLxkSNRirB3cCAwEAAQJAbb0wuY21XP/I27ru6dCa -GoJ2fD+zXL2XQccU7P608kO6R9g73lx48QT21OGvLkKGA4J2U3qqvqJWKP580o3X -gQIhAN8A4PM0w3cLBnibnQcr+5TfhSUye/4AQcaqUQBnjQW5AiEA1Z+eWtugFdR3 -D6ntc4UdyXsO1DMDn6QyuyEyrJqUDq8CIGGfrtqJVLB+gRy3cuy60m3/0/fOu/0b -+6+Oy9sTeebxAiBK7m5RWHBSt+/7YpOTzcGhBrUw4aQHv0S8Nuzbdm0wqQIgYW0B -7KVyChX6OpKifrdrSK3Jp3iXP9pgNunxGNj1QbM= +MIICXAIBAAKBgQDVJNz1C4SiXPcSTtkUFDHjMFSJ79XMOyM7dlUYDPhvRoCpSvGV +DfvfW+1Fu8yG3jpTi4220gVsZIOxYcpxZFy/MaGF4CrrcErwk8bQhM7LFInZlHLk +Ii7xp+R1Y+JQacx1O1RK4qwYtsqGCBFriOUW795771IRmU1SyD+FSxo5RwIDAQAB +AoGAPhr3pw8sHoMoGtWOuyMHRkOW3npbuZ6hrXnVYaSl3waUBsAnlF72vSZ0BJWs +CsBGDoHjURnxKpw/IzhzXIb53tNj5h8jIwxZfylqXQirkv7TfAW6WuxfAXwW7/Ca +OQnriyz0UB8AVohZ6UZQG4MrHcUypHrEsw8uwEkdb4I4f0ECQQD+BOlQuRuVOZ26 +iKrJs4K0DrJHTD/3cLtRYNGWRAF+q+tG2hAu0L7Dh4BDYA62A21hEHBp1XCBBk8h +2Q0rZ/uzAkEA1s5aq2tZCEPlvR+aRLJz4yEHAOtuj2wyVAq3weY/2SfDbtqTrHNa +sRWHGx2ofyO22jHDRXG4GdyhvBhHAk9yHQJAQEF5y4OnqI3UilT77t3L2ERHcKWn +IK6Rk7pMChjVz/cpItkScuU2/DsQhPqNfhlL19vSs9LcDKdN6SAAptQ85QJBALy0 +0Aaj6bVPILbC2p3bP9+bFjICokAxRw151PDsu86kFhZ+wxjOxi+nv+dcaLg4wdxx +tyB8xMVDhHpfwZIQBSkCQDmP11qxf43phqxiUo8T6uqMG7DfA5YdDtGlV43sgKmd +8iuIc26FKxdvr3kxn5w0qEIe1QqVisUHGvBYRfrF3so= -----END RSA PRIVATE KEY----- 
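Review bot: expired1.example.com.unlocked.key is an unencrypted RSA private key, and nothing in the file marks it as a throwaway fixture; the only signal is the test/aux-fixed path. Add a short README in the exim-ca directory stating that these keys are test-only and are regenerated as a set, and list the directory in whatever secret-scanning allowlist the project uses so the match is a documented exception. The encrypted `.key` sibling changed earlier in this patch protects nothing while this copy sits beside it, so the README should also state that its passphrase is not a secret.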
diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/expired1.example.com/key3.db index 706f876a7..377e17f8b 100644 Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/key3.db and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.com/expired1.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/expired1.example.com/secmod.db index db5dae7d0..5ab9cbddd 100644 Binary files a/test/aux-fixed/exim-ca/example.com/expired1.example.com/secmod.db and b/test/aux-fixed/exim-ca/example.com/expired1.example.com/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/expired2.example.com/ca_chain.pem index cb3f97569..71784aecb 100644 --- a/test/aux-fixed/exim-ca/example.com/expired2.example.com/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/ca_chain.pem 
@@ -3,45 +3,54 @@ Bag Attributes subject=/O=example.com/CN=clica Signing Cert issuer=/O=example.com/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw -MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y -7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St -u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa -ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw +MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp +P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3 +/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi +fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2 +tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH +7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.com/CN=clica CA issuer=/O=example.com/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw -MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o 
-mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+ -ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA0WhcNMzgw +MTAxMTIzNDA0WjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0wro64rve876glpdRh +tD6qFY6iH2kCarFFq3WaKmfCvOjYmn4CJr7pL7J5DuvCFh7A0H8lD/on5NK3yqkX +Yi6EUlaYWxeRo2/PuZYUGbCpejST41sibw9V2dT4MHLidjDShE0W9SfgiMmxfF02 +H5hLYswAGCL1kezsVeEJeH31AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAIn9+8uyQtaq8sBEohTl +qyJQQeZk5xxaILYP/rCIxc+z5fgOh+usB9adaiD23RPuuD/P2c3UqHJQWqIUTu46 +eOKn9K7X7ndIH3WnaC/u4nysL+SIAug72/k1BAVGNQvyNQMhth6CfZTgY0tgcS0Z +RSHyhbTD0HeiJDI281BoOJjm -----END CERTIFICATE----- Bag Attributes friendlyName: expired2.example.com - localKeyID: 00 5E 8C 89 32 69 66 73 D9 E7 D3 9C E8 6A 72 27 1D C2 65 87 + localKeyID: C6 AF 42 A4 62 E4 DE A3 FA 0A 88 C9 9F 8A 3A 95 F8 BD 5F 68 subject=/CN=expired2.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDJaFw0xMjEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w -bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANs6ryDCjUepqaS5l0ZmpJ3m -bU0/nDE43cIfDCU+70Jjvf4rxfiQu1N1iiTO2IdRcxai/STBGxpaJRvo/G5l778C -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt -cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBABTJbEBMPo/NbiMz+shKPbN+T+oAoneT 
-mb1n+3cM5I3RGkkzF8mYDyamimNn+T8GKWdVkiM/Jov1kv+KY5Twg+U= +MjM0MDdaFw0xMjEyMDExMjM0MDdaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w +bGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1CGIJL05trceWyUkd +Jdp3QFiQGuYn+nRTLUOOJR4v9cYUFomihLdPZ2ElUZuQUQaP3mo0rNwSZBnUWaS+ +2MBOInu3DwBMhCqX2lPmVtOoj9PC0jsxl18pIYW5tKKpVdSVuTXZa/bUCbf351DN +clNIEfh7zFXevzbwrI2x5qrteQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1Ud +EQQYMBaCFGV4cGlyZWQyLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBBQUAA4GBAGNy +FvCmqIUPn/BSasd66jOrg46+YkCh/YN8zt1ysQr5ZgM+mP26W+el9JiknnD17G26 +ImFaxP+X8ghPM54sErbAB3euFpjsdqVqdOr2g7SJJnVvD0XygYqxEy7h7XAl8M9n +ofNIBV2IWKQ1wLHnHquM1v5e3s1dL0ptyfBMPhDE -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/expired2.example.com/cert8.db index 1f5daa20e..b138d4233 100644 Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/cert8.db and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.chain.pem index 153025b6c..da6995fff 100644 --- a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.chain.pem +++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.chain.pem 
@@ -1,29 +1,35 @@ Bag Attributes friendlyName: expired2.example.com - localKeyID: 00 5E 8C 89 32 69 66 73 D9 E7 D3 9C E8 6A 72 27 1D C2 65 87 + localKeyID: C6 AF 42 A4 62 E4 DE A3 FA 0A 88 C9 9F 8A 3A 95 F8 BD 5F 68 subject=/CN=expired2.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDJaFw0xMjEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w -bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANs6ryDCjUepqaS5l0ZmpJ3m -bU0/nDE43cIfDCU+70Jjvf4rxfiQu1N1iiTO2IdRcxai/STBGxpaJRvo/G5l778C -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt -cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBABTJbEBMPo/NbiMz+shKPbN+T+oAoneT -mb1n+3cM5I3RGkkzF8mYDyamimNn+T8GKWdVkiM/Jov1kv+KY5Twg+U= +MjM0MDdaFw0xMjEyMDExMjM0MDdaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w +bGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1CGIJL05trceWyUkd +Jdp3QFiQGuYn+nRTLUOOJR4v9cYUFomihLdPZ2ElUZuQUQaP3mo0rNwSZBnUWaS+ +2MBOInu3DwBMhCqX2lPmVtOoj9PC0jsxl18pIYW5tKKpVdSVuTXZa/bUCbf351DN +clNIEfh7zFXevzbwrI2x5qrteQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1Ud +EQQYMBaCFGV4cGlyZWQyLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBBQUAA4GBAGNy +FvCmqIUPn/BSasd66jOrg46+YkCh/YN8zt1ysQr5ZgM+mP26W+el9JiknnD17G26 +ImFaxP+X8ghPM54sErbAB3euFpjsdqVqdOr2g7SJJnVvD0XygYqxEy7h7XAl8M9n +ofNIBV2IWKQ1wLHnHquM1v5e3s1dL0ptyfBMPhDE -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt 
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw -MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y -7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St -u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa -ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw +MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp +P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3 +/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi +fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2 +tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH +7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.key b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.key index 4390919d3..3cc7e43c6 100644 --- a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.key +++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: expired2.example.com - localKeyID: 00 5E 8C 89 32 69 66 73 D9 E7 D3 9C E8 6A 72 27 1D C2 65 87 + localKeyID: C6 AF 42 A4 62 E4 DE A3 FA 0A 88 C9 9F 8A 3A 95 F8 BD 5F 68 Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI0nrN9i220lwCAggA -MBQGCCqGSIb3DQMHBAjYbPQkuir8nQSCAWANYVbKcEW9iaRzdj6AmMMZw4wnklZI -rR+R/Eaz92xDWHLv9Qo03JK2OoGgkhE3QvyNxP7Sm69hgErN202M1s7CW66HAt60 -T0XmvbZoXYkn3iPzi6Txi1GQnzo7gfd1S0phD/4q+Tq38nRzJjvHjsL1ebjiFZ2y -t5cF+gW7+3LEKT/s0K/WpS6QKTgl/W5iV09Tix1eOPckv7z4Cs2fiurohPocUTFa -B/hdKTun4MwmcchFrgjRda+jz/P42xtgaSmhIETD+C3jnbdEZWFY4xYijyffEUR0 -gUHKH6UPxqoJyeL8ziQmz2jc4j1glnedslHjS+fKlLCU1QKYbhgCcRB4tqILxd9M -e3/QQksgTFZtGymqPuwPMngcR2Om+E3f0UJnCXcaINJp971l971H/yhieYjxQua4 -8NNKVdz6EzYa/46Gv77Nu7+OQ0zGhMowpjGS4kTE9qOQ3udrdL2kFYJm +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIcKV+HaIPaikCAggA +MBQGCCqGSIb3DQMHBAi+airF86oTpgSCAoAQpQyqLzxpkwzliQxxYsv2vMv+YzZy +k0w0p7KUl8ZP3n/UxfM7oPZqASlDkaGEMTcXG7CbH3f5geqYt3utdD4DoaKwDWcc +FI9NlgyqNrYttaF6cTI42OytDlafmQodvD0Wky3OVN3m+RvSNZqXkQb1zeS5Z2OR +exjM7K7IVqy33O4ShrrI7/tajBneKPZos/z56ubDKcSJvJw6D50xxzWXt9QiQR1r +be8vr2HP5kg/XnckX9KByMACqIBjGaWyG6AzvSmsmy0AWME5b+wTSDUxPaVcjLt0 +OjqWz4SsgS3xxlr2yWQzyxJgSQilNcaj9w0/z/3lEinDt+osTulMl0bT5mGm736c +P7v5A7qoBWgjBbgs61NzZy9+pP6721zBjXPG9UAEkSdjkx7gxhLe4ZN5j4Jvz4AW +dpHtcEntmmVF8aYjoCTNhHCpKaiP9NVr3pIuo6vXTufDmkwEEB56sKt/Cgku4jdC +agvMlgAy4iQTZcKPwMc6h9dsfLaj0NBdJ1t8kKkz0dD1VchlX5YoYcua6RSmvVM0 +ziCyznqOB2meSLLAMLcXQAt9waVATgy3UcaW9f7zr4Dq2kTKkfjAHJPArNStWmkR +XdiTTNJ5eiO7lEM3uY9PLpYpZBavbA3D02RRbxDds0PemJzb0SQicInPkLs+gjzJ +Dvj9LGm2/3v9Wlu6AJttYHTur7pYk5vOyJ8QhpnwYe3a1JZ6jQ1NurDRK/UHEzOV +GaWvrsWPzdVS9kJSmHnHdKMxXMZ6HLPgkBwEOQormnAxtIOR3HP43/UzV5RlmO0c +UHjiZgr+rwe88fd6SHegk7KZkNPboZMlVAA9kIk/+0OzySiLDtCsphse -----END ENCRYPTED PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.dated.resp index 5690dfa9a..a3a768e21 100644 Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.good.resp index db5b8e0a3..2b8d5b370 100644 Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.req index 0242fc407..1587c41c5 100644 Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.req and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.revoked.resp index db5b8e0a3..2b8d5b370 100644 Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.ocsp.revoked.resp differ 
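Review bot: expired2.example.com.ocsp.good.resp and expired2.example.com.ocsp.revoked.resp show the same blob ids on both sides (`index db5b8e0a3..2b8d5b370`), so the "good" and "revoked" responses for this host are byte-identical both before and after this change. The expired1 directory has distinct blobs for the same two files, so this looks like a generation slip carried over from the old set. Check which certificate status the shared response actually encodes and regenerate the other file, otherwise a test that uses the "revoked" response for expired2 cannot tell it apart from "good".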
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.p12 b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.p12 index d8327d3a5..6cea1b4e1 100644 Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.p12 and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.p12 differ diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.pem b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.pem index 91a46f95a..90f21dc81 100644 --- a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.pem +++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.pem 
@@ -1,18 +1,21 @@ Bag Attributes friendlyName: expired2.example.com - localKeyID: 00 5E 8C 89 32 69 66 73 D9 E7 D3 9C E8 6A 72 27 1D C2 65 87 + localKeyID: C6 AF 42 A4 62 E4 DE A3 FA 0A 88 C9 9F 8A 3A 95 F8 BD 5F 68 subject=/CN=expired2.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDJaFw0xMjEyMDExMjM0MDJaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w -bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANs6ryDCjUepqaS5l0ZmpJ3m -bU0/nDE43cIfDCU+70Jjvf4rxfiQu1N1iiTO2IdRcxai/STBGxpaJRvo/G5l778C -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt -cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBABTJbEBMPo/NbiMz+shKPbN+T+oAoneT -mb1n+3cM5I3RGkkzF8mYDyamimNn+T8GKWdVkiM/Jov1kv+KY5Twg+U= +MjM0MDdaFw0xMjEyMDExMjM0MDdaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w +bGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1CGIJL05trceWyUkd +Jdp3QFiQGuYn+nRTLUOOJR4v9cYUFomihLdPZ2ElUZuQUQaP3mo0rNwSZBnUWaS+ +2MBOInu3DwBMhCqX2lPmVtOoj9PC0jsxl18pIYW5tKKpVdSVuTXZa/bUCbf351DN +clNIEfh7zFXevzbwrI2x5qrteQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1Ud +EQQYMBaCFGV4cGlyZWQyLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBBQUAA4GBAGNy +FvCmqIUPn/BSasd66jOrg46+YkCh/YN8zt1ysQr5ZgM+mP26W+el9JiknnD17G26 +ImFaxP+X8ghPM54sErbAB3euFpjsdqVqdOr2g7SJJnVvD0XygYqxEy7h7XAl8M9n +ofNIBV2IWKQ1wLHnHquM1v5e3s1dL0ptyfBMPhDE -----END CERTIFICATE----- 
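Review bot: this is the third copy of the same expired2.example.com certificate body in the patch (the identical block also appears in ca_chain.pem and expired2.example.com.chain.pem), and all three are replaced as raw base64 that cannot be compared by eye. Since the copies must stay in step with each other and with the localKeyID in the `.key` file, add a check to the test setup that compares the certificate fingerprint across the three files, or generate the `.chain.pem` and `ca_chain.pem` bundles from the single `.pem` at build time instead of committing each one.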
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.unlocked.key index cc0620beb..029b53655 100644 --- a/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.unlocked.key +++ b/test/aux-fixed/exim-ca/example.com/expired2.example.com/expired2.example.com.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOgIBAAJBANs6ryDCjUepqaS5l0ZmpJ3mbU0/nDE43cIfDCU+70Jjvf4rxfiQ -u1N1iiTO2IdRcxai/STBGxpaJRvo/G5l778CAwEAAQJAads7RulKSMkuxgBrgC39 -3NSwAHXvmIDp61sMhUuPQhF8kxF9IistHoa4TBW3tdSVepBSDoMk0Ote+0UgO3wK -SQIhAPC8xBwjNC+gpnaxOvz2iLGbVwISPgM/TMaa+goBJ3o1AiEA6SDVyZi34Gia -W0YYzmQaJv2VcmGYh0JQ+diJT7qaoKMCIQCfZy6nvvu4KbTv1MzNYWUDzWsgePnM -5qYsv8OeykLcnQIgU4JDkrd2Bpjx0ghGEoihJZ5ozlRPgwQqZZU/eqPph+kCIBAd -MOImezJcizVRRG9PuyxuSvwLlPqjvFKnw2ixRkuW +MIICXQIBAAKBgQC1CGIJL05trceWyUkdJdp3QFiQGuYn+nRTLUOOJR4v9cYUFomi +hLdPZ2ElUZuQUQaP3mo0rNwSZBnUWaS+2MBOInu3DwBMhCqX2lPmVtOoj9PC0jsx +l18pIYW5tKKpVdSVuTXZa/bUCbf351DNclNIEfh7zFXevzbwrI2x5qrteQIDAQAB +AoGAAaTA1xqB2McSH9FWA5i7YgfIhg5odoZ0lei8S0cU/hR6JuaJe1s/Gs5yeFdE +VUwXBilbx3ymRth3z5C8ySrInCkRewoskB4CBzAqEXxgq/njX6cvCdqf/6afzgvE +YQ6UTSASRYnd+dUrdz5m+XP8BU3iW+9aT0ZRWnc4nkKb3gECQQDq4OC7PWtqU1b/ +8fDqp5Loejw1zSVhBTCEyfXKP+s+uWfLoM4e4krGxhjBgBrNS0Qdv006J/nDUPlK +0uT12UTBAkEAxU/tR3RytfW3hRUYFMNhkUGhC/906IoKajKoIiK17vBIA1qynAZ3 +jviT6Q5JQCYCRh25PHQvk+/0jZRNDuG+uQJAPkyNbzyYTCh00Ah1VVhDUCRz6fVS +78v3lZEX/6A6nnWBAXLSmUB+gwCyOkjnUwKeu6EtM7q8tcC5js4naspJQQJBAMEc +vvCmafbo7JrV0GHR79YI06Q4e6V0JUlXFvOB4WpfxTtzM0g9lBpb8/evQcYE7UjO +opMma8JwoXtH4DtmehECQQDWG5T5BXZMPkVSSG9pF6BYlLZveYK6Y7PK6naYj7VN +gR8uaIdeHDlIfvSCxTdiTNeC0y5bEKGNgAjkfrZNsNwn -----END RSA PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/expired2.example.com/key3.db index 9bce6fa62..de31ecd5c 100644 Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/key3.db and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.com/expired2.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/expired2.example.com/secmod.db index a21c55fdb..2461ab320 100644 Binary files a/test/aux-fixed/exim-ca/example.com/expired2.example.com/secmod.db and b/test/aux-fixed/exim-ca/example.com/expired2.example.com/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/ca_chain.pem index ea68b9616..44ca4bfeb 100644 --- a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/ca_chain.pem 
@@ -3,45 +3,54 @@ Bag Attributes subject=/O=example.com/CN=clica Signing Cert issuer=/O=example.com/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw -MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y -7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St -u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa -ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw +MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp +P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3 +/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi +fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2 +tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH +7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.com/CN=clica CA issuer=/O=example.com/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw -MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o 
-mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+ -ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA0WhcNMzgw +MTAxMTIzNDA0WjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0wro64rve876glpdRh +tD6qFY6iH2kCarFFq3WaKmfCvOjYmn4CJr7pL7J5DuvCFh7A0H8lD/on5NK3yqkX +Yi6EUlaYWxeRo2/PuZYUGbCpejST41sibw9V2dT4MHLidjDShE0W9SfgiMmxfF02 +H5hLYswAGCL1kezsVeEJeH31AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAIn9+8uyQtaq8sBEohTl +qyJQQeZk5xxaILYP/rCIxc+z5fgOh+usB9adaiD23RPuuD/P2c3UqHJQWqIUTu46 +eOKn9K7X7ndIH3WnaC/u4nysL+SIAug72/k1BAVGNQvyNQMhth6CfZTgY0tgcS0Z +RSHyhbTD0HeiJDI281BoOJjm -----END CERTIFICATE----- Bag Attributes friendlyName: revoked1.example.com - localKeyID: 33 F8 A9 1F FC 62 68 49 CC C9 26 E0 24 22 40 40 B5 8E E6 07 + localKeyID: 20 71 F8 DC E7 30 30 96 0E C4 15 76 D6 41 24 BA ED 19 8C 15 subject=/CN=revoked1.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMVoXDTM4MDEwMTEyMzQwMVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs -ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtmfFkNpuJsl8xF0EINs9YniA -h0NKsf8Tt61IVzDsR5ULJOSpA7rcqmbniYuWJ7H1q8Rm5WTqjLs5zIKG+cR/lwID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w -bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAXzFO3fDq0RRzNgmAa9aorYUQUx1f6ifG 
-e9zS1V/Qua9HguY4FCm5NkLDSA46OA/NYEtnC3tDNF6PLSNi1Ww9NQ== +MzQwNloXDTM4MDEwMTEyMzQwNlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs +ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKu5DqPk2+MvI4TMS/rU +60uPCkU7DuVVJzyOSkUzxZFsQcEJxfd6sfkicGbzoMkhx2UclbtcP9ll9dLuUplh +hZVbQVI5vAeuEUKPGnHp1KIN776sOYDilf4PCOhQVDNR91OcOwcCKROjCfXu6w7c +RqVCdrIoaCRf/bpBrIyou8WxAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLmNvbS8wHwYDVR0R +BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQEFBQADgYEAMOti +HVUrF17HKVH9eRvCKNJ+1h1R76otCpevvmujGxY/2wrYpbZ5NIWPWoF2tDXfBNDK +r5w5f1DlNWeVZKW5dYtmVS8O7IxhICGlAq9U4A0laj3x6iglbGggqRnQl/QRUd7s +jCG0Bbsa1/nc+9JbPqWGz5LXT3t5cF/6NDeKi68= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/cert8.db index d74575f49..b7b8ebd14 100644 Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/cert8.db and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/key3.db index a35bc2662..94eadc545 100644 Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/key3.db and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem index abb2b6c7a..76d68aa58 100644 --- a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem +++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem 
@@ -1,29 +1,35 @@ Bag Attributes friendlyName: revoked1.example.com - localKeyID: 33 F8 A9 1F FC 62 68 49 CC C9 26 E0 24 22 40 40 B5 8E E6 07 + localKeyID: 20 71 F8 DC E7 30 30 96 0E C4 15 76 D6 41 24 BA ED 19 8C 15 subject=/CN=revoked1.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMVoXDTM4MDEwMTEyMzQwMVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs -ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtmfFkNpuJsl8xF0EINs9YniA -h0NKsf8Tt61IVzDsR5ULJOSpA7rcqmbniYuWJ7H1q8Rm5WTqjLs5zIKG+cR/lwID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w -bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAXzFO3fDq0RRzNgmAa9aorYUQUx1f6ifG -e9zS1V/Qua9HguY4FCm5NkLDSA46OA/NYEtnC3tDNF6PLSNi1Ww9NQ== +MzQwNloXDTM4MDEwMTEyMzQwNlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs +ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKu5DqPk2+MvI4TMS/rU +60uPCkU7DuVVJzyOSkUzxZFsQcEJxfd6sfkicGbzoMkhx2UclbtcP9ll9dLuUplh +hZVbQVI5vAeuEUKPGnHp1KIN776sOYDilf4PCOhQVDNR91OcOwcCKROjCfXu6w7c +RqVCdrIoaCRf/bpBrIyou8WxAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLmNvbS8wHwYDVR0R +BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQEFBQADgYEAMOti +HVUrF17HKVH9eRvCKNJ+1h1R76otCpevvmujGxY/2wrYpbZ5NIWPWoF2tDXfBNDK +r5w5f1DlNWeVZKW5dYtmVS8O7IxhICGlAq9U4A0laj3x6iglbGggqRnQl/QRUd7s +jCG0Bbsa1/nc+9JbPqWGz5LXT3t5cF/6NDeKi68= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt 
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw -MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y -7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St -u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa -ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw +MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp +P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3 +/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi +fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2 +tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH +7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.key b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.key index 05072316a..a76ff9ea5 100644 --- a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.key +++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: revoked1.example.com - localKeyID: 33 F8 A9 1F FC 62 68 49 CC C9 26 E0 24 22 40 40 B5 8E E6 07 + localKeyID: 20 71 F8 DC E7 30 30 96 0E C4 15 76 D6 41 24 BA ED 19 8C 15 Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIxIBGy/hgXxwCAggA -MBQGCCqGSIb3DQMHBAj96WZ8xRBC6QSCAVjQ7DTLCFeVW0ah1ECV+1bvGiQy9JwH -fxHD3s2Wg7+McsAfF2oSx8R0Za7miR70Ke94xrraIuH0NeltyalI5iQOjbGe1W8V -exnRfXI+87W9QHVI85TW2l6pXCR96cj6zrxQAhXFamDY/SfgwTbaQibrduD2eoct -IvJ8QsaywSKwpnQAN/4XlQ6aus7w1ywtvFek+15oAfgACG/mXaZZa9sg/pRzHT3a -8qJjMpJSDOd5QUxKIShidYPNKA88EIvdg9+0wNj42w9A4rAwaoqol4RzdLu8dXbG -lGjiRdGwkMvlwnAWY68hPnAPOiH8ev7lNPkOkk+YsIVoJK7AoEGyvNk2N02kaBBf -xfrHIt8jh8Suvfp0HJbdeBTTT1qu/acwNbeA2TVVXdXyoZTrSWiwmv4P0lBYXJIx -raWLqaaImi5JvL1o5ATr3s8RtD+0iWH5LUuWdzI/agJKUw== +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIaz4go+5KBqgCAggA +MBQGCCqGSIb3DQMHBAhtc8IZfwyFPwSCAoAPcxPLBxhSJXrDApap04PKVC86gzJ9 +4c0mZu50tugE1nDu7jDRCErbmYF9QH2IEoGFVL33gO5q+BH+c5r2D5vkiQ8csrfb +s8DZoPnk36cR40q1LjFBXmxut+Xq3Dw+K4fTzl3vgOtkUqaXYPnMvaB6iejjWNiF +bOIh7A8rlOxJZjVF3wVRVE/j3TyVFqzJ4NMaSfZwW/bMPDMsRpc06UyiX3ffb7i3 +N2I2Sb+MerlIbt/NCM5MRAOP5QzTg08qN959nuPjPyiRtvXwcExj70yqL+fC5KxL +gM2fO3rPIU5bOCJFZJxitddKSC2r99vyIUG+qEXqllGfYKaLvo8xbNJ3JK4kAum+ +j2oF2/PkYDxjhGVd6yLk37xmnMHNqwqNFS1lf9tXbpYD2sOQeyPqiYUSfSEbXniv +j+Gh4nJOccOPvTYakNLk4vSbg6tSmYjICoZIzwiNT5Um7Qstji53UCBggPOplIfN +Eqzxy7m5CxR/l5w2wx5El4F7ECN5lvg3eX2lMp5NT4Bui6lNQOAiAmE3e6MkJ+38 +9tv+NKEYVi5V2BdqOFXEUrZSI2azuSL5q4Ws0Qpp3It6541y/IE85hljvjiYvxqC +oPLdNdI/R5ANmCVNxKWVVmFe7ScoY/spePt2L93Zpikfa0cmheE5TePlfTJVHAVK +KH8fIAHo717gqfQYnE40IVzcLcL9v6WYQ3+nasnvM818CVNWsCKSDLkPFBoKuU8c +Ec0AXFIa+EPIwD96EEIZaZhcG9DicDaaEzLKssP9WL1MFuqDgpRpTKD8tqh3ytqq +PKqDohc0uRQRQuTodSjT73FtAyTZNVe62fxmfDQ0uxkDQzxaiBOzZEmm -----END ENCRYPTED PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.dated.resp index 692482662..ad8c2b647 100644 Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.good.resp index ed8cdb33b..7e7975b2c 100644 Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.req index c16dc3702..605de1b2f 100644 Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.req and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.revoked.resp index 76a2e149e..b5a68fbc2 100644 Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.ocsp.revoked.resp differ 
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.p12 b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.p12 index bcc39e53c..21be4a8ec 100644 Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.p12 and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.p12 differ diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.pem b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.pem index ada2bfd34..fd97a5e0e 100644 --- a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.pem +++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.pem 
@@ -1,18 +1,21 @@ Bag Attributes friendlyName: revoked1.example.com - localKeyID: 33 F8 A9 1F FC 62 68 49 CC C9 26 E0 24 22 40 40 B5 8E E6 07 + localKeyID: 20 71 F8 DC E7 30 30 96 0E C4 15 76 D6 41 24 BA ED 19 8C 15 subject=/CN=revoked1.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMVoXDTM4MDEwMTEyMzQwMVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs -ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtmfFkNpuJsl8xF0EINs9YniA -h0NKsf8Tt61IVzDsR5ULJOSpA7rcqmbniYuWJ7H1q8Rm5WTqjLs5zIKG+cR/lwID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w -bGUuY29tMA0GCSqGSIb3DQEBBQUAA0EAXzFO3fDq0RRzNgmAa9aorYUQUx1f6ifG -e9zS1V/Qua9HguY4FCm5NkLDSA46OA/NYEtnC3tDNF6PLSNi1Ww9NQ== +MzQwNloXDTM4MDEwMTEyMzQwNlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs +ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKu5DqPk2+MvI4TMS/rU +60uPCkU7DuVVJzyOSkUzxZFsQcEJxfd6sfkicGbzoMkhx2UclbtcP9ll9dLuUplh +hZVbQVI5vAeuEUKPGnHp1KIN776sOYDilf4PCOhQVDNR91OcOwcCKROjCfXu6w7c +RqVCdrIoaCRf/bpBrIyou8WxAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLmNvbS8wHwYDVR0R +BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQEFBQADgYEAMOti +HVUrF17HKVH9eRvCKNJ+1h1R76otCpevvmujGxY/2wrYpbZ5NIWPWoF2tDXfBNDK +r5w5f1DlNWeVZKW5dYtmVS8O7IxhICGlAq9U4A0laj3x6iglbGggqRnQl/QRUd7s +jCG0Bbsa1/nc+9JbPqWGz5LXT3t5cF/6NDeKi68= -----END CERTIFICATE----- 
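Review bot: The reissued leaf in revoked1.example.com.pem still embeds the Authority Information Access OCSP URI `http://oscp/example.com/` (the `...odHRwOi8vb3NjcC9leGFtcGxlLmNvbS8w` run on the `+` side decodes to it, as does `cDovL29zY3AvZXhhbXBsZS5jb20v` on the `-` side), which looks like a transposed `ocsp` host name with a `/` where a `.` was meant. Since every certificate in the tree is being regenerated anyway, either correct the URI in the generation input or add a comment beside the fixtures saying the value is deliberate, so that a later test which follows AIA does not silently depend on it.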
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key index f124bccca..d31f30921 100644 --- a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key +++ b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOQIBAAJBALZnxZDabibJfMRdBCDbPWJ4gIdDSrH/E7etSFcw7EeVCyTkqQO6 -3Kpm54mLliex9avEZuVk6oy7OcyChvnEf5cCAwEAAQJALGjPfRjxQJhFvDk5TBaU -t2jHQidsBDIqRsn1luTeYf7KVwL5p51LV27UBqIF+UPa3Wl04rc5IWSCp5CIpASa -IQIhAN6Ekj/LESey/9nn85fDMUH45PgW/7J+NeqwgK6zoyulAiEA0doPRY/U2ano -Hu94mggwB693XasYuRsSsGZWK1+nCYsCIF1BXjGSH0xt/kAKr9IoodouP3eh2+Oo -dVw4QJX2/ylpAiAZUYjUKLVSiZhS2yue0ewRkU8CgxkZhDWuCLrOwtyhXwIgJr3H -b3LNAipslDnHrNzBK2GB6MlM7/+foJ7Lu7pbK+o= +MIICXAIBAAKBgQCruQ6j5NvjLyOEzEv61OtLjwpFOw7lVSc8jkpFM8WRbEHBCcX3 +erH5InBm86DJIcdlHJW7XD/ZZfXS7lKZYYWVW0FSObwHrhFCjxpx6dSiDe++rDmA +4pX+DwjoUFQzUfdTnDsHAikTown17usO3EalQnayKGgkX/26QayMqLvFsQIDAQAB +AoGAJghnkK8YcFm5YSkqTtSnhGWa3bh11R8mAIh3NJqB0HKMoad7fBNlpYsWIAcn +fkSH+AH7u7Jzxb+KUXxNOQFbZ1r6+Ye8nX0Gj1zEeRM9FWbJ3KB5hgd0jWS9tqoW +fbuqKMsxiPTzo10yJ8RNegtsUmx6KCc2om0RvROtiLrH79ECQQDdS826UMtHQwNk +518YWEQ6XogJpu9yO3HNhMfBG3mVpIZRw1vUhNuMAze4I2IAD7gqYPzx1QeX5pq1 +s57VKj19AkEAxqcTv/wwm9tPEUyPx/EBf9cQ4ta+XEpOkwy8VRHkZYi1vUcuniMO +7aQVLHDBG/Ksh2GWpFC7v5qjo9eNgXBvRQJAOhooBs4lwS0YHAsfja3HJCgjwZ0B +61UuOQ6uv8Xt81tCJP+NAcxsNGO34nHvziJScVYLs5cCKmDSp/hkMIWppQJAD6QI +Ag2xJhRWXV5R08Q+AfrE8ZdG1a1kEl/mVCxcd0IUTRrVqM3J1xwcLquSCMlKnD4q +xjU1Exjx2WyXT6GyoQJBAMM9muE6OBGpbcVM4g2jQFH5hUpLRt12+Zth9j6ZmprU +LljRN27vg++BFGdRSKk8dszK9RYJdRhenKqLUUagOoY= -----END RSA PRIVATE KEY----- 
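Review bot: The replacement key in revoked1.example.com.unlocked.key is 1024-bit RSA (the `+` side opens with `MIICXAIBAAKBgQ`, a 129-byte modulus field, where the `-` side opened with `MIIBOQIBAAJBAL`, 512-bit), and nothing in the commit says why that size was chosen. If the regeneration was prompted by TLS libraries refusing the 512-bit keys, 1024 bits only postpones the same failure; generating the fixtures at 2048 bits in this pass, and stating the reason in the commit message or a README under test/aux-fixed/exim-ca, would avoid another full reissue of every cert, key, .p12 and OCSP response.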
diff --git a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/secmod.db index f95ff683b..783e9a8f8 100644 Binary files a/test/aux-fixed/exim-ca/example.com/revoked1.example.com/secmod.db and b/test/aux-fixed/exim-ca/example.com/revoked1.example.com/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/ca_chain.pem index d9830bc9e..426be78d1 100644 --- a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/ca_chain.pem 
@@ -3,45 +3,54 @@ Bag Attributes subject=/O=example.com/CN=clica Signing Cert issuer=/O=example.com/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw -MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y -7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St -u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa -ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw +MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp +P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3 +/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi +fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2 +tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH +7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.com/CN=clica CA issuer=/O=example.com/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw -MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o 
-mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+ -ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA0WhcNMzgw +MTAxMTIzNDA0WjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0wro64rve876glpdRh +tD6qFY6iH2kCarFFq3WaKmfCvOjYmn4CJr7pL7J5DuvCFh7A0H8lD/on5NK3yqkX +Yi6EUlaYWxeRo2/PuZYUGbCpejST41sibw9V2dT4MHLidjDShE0W9SfgiMmxfF02 +H5hLYswAGCL1kezsVeEJeH31AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAIn9+8uyQtaq8sBEohTl +qyJQQeZk5xxaILYP/rCIxc+z5fgOh+usB9adaiD23RPuuD/P2c3UqHJQWqIUTu46 +eOKn9K7X7ndIH3WnaC/u4nysL+SIAug72/k1BAVGNQvyNQMhth6CfZTgY0tgcS0Z +RSHyhbTD0HeiJDI281BoOJjm -----END CERTIFICATE----- Bag Attributes friendlyName: revoked2.example.com - localKeyID: 17 78 A2 B6 AD CE 30 23 61 D1 78 DA EF AD AC 2D 72 C6 16 34 + localKeyID: F6 B8 57 6A D8 2D CB DC DC 43 07 E6 86 40 B7 FA 7B 99 A1 E5 subject=/CN=revoked2.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDJaFw0zODAxMDExMjM0MDJaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w -bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALl7NO1x6uz5p6etz9g+bD4n -/s5Wh/XGDL1IHD78fRFFX9B8dCyoMrzjFTIz8QkOr/sA4RD2B2uk83ZnqtNImY0C -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt -cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBAKtwWm1WtnL+jH97DwIutT6s4CkIY2uY 
-JkpV4segUV03S1pN9Cnamy4prQYPCfOI1BQO4krsDNOoV/PtDvqxuso= +MjM0MDdaFw0zODAxMDExMjM0MDdaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w +bGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNy5rRDiIwXth1Wi0p +FFPOoZ/cXt9lQ3blYjE4gdk0gMZk4Tjqa0UEb/m0bB3EIgVa7IXWo84hMso2fMCP +ElM3Xm8oGzCQ1i9Ju+CKTFc+6yLJD4Ql/pN4tzBxC/Dc3sYWEvRKLNbsd082cO3L +GpKCgIly36apDf7pfQZxqEt1RwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1Ud +EQQYMBaCFHJldm9rZWQyLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBBQUAA4GBAIDM +Wzp1Bzw74TGL96zIVmr92SKV+6EeFKiSm07CXHd7amfj+rIAabexTzEMxFil+VCD +om3NIObOF5HTtCOygBtnMc8/lF9r0rpYMo2cJTQXwUQVQ4UDtj2SsR3BofbCDxb5 +XPMB4J50KwXz7U3M/Kd1cGdSmbkutI56lJWDXSAI -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/cert8.db index 45ca163f9..e28f29ddc 100644 Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/cert8.db and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/key3.db index 4976f1463..ea70d2245 100644 Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/key3.db and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.chain.pem index ecdf2a56d..57e1c89cc 100644 --- a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.chain.pem +++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.chain.pem 
@@ -1,29 +1,35 @@ Bag Attributes friendlyName: revoked2.example.com - localKeyID: 17 78 A2 B6 AD CE 30 23 61 D1 78 DA EF AD AC 2D 72 C6 16 34 + localKeyID: F6 B8 57 6A D8 2D CB DC DC 43 07 E6 86 40 B7 FA 7B 99 A1 E5 subject=/CN=revoked2.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDJaFw0zODAxMDExMjM0MDJaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w -bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALl7NO1x6uz5p6etz9g+bD4n -/s5Wh/XGDL1IHD78fRFFX9B8dCyoMrzjFTIz8QkOr/sA4RD2B2uk83ZnqtNImY0C -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt -cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBAKtwWm1WtnL+jH97DwIutT6s4CkIY2uY -JkpV4segUV03S1pN9Cnamy4prQYPCfOI1BQO4krsDNOoV/PtDvqxuso= +MjM0MDdaFw0zODAxMDExMjM0MDdaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w +bGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNy5rRDiIwXth1Wi0p +FFPOoZ/cXt9lQ3blYjE4gdk0gMZk4Tjqa0UEb/m0bB3EIgVa7IXWo84hMso2fMCP +ElM3Xm8oGzCQ1i9Ju+CKTFc+6yLJD4Ql/pN4tzBxC/Dc3sYWEvRKLNbsd082cO3L +GpKCgIly36apDf7pfQZxqEt1RwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1Ud +EQQYMBaCFHJldm9rZWQyLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBBQUAA4GBAIDM +Wzp1Bzw74TGL96zIVmr92SKV+6EeFKiSm07CXHd7amfj+rIAabexTzEMxFil+VCD +om3NIObOF5HTtCOygBtnMc8/lF9r0rpYMo2cJTQXwUQVQ4UDtj2SsR3BofbCDxb5 +XPMB4J50KwXz7U3M/Kd1cGdSmbkutI56lJWDXSAI -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt 
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw -MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y -7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St -u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa -ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw +MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp +P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3 +/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi +fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2 +tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH +7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.key b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.key index 41e27177d..856666d8a 100644 --- a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.key +++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: revoked2.example.com - localKeyID: 17 78 A2 B6 AD CE 30 23 61 D1 78 DA EF AD AC 2D 72 C6 16 34 + localKeyID: F6 B8 57 6A D8 2D CB DC DC 43 07 E6 86 40 B7 FA 7B 99 A1 E5 Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIFV1GIQOsrw4CAggA -MBQGCCqGSIb3DQMHBAgtBn7nWaro7ASCAWArJ92GA0suBbeIF2CisKcYFfGP+KD5 -LUOKocnSVgVeEvjQmoLzb/YAnXQsh3HtfHjbsJg1Hix4XIRI6skZD33JhhQZha/0 -M8QsA3GBCPcskjQCIMg0FVltjZOVnR20JxlI0HtMybZrIlhNCcWrLkVhU8CRbzFc -Pubs7P9xIxlfuWVAEBmlOb1LkctHKnWlvVDR4Bef7epwa/KttSmLbBHuayQiwvms -axUke+NYJvzFWfKpTXP0OHOfz7cdb5dN/BcF642LIGu2f7nY7vGbSG9+iZ4Mb85k -FBbuSFquqAdxho6IHL7p/xfsW3k8+o6jKhCqkFaY1O1TNLmNtyJSyULDEbJMBiBF -Q0pLC3AF6EtPDvN7gIvlY6jERZb7j8DJrCnjbEJR1IF09DrH3EdfaYLnGd+0/SRn -UPY0jNEmT8hwj1ANacuSlBaIXYSjtjDYwJTz4DJA36z+03TDo/ahxwaW +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIlxIrxmJRt8QCAggA +MBQGCCqGSIb3DQMHBAgod4MeM3j+0ASCAoBwu4gld5x2UyoP3M2re8SrlwbNnWut +VQH6reInjBZfOOYco4PekLMSoD2kZYcdcupquBe6cmb72ODBkmDHa84p/NtQznhI +FO1oF/isGm0OSQBp1odVoSY9ZqYrMlbikBHoCVljLFGimFZcdU69xRnNk9LKReB2 +sUVF2DzYQkgPM+OCQjza53nJh8XJTgXJkKjaqcjkfbP8QuVQBzBXgVRPqh2WnXA3 +St4Pj3qXuG177Q86X+NDS0S4mRuVwkarB8jDqkWnhdl3fcZz3NHCSj4aDxuOxos1 +3XcGCXG50W+31cAoj6oRfPKgaDt0zOfMySBJqhBYSYTV36Wddoq3rzPJyNOTHpFW +Y5K+792SYC++bIFEyJOrTH0a/NsVDrFHvX9ib94KscD9TM2yUP06Yr8j3jh9ecDs +YNfsVqdNq62Hj+B9hBPIrBUufuAMHwOengcB+tcpJvNX5/ckBIPCSFjxlbFWZ/nr +E87+AEmt4xYAQAXvutBRC/W6kLvcdD7oGIEKEmhUrBPegA6hFaAo7L+whpW5dp90 +cVwGTpPMqiHkbBEl5XOQmmpqtyZteRfccvAD6+obJHt59dZ6T/il7GItPmBOxO9Q +UWd4bCOLvI1gmSsfpP0akX2gUDFPAlzCuYgalMZ5krkk1VlEunRTMBUuW5zziiEE +YKw8I0AV9LjmYCsGHl00LGKgOof0GjCbh+RV+qcuJIlVe26Q+gl1ubsI/3sfPu+e +l+SFAdtxmWh0gQVrQIW6SdZJ5gfqIZZOleq6PXOl4em7/GnRD1+xtnzsEZRRMILt ++UF6GFSlar8Ug87RLEsTbA0uqcXA8KhsACU//Zof3ZWzGor4+dqcEabj -----END ENCRYPTED PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.dated.resp index 2d46e900a..e37abf6ee 100644 Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.good.resp index 4651403ef..929fd6ac8 100644 Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.req index 78aa197a4..77bb71392 100644 Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.req and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.revoked.resp index 4651403ef..929fd6ac8 100644 Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.ocsp.revoked.resp differ 
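Review bot: For revoked2.example.com, `revoked2.example.com.ocsp.good.resp` and `revoked2.example.com.ocsp.revoked.resp` carry the same blob on both sides of the change (`index 4651403ef..929fd6ac8` for each), so the two fixtures are byte-identical, whereas the revoked1 pair has distinct blobs. If that is intended (for example because revoked2 was already revoked when the responses were produced), a short note in the fixture directory would save the next reader from decoding both files; if not, any test that staples the "good" response for revoked2 is exercising the same certificate status as the "revoked" one.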
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.p12 b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.p12 index d94652eda..8f918c9d5 100644 Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.p12 and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.p12 differ diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.pem b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.pem index 529be660e..13043f350 100644 --- a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.pem +++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.pem 
@@ -1,18 +1,21 @@ Bag Attributes friendlyName: revoked2.example.com - localKeyID: 17 78 A2 B6 AD CE 30 23 61 D1 78 DA EF AD AC 2D 72 C6 16 34 + localKeyID: F6 B8 57 6A D8 2D CB DC DC 43 07 E6 86 40 B7 FA 7B 99 A1 E5 subject=/CN=revoked2.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDJaFw0zODAxMDExMjM0MDJaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w -bGUuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALl7NO1x6uz5p6etz9g+bD4n -/s5Wh/XGDL1IHD78fRFFX9B8dCyoMrzjFTIz8QkOr/sA4RD2B2uk83ZnqtNImY0C -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5jb20vbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUuY29tLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt -cGxlLmNvbTANBgkqhkiG9w0BAQUFAANBAKtwWm1WtnL+jH97DwIutT6s4CkIY2uY -JkpV4segUV03S1pN9Cnamy4prQYPCfOI1BQO4krsDNOoV/PtDvqxuso= +MjM0MDdaFw0zODAxMDExMjM0MDdaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w +bGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNy5rRDiIwXth1Wi0p +FFPOoZ/cXt9lQ3blYjE4gdk0gMZk4Tjqa0UEb/m0bB3EIgVa7IXWo84hMso2fMCP +ElM3Xm8oGzCQ1i9Ju+CKTFc+6yLJD4Ql/pN4tzBxC/Dc3sYWEvRKLNbsd082cO3L +GpKCgIly36apDf7pfQZxqEt1RwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5jb20vMB8GA1Ud +EQQYMBaCFHJldm9rZWQyLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBBQUAA4GBAIDM +Wzp1Bzw74TGL96zIVmr92SKV+6EeFKiSm07CXHd7amfj+rIAabexTzEMxFil+VCD +om3NIObOF5HTtCOygBtnMc8/lF9r0rpYMo2cJTQXwUQVQ4UDtj2SsR3BofbCDxb5 +XPMB4J50KwXz7U3M/Kd1cGdSmbkutI56lJWDXSAI -----END CERTIFICATE----- 
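Review bot: The signature algorithm on the reissued revoked2.example.com leaf is unchanged at sha1WithRSAEncryption (`MA0GCSqGSIb3DQEBBQUAA4GBA...` precedes the signature on the `+` side, the same OID as `MA0GCSqGSIb3DQEBBQUAA0EA...` on the `-` side); only the key and signature lengths grew. If the point of regenerating is to keep the test suite working against TLS libraries with stricter defaults, consider issuing with SHA-256 in the same pass, or record that SHA-1 is kept on purpose so the fixtures match what the tests expect to negotiate.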
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.unlocked.key index 9c8a59b5a..1dab19489 100644 --- a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.unlocked.key +++ b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/revoked2.example.com.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBPAIBAAJBALl7NO1x6uz5p6etz9g+bD4n/s5Wh/XGDL1IHD78fRFFX9B8dCyo -MrzjFTIz8QkOr/sA4RD2B2uk83ZnqtNImY0CAwEAAQJBAKkeAI07YDOAEnCd1zPY -/sLRns+uMDtUwArZs/9uIe7a3X4ussXCv60z9epuGre7StXrVyDGBnGqGexsKIiH -uaECIQDzrY97z+Zcb1RZ/ncQfiep40jMGmpDX/un+wtfkeICWQIhAMLcSIgL/FTH -t7ehuH5pClcJY0bX0tbOpfNgOWvMniJVAiEAyrYMkewOb8Dxg/gLJn48ErkP2zLy -SWA0orZV7MgYIukCIBcGcIui3u4lq0/HjEVjpBUkxtZYKlG3mWRoumBCjW0BAiEA -tqIijH5G06iofDnTIJzXFfetUPNl/wqJ1Xz6ECFh84s= +MIICXQIBAAKBgQDNy5rRDiIwXth1Wi0pFFPOoZ/cXt9lQ3blYjE4gdk0gMZk4Tjq +a0UEb/m0bB3EIgVa7IXWo84hMso2fMCPElM3Xm8oGzCQ1i9Ju+CKTFc+6yLJD4Ql +/pN4tzBxC/Dc3sYWEvRKLNbsd082cO3LGpKCgIly36apDf7pfQZxqEt1RwIDAQAB +AoGAS7io5Fcg+U9MshFWIJFcLOGHYpx98lKagthYaARPGWRwm1nLiWWi5XkWFe7a +HPqvob75l/p5s/luMhJA/+OsPkAwxCN7+o1vBBAT2NFtF7AVk3gjaK5eAIdE+4XV +Og7njMoQM0yvHkN4JbHQrQgefla/R6JkOFn9cMxYQhoQLpECQQDvPOVaMSR+LPri +UAlxnPfiMB7wRSGCNMVXEoocOa6+2KJltxwospcqTgqFM4OUJQIMnETN9UBUaMZy +kUlrJGX1AkEA3DbdXbwSypr0IhMH9uIDSnU6UJozy04WXndC3Ucdxjl3prs49na5 +9S7EPjY/MYuaxJe8hXQ6/Oq3/S0W43asywJBAL5LAN/B0RYv7wtOwIRHaADZZ/KT ++nhYQ1PkIkkbNL0HEf24LcTNcWIsG0AiXpna6gtfzXbJinbZtGfy2qRHmnUCQHE7 +2PoQ8kyx/uTiik7dirmnq9O0ZvucbI4onv4vSlUaSbc3QCQjip1Tbd9bf4UXdv6t +02eAC7DvdKo/nCxcYp8CQQDsyIFsn5fVBGXTceFtFYVTw5KwG1b7+l6gM4q0IkKn +BS0IhuSjRpJuw6QfHMaxb2d6d2z/JOiRVCRJwpTnl9Zz -----END RSA PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/secmod.db index b7f2179f7..3413d5695 100644 Binary files a/test/aux-fixed/exim-ca/example.com/revoked2.example.com/secmod.db and b/test/aux-fixed/exim-ca/example.com/revoked2.example.com/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem index 5bb06777d..9b749e121 100644 --- a/test/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem 
@@ -3,45 +3,56 @@ Bag Attributes subject=/O=example.com/CN=clica Signing Cert issuer=/O=example.com/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw -MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y -7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St -u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa -ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw +MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp +P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3 +/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi +fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2 +tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH +7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.com/CN=clica CA issuer=/O=example.com/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw -MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o 
-mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+ -ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA0WhcNMzgw +MTAxMTIzNDA0WjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0wro64rve876glpdRh +tD6qFY6iH2kCarFFq3WaKmfCvOjYmn4CJr7pL7J5DuvCFh7A0H8lD/on5NK3yqkX +Yi6EUlaYWxeRo2/PuZYUGbCpejST41sibw9V2dT4MHLidjDShE0W9SfgiMmxfF02 +H5hLYswAGCL1kezsVeEJeH31AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAIn9+8uyQtaq8sBEohTl +qyJQQeZk5xxaILYP/rCIxc+z5fgOh+usB9adaiD23RPuuD/P2c3UqHJQWqIUTu46 +eOKn9K7X7ndIH3WnaC/u4nysL+SIAug72/k1BAVGNQvyNQMhth6CfZTgY0tgcS0Z +RSHyhbTD0HeiJDI281BoOJjm -----END CERTIFICATE----- Bag Attributes friendlyName: server1.example.com - localKeyID: 7B 32 26 98 D0 B8 1E 75 99 29 DC F8 13 EE 29 B7 59 E3 DC DC + localKeyID: 39 11 FB 30 22 36 42 DA FC D7 A2 8A 0C 60 83 2F 66 A7 B8 4E subject=/CN=server1.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMVoXDTM4MDEwMTEyMzQwMVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl -LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC6EbKf3ZB2Zm+SVn7KzSofX5I+ -3KANkvS0aVxUS/mtnKJg6JLKc2dVav1OmPTF/M8J21F6tVd8EHWBrlsgS3QdAgMB -AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB -BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu -Y29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw -Oi8vb3NjcC9leGFtcGxlLmNvbS8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl -LmNvbTANBgkqhkiG9w0BAQUFAANBALDva+1Fm8VMNtBTzLmk0wd+rAGNry/HPB++ 
-vNngBR33/8N/529Zr4WPrL2BeOZkQeDO1qH/2giCAvYfZoBOIO4= +MzQwNVoXDTM4MDEwMTEyMzQwNVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl +LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyAGT263/ZlxGjPEi2BQj +DMa/86TF+zVzMfozEZNOLiX6Sov54fW5I0nXCm0CjACOelLa2Eos/vqffxu0w5hM +A8slRHrt0Gak7dJjwgKK/5NAQDrA+WnyJx/62u25299oCKk+egulCC0D3XczA89N +cLuz8iKvYnWT+rdnbFdAPdcCAwEAAaOCAQcwggEDMA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5jb20vMGUGA1Ud +EQReMFyCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLmNvbYIiYWx0ZXJu +YXRlbmFtZTIuc2VydmVyMS5leGFtcGxlLmNvbYITc2VydmVyMS5leGFtcGxlLmNv +bTANBgkqhkiG9w0BAQUFAAOBgQBWOqQ8y+u4J8KQCHQTiNxIxrUs5Sa+W5HUZ+c8 +SRLXRzDfmNtY7RiofUvbl0j1XH9wuTdjM/EkYnKSYPVu2ra8c8jC3NaVmr0WFqLv +CvHXQWj2rZha0P/ZG1GfWc4vPYTQ7ugr65syGg4CPswwiUQJKnWBRqe27X1B61pj ++pxY7w== -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/server1.example.com/cert8.db index 9d730fe90..cf3e41634 100644 Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/cert8.db and b/test/aux-fixed/exim-ca/example.com/server1.example.com/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/server1.example.com/key3.db index 672b08826..3dcc5a5c8 100644 Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/key3.db and b/test/aux-fixed/exim-ca/example.com/server1.example.com/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/server1.example.com/secmod.db index 0883379dc..f037d5104 100644 Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/secmod.db and b/test/aux-fixed/exim-ca/example.com/server1.example.com/secmod.db differ 
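Review bot: Nothing in this change records that the server1.example.com leaf in server1.example.com/ca_chain.pem now has three subjectAltName dNSNames instead of one: the `+` lines `EQReMFyCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLmNvbYIiYWx0ZXJu` and following decode to alternatename.server1.example.com and alternatename2.server1.example.com ahead of server1.example.com, where the `-` side had server1.example.com only. Because the difference is invisible in a base64 diff and the commit message only says "Merge tag 'exim-4_82_1'", please name the added SANs and the tests that rely on them in the commit message or next to the generation script, so a future regeneration does not drop them.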
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem index 6ea0a5291..75351ee68 100644 --- a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem +++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem 
@@ -1,29 +1,37 @@ Bag Attributes friendlyName: server1.example.com - localKeyID: 7B 32 26 98 D0 B8 1E 75 99 29 DC F8 13 EE 29 B7 59 E3 DC DC + localKeyID: 39 11 FB 30 22 36 42 DA FC D7 A2 8A 0C 60 83 2F 66 A7 B8 4E subject=/CN=server1.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMVoXDTM4MDEwMTEyMzQwMVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl -LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC6EbKf3ZB2Zm+SVn7KzSofX5I+ -3KANkvS0aVxUS/mtnKJg6JLKc2dVav1OmPTF/M8J21F6tVd8EHWBrlsgS3QdAgMB -AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB -BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu -Y29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw -Oi8vb3NjcC9leGFtcGxlLmNvbS8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl -LmNvbTANBgkqhkiG9w0BAQUFAANBALDva+1Fm8VMNtBTzLmk0wd+rAGNry/HPB++ -vNngBR33/8N/529Zr4WPrL2BeOZkQeDO1qH/2giCAvYfZoBOIO4= +MzQwNVoXDTM4MDEwMTEyMzQwNVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl +LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyAGT263/ZlxGjPEi2BQj +DMa/86TF+zVzMfozEZNOLiX6Sov54fW5I0nXCm0CjACOelLa2Eos/vqffxu0w5hM +A8slRHrt0Gak7dJjwgKK/5NAQDrA+WnyJx/62u25299oCKk+egulCC0D3XczA89N +cLuz8iKvYnWT+rdnbFdAPdcCAwEAAaOCAQcwggEDMA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5jb20vMGUGA1Ud +EQReMFyCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLmNvbYIiYWx0ZXJu +YXRlbmFtZTIuc2VydmVyMS5leGFtcGxlLmNvbYITc2VydmVyMS5leGFtcGxlLmNv +bTANBgkqhkiG9w0BAQUFAAOBgQBWOqQ8y+u4J8KQCHQTiNxIxrUs5Sa+W5HUZ+c8 +SRLXRzDfmNtY7RiofUvbl0j1XH9wuTdjM/EkYnKSYPVu2ra8c8jC3NaVmr0WFqLv +CvHXQWj2rZha0P/ZG1GfWc4vPYTQ7ugr65syGg4CPswwiUQJKnWBRqe27X1B61pj ++pxY7w== -----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw -MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y -7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St -u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa -ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw +MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp +P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3 +/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi +fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2 +tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH +7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.key b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.key index 02d5161e4..015eda1c4 100644 --- a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.key +++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: server1.example.com - localKeyID: 7B 32 26 98 D0 B8 1E 75 99 29 DC F8 13 EE 29 B7 59 E3 DC DC + localKeyID: 39 11 FB 30 22 36 42 DA FC D7 A2 8A 0C 60 83 2F 66 A7 B8 4E Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIt+n3xYebFlACAggA -MBQGCCqGSIb3DQMHBAi30QtCXj3kIQSCAVjO+WdU7jaPYN1v7ev2qNehi8MrvllJ -Q03/xCaiGTI7fUQM55W4Tc5+b952ni6ZtCnYfCojIQ6Wr0uyrabRE9nCRTudKAGv -+RG/vO576Wv69XblZaKwPp1ru5Fb+TqMRDmHsJKzmjx4/iN3l/673w8QEW+opYjI -i+azRCzMjUcFDkExEqXunJCDD4k0iWv/LTiXa/WfKoPncY6dmtjGt/ceGG7gn+sy -IGTPbVyX85I4lfSb42mQjticlqpNWNv+BasZNGIAGkreGEIR1HqvoIeIjyze4j/k -yAA/oAO7WucowZfX6Rcno9yO5Cjsbn60RPMe5aSnCKXH8OnaklegbzQCIXwlRapH -VCE28ladQ1+7zwCBhCW60WwhRN0UDQz9aFTrbhZ0uUZ13t/EcRr17f43hXnjwCVg -+q6ixyRnx4zSncCTL6iOe2ybUV8IXCFdrWnd7CYJOz804w== +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI6fjxhvGKYVoCAggA +MBQGCCqGSIb3DQMHBAjQxvdFIdms8gSCAoAULVw7VEEz159PQHH1BB4asGdSs50D +q7BYWQR35O+NEsAPVc/fMn2XnV50X9ETPIYX+5U+5jwAJvYxaRfgkHAoo8Nkh06F +dMxgd0Ks2k5ri9satjESMmDVce55pFP2QIK+nqFDlpXmAg1hzYFFT0CLKRxzbPCY +sopcEUpg5zoXUVtMZbQ26HRPbagsIF5gmg7yKAgDBr6cbWkNbFhEjH5P6zV16t1A +dmhYOvAJgVd32arHiFLE3uj6mmi8qN+HUSTRATTXwVFgwYVz75wJL0+9TsFqqXXP +JIl/zM7FHa67kzSOXzhzkr3CqzVM498GadDl19hIuTGrw9lwvVlNEnPJQw2GerjQ +02R6A3FC9areZv+Ixoe/L2G30Z1Js9OIkuQbyTjAvLsPQg5yL+/Z6J4KPdY0SHZh +a4MIZ12vX4qzQPPQHiIZ8yTEcXBCq3v5towxnKutdtszonvHiTWTcwf2fMNIO6Kc +5H8V5l87Tl0LzIWC/gjA0nChDf7ckTJAzVPBWP8CI9Dhf0KbE7Z3d99+lSlhA9+u +Tjkrk13qjCSvaROlnI/tE9H99LwN74b6/BMfYy5F8hwYYeIYXZsZUdbY/S+Ugb+L +BvUxW3Z6ObTI4RPKOKVY9cCQilfUYjnnLTx9JagqkBnpgC4g6CgB8bEU7ClOulv4 +Y0+Z4WZySNAXBEC1nb5F/4V+zY2pSVbKaMRttILz7c0Uo/2lcBsQVy7lN6bD18ea +s/jWj3oDfM/pKHSGR+DY/VEy1AGnXrovqlV6NlpeuKUnk/cLtQNOFCRPMJLub7z6 +JF3aDC4L1yiIYyMGUZDagv70kTWhH7glcB1TzUsipET88HU8HM9t1yyO -----END ENCRYPTED PRIVATE KEY----- 
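Review bot: the re-encrypted key in this hunk keeps the protection parameters of the blob it replaces. The leading bytes of both the removed and the added `ENCRYPTED PRIVATE KEY` body decode to the same PBES2 header (PBKDF2 with an iteration count of 2048, des-ede3-cbc), and only the salt, IV and ciphertext length differ. If that choice is deliberate for compatibility with the TLS libraries the test suite runs against, state it where the fixture is generated. Nothing in the Bag Attributes or elsewhere in this hunk records the passphrase or the command that produced the file, so add that alongside the fixture so the next regeneration yields a key the existing tests can still open.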
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp index 0e35bdfff..feaab22d9 100644 Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp index c616136d2..9b7fd14e3 100644 Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.req index fb9674a6f..7a2852d88 100644 Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.req and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp index aa6d371b4..3de666f8c 100644 Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp differ 
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.p12 b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.p12 index e7f3cfb95..33f5b4f1e 100644 Binary files a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.p12 and b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.p12 differ diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem index 5080ef803..f5442cd0f 100644 --- a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem +++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem 
@@ -1,18 +1,23 @@ Bag Attributes friendlyName: server1.example.com - localKeyID: 7B 32 26 98 D0 B8 1E 75 99 29 DC F8 13 EE 29 B7 59 E3 DC DC + localKeyID: 39 11 FB 30 22 36 42 DA FC D7 A2 8A 0C 60 83 2F 66 A7 B8 4E subject=/CN=server1.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLmNvbTEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMVoXDTM4MDEwMTEyMzQwMVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl -LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC6EbKf3ZB2Zm+SVn7KzSofX5I+ -3KANkvS0aVxUS/mtnKJg6JLKc2dVav1OmPTF/M8J21F6tVd8EHWBrlsgS3QdAgMB -AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB -BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu -Y29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw -Oi8vb3NjcC9leGFtcGxlLmNvbS8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl -LmNvbTANBgkqhkiG9w0BAQUFAANBALDva+1Fm8VMNtBTzLmk0wd+rAGNry/HPB++ -vNngBR33/8N/529Zr4WPrL2BeOZkQeDO1qH/2giCAvYfZoBOIO4= +MzQwNVoXDTM4MDEwMTEyMzQwNVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl +LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyAGT263/ZlxGjPEi2BQj +DMa/86TF+zVzMfozEZNOLiX6Sov54fW5I0nXCm0CjACOelLa2Eos/vqffxu0w5hM +A8slRHrt0Gak7dJjwgKK/5NAQDrA+WnyJx/62u25299oCKk+egulCC0D3XczA89N +cLuz8iKvYnWT+rdnbFdAPdcCAwEAAaOCAQcwggEDMA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5jb20vMGUGA1Ud +EQReMFyCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLmNvbYIiYWx0ZXJu +YXRlbmFtZTIuc2VydmVyMS5leGFtcGxlLmNvbYITc2VydmVyMS5leGFtcGxlLmNv +bTANBgkqhkiG9w0BAQUFAAOBgQBWOqQ8y+u4J8KQCHQTiNxIxrUs5Sa+W5HUZ+c8 +SRLXRzDfmNtY7RiofUvbl0j1XH9wuTdjM/EkYnKSYPVu2ra8c8jC3NaVmr0WFqLv +CvHXQWj2rZha0P/ZG1GfWc4vPYTQ7ugr65syGg4CPswwiUQJKnWBRqe27X1B61pj ++pxY7w== -----END CERTIFICATE----- 
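Review bot: the replacement server1 certificate changes more than the key, and the merge message does not say so. The subjectAltName in the added base64 decodes to three dNSName entries (alternatename.server1.example.com, alternatename2.server1.example.com, server1.example.com), where the removed certificate carried only server1.example.com; the server2 certificate regenerated in the same patch keeps its single name. Name the test that depends on the extra entries, because any expected output that prints or matches the SAN list for server1 changes with this hunk. The subject public key also grows from 512-bit to 1024-bit RSA while the signature algorithm stays sha1WithRSAEncryption, which is acceptable for fixtures under test/aux-fixed but deserves a line of documentation next to them so the chain is not reused outside the test suite.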
diff --git a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key index a61697416..25d14df45 100644 --- a/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key +++ b/test/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOQIBAAJBALoRsp/dkHZmb5JWfsrNKh9fkj7coA2S9LRpXFRL+a2comDokspz -Z1Vq/U6Y9MX8zwnbUXq1V3wQdYGuWyBLdB0CAwEAAQJAC7hRqAAsuUh6fp00H1IM -9Szv6UW8Tx6Si0qXpjei4mx/reGBvQGTIUJuGdXmuBH5tQHLPskjEqXmgiccWydz -gQIhAPCP3JccbCUpKELah84ikXuQs0PEnGfyg4oP22x0B5q3AiEAxgKV7eFrd5Qa -FfjHsK/HfrL8YQYynm8yDqqHnSsJY8sCIFei4Sa/uPoUs1EfkWfcGgnc3iGrB5uq -spbiTfqFjpujAiAcWvhvdU13dUz7AoJOKg3udeEwX7vV9mR7ty3ucuBIWwIgEy7b -le8z7zokRTzIKSMpl5xr/0Vp6DWlS0KwuLNuJjc= +MIICXAIBAAKBgQDIAZPbrf9mXEaM8SLYFCMMxr/zpMX7NXMx+jMRk04uJfpKi/nh +9bkjSdcKbQKMAI56UtrYSiz++p9/G7TDmEwDyyVEeu3QZqTt0mPCAor/k0BAOsD5 +afInH/ra7bnb32gIqT56C6UILQPddzMDz01wu7PyIq9idZP6t2dsV0A91wIDAQAB +AoGAIT/Z48heUBcBB4dC4qceWI5l9MwsuaFeIC3W9ZIGijd4D5KLnRvrhklNPYd3 +x+yDwyQpC5HxPwZNI6VofKfB4whObRomItHBYDvy0u2xVGinZydYXdIgg9XUw4zj +FETx7NeIa+zQMA8oGbKfnk6c+5sFqJInylh9oYcVC5mr1BkCQQDnf/5cTco79KC+ +HDHO/XKiRrWZGlrl8m4BJldYvmocRtiYD7nu7YccrvNV5vRHiTY0xTScMZchoSaO +vWZ13i9LAkEA3SxTPa675S4Or+Ab2wKWORdvK1rKWXYgH4th3zfN9sWB5X7XTFe1 +tmelJjlb0diGYBX3ZyNLo3aHcqSOPYE4JQJAFuvkao1FPeR92fT+tYkAxbKMnoku +gOAdJj3+ngnUhdI59exws4iPPTbRXysL+t1KIbV4/RIn7auAHtgAAiGquwJAdtiq +oiqSrMPjAH7ceQMa1fLRueo/cXMYL9sl7FyAQGpBMqDF8C/xZOKsy61muYwwKNGk +77b3ng7DGcdy53nYQQJBAKxU/egi+ss4im9KOhzFLtnAS0VIqvKv5KXMUQ42bP6x +kKM6yiLi2005IjEKmO/eq3bD2ryXETMwS9Lc8/Ecm0A= -----END RSA PRIVATE KEY----- diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem b/test/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem index dc1fbb709..089d6ebe3 100644 
--- a/test/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem 
@@ -3,45 +3,54 @@ Bag Attributes subject=/O=example.com/CN=clica Signing Cert issuer=/O=example.com/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw -MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y -7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St -u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa -ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw +MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp +P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3 +/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi +fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2 +tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH +7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.com/CN=clica CA issuer=/O=example.com/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAwWhcNMzgw -MTAxMTIzNDAwWjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxYR8NYQvEd7/e4MvOj9dh2+o 
-mnywT9ajMo1589DWt2z14ouRKhSZWlx4O4AicPZc6n4uvt7++t0tTHhmm5JIbwID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBALjVd1KMBadFJFIzTEspoPYxJvXKvLMclekQs5QY0lmmUj5+ -ugITEG6ywu3s+REUB+8Dj+ofQz3tgIm9NBpkfsA= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA0WhcNMzgw +MTAxMTIzNDA0WjApMRQwEgYDVQQKEwtleGFtcGxlLmNvbTERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0wro64rve876glpdRh +tD6qFY6iH2kCarFFq3WaKmfCvOjYmn4CJr7pL7J5DuvCFh7A0H8lD/on5NK3yqkX +Yi6EUlaYWxeRo2/PuZYUGbCpejST41sibw9V2dT4MHLidjDShE0W9SfgiMmxfF02 +H5hLYswAGCL1kezsVeEJeH31AgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAIn9+8uyQtaq8sBEohTl +qyJQQeZk5xxaILYP/rCIxc+z5fgOh+usB9adaiD23RPuuD/P2c3UqHJQWqIUTu46 +eOKn9K7X7ndIH3WnaC/u4nysL+SIAug72/k1BAVGNQvyNQMhth6CfZTgY0tgcS0Z +RSHyhbTD0HeiJDI281BoOJjm -----END CERTIFICATE----- Bag Attributes friendlyName: server2.example.com - localKeyID: 69 B2 C3 8A B6 1C C2 19 F4 1B 4E 74 28 AF 12 89 E8 2E D9 BE + localKeyID: 40 B2 13 5E 6B 67 AE 36 A3 97 69 6D A3 28 42 36 85 E7 4C E3 subject=/CN=server2.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDFaFw0zODAxMDExMjM0MDFaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs -ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA2TCJENbO0UK+Cjs2HSqq1OlM -VIJQs/ctua3DEcPOphjNwLrUqVGv5qkWFDHbsJ00hpiW7uK9tDfawSWmcFis1wID -AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5jb20vMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs -ZS5jb20wDQYJKoZIhvcNAQEFBQADQQCeF6NprEufUaSaqXhBk7hP7kX2NtTEkHmg 
-hm1yvEzKL1/7gmqhMAGFapGV90k/8J6L4FiIEaxIHuTvm94KfKZi +MjM0MDZaFw0zODAxMDExMjM0MDZaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs +ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALLgFpuQXy2obzVio/WK +IQr7+KQt3p1umyTBM0FgRS2wEvbobbp5yi304Ob3v2BOpBwpKBbH+SXwAWKg5z8j +XVf/h76XGcKdbwSQtt7Rq1ANKW63urh0+MaGyHeBFC1zYdQHqvqHcfFzSA1Ai4yy +tXf7OdNmRI7cK/FwtPLji28xAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLmNvbS8wHgYDVR0R +BBcwFYITc2VydmVyMi5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQUFAAOBgQBsN0Em +TV30tTEQZ8r7ZLYimGL3HpV7bOZ0RyH0Xok2PrmcisVSu8SvEpMmO9c94FZxHh0h +IALt8E7VXkVC/Tw4QVSDhgs7v8VHOf8V6pPc/cc9GFhZyt0q2Ln5L7l2k/Su45FW +gC+MBC+tV+/SURn0tO8ynKw6fA24Odux4zBzGg== -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/cert8.db b/test/aux-fixed/exim-ca/example.com/server2.example.com/cert8.db index 840f69431..f943c1553 100644 Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/cert8.db and b/test/aux-fixed/exim-ca/example.com/server2.example.com/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/key3.db b/test/aux-fixed/exim-ca/example.com/server2.example.com/key3.db index 89bff133c..aba3c6b55 100644 Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/key3.db and b/test/aux-fixed/exim-ca/example.com/server2.example.com/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/secmod.db b/test/aux-fixed/exim-ca/example.com/server2.example.com/secmod.db index 8ea139c76..39f84807f 100644 Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/secmod.db and b/test/aux-fixed/exim-ca/example.com/server2.example.com/secmod.db differ 
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.chain.pem b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.chain.pem index 52263a231..3381216f3 100644 --- a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.chain.pem +++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.chain.pem 
@@ -1,29 +1,35 @@ Bag Attributes friendlyName: server2.example.com - localKeyID: 69 B2 C3 8A B6 1C C2 19 F4 1B 4E 74 28 AF 12 89 E8 2E D9 BE + localKeyID: 40 B2 13 5E 6B 67 AE 36 A3 97 69 6D A3 28 42 36 85 E7 4C E3 subject=/CN=server2.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDFaFw0zODAxMDExMjM0MDFaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs -ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA2TCJENbO0UK+Cjs2HSqq1OlM -VIJQs/ctua3DEcPOphjNwLrUqVGv5qkWFDHbsJ00hpiW7uK9tDfawSWmcFis1wID -AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5jb20vMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs -ZS5jb20wDQYJKoZIhvcNAQEFBQADQQCeF6NprEufUaSaqXhBk7hP7kX2NtTEkHmg -hm1yvEzKL1/7gmqhMAGFapGV90k/8J6L4FiIEaxIHuTvm94KfKZi +MjM0MDZaFw0zODAxMDExMjM0MDZaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs +ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALLgFpuQXy2obzVio/WK +IQr7+KQt3p1umyTBM0FgRS2wEvbobbp5yi304Ob3v2BOpBwpKBbH+SXwAWKg5z8j +XVf/h76XGcKdbwSQtt7Rq1ANKW63urh0+MaGyHeBFC1zYdQHqvqHcfFzSA1Ai4yy +tXf7OdNmRI7cK/FwtPLji28xAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLmNvbS8wHgYDVR0R +BBcwFYITc2VydmVyMi5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQUFAAOBgQBsN0Em +TV30tTEQZ8r7ZLYimGL3HpV7bOZ0RyH0Xok2PrmcisVSu8SvEpMmO9c94FZxHh0h +IALt8E7VXkVC/Tw4QVSDhgs7v8VHOf8V6pPc/cc9GFhZyt0q2Ln5L7l2k/Su45FW +gC+MBC+tV+/SURn0tO8ynKw6fA24Odux4zBzGg== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt 
-cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAxWhcNMzgw -MTAxMTIzNDAxWjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALGUYGllRw9Y -7ATtT3iqwv3rnnpYYWaxGdamUYznYS6l8lAyHFOqfEktdHZ+bUyRVWsbvyx/a2St -u1vpZpkihvMCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLmNvbS9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EApouSZ4cX2rx+pZWcDHJH+KaCMpMa -ScrHO8bFSCWI02ckzoIxWfu1DMNO++EpyzrTgyaXoCROjvhdslwucMqAIg== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLmNvbTERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA1WhcNMzgw +MTAxMTIzNDA1WjAzMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzwXsp +P4RsZUoDfQfm5O5bi5unhwl+BTrKIaOtl5TBxMau+qEdKa02DD7Bx6PCzLKhWiZ3 +/MrO7V/cXIBun97dF5Zr5kk+HJk+y3es+xoPd3doknvGQEC/0cSGLcEC7aQ/bEqi +fw2CgEY5ffkEAnDrdvGGeqBfJJGft/tqmlZbeQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +Lq4cCtWMjqLHqf6lJUOBMsm+tgFcYDdxwkTquSZyUrbP1jrODkg5lQWNCdvB76B2 +tZQfMJ3F/kct2EAfsKbHqN3f+DARqPAR2qtOqzl3Ou5+TJjExKgojjzIAPFQzswH +7v4aglpReaPBaVSNOZ7bMn/E8yRy3o466bhzdEIDcII= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.key b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.key index a4960f965..301154c09 100644 --- a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.key +++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: server2.example.com - localKeyID: 69 B2 C3 8A B6 1C C2 19 F4 1B 4E 74 28 AF 12 89 E8 2E D9 BE + localKeyID: 40 B2 13 5E 6B 67 AE 36 A3 97 69 6D A3 28 42 36 85 E7 4C E3 Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIFmRnQVx4IM4CAggA -MBQGCCqGSIb3DQMHBAj96PHFOGcW+gSCAVhUx92WT6m/52ZEGgqV+RyBKgHPv0Vk -NCrmKEJJAvGRWGl+jnpU780hLNx+qWHxGV6r+wyPN9F81oDhqeYQtIRIYC8tWBeC -9mouIU/iNXYUkun4ZaH6sIJSFfB/2l/pz5/GaiCqgQPPufGmRFsHcGcZlYpnLHkb -PyRFagan7QYIwUouBTyJ0o/OKBU/r6QM+ZO1zB4YqUutpYMTUbcD9zkj3eAFpIDZ -fuci+WK1imuUek9LdKifM8f5jdc4n/Ya5rFcpHg45CXz+pLntsprjQVzhFdQblZW -60ZyiJm682h7ioHhcJYmYyEa5DMItEqzLasQncMi/s8+SUCqTE0QaWYWJ+ofv1cD -GBYWoM7Ar47zaqgQYlKMKs9mDfUQ4FQy382yrnsPnyo+K8ra5ESUA++uIxMwouHo -x3dD4wV51jP8VC9VN2GWprZWffnxwMP4PxZejmZVbSWvPw== +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI9nwG/TOpp3MCAggA +MBQGCCqGSIb3DQMHBAilpHreae+faASCAoBx69kd96hrjqkgteXaXrMEVH/9sbBQ +GXzBvazDadBDfUGHJweJKHJfJMujbHCL+ogsQsfwilWZotbkStMjg5ik5pwmq7ry +nRZF/6vm5lusqXc/4XJcb1tiag8ItcMrgfKCBHIA7HuJveE02C1z20vU40CAvgBW +QV1+0yZ7t4PPncYU/Mia1DY+hfEDX0U/pV3btevlIqAB38a6/pMptdwEdfQqsgjW +T+Fu7oW9C9Flo2R5xfGOzfeA4/Ujng9uxQTQoC3fE9j/jp64wE0vRDr6SRTfXM70 +F8YH38oKnhCkAwmnWAV65UBS9k90NIqgqdKljpSmikBuGi7oawgYWFXokAGWru9E +m8LoMsf6eyxKD9NVJ0F+2lK+qBfHEdR5VOCVZP1VveY/CgZq/E7nRejhQjKsrf/6 +eKmxFYsH4zuz8heEqjZKfl0YAHffKd34dsBetmPviegf6FUBXAUAdtm5nEshYt1g +A8YQtBNOzoM42T/7temhyo7ZrYBKeXLmej/ZQXCoDT6t1o0vtjPMBBMqTmKZXLGt +lf2xjAy7uQYvZfarPNVO8ENUSgwsKIfF4ty5wVOQfHrHjRpe51AWi/AcTOcM87r+ +cUvOEUERq6zjC72WEPZB0X2+sTN6yWZgPipIOCuPEiChvs5hjcmXGkOlEjhH11F9 +diTTUvjQh2v8x1Iz+wMlbTVSJnqZXFrXEgQe212zKy8RpKA8tat2y57cgchHJ2n1 +BSSJbWom2HVZ2yYtZoHZSgH9rVJul7QsGI0/MgEuAGy3TKYZhlsSRgjBKqSz+mgU +Kw7KQxhJnF4nzRsZ17pGWxoEzs0cSTO7c+QGZI126KwCMGIFHFXwcHwV -----END ENCRYPTED PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.dated.resp index baa228161..8ea000df7 100644 Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.good.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.good.resp index 80180be4b..49e93ade1 100644 Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.req b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.req index fe4957efd..18bd85859 100644 Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.req and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.revoked.resp index 80180be4b..49e93ade1 100644 Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.ocsp.revoked.resp differ 
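Review bot: server2.example.com.ocsp.good.resp and server2.example.com.ocsp.revoked.resp carry the same index line, `80180be4b..49e93ade1`, so the two fixtures were byte-identical before this change and are byte-identical after it. The matching server1 pair has distinct blob ids (`c616136d2..9b7fd14e3` for good, `aa6d371b4..3de666f8c` for revoked). A test that staples the server2 "revoked" response is therefore presenting the same bytes as the "good" one and cannot show that a revoked status is rejected. Either regenerate server2.example.com.ocsp.revoked.resp after actually revoking the server2 certificate in the test CA, or note in the fixture documentation that server2 is intentionally never revoked and that the file is a placeholder.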
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.p12 b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.p12 index c080a6a7e..c8619f7a5 100644 Binary files a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.p12 and b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.p12 differ diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem index eacf55c65..e4d764a3f 100644 --- a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem +++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem 
@@ -1,18 +1,21 @@ Bag Attributes friendlyName: server2.example.com - localKeyID: 69 B2 C3 8A B6 1C C2 19 F4 1B 4E 74 28 AF 12 89 E8 2E D9 BE + localKeyID: 40 B2 13 5E 6B 67 AE 36 A3 97 69 6D A3 28 42 36 85 E7 4C E3 subject=/CN=server2.example.com issuer=/O=example.com/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5jb20xGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDFaFw0zODAxMDExMjM0MDFaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs -ZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA2TCJENbO0UK+Cjs2HSqq1OlM -VIJQs/ctua3DEcPOphjNwLrUqVGv5qkWFDHbsJ00hpiW7uK9tDfawSWmcFis1wID -AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -LmNvbS9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5jb20vMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs -ZS5jb20wDQYJKoZIhvcNAQEFBQADQQCeF6NprEufUaSaqXhBk7hP7kX2NtTEkHmg -hm1yvEzKL1/7gmqhMAGFapGV90k/8J6L4FiIEaxIHuTvm94KfKZi +MjM0MDZaFw0zODAxMDExMjM0MDZaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs +ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALLgFpuQXy2obzVio/WK +IQr7+KQt3p1umyTBM0FgRS2wEvbobbp5yi304Ob3v2BOpBwpKBbH+SXwAWKg5z8j +XVf/h76XGcKdbwSQtt7Rq1ANKW63urh0+MaGyHeBFC1zYdQHqvqHcfFzSA1Ai4yy +tXf7OdNmRI7cK/FwtPLji28xAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUuY29tL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLmNvbS8wHgYDVR0R +BBcwFYITc2VydmVyMi5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQUFAAOBgQBsN0Em +TV30tTEQZ8r7ZLYimGL3HpV7bOZ0RyH0Xok2PrmcisVSu8SvEpMmO9c94FZxHh0h +IALt8E7VXkVC/Tw4QVSDhgs7v8VHOf8V6pPc/cc9GFhZyt0q2Ln5L7l2k/Su45FW +gC+MBC+tV+/SURn0tO8ynKw6fA24Odux4zBzGg== -----END CERTIFICATE----- 
diff --git a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key index 6e0c41e7a..2a17a489a 100644 --- a/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key +++ b/test/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOQIBAAJBANkwiRDWztFCvgo7Nh0qqtTpTFSCULP3LbmtwxHDzqYYzcC61KlR -r+apFhQx27CdNIaYlu7ivbQ32sElpnBYrNcCAwEAAQJAAT7+ClKxLRIs9PISBWjR -Qhd0kKeOvvmUEZSlodx1uw42qqDQ0vfYMSOWzn8dlGQ/XGJ4xVwvFFklNCfWva4M -QQIhAPaoF/TqmR/dc2CLsQkWoZQqdu7w+uBnTnqqcQ1A2ci9AiEA4Wqw3SszsAwV -ELV+DCDouyncyMmCzJkDjYA1WYNiVyMCIAc3AYRjfFknRCG11Fbct5s65sG0gNIh -k3UZGTd3ByfNAiAbwAqt75eZYKNnPzCZRaPhBrJLdaNIlL2/Ob1Xm7kLiQIgWtVa -weFGKWW86QXScrel5sjNDxFv+ZvMd+heAiPqkXs= +MIICXgIBAAKBgQCy4BabkF8tqG81YqP1iiEK+/ikLd6dbpskwTNBYEUtsBL26G26 +ecot9ODm979gTqQcKSgWx/kl8AFioOc/I11X/4e+lxnCnW8EkLbe0atQDSlut7q4 +dPjGhsh3gRQtc2HUB6r6h3Hxc0gNQIuMsrV3+znTZkSO3CvxcLTy44tvMQIDAQAB +AoGBAK76UIM6tjBmvOq/JF50EaC6HV8VU9gzM2a/65C/SMzJmbOYaIZqzuEn0718 +iuP96cF2bTXjxpBa+C/v8GYuBQcFv6Pkg02KTDOCyjjcZrvArhUcgmOx4n2BVVR/ +8nR1R0JDvdw0HJbIom4ABYLTAjNVG5HZcnWC3ylA/n57p+ABAkEA4XUa5Lc7U0b1 +rwRqHH2pdF/zYpDxSaLXcjP9YC2r1+siwyvbL7qtQy3DQyw3AM1WtCefUAQhL5Jq +Ex630RwiAQJBAMsbgoAwiI2ZQQ1eJyIjbG8pn3Pprq6QPbUKE9NdWaoUcxjyPRSB +1nhJcjgrk1T3BvooktNUEzseSUI8A7Wu7TECQQCpx03hPjpmk+EfUuu1WMvq3vah +GxUYppAnaA8+BiaKCn+7CaOdZa5kEGoig4FIEVlhgRTvZKy47kEC9PbneZABAkEA +mzhB6n+szDI0IegzlgZmZynzHx2WjvfTANlbv2uXC8EnGQh/n31+j1zp+n1q0kMb +RPDfDLwzGjoSGJlO6Hlv8QJAZHPfEo+GCWA18JwI1HM3o+idyJ7fH92Sig0/ZwwE +MG9RVzhYuCaqCBGlx6mRm1LIe3mjQCn4cE+x/gheyRfZhw== -----END RSA PRIVATE KEY----- diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/CA.pem b/test/aux-fixed/exim-ca/example.net/BLANK/CA.pem index bed3d2fad..2ada0c42f 100644 --- a/test/aux-fixed/exim-ca/example.net/BLANK/CA.pem 
+++ b/test/aux-fixed/exim-ca/example.net/BLANK/CA.pem @@ -1,10 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje -SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2 -iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALUSMNgU8YE8fsiB8Wm7 +lpclDOwQXJVbP/Ef2NVwoE6NnoPTWMNgvSyCddVz7709URkIy+jtrlpbyQYVdwgO +HAnI8/bx2WoGtGzWTbAM1Mp+WHtiOO7LpsldWQmeHuF9uBOghFytVyqNT2l/iG7x +XQCA6Q6P59vpb3Z+4PH8kgVlAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBACs6X9bwml5hcwf82pyb +bKOnRGP6pJsvx1yv6SULaxg4+mCelEHNPycQqidqs+84RrDma8Kkz3DVZuV11Yca +o2ibon7rWhaTc9SR0j5B8BMU1Z9VEVF5uejepHWf1iCeOhxl6tNQuTTJP0uE4h6h +VAtQ+ux57x052IuOi9FtrqVR -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/Signer.pem b/test/aux-fixed/exim-ca/example.net/BLANK/Signer.pem index 5d2b2ea83..a8946b2f5 100644 --- a/test/aux-fixed/exim-ca/example.net/BLANK/Signer.pem +++ b/test/aux-fixed/exim-ca/example.net/BLANK/Signer.pem 
@@ -1,11 +1,14 @@ -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY -392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a -d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit -Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo +cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e +RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW +7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ +ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh +XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/cert8.db b/test/aux-fixed/exim-ca/example.net/BLANK/cert8.db index 0d794a075..1978a29ef 100644 Binary files a/test/aux-fixed/exim-ca/example.net/BLANK/cert8.db and b/test/aux-fixed/exim-ca/example.net/BLANK/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/key3.db b/test/aux-fixed/exim-ca/example.net/BLANK/key3.db index 31b9ac72c..ecce1ece4 100644 Binary files a/test/aux-fixed/exim-ca/example.net/BLANK/key3.db and b/test/aux-fixed/exim-ca/example.net/BLANK/key3.db differ 
diff --git a/test/aux-fixed/exim-ca/example.net/BLANK/secmod.db b/test/aux-fixed/exim-ca/example.net/BLANK/secmod.db index 8a8319376..b709dd8a5 100644 Binary files a/test/aux-fixed/exim-ca/example.net/BLANK/secmod.db and b/test/aux-fixed/exim-ca/example.net/BLANK/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.net/CA/CA.pem b/test/aux-fixed/exim-ca/example.net/CA/CA.pem index bed3d2fad..2ada0c42f 100644 --- a/test/aux-fixed/exim-ca/example.net/CA/CA.pem +++ b/test/aux-fixed/exim-ca/example.net/CA/CA.pem @@ -1,10 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje -SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2 -iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALUSMNgU8YE8fsiB8Wm7 +lpclDOwQXJVbP/Ef2NVwoE6NnoPTWMNgvSyCddVz7709URkIy+jtrlpbyQYVdwgO +HAnI8/bx2WoGtGzWTbAM1Mp+WHtiOO7LpsldWQmeHuF9uBOghFytVyqNT2l/iG7x +XQCA6Q6P59vpb3Z+4PH8kgVlAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBACs6X9bwml5hcwf82pyb +bKOnRGP6pJsvx1yv6SULaxg4+mCelEHNPycQqidqs+84RrDma8Kkz3DVZuV11Yca +o2ibon7rWhaTc9SR0j5B8BMU1Z9VEVF5uejepHWf1iCeOhxl6tNQuTTJP0uE4h6h +VAtQ+ux57x052IuOi9FtrqVR -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/CA/OCSP.key b/test/aux-fixed/exim-ca/example.net/CA/OCSP.key index 5ab675ca1..79d4b03fc 100644 --- a/test/aux-fixed/exim-ca/example.net/CA/OCSP.key 
+++ b/test/aux-fixed/exim-ca/example.net/CA/OCSP.key @@ -1,14 +1,20 @@ Bag Attributes friendlyName: OCSP Signer - localKeyID: 16 61 1B 08 43 C0 0E C4 AF 4D 7B E9 27 1D EB B0 D7 05 E9 75 + localKeyID: EB 2F EB 2A 88 BA 65 6E B7 DF 67 0B D9 87 99 E4 7A C3 D7 FA Key Attributes: -----BEGIN PRIVATE KEY----- -MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAsT/jRe87h2kyfvbt -YbvgOPS3y6+BPP8pVdU2CefZAy4mYhuj4ZejZgOf8W9XoonCKTW0Y31feBcy0cM+ -2TNM3QIDAQABAkEApPyuBevggnP2T95zKfUiioGoD43HA8sTY9T53xCTnPOrNNCv -Vn5+ZXao86JF3ly2jY8Eg0b1hFpfZsZMhG/PgQIhAOg/SgSXqPL8oON/Uot1IUHe -xLfwqW4toMwTknwdWO39AiEAw2ClhCYw/YTDdbh8sstP7k9HDNBPynwAuURLqc6/ -oGECIBDxVQgCvFuFnIMcLbxovhVdGALHNsUH5RweLWiKh4tNAiBSgpVD6tETr6bQ -J1paM6yM6uQJkEuyKo4vr5z4mHyq4QIhAMtfRG4+QspRY6aaAAebWBS4zwDiAZCH -6bnyjSzbUHsm +MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMQaJ47PbQGWMcH3 +JT2ec4ZEeNrDzreTs0wjeQ8B12FJ8t+xuPYbeYOLU4rchEPA/spnSQY8TrMBFSNy +bGuyrxUmqvolZt3RASK7olbOgUiQ6yFKdhu0dghS1Fonhi2a+iJN/AKH6FWla9o6 +G6XaoijCmaNK+0crLOOCUGw5SznJAgMBAAECgYBnhbseS+gqr0RDNholxlEML3dx +XW7yQHmllxBgWMN/q48YgfS3j1d9lv6aTsFQF0EqTo4hSZLuMoMbPFt6G1ELNsYE +jAmMALYLGhDNHH/h0B76qXviQIBLL0nOi88gKN9tpwvvHtJg3bFu02LGzkiydB2K +/uNE1Xr0oaomFBR3EQJBAPZd4j390E+bu/hvz8LEb/qxcxUTQKncIqpcGXwr4mYz +vQI8s5sdUwrk6y9dKVGI6Q8FSffyFX0b7c4HeNr/v2UCQQDLxSAd8aHVaNYOriRb +T9HYioG2RhS7e1jRwkkjH4rGb9jwXeDHLX/n7k7hpnlFnJHHKJbiiDzmQImjN0o8 +kkSVAkEAkqhetrJyIAHACutcjT/svRqHPGOCmdsek7VRwnZJRrfD6yIBdPQm7BRL +4J0frJbIzhVC7COjIR/QF1ahXhTidQJAYxHRHp3XF8HjqLmD1Z1GIiidDfiepdQ/ +h6QVGO2B9B52885AtbXqZOHZGh5tAaowugqC6VpheXTRNjhwcGiQzQJBAJLOlkmD +KhKvuSwWaWq5OkPR0qR9u95/Jp09J6oLcxkvCPx7L38fbDKe6Fd9wvI06rCd7FoK +mbVOWS+NUGd9VR4= -----END PRIVATE KEY----- diff --git a/test/aux-fixed/exim-ca/example.net/CA/OCSP.p12 b/test/aux-fixed/exim-ca/example.net/CA/OCSP.p12 index 4ebddda7a..0ccbb2581 100644 Binary files a/test/aux-fixed/exim-ca/example.net/CA/OCSP.p12 and b/test/aux-fixed/exim-ca/example.net/CA/OCSP.p12 differ 
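Review bot: `OCSP.key` is committed as an unencrypted `-----BEGIN PRIVATE KEY-----` block, and `server2.example.com.unlocked.key` earlier in this diff is the same kind of file; nothing in this diff marks either as test-only material. Suggest a short README under `test/aux-fixed/exim-ca/` stating that every key in the directory is public and must never be trusted outside the test suite. That lets secret scanners allowlist the path deliberately and keeps anyone from copying a fixture into a real configuration.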
diff --git a/test/aux-fixed/exim-ca/example.net/CA/OCSP.pem b/test/aux-fixed/exim-ca/example.net/CA/OCSP.pem index 2d71376a7..b1d14b8d6 100644 --- a/test/aux-fixed/exim-ca/example.net/CA/OCSP.pem +++ b/test/aux-fixed/exim-ca/example.net/CA/OCSP.pem @@ -1,11 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIBgDCCASqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICBTCCAW6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwM1oXDTM4MDEwMTEyMzQwM1owMjEUMBIGA1UEChMLZXhhbXBsZS5uZXQxGjAY -BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB -ALE/40XvO4dpMn727WG74Dj0t8uvgTz/KVXVNgnn2QMuJmIbo+GXo2YDn/FvV6KJ -wik1tGN9X3gXMtHDPtkzTN0CAwEAAaMqMCgwDgYDVR0PAQH/BAQDAgeAMBYGA1Ud -JQEB/wQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBBQUAA0EAjPHbFyZJZHxLSqn5 -i4i7+sWFAueHbbVXyDkzbspOeAbUeuc+lyZ7gMkRofbfIyXIMzSggVKiBetK5gf8 -OhXNJA== +MzQxMloXDTM4MDEwMTEyMzQxMlowMjEUMBIGA1UEChMLZXhhbXBsZS5uZXQxGjAY +BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB +iQKBgQDEGieOz20BljHB9yU9nnOGRHjaw863k7NMI3kPAddhSfLfsbj2G3mDi1OK +3IRDwP7KZ0kGPE6zARUjcmxrsq8VJqr6JWbd0QEiu6JWzoFIkOshSnYbtHYIUtRa +J4YtmvoiTfwCh+hVpWvaOhul2qIowpmjSvtHKyzjglBsOUs5yQIDAQABoyowKDAO +BgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcN +AQEFBQADgYEAZbAMzBc7Vaf2dW5zVH6/ImlnZe3qwZ2r/vb5nJlpF/Zc3AN13rrY ++7h7uvcG+wcwyteU0OmFs7cTWRRyjoJmmLMp4bYBjOliRKAjFgEYT9e1FmoxjmP3 +1XbEu2eUgEVUp+dBM7orlNcHYXs62GYQiVyA2WPCWoMahhIqEK4IBqw= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/CA/Signer.pem b/test/aux-fixed/exim-ca/example.net/CA/Signer.pem index 5d2b2ea83..a8946b2f5 100644 --- a/test/aux-fixed/exim-ca/example.net/CA/Signer.pem +++ b/test/aux-fixed/exim-ca/example.net/CA/Signer.pem 
@@ -1,11 +1,14 @@ -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY -392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a -d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit -Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo +cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e +RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW +7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ +ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh +XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/CA/ca.conf b/test/aux-fixed/exim-ca/example.net/CA/ca.conf index d162ea323..9b97ee55c 100644 --- a/test/aux-fixed/exim-ca/example.net/CA/ca.conf +++ b/test/aux-fixed/exim-ca/example.net/CA/ca.conf @@ -1,5 +1,5 @@ ; Config::Simple 4.59 -; Thu Nov 1 12:34:03 2012 +; Thu Nov 1 12:34:11 2012 [CLICA] crl_url=http://crl.example.net/latest.crl @@ -13,6 +13,6 @@ ocsp_url=http://oscp/example.net/ org=example.net subject=clica CA name=Certificate Authority -bits=512 +bits=1024 
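Review bot: `bits=1024` in the last `ca.conf` hunk doubles the old 512 but is still below the 2048-bit RSA minimum that current TLS libraries and policies commonly enforce, so these fixtures are likely to need regenerating again once the test hosts tighten their defaults. Suggest `bits=2048` now, while every certificate and key under `example.net` is being reissued anyway. The hunk header context also shows `ocsp_url=http://oscp/example.net/`, which looks like a typo for an `ocsp.` host name; worth confirming before it is baked into another generation of certificates.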
diff --git a/test/aux-fixed/exim-ca/example.net/CA/cert8.db b/test/aux-fixed/exim-ca/example.net/CA/cert8.db index 6a130c8e7..e6d5a8967 100644 Binary files a/test/aux-fixed/exim-ca/example.net/CA/cert8.db and b/test/aux-fixed/exim-ca/example.net/CA/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.empty b/test/aux-fixed/exim-ca/example.net/CA/crl.empty index 364b43da2..57414bcee 100644 Binary files a/test/aux-fixed/exim-ca/example.net/CA/crl.empty and b/test/aux-fixed/exim-ca/example.net/CA/crl.empty differ diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.empty.in.txt b/test/aux-fixed/exim-ca/example.net/CA/crl.empty.in.txt index 250311c00..114640be1 100644 --- a/test/aux-fixed/exim-ca/example.net/CA/crl.empty.in.txt +++ b/test/aux-fixed/exim-ca/example.net/CA/crl.empty.in.txt @@ -1 +1 @@ -update=20130127152434Z +update=20140422152734Z diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.empty.pem b/test/aux-fixed/exim-ca/example.net/CA/crl.empty.pem index 8236f8598..936b0f79a 100644 --- a/test/aux-fixed/exim-ca/example.net/CA/crl.empty.pem +++ b/test/aux-fixed/exim-ca/example.net/CA/crl.empty.pem @@ -1,6 +1,7 @@ -----BEGIN X509 CRL----- -MIGsMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5uZXQx -GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxMzAxMjcxNTI0MzRaMA0G -CSqGSIb3DQEBBQUAA0EAnGNQN1GnKB2PGg9C+vguhNlTRLgf9j9lziLPBkPff4+k -8JLTVhcuQYnYTdw1WKq/DeXJRyZwd7Z8vAMMdsW5ZA== +MIHtMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5uZXQx +GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxNDA0MjIxNTI3MzRaMA0G +CSqGSIb3DQEBBQUAA4GBAFoXyOzTFY7uLHW/UjKfxOP4NP9S+4PF4nHz4fvn0tcC +3A7VE3ucmoNFWyxpkp4cSPYNGUJctBoJhS5t3WRvYd7ZweKKDO0/qsI8AQcfzY0n +YBu/pjphxfs6dHnXFcRdhaP7nz/eoArkWGXn1UlsneJQXnBK/ZSsld472GPL5XaM -----END X509 CRL----- 
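Review bot: the regenerated `crl.empty.pem` still carries the sha1WithRSAEncryption algorithm identifier (the `DQYJKoZIhvcNAQEFBQAw` run in its first `+` line), so the key-size bump leaves the signature digest unchanged. If the regeneration is meant to keep the fixtures acceptable to stricter verifiers, move the CA tooling to SHA-256 in the same pass; otherwise say in the commit message that SHA-1 is retained on purpose.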
diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.v2 b/test/aux-fixed/exim-ca/example.net/CA/crl.v2 index 7473ce83b..87b638c63 100644 Binary files a/test/aux-fixed/exim-ca/example.net/CA/crl.v2 and b/test/aux-fixed/exim-ca/example.net/CA/crl.v2 differ diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt b/test/aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt index 434045ffe..2485f76b3 100644 --- a/test/aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt +++ b/test/aux-fixed/exim-ca/example.net/CA/crl.v2.in.txt @@ -1,3 +1,3 @@ -update=20130127152437Z -addcert 102 20130127152437Z -addcert 202 20130127152437Z +update=20140422152736Z +addcert 102 20140422152736Z +addcert 202 20140422152736Z diff --git a/test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem b/test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem index dceb45cd1..e12994f22 100644 --- a/test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem +++ b/test/aux-fixed/exim-ca/example.net/CA/crl.v2.pem @@ -1,7 +1,9 @@ -----BEGIN X509 CRL----- -MIHcMIGHAgEBMA0GCSqGSIb3DQEBBQUAMDMxFDASBgNVBAoTC2V4YW1wbGUubmV0 -MRswGQYDVQQDExJjbGljYSBTaWduaW5nIENlcnQYDzIwMTMwMTI3MTUyNDM3WjAt -MBQCAWYYDzIwMTMwMTI3MTUyNDM3WjAVAgIAyhgPMjAxMzAxMjcxNTI0MzdaMA0G -CSqGSIb3DQEBBQUAA0EAL1D/ZMfKSVVozt/TtAPIR/PMLTvBCGrRDbH31tI3pGUJ -l+FZTnkR48HXOkuaPCxMclubZ0ptQ6wXHP58iwKacA== +MIIBHTCBhwIBATANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFtcGxlLm5l +dDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0GA8yMDE0MDQyMjE1MjczNlow +LTAUAgFmGA8yMDE0MDQyMjE1MjczNlowFQICAMoYDzIwMTQwNDIyMTUyNzM2WjAN +BgkqhkiG9w0BAQUFAAOBgQCCvMQ1eAkuztnM/mIUCWFRyRZuqVyf/gnCISf3Ha5w +nOBMSJLn6vr2WYaTqe3vENqHYupQi5T2mK6B1JS/i3PGx2N+lCPAwTr/j08HAKwv +WICtPYMdjx+HuoXRbGO4V/Q9YeaEucde0Ldk99P2bMRn2msGPdpoXlWuLUX9aneA +Tg== -----END X509 CRL----- diff --git a/test/aux-fixed/exim-ca/example.net/CA/key3.db b/test/aux-fixed/exim-ca/example.net/CA/key3.db index e17cadfbb..3e5a99cea 100644 Binary files a/test/aux-fixed/exim-ca/example.net/CA/key3.db and b/test/aux-fixed/exim-ca/example.net/CA/key3.db differ 
diff --git a/test/aux-fixed/exim-ca/example.net/CA/noise.file b/test/aux-fixed/exim-ca/example.net/CA/noise.file index c19c41f31..f2299dd6d 100644 --- a/test/aux-fixed/exim-ca/example.net/CA/noise.file +++ b/test/aux-fixed/exim-ca/example.net/CA/noise.file 
@@ -1,301 +1,244 @@ processor : 0 vendor_id : GenuineIntel cpu family : 6 -model : 26 -model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz -stepping : 5 -cpu MHz : 2260.628 -cache size : 8192 KB +model : 13 +model name : QEMU Virtual CPU version (cpu64-rhel6) +stepping : 3 +cpu MHz : 1994.999 +cache size : 4096 KB fpu : yes fpu_exception : yes -cpuid level : 11 +cpuid level : 4 wp : yes -flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts -bogomips : 4521.25 +flags : fpu de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pse36 clflush mmx fxsr sse sse2 syscall nx lm up unfair_spinlock pni cx16 hypervisor lahf_lm +bogomips : 3989.99 clflush size : 64 cache_alignment : 64 -address sizes : 40 bits physical, 48 bits virtual +address sizes : 38 bits physical, 48 bits virtual power management: -processor : 1 -vendor_id : GenuineIntel -cpu family : 6 -model : 26 -model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz -stepping : 5 -cpu MHz : 2260.628 -cache size : 8192 KB -fpu : yes -fpu_exception : yes -cpuid level : 11 -wp : yes -flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts -bogomips : 4521.25 -clflush size : 64 -cache_alignment : 64 -address sizes : 40 bits physical, 48 bits virtual -power management: - - CPU0 CPU1 - 0: 2481 0 IO-APIC-edge timer - 1: 21441 346 IO-APIC-edge i8042 - 3: 1 0 IO-APIC-edge - 4: 1 0 IO-APIC-edge - 7: 0 0 IO-APIC-edge parport0 - 8: 1 0 IO-APIC-edge rtc0 - 9: 0 0 IO-APIC-fasteoi acpi - 12: 78986 1718 IO-APIC-edge i8042 - 14: 0 0 IO-APIC-edge ata_piix - 15: 2423337 
1435 IO-APIC-edge ata_piix - 16: 1025 0 IO-APIC-fasteoi Ensoniq AudioPCI - 17: 239858 2559 IO-APIC-fasteoi ehci_hcd:usb1, ioc0 - 18: 246 0 IO-APIC-fasteoi uhci_hcd:usb2 - 19: 1868825 51479 IO-APIC-fasteoi eth0 - 24: 0 0 PCI-MSI-edge pciehp - 25: 0 0 PCI-MSI-edge pciehp - 26: 0 0 PCI-MSI-edge pciehp - 27: 0 0 PCI-MSI-edge pciehp - 28: 0 0 PCI-MSI-edge pciehp - 29: 0 0 PCI-MSI-edge pciehp - 30: 0 0 PCI-MSI-edge pciehp - 31: 0 0 PCI-MSI-edge pciehp - 32: 0 0 PCI-MSI-edge pciehp - 33: 0 0 PCI-MSI-edge pciehp - 34: 0 0 PCI-MSI-edge pciehp - 35: 0 0 PCI-MSI-edge pciehp - 36: 0 0 PCI-MSI-edge pciehp - 37: 0 0 PCI-MSI-edge pciehp - 38: 0 0 PCI-MSI-edge pciehp - 39: 0 0 PCI-MSI-edge pciehp - 40: 0 0 PCI-MSI-edge pciehp - 41: 0 0 PCI-MSI-edge pciehp - 42: 0 0 PCI-MSI-edge pciehp - 43: 0 0 PCI-MSI-edge pciehp - 44: 0 0 PCI-MSI-edge pciehp - 45: 0 0 PCI-MSI-edge pciehp - 46: 0 0 PCI-MSI-edge pciehp - 47: 0 0 PCI-MSI-edge pciehp - 48: 0 0 PCI-MSI-edge pciehp - 49: 0 0 PCI-MSI-edge pciehp - 50: 0 0 PCI-MSI-edge pciehp - 51: 0 0 PCI-MSI-edge pciehp - 52: 0 0 PCI-MSI-edge pciehp - 53: 0 0 PCI-MSI-edge pciehp - 54: 0 0 PCI-MSI-edge pciehp - 55: 0 0 PCI-MSI-edge pciehp - 56: 1 0 PCI-MSI-edge vmci - 57: 0 0 PCI-MSI-edge vmci -NMI: 0 0 Non-maskable interrupts -LOC: 12398590 14242910 Local timer interrupts -SPU: 0 0 Spurious interrupts -PMI: 0 0 Performance monitoring interrupts -IWI: 0 0 IRQ work interrupts -RES: 282808 309226 Rescheduling interrupts -CAL: 1955 163556 Function call interrupts -TLB: 18075 15578 TLB shootdowns -TRM: 0 0 Thermal event interrupts -THR: 0 0 Threshold APIC interrupts -MCE: 0 0 Machine check exceptions -MCP: 2310 2310 Machine check polls + CPU0 + 0: 258 IO-APIC-edge timer + 1: 6 IO-APIC-edge i8042 + 4: 1 IO-APIC-edge + 8: 0 IO-APIC-edge rtc0 + 9: 0 IO-APIC-fasteoi acpi + 10: 953 IO-APIC-fasteoi virtio3 + 11: 62 IO-APIC-fasteoi uhci_hcd:usb1, snd_hda_intel + 12: 104 IO-APIC-edge i8042 + 14: 0 IO-APIC-edge ata_piix + 15: 106 IO-APIC-edge ata_piix + 24: 0 
PCI-MSI-edge virtio2-config + 25: 49006 PCI-MSI-edge virtio2-requests + 26: 0 PCI-MSI-edge virtio0-config + 27: 296912 PCI-MSI-edge virtio0-input + 28: 1 PCI-MSI-edge virtio0-output + 29: 0 PCI-MSI-edge virtio1-config + 30: 18868 PCI-MSI-edge virtio1-input + 31: 1 PCI-MSI-edge virtio1-output +NMI: 0 Non-maskable interrupts +LOC: 778283 Local timer interrupts +SPU: 0 Spurious interrupts +PMI: 0 Performance monitoring interrupts +IWI: 0 IRQ work interrupts +RES: 0 Rescheduling interrupts +CAL: 0 Function call interrupts +TLB: 0 TLB shootdowns +TRM: 0 Thermal event interrupts +THR: 0 Threshold APIC interrupts +MCE: 0 Machine check exceptions +MCP: 271 Machine check polls ERR: 0 MIS: 0 -MemTotal: 1914844 kB -MemFree: 133340 kB -Buffers: 142048 kB -Cached: 953728 kB -SwapCached: 108 kB -Active: 982140 kB -Inactive: 540820 kB -Active(anon): 287228 kB -Inactive(anon): 143480 kB -Active(file): 694912 kB -Inactive(file): 397340 kB +MemTotal: 487904 kB +MemFree: 72616 kB +Buffers: 73820 kB +Cached: 142556 kB +SwapCached: 0 kB +Active: 133212 kB +Inactive: 119168 kB +Active(anon): 15164 kB +Inactive(anon): 21900 kB +Active(file): 118048 kB +Inactive(file): 97268 kB Unevictable: 0 kB Mlocked: 0 kB -SwapTotal: 4194296 kB -SwapFree: 4193560 kB -Dirty: 2760 kB +SwapTotal: 524280 kB +SwapFree: 524280 kB +Dirty: 2456 kB Writeback: 0 kB -AnonPages: 427016 kB -Mapped: 70844 kB -Shmem: 3400 kB -Slab: 191064 kB -SReclaimable: 125460 kB -SUnreclaim: 65604 kB -KernelStack: 2312 kB -PageTables: 23528 kB +AnonPages: 35924 kB +Mapped: 15592 kB +Shmem: 1128 kB +Slab: 136348 kB +SReclaimable: 83960 kB +SUnreclaim: 52388 kB +KernelStack: 752 kB +PageTables: 3420 kB NFS_Unstable: 0 kB Bounce: 0 kB WritebackTmp: 0 kB -CommitLimit: 5151716 kB -Committed_AS: 973184 kB +CommitLimit: 768232 kB +Committed_AS: 116976 kB VmallocTotal: 34359738367 kB -VmallocUsed: 280772 kB -VmallocChunk: 34359441168 kB +VmallocUsed: 12116 kB +VmallocChunk: 34359713232 kB HardwareCorrupted: 0 kB -AnonHugePages: 249856 
kB +AnonHugePages: 2048 kB HugePages_Total: 0 HugePages_Free: 0 HugePages_Rsvd: 0 HugePages_Surp: 0 Hugepagesize: 2048 kB -DirectMap4k: 8192 kB -DirectMap2M: 2088960 kB +DirectMap4k: 7156 kB +DirectMap2M: 1492992 kB slabinfo - version: 2.1 # name : tunables : slabdata -bridge_fdb_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -fuse_request 0 0 632 6 1 : tunables 54 27 8 : slabdata 0 0 0 -fuse_inode 0 0 768 5 1 : tunables 54 27 8 : slabdata 0 0 0 -rpc_buffers 8 8 2048 2 1 : tunables 24 12 8 : slabdata 4 4 0 -rpc_tasks 8 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0 -rpc_inode_cache 8 8 832 4 1 : tunables 54 27 8 : slabdata 2 2 0 -hgfsInodeCache 1 6 640 6 1 : tunables 54 27 8 : slabdata 1 1 0 -AF_VMCI 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0 -nf_conntrack_expect 0 0 240 16 1 : tunables 120 60 8 : slabdata 0 0 0 -nf_conntrack_ffffffff8200cec0 11 26 304 13 1 : tunables 54 27 8 : slabdata 2 2 0 -fib6_nodes 22 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0 -ip6_dst_cache 13 30 384 10 1 : tunables 54 27 8 : slabdata 3 3 0 -ndisc_cache 1 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0 -ip6_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0 -RAWv6 67 68 1024 4 1 : tunables 54 27 8 : slabdata 17 17 0 -UDPLITEv6 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0 -UDPv6 4 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0 -tw_sock_TCPv6 0 0 320 12 1 : tunables 54 27 8 : slabdata 0 0 0 -request_sock_TCPv6 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0 -TCPv6 9 10 1856 2 1 : tunables 24 12 8 : slabdata 5 5 0 -jbd2_1k 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0 -avtab_node 502203 502416 24 144 1 : tunables 120 60 8 : slabdata 3489 3489 0 -ext4_inode_cache 74880 74880 1024 4 1 : tunables 54 27 8 : slabdata 18720 18720 0 -ext4_xattr 9 44 88 44 1 : tunables 120 60 8 : slabdata 1 1 0 -ext4_free_block_extents 32 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0 -ext4_alloc_context 28 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0 -ext4_prealloc_space 18 
37 104 37 1 : tunables 120 60 8 : slabdata 1 1 0 -ext4_system_zone 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0 -jbd2_journal_handle 32 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0 -jbd2_journal_head 102 102 112 34 1 : tunables 120 60 8 : slabdata 3 3 0 -jbd2_revoke_table 4 202 16 202 1 : tunables 120 60 8 : slabdata 1 1 0 -jbd2_revoke_record 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0 -dm_crypt_io 50 50 152 25 1 : tunables 120 60 8 : slabdata 2 2 0 -sd_ext_cdb 2 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0 -scsi_sense_cache 22 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0 -scsi_cmd_cache 23 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0 -dm_raid1_read_record 0 0 1064 7 2 : tunables 24 12 8 : slabdata 0 0 0 -kcopyd_job 0 0 3240 2 2 : tunables 24 12 8 : slabdata 0 0 0 -io 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -dm_uevent 0 0 2608 3 2 : tunables 24 12 8 : slabdata 0 0 0 -dm_rq_clone_bio_info 0 0 16 202 1 : tunables 120 60 8 : slabdata 0 0 0 -dm_rq_target_io 0 0 392 10 1 : tunables 54 27 8 : slabdata 0 0 0 -dm_target_io 844 864 24 144 1 : tunables 120 60 8 : slabdata 6 6 0 -dm_io 828 828 40 92 1 : tunables 120 60 8 : slabdata 9 9 0 -flow_cache 0 0 96 40 1 : tunables 120 60 8 : slabdata 0 0 0 -uhci_urb_priv 6 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0 -cfq_io_context 4 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0 -cfq_queue 5 16 240 16 1 : tunables 120 60 8 : slabdata 1 1 0 -bsg_cmd 0 0 312 12 1 : tunables 54 27 8 : slabdata 0 0 0 -mqueue_inode_cache 1 4 896 4 1 : tunables 54 27 8 : slabdata 1 1 0 -isofs_inode_cache 0 0 640 6 1 : tunables 54 27 8 : slabdata 0 0 0 -hugetlbfs_inode_cache 1 6 608 6 1 : tunables 54 27 8 : slabdata 1 1 0 -dquot 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0 -kioctx 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0 -kiocb 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0 -inotify_event_private_data 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0 -inotify_inode_mark_entry 186 204 112 34 1 : 
tunables 120 60 8 : slabdata 6 6 0 -dnotify_mark_entry 1 34 112 34 1 : tunables 120 60 8 : slabdata 1 1 0 -dnotify_struct 1 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0 -fasync_cache 6 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0 -khugepaged_mm_slot 83 92 40 92 1 : tunables 120 60 8 : slabdata 1 1 0 -ksm_mm_slot 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0 -ksm_stable_node 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0 -ksm_rmap_item 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -utrace_engine 0 0 56 67 1 : tunables 120 60 8 : slabdata 0 0 0 -utrace 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -pid_namespace 0 0 2120 3 2 : tunables 24 12 8 : slabdata 0 0 0 -nsproxy 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0 -posix_timers_cache 0 0 176 22 1 : tunables 120 60 8 : slabdata 0 0 0 -uid_cache 10 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0 -UNIX 459 480 768 5 1 : tunables 54 27 8 : slabdata 96 96 0 -ip_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0 -UDP-Lite 0 0 832 9 2 : tunables 54 27 8 : slabdata 0 0 0 -tcp_bind_bucket 15 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0 -inet_peer_cache 4 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0 -secpath_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -xfrm_dst_cache 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0 -ip_fib_alias 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0 -ip_fib_hash 10 106 72 53 1 : tunables 120 60 8 : slabdata 2 2 0 -ip_dst_cache 29 50 384 10 1 : tunables 54 27 8 : slabdata 5 5 0 -arp_cache 4 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0 -RAW 65 72 832 9 2 : tunables 54 27 8 : slabdata 8 8 0 -UDP 6 18 832 9 2 : tunables 54 27 8 : slabdata 2 2 0 -tw_sock_TCP 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0 -request_sock_TCP 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0 -TCP 20 24 1664 4 2 : tunables 24 12 8 : slabdata 6 6 0 -eventpoll_pwq 126 212 72 53 1 : tunables 120 60 8 : slabdata 4 4 0 -eventpoll_epi 126 180 128 30 1 : tunables 120 60 8 : 
slabdata 6 6 0 -sgpool-128 2 2 4096 1 1 : tunables 24 12 8 : slabdata 2 2 0 -sgpool-64 2 2 2048 2 1 : tunables 24 12 8 : slabdata 1 1 0 -sgpool-32 2 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0 -sgpool-16 2 8 512 8 1 : tunables 54 27 8 : slabdata 1 1 0 -sgpool-8 15 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0 -scsi_data_buffer 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0 -blkdev_integrity 0 0 112 34 1 : tunables 120 60 8 : slabdata 0 0 0 -blkdev_queue 29 30 2856 2 2 : tunables 24 12 8 : slabdata 15 15 0 -blkdev_requests 31 44 352 11 1 : tunables 54 27 8 : slabdata 4 4 0 -blkdev_ioc 5 48 80 48 1 : tunables 120 60 8 : slabdata 1 1 0 -fsnotify_event_holder 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0 -fsnotify_event 0 0 104 37 1 : tunables 120 60 8 : slabdata 0 0 0 -bio-0 180 180 192 20 1 : tunables 120 60 8 : slabdata 9 9 0 -biovec-256 66 66 4096 1 1 : tunables 24 12 8 : slabdata 66 66 0 -biovec-128 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0 -biovec-64 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0 -biovec-16 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0 +nf_conntrack_expect 0 0 240 16 1 : tunables 120 60 0 : slabdata 0 0 0 +nf_conntrack_ffffffff81b18540 35 36 312 12 1 : tunables 54 27 0 : slabdata 3 3 0 +fib6_nodes 59 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0 +ip6_dst_cache 40 40 384 10 1 : tunables 54 27 0 : slabdata 4 4 0 +ndisc_cache 20 30 256 15 1 : tunables 120 60 0 : slabdata 2 2 0 +ip6_mrt_cache 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0 +RAWv6 4 4 1024 4 1 : tunables 54 27 0 : slabdata 1 1 0 +UDPLITEv6 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0 +UDPv6 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0 +tw_sock_TCPv6 0 0 320 12 1 : tunables 54 27 0 : slabdata 0 0 0 +request_sock_TCPv6 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0 +TCPv6 9 10 1920 2 1 : tunables 24 12 0 : slabdata 5 5 0 +jbd2_1k 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0 +avtab_node 551039 551088 24 144 1 : tunables 120 60 0 : slabdata 
3827 3827 0 +ext4_inode_cache 36254 36888 1016 4 1 : tunables 54 27 0 : slabdata 9222 9222 0 +ext4_xattr 5 44 88 44 1 : tunables 120 60 0 : slabdata 1 1 0 +ext4_free_block_extents 16 67 56 67 1 : tunables 120 60 0 : slabdata 1 1 0 +ext4_alloc_context 16 28 136 28 1 : tunables 120 60 0 : slabdata 1 1 0 +ext4_prealloc_space 11 37 104 37 1 : tunables 120 60 0 : slabdata 1 1 0 +ext4_system_zone 0 0 40 92 1 : tunables 120 60 0 : slabdata 0 0 0 +jbd2_journal_handle 16 144 24 144 1 : tunables 120 60 0 : slabdata 1 1 0 +jbd2_journal_head 102 102 112 34 1 : tunables 120 60 0 : slabdata 3 3 0 +jbd2_revoke_table 4 202 16 202 1 : tunables 120 60 0 : slabdata 1 1 0 +jbd2_revoke_record 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0 +scsi_sense_cache 2 30 128 30 1 : tunables 120 60 0 : slabdata 1 1 0 +scsi_cmd_cache 2 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0 +dm_raid1_read_record 0 0 1064 7 2 : tunables 24 12 0 : slabdata 0 0 0 +kcopyd_job 0 0 3240 2 2 : tunables 24 12 0 : slabdata 0 0 0 +io 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0 +dm_uevent 0 0 2608 3 2 : tunables 24 12 0 : slabdata 0 0 0 +dm_rq_clone_bio_info 0 0 16 202 1 : tunables 120 60 0 : slabdata 0 0 0 +dm_rq_target_io 0 0 392 10 1 : tunables 54 27 0 : slabdata 0 0 0 +dm_target_io 576 576 24 144 1 : tunables 120 60 0 : slabdata 4 4 0 +dm_io 552 552 40 92 1 : tunables 120 60 0 : slabdata 6 6 0 +flow_cache 0 0 104 37 1 : tunables 120 60 0 : slabdata 0 0 0 +uhci_urb_priv 0 0 56 67 1 : tunables 120 60 0 : slabdata 0 0 0 +cfq_io_context 0 0 136 28 1 : tunables 120 60 0 : slabdata 0 0 0 +cfq_queue 0 0 240 16 1 : tunables 120 60 0 : slabdata 0 0 0 +bsg_cmd 0 0 312 12 1 : tunables 54 27 0 : slabdata 0 0 0 +mqueue_inode_cache 1 4 896 4 1 : tunables 54 27 0 : slabdata 1 1 0 +isofs_inode_cache 0 0 640 6 1 : tunables 54 27 0 : slabdata 0 0 0 +hugetlbfs_inode_cache 1 6 608 6 1 : tunables 54 27 0 : slabdata 1 1 0 +dquot 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0 +kioctx 0 0 384 10 1 : tunables 54 27 0 : 
slabdata 0 0 0 +kiocb 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0 +inotify_event_private_data 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0 +inotify_inode_mark_entry 110 136 112 34 1 : tunables 120 60 0 : slabdata 4 4 0 +dnotify_mark_entry 0 0 112 34 1 : tunables 120 60 0 : slabdata 0 0 0 +dnotify_struct 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0 +dio 0 0 640 6 1 : tunables 54 27 0 : slabdata 0 0 0 +fasync_cache 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0 +khugepaged_mm_slot 17 92 40 92 1 : tunables 120 60 0 : slabdata 1 1 0 +ksm_mm_slot 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0 +ksm_stable_node 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0 +ksm_rmap_item 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0 +utrace_engine 0 0 56 67 1 : tunables 120 60 0 : slabdata 0 0 0 +utrace 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0 +pid_namespace 0 0 2168 3 2 : tunables 24 12 0 : slabdata 0 0 0 +posix_timers_cache 0 0 176 22 1 : tunables 120 60 0 : slabdata 0 0 0 +uid_cache 3 30 128 30 1 : tunables 120 60 0 : slabdata 1 1 0 +UNIX 107 110 768 5 1 : tunables 54 27 0 : slabdata 22 22 0 +ip_mrt_cache 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0 +UDP-Lite 0 0 832 9 2 : tunables 54 27 0 : slabdata 0 0 0 +tcp_bind_bucket 9 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0 +inet_peer_cache 2 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0 +secpath_cache 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0 +xfrm_dst_cache 0 0 448 8 1 : tunables 54 27 0 : slabdata 0 0 0 +ip_fib_alias 1 112 32 112 1 : tunables 120 60 0 : slabdata 1 1 0 +ip_fib_hash 14 53 72 53 1 : tunables 120 60 0 : slabdata 1 1 0 +ip_dst_cache 26 30 384 10 1 : tunables 54 27 0 : slabdata 3 3 0 +arp_cache 6 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0 +PING 0 0 832 9 2 : tunables 54 27 0 : slabdata 0 0 0 +RAW 2 9 832 9 2 : tunables 54 27 0 : slabdata 1 1 0 +UDP 1 9 832 9 2 : tunables 54 27 0 : slabdata 1 1 0 +tw_sock_TCP 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0 
+request_sock_TCP 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0 +TCP 10 12 1728 4 2 : tunables 24 12 0 : slabdata 3 3 0 +eventpoll_pwq 59 106 72 53 1 : tunables 120 60 0 : slabdata 2 2 0 +eventpoll_epi 59 90 128 30 1 : tunables 120 60 0 : slabdata 3 3 0 +sgpool-128 2 2 4096 1 1 : tunables 24 12 0 : slabdata 2 2 0 +sgpool-64 2 2 2048 2 1 : tunables 24 12 0 : slabdata 1 1 0 +sgpool-32 2 4 1024 4 1 : tunables 54 27 0 : slabdata 1 1 0 +sgpool-16 2 8 512 8 1 : tunables 54 27 0 : slabdata 1 1 0 +sgpool-8 2 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0 +scsi_data_buffer 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0 +blkdev_integrity 0 0 112 34 1 : tunables 120 60 0 : slabdata 0 0 0 +blkdev_queue 28 28 2864 2 2 : tunables 24 12 0 : slabdata 14 14 0 +blkdev_requests 22 22 352 11 1 : tunables 54 27 0 : slabdata 2 2 0 +blkdev_ioc 3 48 80 48 1 : tunables 120 60 0 : slabdata 1 1 0 +fsnotify_event_holder 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0 +fsnotify_event 0 0 104 37 1 : tunables 120 60 0 : slabdata 0 0 0 +bio-0 120 120 192 20 1 : tunables 120 60 0 : slabdata 6 6 0 +biovec-256 34 34 4096 1 1 : tunables 24 12 0 : slabdata 34 34 0 +biovec-128 0 0 2048 2 1 : tunables 24 12 0 : slabdata 0 0 0 +biovec-64 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0 +biovec-16 1 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0 bip-256 2 2 4224 1 2 : tunables 8 4 0 : slabdata 2 2 0 -bip-128 0 0 2176 3 2 : tunables 24 12 8 : slabdata 0 0 0 -bip-64 0 0 1152 7 2 : tunables 24 12 8 : slabdata 0 0 0 -bip-16 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0 -bip-4 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0 -bip-1 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0 -sock_inode_cache 666 685 704 5 1 : tunables 54 27 8 : slabdata 137 137 0 -skbuff_fclone_cache 42 42 512 7 1 : tunables 54 27 8 : slabdata 6 6 0 -skbuff_head_cache 302 450 256 15 1 : tunables 120 60 8 : slabdata 30 30 0 -file_lock_cache 38 44 176 22 1 : tunables 120 60 8 : slabdata 2 2 0 -net_namespace 0 0 2112 3 2 : 
tunables 24 12 8 : slabdata 0 0 0 -shmem_inode_cache 774 775 800 5 1 : tunables 54 27 8 : slabdata 155 155 0 -Acpi-Operand 4563 4664 72 53 1 : tunables 120 60 8 : slabdata 88 88 0 -Acpi-ParseExt 0 0 72 53 1 : tunables 120 60 8 : slabdata 0 0 0 -Acpi-Parse 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0 -Acpi-State 0 0 80 48 1 : tunables 120 60 8 : slabdata 0 0 0 -Acpi-Namespace 3311 3312 40 92 1 : tunables 120 60 8 : slabdata 36 36 0 -task_delay_info 332 340 112 34 1 : tunables 120 60 8 : slabdata 10 10 0 -taskstats 5 12 328 12 1 : tunables 54 27 8 : slabdata 1 1 0 -proc_inode_cache 1008 1008 640 6 1 : tunables 54 27 8 : slabdata 168 168 0 -sigqueue 35 48 160 24 1 : tunables 120 60 8 : slabdata 2 2 0 -bdev_cache 32 36 832 4 1 : tunables 54 27 8 : slabdata 9 9 0 -sysfs_dir_cache 11356 11367 144 27 1 : tunables 120 60 8 : slabdata 421 421 0 -mnt_cache 37 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0 -filp 4644 4700 192 20 1 : tunables 120 60 8 : slabdata 235 235 120 -inode_cache 6883 7308 592 6 1 : tunables 54 27 8 : slabdata 1218 1218 0 -dentry 61240 63960 192 20 1 : tunables 120 60 8 : slabdata 3198 3198 0 -names_cache 26 26 4096 1 1 : tunables 24 12 8 : slabdata 26 26 0 -avc_node 510 1239 64 59 1 : tunables 120 60 8 : slabdata 21 21 0 -selinux_inode_security 84206 86072 72 53 1 : tunables 120 60 8 : slabdata 1624 1624 0 -radix_tree_node 11606 11781 560 7 1 : tunables 54 27 8 : slabdata 1683 1683 0 -key_jar 11 20 192 20 1 : tunables 120 60 8 : slabdata 1 1 0 -buffer_head 221526 230214 104 37 1 : tunables 120 60 8 : slabdata 6222 6222 0 -vm_area_struct 12962 13034 200 19 1 : tunables 120 60 8 : slabdata 686 686 0 -mm_struct 145 145 1408 5 2 : tunables 24 12 8 : slabdata 29 29 0 -fs_cache 177 177 64 59 1 : tunables 120 60 8 : slabdata 3 3 0 -files_cache 162 165 704 11 2 : tunables 54 27 8 : slabdata 15 15 0 -signal_cache 208 208 1024 4 1 : tunables 54 27 8 : slabdata 52 52 0 -sighand_cache 201 201 2112 3 2 : tunables 24 12 8 : slabdata 67 67 0 -task_xstate 240 
240 512 8 1 : tunables 54 27 8 : slabdata 30 30 0 -task_struct 306 306 2656 3 2 : tunables 24 12 8 : slabdata 102 102 0 -cred_jar 580 580 192 20 1 : tunables 120 60 8 : slabdata 29 29 0 -anon_vma_chain 7874 8162 48 77 1 : tunables 120 60 8 : slabdata 106 106 0 -anon_vma 5773 5888 40 92 1 : tunables 120 60 8 : slabdata 64 64 0 -pid 322 330 128 30 1 : tunables 120 60 8 : slabdata 11 11 0 -shared_policy_node 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0 -numa_policy 1 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0 -idr_layer_cache 428 434 544 7 1 : tunables 54 27 8 : slabdata 62 62 0 +bip-128 0 0 2176 3 2 : tunables 24 12 0 : slabdata 0 0 0 +bip-64 0 0 1152 7 2 : tunables 24 12 0 : slabdata 0 0 0 +bip-16 0 0 384 10 1 : tunables 54 27 0 : slabdata 0 0 0 +bip-4 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0 +bip-1 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0 +sock_inode_cache 150 160 704 5 1 : tunables 54 27 0 : slabdata 32 32 0 +skbuff_fclone_cache 7 7 512 7 1 : tunables 54 27 0 : slabdata 1 1 0 +skbuff_head_cache 66 105 256 15 1 : tunables 120 60 0 : slabdata 7 7 0 +file_lock_cache 21 22 176 22 1 : tunables 120 60 0 : slabdata 1 1 0 +net_namespace 0 0 2432 3 2 : tunables 24 12 0 : slabdata 0 0 0 +shmem_inode_cache 654 655 784 5 1 : tunables 54 27 0 : slabdata 131 131 0 +Acpi-Operand 1211 1219 72 53 1 : tunables 120 60 0 : slabdata 23 23 0 +Acpi-ParseExt 0 0 72 53 1 : tunables 120 60 0 : slabdata 0 0 0 +Acpi-Parse 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0 +Acpi-State 0 0 80 48 1 : tunables 120 60 0 : slabdata 0 0 0 +Acpi-Namespace 407 460 40 92 1 : tunables 120 60 0 : slabdata 5 5 0 +task_delay_info 102 102 112 34 1 : tunables 120 60 0 : slabdata 3 3 0 +taskstats 0 0 328 12 1 : tunables 54 27 0 : slabdata 0 0 0 +proc_inode_cache 408 408 656 6 1 : tunables 54 27 0 : slabdata 68 68 0 +sigqueue 9 24 160 24 1 : tunables 120 60 0 : slabdata 1 1 0 +bdev_cache 31 32 832 4 1 : tunables 54 27 0 : slabdata 8 8 0 +sysfs_dir_cache 7588 7614 144 27 1 : tunables 
120 60 0 : slabdata 282 282 0 +mnt_cache 27 30 256 15 1 : tunables 120 60 0 : slabdata 2 2 0 +filp 840 840 192 20 1 : tunables 120 60 0 : slabdata 42 42 0 +inode_cache 5826 5826 592 6 1 : tunables 54 27 0 : slabdata 971 971 0 +dentry 189540 189540 192 20 1 : tunables 120 60 0 : slabdata 9477 9477 0 +names_cache 1 1 4096 1 1 : tunables 24 12 0 : slabdata 1 1 0 +avc_node 572 708 64 59 1 : tunables 120 60 0 : slabdata 12 12 0 +selinux_inode_security 43319 46799 72 53 1 : tunables 120 60 0 : slabdata 883 883 0 +radix_tree_node 3018 3598 560 7 1 : tunables 54 27 0 : slabdata 514 514 0 +key_jar 5 20 192 20 1 : tunables 120 60 0 : slabdata 1 1 0 +buffer_head 24452 25493 104 37 1 : tunables 120 60 0 : slabdata 689 689 0 +nsproxy 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0 +vm_area_struct 2565 2565 200 19 1 : tunables 120 60 0 : slabdata 135 135 0 +mm_struct 40 40 1408 5 2 : tunables 24 12 0 : slabdata 8 8 0 +fs_cache 59 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0 +files_cache 44 44 704 11 2 : tunables 54 27 0 : slabdata 4 4 0 +signal_cache 91 91 1088 7 2 : tunables 24 12 0 : slabdata 13 13 0 +sighand_cache 90 90 2112 3 2 : tunables 24 12 0 : slabdata 30 30 0 +task_xstate 48 48 512 8 1 : tunables 54 27 0 : slabdata 6 6 0 +task_struct 96 96 2656 3 2 : tunables 24 12 0 : slabdata 32 32 0 +cred_jar 240 240 192 20 1 : tunables 120 60 0 : slabdata 12 12 0 +anon_vma_chain 1795 2079 48 77 1 : tunables 120 60 0 : slabdata 27 27 0 +anon_vma 1209 1380 40 92 1 : tunables 120 60 0 : slabdata 15 15 0 +pid 107 120 128 30 1 : tunables 120 60 0 : slabdata 4 4 0 +shared_policy_node 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0 +numa_policy 0 0 136 28 1 : tunables 120 60 0 : slabdata 0 0 0 +idr_layer_cache 281 287 544 7 1 : tunables 54 27 0 : slabdata 41 41 0 size-4194304(DMA) 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0 size-4194304 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0 size-2097152(DMA) 0 0 2097152 1 512 : tunables 1 1 0 : slabdata 0 0 0 
@@ -307,36 +250,36 @@ size-524288 0 0 524288 1 128 : tunables 1 1 0 : sla size-262144(DMA) 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0 size-262144 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0 size-131072(DMA) 0 0 131072 1 32 : tunables 8 4 0 : slabdata 0 0 0 -size-131072 1 1 131072 1 32 : tunables 8 4 0 : slabdata 1 1 0 +size-131072 0 0 131072 1 32 : tunables 8 4 0 : slabdata 0 0 0 size-65536(DMA) 0 0 65536 1 16 : tunables 8 4 0 : slabdata 0 0 0 size-65536 2 2 65536 1 16 : tunables 8 4 0 : slabdata 2 2 0 size-32768(DMA) 0 0 32768 1 8 : tunables 8 4 0 : slabdata 0 0 0 size-32768 3 3 32768 1 8 : tunables 8 4 0 : slabdata 3 3 0 size-16384(DMA) 0 0 16384 1 4 : tunables 8 4 0 : slabdata 0 0 0 -size-16384 12 12 16384 1 4 : tunables 8 4 0 : slabdata 12 12 0 +size-16384 7 7 16384 1 4 : tunables 8 4 0 : slabdata 7 7 0 size-8192(DMA) 0 0 8192 1 2 : tunables 8 4 0 : slabdata 0 0 0 -size-8192 27 27 8192 1 2 : tunables 8 4 0 : slabdata 27 27 0 -size-4096(DMA) 0 0 4096 1 1 : tunables 24 12 8 : slabdata 0 0 0 -size-4096 425 425 4096 1 1 : tunables 24 12 8 : slabdata 425 425 0 -size-2048(DMA) 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0 -size-2048 573 578 2048 2 1 : tunables 24 12 8 : slabdata 289 289 0 -size-1024(DMA) 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0 -size-1024 1340 1340 1024 4 1 : tunables 54 27 8 : slabdata 335 335 0 -size-512(DMA) 0 0 512 8 1 : tunables 54 27 8 : slabdata 0 0 0 -size-512 1123 1176 512 8 1 : tunables 54 27 8 : slabdata 147 147 0 -size-256(DMA) 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0 -size-256 930 930 256 15 1 : tunables 120 60 8 : slabdata 62 62 0 -size-192(DMA) 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0 -size-192 2119 2160 192 20 1 : tunables 120 60 8 : slabdata 108 108 0 -size-128(DMA) 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0 -size-64(DMA) 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -size-64 33093 40887 64 59 1 : tunables 120 60 8 : slabdata 693 693 0 -size-32(DMA) 0 0 32 112 1 : tunables 120 60 8 
: slabdata 0 0 0 -size-128 3921 4800 128 30 1 : tunables 120 60 8 : slabdata 160 160 0 -size-32 332389 332976 32 112 1 : tunables 120 60 8 : slabdata 2973 2973 0 -kmem_cache 191 191 32896 1 16 : tunables 8 4 0 : slabdata 191 191 0 +size-8192 12 12 8192 1 2 : tunables 8 4 0 : slabdata 12 12 0 +size-4096(DMA) 0 0 4096 1 1 : tunables 24 12 0 : slabdata 0 0 0 +size-4096 119 119 4096 1 1 : tunables 24 12 0 : slabdata 119 119 0 +size-2048(DMA) 0 0 2048 2 1 : tunables 24 12 0 : slabdata 0 0 0 +size-2048 200 200 2048 2 1 : tunables 24 12 0 : slabdata 100 100 0 +size-1024(DMA) 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0 +size-1024 578 588 1024 4 1 : tunables 54 27 0 : slabdata 147 147 0 +size-512(DMA) 0 0 512 8 1 : tunables 54 27 0 : slabdata 0 0 0 +size-512 608 608 512 8 1 : tunables 54 27 0 : slabdata 76 76 0 +size-256(DMA) 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0 +size-256 815 825 256 15 1 : tunables 120 60 0 : slabdata 55 55 0 +size-192(DMA) 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0 +size-192 1253 1260 192 20 1 : tunables 120 60 0 : slabdata 63 63 0 +size-128(DMA) 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0 +size-64(DMA) 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0 +size-64 23094 25783 64 59 1 : tunables 120 60 0 : slabdata 437 437 0 +size-32(DMA) 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0 +size-128 3271 3450 128 30 1 : tunables 120 60 0 : slabdata 115 115 0 +size-32 352497 352576 32 112 1 : tunables 120 60 0 : slabdata 3148 3148 0 +kmem_cache 183 183 32896 1 16 : tunables 8 4 0 : slabdata 183 183 0 Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed - lo:267102759 105357 0 0 0 0 0 0 267102759 105357 0 0 0 0 0 0 - eth0:1013761672 1354551 0 0 0 0 0 0 245537245 966850 0 0 0 0 0 0 - pan0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + lo: 5243413 23981 0 0 0 0 0 0 5243413 23981 0 0 0 0 0 0 + eth0:25468831 318944 0 0 0 0 0 0 2048323 16057 0 0 0 0 0 0 + eth1: 
1386465 18973 0 0 0 0 0 0 95634 1485 0 0 0 0 0 0 diff --git a/test/aux-fixed/exim-ca/example.net/CA/secmod.db b/test/aux-fixed/exim-ca/example.net/CA/secmod.db index c7f115bd6..f8cc0e78b 100644 Binary files a/test/aux-fixed/exim-ca/example.net/CA/secmod.db and b/test/aux-fixed/exim-ca/example.net/CA/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/expired1.example.net/ca_chain.pem index d0ee0619a..72baaa384 100644 --- a/test/aux-fixed/exim-ca/example.net/expired1.example.net/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/ca_chain.pem 
@@ -3,45 +3,54 @@ Bag Attributes subject=/O=example.net/CN=clica Signing Cert issuer=/O=example.net/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY -392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a -d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit -Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo +cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e +RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW +7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ +ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh +XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.net/CN=clica CA issuer=/O=example.net/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje 
-SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2 -iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALUSMNgU8YE8fsiB8Wm7 +lpclDOwQXJVbP/Ef2NVwoE6NnoPTWMNgvSyCddVz7709URkIy+jtrlpbyQYVdwgO +HAnI8/bx2WoGtGzWTbAM1Mp+WHtiOO7LpsldWQmeHuF9uBOghFytVyqNT2l/iG7x +XQCA6Q6P59vpb3Z+4PH8kgVlAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBACs6X9bwml5hcwf82pyb +bKOnRGP6pJsvx1yv6SULaxg4+mCelEHNPycQqidqs+84RrDma8Kkz3DVZuV11Yca +o2ibon7rWhaTc9SR0j5B8BMU1Z9VEVF5uejepHWf1iCeOhxl6tNQuTTJP0uE4h6h +VAtQ+ux57x052IuOi9FtrqVR -----END CERTIFICATE----- Bag Attributes friendlyName: expired1.example.net - localKeyID: 1E 0D 7E 35 C6 DD 12 8A 56 2B C8 44 4B 60 A9 95 DC 68 6F 37 + localKeyID: 95 17 AC C5 EF E3 7C 42 C9 E2 14 CF CC CA 19 19 06 2B F6 6C subject=/CN=expired1.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwNFoXDTEyMTIwMTEyMzQwNFowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs -ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA+LXqjv5NnRW2OlKWyYYH8ZFb -Fj4xAdg4qSa1WK/wlUUdpQldGzpDuq/BzuyQdJjp1vSnqhKjfxz0ef9xJievdwID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w -bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EA0dUUjXeu21xQo+AsptLSwmzhn+EV8ixI 
-757XRkCnAN0mOZZHcv+imuiEXpf62J+wNyWKNCWu2iPttov/JAcYKA== +MzQxM1oXDTEyMTIwMTEyMzQxM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs +ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlhAgxfclTrlENHgOLp +okcI0OF605Nkvp4mXu+3NkJ7hxHtw5ZemQZr8yPqxCjn8GpuL6ADWdUr0T3eELM5 +bP0EwJqmXbZ+F9rp0DAl50dtGyLFdZMXe7IXe+ej+k2cGqf0M/gNp95AOSekhuwg +8wpCRTeOP6zzK0g4SMjOcw7LAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm5ldC8wHwYDVR0R +BBgwFoIUZXhwaXJlZDEuZXhhbXBsZS5uZXQwDQYJKoZIhvcNAQEFBQADgYEAtoii +zSaNrMH7SDRVVF+A2Ox59vck78T8Kx/YYZz6/p4dgaVWVK6LHzL1VjiYkZwTeSxG +ZgnbqY8JNeGTUlDC0XZLwTmsIufpaeUd75JkvIniI9I9XhmOgwGOrijSqjNDgWyg +DsS34gVsXLkAlSyegGiLY4UWtKPU+oXQLdYa5Vk= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/expired1.example.net/cert8.db index 85ea01713..2d2a9c9aa 100644 Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/cert8.db and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.chain.pem index 1550cf2aa..771e2c6e5 100644 --- a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.chain.pem +++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.chain.pem 
@@ -1,29 +1,35 @@ Bag Attributes friendlyName: expired1.example.net - localKeyID: 1E 0D 7E 35 C6 DD 12 8A 56 2B C8 44 4B 60 A9 95 DC 68 6F 37 + localKeyID: 95 17 AC C5 EF E3 7C 42 C9 E2 14 CF CC CA 19 19 06 2B F6 6C subject=/CN=expired1.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwNFoXDTEyMTIwMTEyMzQwNFowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs -ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA+LXqjv5NnRW2OlKWyYYH8ZFb -Fj4xAdg4qSa1WK/wlUUdpQldGzpDuq/BzuyQdJjp1vSnqhKjfxz0ef9xJievdwID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w -bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EA0dUUjXeu21xQo+AsptLSwmzhn+EV8ixI -757XRkCnAN0mOZZHcv+imuiEXpf62J+wNyWKNCWu2iPttov/JAcYKA== +MzQxM1oXDTEyMTIwMTEyMzQxM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs +ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlhAgxfclTrlENHgOLp +okcI0OF605Nkvp4mXu+3NkJ7hxHtw5ZemQZr8yPqxCjn8GpuL6ADWdUr0T3eELM5 +bP0EwJqmXbZ+F9rp0DAl50dtGyLFdZMXe7IXe+ej+k2cGqf0M/gNp95AOSekhuwg +8wpCRTeOP6zzK0g4SMjOcw7LAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm5ldC8wHwYDVR0R +BBgwFoIUZXhwaXJlZDEuZXhhbXBsZS5uZXQwDQYJKoZIhvcNAQEFBQADgYEAtoii +zSaNrMH7SDRVVF+A2Ox59vck78T8Kx/YYZz6/p4dgaVWVK6LHzL1VjiYkZwTeSxG +ZgnbqY8JNeGTUlDC0XZLwTmsIufpaeUd75JkvIniI9I9XhmOgwGOrijSqjNDgWyg +DsS34gVsXLkAlSyegGiLY4UWtKPU+oXQLdYa5Vk= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt 
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY -392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a -d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit -Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo +cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e +RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW +7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ +ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh +XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.key b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.key index 00adfe834..5397212c4 100644 --- a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.key +++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: expired1.example.net - localKeyID: 1E 0D 7E 35 C6 DD 12 8A 56 2B C8 44 4B 60 A9 95 DC 68 6F 37 + localKeyID: 95 17 AC C5 EF E3 7C 42 C9 E2 14 CF CC CA 19 19 06 2B F6 6C Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIEobdAguY51UCAggA -MBQGCCqGSIb3DQMHBAjyQJzMIkx+swSCAWBoW5JocLm3XvmW7cnK8Np23KqUs4ST -MG68rJY6pLqdGkn8aK0yZfecdpuHoFCZRdxQy9ztdofB50tkr7evlTuM1u40/9b0 -ygZ9ajxESZmF5mS8r6dFGXOBq7UrMpEvod1lujpP3hwtkqJOlPFhacPUestqDjP4 -zDmEmKQYyRx4DQ3QM4T2Wuc1S8TSECcMLsOgZhOxGULIzmtxceftS/V9NYewZsne -Q05TKH7ygWGvUyYEgDlFlBAk8CAiqIBBz3fU2bmWfR5p6hoSTqGeLlAL7fTid8Vf -g4HEfthygRC28+s5r/MbMBJKwTdRHnQbmK4rOxFUhYCkV8Df28Ukx/RaA9CKjbQl -2fnuTRAms72szZRoKsdS3xVgyaOdgdhVJKWP2QAUvzblX/wpKr9BwrbqIhXOqEiv -9/yCVqUg20sjNvYyw/2Zv9t+g9u3d5CMyU37e8AT8X3DExmpleiOdX4J +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIUxc2uzk9xFgCAggA +MBQGCCqGSIb3DQMHBAjVv35cwAcHJwSCAoCFZGCfB6837klYjG3Bc4tCDax/XuNq +KLLVzyT9DH0K/vmyHDUU93GXGhNrNTRkXNZcXHFNWwY/gUi6jvkDNRz9SFmtCWXM +8wj1O9H8fTUF0qJZW8BSK5/sCHLywCLP5UfMJvr4q7Zm/p5RY1lfmrupyeR8RfTz +B+ZLDpO3TJw1fJgM/UyVvZFJsaGNgsj/gDEqSa7sngGDYy04F2PQoyAoorEiCIK1 +n+mWeE1a/rcrfIflcG324v2tHvXYncU0tt10sUsgWxS3YB2x/FJ73VyGZZWvKpsW +WUgz2+NAr/iD6MfcYeAXUT2Kz2fsV9Lbqgxj/fU0vaGops0dtp0WaV2MPUY9t3gw +Iv78OSDnIpmD5L7i7+SVrlo8DxKFjnxtJg3vBDyHbe005Ehsy5/5vcTl9rN+RjJh +meHTY6RPjko1jFKa+xsTN89EJ6ln9fGNppmA71PKiJGLDH17mNo1FuIoMB9vjTqc +gzX5B+Ao6+MH95RwDBdhaaHEJG0V54VVc6fi0agdfZKKIR7OwG/dgqaUpkykKnFh +rQqG75dpyvwK4l11Wvmgblxoxy0IqPZr22t1AKRfZ92MxmQKkmlal7cT1cIgwWc+ +zMQd/LvfEsZbMa5iC5ajATFuxXp1bXlvJviBuyBGDt5oCd5RG94NxSs533T8BAZi +e8YRULQV3JG2ADdrN3yQWX/ZHw9jI+Hgg9JseO2U2I8Q9SSwMz5tB6mdQGPwnV8f +fN/DIiF9TjTWQoJ45q8qJCr4h/UJ8GF5J8h19lh9MHi6VZYbQpjy4NbAwQ6yxNEU +DWan+ET8FLSB6SdeMi1bNBKBoOcMVhLqKIxM9lO+mj+eWlSfOsjd6AKL -----END ENCRYPTED PRIVATE KEY----- 
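Review bot: The regenerated `-----BEGIN ENCRYPTED PRIVATE KEY-----` block carries no hint of the passphrase the test suite needs. The `localKeyID` line changes as well, so this is a new key pair, not a re-wrap of the old one. The PKCS#8 header is unchanged in kind: both the removed and the added blob start with the PBES2 / PBKDF2 / 3DES-CBC prefix and the `AgIIAA` iteration count of 2048. That is acceptable only because the same directory also holds an `.unlocked.key` copy, which means the encryption protects nothing. Please record the passphrase and the command used to regenerate the bundle in the test documentation, or drop the encrypted copy if no test reads it.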
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.dated.resp index 8831013ef..a21dcb5ed 100644 Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.good.resp index 3b2606daa..dbfdc65dd 100644 Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.req index c67ed9cc7..d285a1aa8 100644 Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.req and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.revoked.resp index 6b8b76373..75af81287 100644 Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.ocsp.revoked.resp differ 
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.p12 b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.p12 index 84f4bf58d..bcb3fe10b 100644 Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.p12 and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.p12 differ diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.pem b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.pem index 310db9b2a..3a0150eac 100644 --- a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.pem +++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.pem 
@@ -1,18 +1,21 @@ Bag Attributes friendlyName: expired1.example.net - localKeyID: 1E 0D 7E 35 C6 DD 12 8A 56 2B C8 44 4B 60 A9 95 DC 68 6F 37 + localKeyID: 95 17 AC C5 EF E3 7C 42 C9 E2 14 CF CC CA 19 19 06 2B F6 6C subject=/CN=expired1.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwNFoXDTEyMTIwMTEyMzQwNFowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs -ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA+LXqjv5NnRW2OlKWyYYH8ZFb -Fj4xAdg4qSa1WK/wlUUdpQldGzpDuq/BzuyQdJjp1vSnqhKjfxz0ef9xJievdwID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w -bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EA0dUUjXeu21xQo+AsptLSwmzhn+EV8ixI -757XRkCnAN0mOZZHcv+imuiEXpf62J+wNyWKNCWu2iPttov/JAcYKA== +MzQxM1oXDTEyMTIwMTEyMzQxM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs +ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlhAgxfclTrlENHgOLp +okcI0OF605Nkvp4mXu+3NkJ7hxHtw5ZemQZr8yPqxCjn8GpuL6ADWdUr0T3eELM5 +bP0EwJqmXbZ+F9rp0DAl50dtGyLFdZMXe7IXe+ej+k2cGqf0M/gNp95AOSekhuwg +8wpCRTeOP6zzK0g4SMjOcw7LAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm5ldC8wHwYDVR0R +BBgwFoIUZXhwaXJlZDEuZXhhbXBsZS5uZXQwDQYJKoZIhvcNAQEFBQADgYEAtoii +zSaNrMH7SDRVVF+A2Ox59vck78T8Kx/YYZz6/p4dgaVWVK6LHzL1VjiYkZwTeSxG +ZgnbqY8JNeGTUlDC0XZLwTmsIufpaeUd75JkvIniI9I9XhmOgwGOrijSqjNDgWyg +DsS34gVsXLkAlSyegGiLY4UWtKPU+oXQLdYa5Vk= -----END CERTIFICATE----- 
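Review bot: The replacement leaf certificate is still signed with sha1WithRSAEncryption (the `DQYJKoZIhvcNAQEFBQAD` run appears in both the removed and the added body) and its public key only grows from 512 to 1024 bits, so a TLS library with a stricter signature or key-size policy can reject this fixture for a reason other than expiry. The validity window is unchanged apart from the seconds field and still ends on 1 December 2012, which is the property the `expired1` tests rely on. Consider regenerating with SHA-256 and a 2048-bit key, or have the tests assert the specific verification error, so that a pass always means "rejected because expired".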
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.unlocked.key index 77c8dad1a..45eeef77d 100644 --- a/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.unlocked.key +++ b/test/aux-fixed/exim-ca/example.net/expired1.example.net/expired1.example.net.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOgIBAAJBAPi16o7+TZ0VtjpSlsmGB/GRWxY+MQHYOKkmtViv8JVFHaUJXRs6 -Q7qvwc7skHSY6db0p6oSo38c9Hn/cSYnr3cCAwEAAQJBAK1O9tgV1Te1PXp+upxL -TZXD2FkzlSrX5QPZ+VyHnXolg8XNhx2pA1J4iJrnvooWQRZuWRhi/p8g2ygJ8B6I -60ECIQD/cO5OrdRWg3EBgoCWN7WAZ53qMmSRxAnMt95W5yujGQIhAPlBNzbQr2Z7 -DVvwCc2ERxuaFGTcLZH/x+oRhZ9jr0kPAiB/79froDSRgBPBZdNxaUWGol79RXAJ -cd5WomDBtdatQQIgAVyP1qbRLnghnIz1IMBGOypeTia9wPxqtSafWj2LKZUCID/d -8buaLYm3yYYAQwbTBtb89+gpRg0I51DFS6fNIuU4 +MIICWwIBAAKBgQDZYQIMX3JU65RDR4Di6aJHCNDhetOTZL6eJl7vtzZCe4cR7cOW +XpkGa/Mj6sQo5/Bqbi+gA1nVK9E93hCzOWz9BMCapl22fhfa6dAwJedHbRsixXWT +F3uyF3vno/pNnBqn9DP4DafeQDknpIbsIPMKQkU3jj+s8ytIOEjIznMOywIDAQAB +AoGAO3wuYVBlKxPkWJziijXA8ItbDbjc2QLCnuiFJjgOoxbGmYNk+GsemQFFYdjG +oSMHSTip07HXDVyWP8Xa8BCQ4BMkzBj/1fpasm1t3BHrS8xatukWAvW9xm4rHKo2 +bOZSkoUaJ/IICifBKmlgoyNIocnF5eLEFpmdijK4vQb+BbECQQDuoiW0oZZAAyoA +orZkvuVwfszm//MveYTHxFvcxIA2f7gvuC6JV8Auvo0OxXZ0QLT787TkJYHJnQkv +CdgVMTFnAkEA6TLhWSQH4yu4EytXcQ7V2BbLCZWDavPttGqQz/zcCCvloyDmfdUg +CoXK8H+W6CrwFz7Qyz+FGKcO3rkMa49k/QJASb3ZoQP+BjH0HNYrPt6u0CCe+RNG +9vi6S3EmYgZnCHBXXoev+ckgHlHMDTB/9lS4mNMqpwXgIYlheSO1nnbhKQJAY70N +QND2RqUmP5yj84kC0T8+a8T0xkO6ARYrBaoCecQ8nT6vFlaXM6jxmVcYtgfXVDnb +l3J9fIPHCl9e/ooACQJAGhJ1JPgzQT3QytWx8mmZwuI5JVaRGboz7UQJ+4wTp9JE +4oWHDbtGGanvpCWmMd47BHvOlWHT2iWCxMIez6ZwGg== -----END RSA PRIVATE KEY----- 
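Review bot: The new `-----BEGIN RSA PRIVATE KEY-----` body is an unencrypted key committed in the clear, and nothing in the hunk or the file marks it as disposable test material. The only signal is the `test/aux-fixed` path and the `example.net` name. The header changes from `MIIBOgIBAAJBA` to `MIICWwIBAAKBgQ`, i.e. the modulus goes from 512 to 1024 bits, yet the commit message on this page says only "Merge tag 'exim-4_82_1'". Please add a short README beside the fixtures stating that these keys are public and must never be installed on a real host, and list the directory in any secret-scanning allowlist the project uses so that the scanner's findings elsewhere in the tree stay meaningful.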
diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/expired1.example.net/key3.db index 9919dfab3..8c9fb8dcc 100644 Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/key3.db and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.net/expired1.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/expired1.example.net/secmod.db index 4347c0d82..a9f8a4539 100644 Binary files a/test/aux-fixed/exim-ca/example.net/expired1.example.net/secmod.db and b/test/aux-fixed/exim-ca/example.net/expired1.example.net/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/expired2.example.net/ca_chain.pem index 323ae1688..9b0038b1c 100644 --- a/test/aux-fixed/exim-ca/example.net/expired2.example.net/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/ca_chain.pem 
@@ -3,45 +3,54 @@ Bag Attributes subject=/O=example.net/CN=clica Signing Cert issuer=/O=example.net/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY -392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a -d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit -Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo +cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e +RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW +7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ +ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh +XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.net/CN=clica CA issuer=/O=example.net/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje 
-SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2 -iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALUSMNgU8YE8fsiB8Wm7 +lpclDOwQXJVbP/Ef2NVwoE6NnoPTWMNgvSyCddVz7709URkIy+jtrlpbyQYVdwgO +HAnI8/bx2WoGtGzWTbAM1Mp+WHtiOO7LpsldWQmeHuF9uBOghFytVyqNT2l/iG7x +XQCA6Q6P59vpb3Z+4PH8kgVlAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBACs6X9bwml5hcwf82pyb +bKOnRGP6pJsvx1yv6SULaxg4+mCelEHNPycQqidqs+84RrDma8Kkz3DVZuV11Yca +o2ibon7rWhaTc9SR0j5B8BMU1Z9VEVF5uejepHWf1iCeOhxl6tNQuTTJP0uE4h6h +VAtQ+ux57x052IuOi9FtrqVR -----END CERTIFICATE----- Bag Attributes friendlyName: expired2.example.net - localKeyID: 1A 68 61 A3 03 A4 DC 65 19 7A 7E 5E 65 37 39 DB E3 CB 56 AC + localKeyID: 4C 57 EE 41 10 81 8F 15 98 AD 20 D9 85 06 8B 7D A2 3A 4D 05 subject=/CN=expired2.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDVaFw0xMjEyMDExMjM0MDVaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w -bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMRPNIrjXhmHfWrc/c+K9esj -3cXECi38lpKgZyhqN8CjRvifIaMoZaCPoXoppyC3MmtLhT5JnYe8+1vSApl9jPUC -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt -cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAMmrnrUFZRECJcDk4BGSMQp5vvC/uHi0 
-1NSP3Ki4Yu+CbXUHtgZqwOB5abU8INeLbJoab2stMFsdevzRYuuqb7s= +MjM0MTRaFw0xMjEyMDExMjM0MTRaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w +bGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXEgubmOBQOTfeVoMK +VTyqO7QB9NUL0gMxPgF/Cv+r14dpuAEMmzB5w0waANwVyJ3RHeqMCx9uHCLpk37W +2LSIsx3j74Oz6Plyh+vac3HDv6Z2TapetEiwTz/XaaObAaU3WHt2pIpPkju8xlqP +s9tgzD8i3VMZqSQMC+8+HMGELwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1Ud +EQQYMBaCFGV4cGlyZWQyLmV4YW1wbGUubmV0MA0GCSqGSIb3DQEBBQUAA4GBAE6e +wvdUVSaQqtamGhj7R4SRX6606y4bG+/RUmFRLZWXzoUmCTA8za0A8fK4uxHUcGnV +LNWL5SpOxdDhRNuOgRqLG1J5h6gBDfrNz2ifsPqkrVXGkWWGSML4OLDhB5NIwT3W +76zE2YzQAfjdQGYqlJ+guw6qP503tFzletcxOk5b -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/expired2.example.net/cert8.db index 6df2cda50..afa8daa02 100644 Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/cert8.db and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.chain.pem index b8e34d0eb..f31b427e4 100644 --- a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.chain.pem +++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.chain.pem 
@@ -1,29 +1,35 @@ Bag Attributes friendlyName: expired2.example.net - localKeyID: 1A 68 61 A3 03 A4 DC 65 19 7A 7E 5E 65 37 39 DB E3 CB 56 AC + localKeyID: 4C 57 EE 41 10 81 8F 15 98 AD 20 D9 85 06 8B 7D A2 3A 4D 05 subject=/CN=expired2.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDVaFw0xMjEyMDExMjM0MDVaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w -bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMRPNIrjXhmHfWrc/c+K9esj -3cXECi38lpKgZyhqN8CjRvifIaMoZaCPoXoppyC3MmtLhT5JnYe8+1vSApl9jPUC -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt -cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAMmrnrUFZRECJcDk4BGSMQp5vvC/uHi0 -1NSP3Ki4Yu+CbXUHtgZqwOB5abU8INeLbJoab2stMFsdevzRYuuqb7s= +MjM0MTRaFw0xMjEyMDExMjM0MTRaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w +bGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXEgubmOBQOTfeVoMK +VTyqO7QB9NUL0gMxPgF/Cv+r14dpuAEMmzB5w0waANwVyJ3RHeqMCx9uHCLpk37W +2LSIsx3j74Oz6Plyh+vac3HDv6Z2TapetEiwTz/XaaObAaU3WHt2pIpPkju8xlqP +s9tgzD8i3VMZqSQMC+8+HMGELwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1Ud +EQQYMBaCFGV4cGlyZWQyLmV4YW1wbGUubmV0MA0GCSqGSIb3DQEBBQUAA4GBAE6e +wvdUVSaQqtamGhj7R4SRX6606y4bG+/RUmFRLZWXzoUmCTA8za0A8fK4uxHUcGnV +LNWL5SpOxdDhRNuOgRqLG1J5h6gBDfrNz2ifsPqkrVXGkWWGSML4OLDhB5NIwT3W +76zE2YzQAfjdQGYqlJ+guw6qP503tFzletcxOk5b -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt 
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY -392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a -d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit -Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo +cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e +RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW +7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ +ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh +XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.key b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.key index 382ad41b9..3401c126e 100644 --- a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.key +++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: expired2.example.net - localKeyID: 1A 68 61 A3 03 A4 DC 65 19 7A 7E 5E 65 37 39 DB E3 CB 56 AC + localKeyID: 4C 57 EE 41 10 81 8F 15 98 AD 20 D9 85 06 8B 7D A2 3A 4D 05 Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIU+oGNqBSHjcCAggA -MBQGCCqGSIb3DQMHBAjYaI7Iob+lDASCAWDAZIbvl/AbphvMZhynrCFGzj6iN309 -N+U1mQPGWD6hisPfA4aTpIQyHtVah6KCE1fbzGFgiNULsfByVj4XBRbetiVKMuWA -xs/EEcPhNRG0KOeRxzDtSpM0lG078XAC4p7wgqvhf4R9524Vq4PpYzt+tKfh0rPC -leF7VFJ5vi7Tms7q1wqtL76Wgibq4m43XoFrYMbQL2qbXl98rRAP6R6u852f4L/D -Cy1EGsgWIdGjCPQRxdwC0Vf1vIjaspXBmVhbFJR9Djp48DShbAO11cXRSIligH6t -7p+aesQM/illunmCaMzMYFAjdrMYZEO1bqVdU5Nd7/tlQQLgHSdo+iD6XLnci7dw -elQ9bRxYVMEDX16kTXd4NU6xP0Zpac5XHu4ji2PKlSOSxQh5GbPICXdEH7K/Oshv -CUIZbYnlGsOT2uFgnChtUeIwc6OXcSv3LLXIwzg0ec7yN83j0r3jQRQx +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIVx/Vy3DgJSECAggA +MBQGCCqGSIb3DQMHBAj90r/LCeWw8wSCAoB4xKSRp9hTsIfobieMallpU3Jk8Oy4 +wZieRLtvch0Bteo1H5UfnRgQo0djdTV7JGE94Kelh9o72pkv1hyIwfDhYlA4nACM +4gVUfhi2B93zLgKD2KqYWjD3xKo+ci11q0ByklsoHRsiixP5rA0dZaAvru9p8Gog +xx8vubDRer8coZLOEoaRtl7bV27d1N8GJPOCWu5SAR4xk76SAXUoUSThS1WrhKWK +ZRNSEcHN5xyi4RSRvOon1WP1mhVkW8wbgjXKHuGyIOlP9NdgGJ+1YNUH1pWngg3p +kZaMOy9A+gsE3w2owfqIpZtvbT8ByQTiwxpuTGS5O3lDF6IY1a+dYc1Hxa6KSktC +stTL/OI97sTS+g417AWlVT6rEsAHwLETE/Ve3EygkFC0LM5QmX8rtsrQT8ZLvI1B +53ocek2fIlXsCWzJL4Pd4to+CwZATHEjPCobXfNZrvuJ7PiYQQcPCzzJz7XZnPyN +Hw5hFhAKKfHXCjt/NnA8Nzqn21KHv76WVPZLlCQu8OnCRw0Zg2kK+R/km4CpCyXd +CivWV3Te8JmuISVZth6TK+5AWjpb/2MRm+1+aAsnYsK36TTxBBmC8VzhBbYdStKZ +4TOypvo0sVVQeXfGWEjrsWytbepQlSErhXZ7q6vceHEtYTdEcM2YiFPA59axF+r9 +2H4A97AKMreFchLoJHEPZ1KVzfL8SI73UfsV7vzWow8kseP9DS33/mV1LV1rzbPb +yiYZOjwYdnWqTfWmQm2AD29TTmBR85xapRDZkQXA6/FRFyFRVBpiGuiuCNOqGF9X +7Kplfv/q8aienf2ULf7lVOb6SQ5urAxcevzablwUOgG9WopZad2pfs5K -----END ENCRYPTED PRIVATE KEY----- 
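Review bot: the passphrase for this re-wrapped key is not stated anywhere in the hunk or in the commit message, so a test that has to load expired2.example.net.key depends on knowledge kept outside the tree. The unchanged PKCS#8 prefix (MI...BABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI, then AgIIAA and MBQGCCqGSIb3DQMH) shows the wrapping is still PBES2 with PBKDF2 at 2048 iterations and des-ede3-cbc, exactly as before; only the key inside grew. Please record the passphrase, or where the test harness gets it, next to the fixture. If the wrapping parameters are deliberate for compatibility with the TLS libraries under test, say so there as well.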
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.dated.resp index 7f6c27bf7..a75c7b15a 100644 Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.good.resp index a9ad37057..2c13bef79 100644 Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.req index 4684f0756..8e4593f88 100644 Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.req and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.revoked.resp index a9ad37057..2c13bef79 100644 Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.ocsp.revoked.resp differ 
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.p12 b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.p12 index 8f9ef945b..8a8b6de5f 100644 Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.p12 and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.p12 differ diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.pem b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.pem index 8c10ace44..ffa8d6cf1 100644 --- a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.pem +++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.pem 
@@ -1,18 +1,21 @@ Bag Attributes friendlyName: expired2.example.net - localKeyID: 1A 68 61 A3 03 A4 DC 65 19 7A 7E 5E 65 37 39 DB E3 CB 56 AC + localKeyID: 4C 57 EE 41 10 81 8F 15 98 AD 20 D9 85 06 8B 7D A2 3A 4D 05 subject=/CN=expired2.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDVaFw0xMjEyMDExMjM0MDVaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w -bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMRPNIrjXhmHfWrc/c+K9esj -3cXECi38lpKgZyhqN8CjRvifIaMoZaCPoXoppyC3MmtLhT5JnYe8+1vSApl9jPUC -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt -cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAMmrnrUFZRECJcDk4BGSMQp5vvC/uHi0 -1NSP3Ki4Yu+CbXUHtgZqwOB5abU8INeLbJoab2stMFsdevzRYuuqb7s= +MjM0MTRaFw0xMjEyMDExMjM0MTRaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w +bGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXEgubmOBQOTfeVoMK +VTyqO7QB9NUL0gMxPgF/Cv+r14dpuAEMmzB5w0waANwVyJ3RHeqMCx9uHCLpk37W +2LSIsx3j74Oz6Plyh+vac3HDv6Z2TapetEiwTz/XaaObAaU3WHt2pIpPkju8xlqP +s9tgzD8i3VMZqSQMC+8+HMGELwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1Ud +EQQYMBaCFGV4cGlyZWQyLmV4YW1wbGUubmV0MA0GCSqGSIb3DQEBBQUAA4GBAE6e +wvdUVSaQqtamGhj7R4SRX6606y4bG+/RUmFRLZWXzoUmCTA8za0A8fK4uxHUcGnV +LNWL5SpOxdDhRNuOgRqLG1J5h6gBDfrNz2ifsPqkrVXGkWWGSML4OLDhB5NIwT3W +76zE2YzQAfjdQGYqlJ+guw6qP503tFzletcxOk5b -----END CERTIFICATE----- 
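Review bot: the reissued leaf certificate still embeds an OCSP responder URI that decodes to http://oscp/example.net/ (the run aHR0cDovL29zY3AvZXhhbXBsZS5uZXQv in the + lines), which reads like a transposed "ocsp" with the domain pushed into the path. If no test ever dereferences the AIA extension this is harmless, but every certificate in the tree is being regenerated in this change, so this is the cheap moment to correct it or to note beside the fixtures that the value is intentional. The signature algorithm is also unchanged at sha1WithRSAEncryption (MA0GCSqGSIb3DQEBBQUA); only the subject key moved from a 512-bit to a 1024-bit modulus. It would help to state in the commit message that the larger key was the sole purpose of the reissue.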
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.unlocked.key index 12a48de18..1f34a79e7 100644 --- a/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.unlocked.key +++ b/test/aux-fixed/exim-ca/example.net/expired2.example.net/expired2.example.net.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOgIBAAJBAMRPNIrjXhmHfWrc/c+K9esj3cXECi38lpKgZyhqN8CjRvifIaMo -ZaCPoXoppyC3MmtLhT5JnYe8+1vSApl9jPUCAwEAAQJAOCkksfs8B3ewlKrmXcK2 -ee/H2XUtKFzTwtzqxjAlBRHwxgSOZr4rn10t+R4j6cvLqhfbXGu0p+1oGgFCYAe6 -/QIhAOU/L1TRGgE1Q0gR+BSyWTlHNSXu1wmy0j/nVSk1fb2bAiEA2zgBX7vxRt1M -d7AKLfqjpMKolmMUyWNQdGFI/+Ch0K8CIHsFMkAgygS18XoecnOg1bKgHMxTZEBH -Hv6+BHxNwUFbAiBpXA98/Y1G69F2rMsXsiC4bT4tmU1CRVNDvAYjxMjAzQIhAOHO -1ynQHqtSfjlkpZtcNqey2SlcqXz7xI/aEXVYj5Q4 +MIICXQIBAAKBgQDXEgubmOBQOTfeVoMKVTyqO7QB9NUL0gMxPgF/Cv+r14dpuAEM +mzB5w0waANwVyJ3RHeqMCx9uHCLpk37W2LSIsx3j74Oz6Plyh+vac3HDv6Z2Tape +tEiwTz/XaaObAaU3WHt2pIpPkju8xlqPs9tgzD8i3VMZqSQMC+8+HMGELwIDAQAB +AoGBAKfLeWj1FhUg/xilkGkwZTs/h0p7dPha6oixosM2lpDAf/KYT6FBNsnY9/fV +seAA/DfZylNmnifvJcHshGok+nu6VjWekae6GP5U3HiOIThNqJRt4iky5q8Q2RKM +I29fTeOWPeYHXy/YpLuAF+ZuTTCkc/WzN9o29/8xN1SrONfRAkEA8QiBbyOnhNh7 +6e4z0rXtbI88muLGs+S27pokTf5YlZbyLuNS9cJgvkafX7mA2n6fc4aatppUC/np +WZ+s/U4KqQJBAORs1TUIQ3yStul6gc9sO5YuhXaQyNO3RYR5kCzDgfbKmXm2/+c2 +AVLgKTAJ3yOGL7ZLPmk2rzg6Pc6XX826dxcCQHTL51SAlXNFJ75yg8AuEg+R1Q9E +pn6TbKVwIfl9L1XFYDOiShf2icSKGj5beHnn88IaTqv/Woy3HAEm47+W6okCQDZ8 +44rn8rk3ghxFlct1xOz5Ier7dHxUPmfwW3ziEhFdmKiZB4gOsNglEo4b/LdLnfv9 +DOEqIzflZLLwFvFLJncCQQCdNUfRNBWn832WkGQHIwvMpMq3vjwyVUCPOq8Hz9jK +cDNuKQfw8/ZbH/IRDqgTsSWUDoZlIj3CTGeygPYEfGTg -----END RSA PRIVATE KEY----- 
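Review bot: this hunk checks an unencrypted RSA private key into test/aux-fixed, and nothing in the change says how the replacement was generated. The DER prefix changes from MIIBOgIBAAJBA to MIICXQIBAAKBgQ, i.e. the modulus goes from 512 to 1024 bits, so the whole exim-ca tree was evidently rebuilt by a tool run. Please add the command or script used, so the .pem, .chain.pem, .p12, NSS .db and OCSP response files can be reproduced as a consistent set. Please also add a short README in exim-ca stating that these keys are public test material and must not be deployed. The same point applies to revoked1.example.net.unlocked.key later in the patch.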
diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/expired2.example.net/key3.db index 4489ac32f..028ea9d75 100644 Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/key3.db and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.net/expired2.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/expired2.example.net/secmod.db index 372213dd5..1cfbdb2d0 100644 Binary files a/test/aux-fixed/exim-ca/example.net/expired2.example.net/secmod.db and b/test/aux-fixed/exim-ca/example.net/expired2.example.net/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/ca_chain.pem index cba5fac7b..5fe6ce547 100644 --- a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/ca_chain.pem 
@@ -3,45 +3,54 @@ Bag Attributes subject=/O=example.net/CN=clica Signing Cert issuer=/O=example.net/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY -392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a -d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit -Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo +cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e +RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW +7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ +ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh +XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.net/CN=clica CA issuer=/O=example.net/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje 
-SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2 -iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALUSMNgU8YE8fsiB8Wm7 +lpclDOwQXJVbP/Ef2NVwoE6NnoPTWMNgvSyCddVz7709URkIy+jtrlpbyQYVdwgO +HAnI8/bx2WoGtGzWTbAM1Mp+WHtiOO7LpsldWQmeHuF9uBOghFytVyqNT2l/iG7x +XQCA6Q6P59vpb3Z+4PH8kgVlAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBACs6X9bwml5hcwf82pyb +bKOnRGP6pJsvx1yv6SULaxg4+mCelEHNPycQqidqs+84RrDma8Kkz3DVZuV11Yca +o2ibon7rWhaTc9SR0j5B8BMU1Z9VEVF5uejepHWf1iCeOhxl6tNQuTTJP0uE4h6h +VAtQ+ux57x052IuOi9FtrqVR -----END CERTIFICATE----- Bag Attributes friendlyName: revoked1.example.net - localKeyID: 3A 08 2E BA 85 F0 DD 7E C5 FE 51 92 BD 0B C7 35 9D 56 6B A5 + localKeyID: C6 B2 B8 34 FA C7 C9 8E E1 B8 07 7F B4 BD 83 C0 75 0F 5D F4 subject=/CN=revoked1.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwNFoXDTM4MDEwMTEyMzQwNFowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs -ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAr20bGUprpXdQGlk/FW+RJ19l -FZ//slFysFeG3PEVjVjCnvsoxBFZJFVyfHhyxTvVYdoC6BVZfs9HRAjgZuBImQID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w -bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EACw87yNDj6DBkvF+i1qUyw6vqijmPyOQZ 
-4S+UOCyyNSsJrA1VMjRjAqGTgyU0OFtfcGuhvZ1ZnlFrvVog/icGcw== +MzQxMloXDTM4MDEwMTEyMzQxMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs +ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANpxOtIHAc+C9AgJudRl +8x4gNYbKoNoAM5nzCNv7ou3KKh05w3BwBPsbEl88KWOpiEc3CbLYFZva5z34A4Gf +cwMYHjqWWThXOe4L06C3fTWT4oQM4906KloEPHFrIWyyVbFuhVpoyR/wC/BwJqCx +Mc2fMUGwN1YAFJUKxUZR62NzAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm5ldC8wHwYDVR0R +BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5uZXQwDQYJKoZIhvcNAQEFBQADgYEAoB/8 +WmtU0/qjy0TglfTk+etUveul1GHAKdpBxq9UkVKWxQZrek9TFHpMTnlEUZpSS5PO +1lXj9VckDNThQROcGg+bL9p6ZXeb7pOIY16TFyjycjhRPyukIprcoBvDyCoMH29y +PrtI7xLKj4UBZEoJf7/+BKV24Nk7V8yAvCI8tYM= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/cert8.db index e10dae1bc..38a8787e5 100644 Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/cert8.db and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/key3.db index 57ab10321..d70c843d6 100644 Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/key3.db and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.chain.pem index 6db70169c..7dc42a972 100644 --- a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.chain.pem +++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.chain.pem 
@@ -1,29 +1,35 @@ Bag Attributes friendlyName: revoked1.example.net - localKeyID: 3A 08 2E BA 85 F0 DD 7E C5 FE 51 92 BD 0B C7 35 9D 56 6B A5 + localKeyID: C6 B2 B8 34 FA C7 C9 8E E1 B8 07 7F B4 BD 83 C0 75 0F 5D F4 subject=/CN=revoked1.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwNFoXDTM4MDEwMTEyMzQwNFowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs -ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAr20bGUprpXdQGlk/FW+RJ19l -FZ//slFysFeG3PEVjVjCnvsoxBFZJFVyfHhyxTvVYdoC6BVZfs9HRAjgZuBImQID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w -bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EACw87yNDj6DBkvF+i1qUyw6vqijmPyOQZ -4S+UOCyyNSsJrA1VMjRjAqGTgyU0OFtfcGuhvZ1ZnlFrvVog/icGcw== +MzQxMloXDTM4MDEwMTEyMzQxMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs +ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANpxOtIHAc+C9AgJudRl +8x4gNYbKoNoAM5nzCNv7ou3KKh05w3BwBPsbEl88KWOpiEc3CbLYFZva5z34A4Gf +cwMYHjqWWThXOe4L06C3fTWT4oQM4906KloEPHFrIWyyVbFuhVpoyR/wC/BwJqCx +Mc2fMUGwN1YAFJUKxUZR62NzAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm5ldC8wHwYDVR0R +BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5uZXQwDQYJKoZIhvcNAQEFBQADgYEAoB/8 +WmtU0/qjy0TglfTk+etUveul1GHAKdpBxq9UkVKWxQZrek9TFHpMTnlEUZpSS5PO +1lXj9VckDNThQROcGg+bL9p6ZXeb7pOIY16TFyjycjhRPyukIprcoBvDyCoMH29y +PrtI7xLKj4UBZEoJf7/+BKV24Nk7V8yAvCI8tYM= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt 
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY -392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a -d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit -Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo +cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e +RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW +7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ +ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh +XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.key b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.key index d67c105c2..67f429b59 100644 --- a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.key +++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: revoked1.example.net - localKeyID: 3A 08 2E BA 85 F0 DD 7E C5 FE 51 92 BD 0B C7 35 9D 56 6B A5 + localKeyID: C6 B2 B8 34 FA C7 C9 8E E1 B8 07 7F B4 BD 83 C0 75 0F 5D F4 Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQITLxrgeizo7ACAggA -MBQGCCqGSIb3DQMHBAiR0pknm91lSASCAWAoe8AKx1R5elFbE1FAZaGyPjegmgc5 -qFLKuVzK43OMKRphZJPKRSa12rzz40qRozJItXiDNL1+qt+IbOirtUlvvKu+5cdC -oHQgSjA58Is1DN6f+OqD7v7S1ZdXrtyMmtvaHLfjsgX7f9acq8Q7OrcdVcJksVRL -7yCULtR0NRxG+elh5lF9SNY+1f8Hee/dfP3LmyE+leO5ECfOWcIFLBCjLbdmMQFf -lIodgPiy1qjuGwuXZQy/3s1tZ4p2R6dQ7FrPWCyDAxkd/Vw5+BWZ/UJD8GDKtvLL -E9lyYuUg7KUaWiSSdsHmXMyrs+xdW+1GHqAVkuJqjWR2nxtXBDQ7GIaDfZr7nosR -OR5ABpVtZ0eAiJz7qX3WjxtoQJ/7RRPYOnINzyRVgHHHVekyFdYd1OiQDgVoh+08 -HOOA6ZbXLyOCGqh5Syp0RAn7d8qSfX/Z8l6wnxblNG16noDPRbNGf9rU +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIvvFLah6OKzwCAggA +MBQGCCqGSIb3DQMHBAinGg7Lbn4gWwSCAoDWgZmIa/W0nhBW4CDqAJRok/fKaTp2 +Meq5m4AwZUVJmMBX3TQa8S7Ea/18TsBaIhzL2Klbea9x0oa2m/U3af6mytzlkRWU +7UkgdsKjWa1GHvvA1EBnDteMK5Zhx8mlRw1MzFbHDRkkhaAY+qmOLU72DvKKm5iz +lFrTu9OTefxa1LGGOQ77l/oULkhpRE68uBRpu3vHFWYCJ978vdk72OwxkSyhK2OY +HOXZ/U7CzG9u8PFAb/Qdd06UGLhXPS7NpNjE82zD1tr8lKitpQqQZOKnDVksThU3 +sF6rgWkwJB4ubDpeEyNAuKXuQM5/9pdYL11iJGASMwKKhV6jqyGktWTFodg/oWcm +nRmG3HTPpqewMJ228nsmV3N1PrucW210Bp6svUyoM8OvC5yMT9b0BR3STAxW01ft +Ock7gkU4YvsaJ/tvUrifcPWuoyLm196dYOlVK9voszMBwfOjHwOaM/kloVKrYA5L +Mn6Xk8fe+tSvHMf2J81fDDzQDoaUbniKhNSfn1mfp1UGJQfBqqyAVfGikaA7NJ5/ +a96vf442lveZFBNDzoMztiDNseswGeWAKFfHJhEMGzNZm3SxIJvGNTvKjeHJ30S3 +Qgm52ckB+520VeDP+Ehtmx+zBoxPBxdIt9igh0rB0a3MhnpUsyxZwtvLVcPQ1zBg +1mrDOfK0A/OMPpy8Es9N8JGwftrcdKbXdPWHh3n4ZbKeB9Ub+mEiuXrMIB7YrcoM +Y25+nh2Qu4vRjkUI/Hmuw2UpXRWrcoGGTFcjLc1zmTs2tXS3+RVb5s8C+9fOTsdL +Skwb7ln43ONDVpOOrnisdVPNuuR9bHYHqSPPePUg+AMyfjk27Y73I5Q8 -----END ENCRYPTED PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.dated.resp index 3c7ac6963..473e0f1ee 100644 Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.good.resp index 71c6b2daf..a2974fd8c 100644 Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.req index 829b621ec..c724cf740 100644 Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.req and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.revoked.resp index 8549f0ecf..d15f9be19 100644 Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.ocsp.revoked.resp differ 
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.p12 b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.p12 index 91af59f33..41d170d31 100644 Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.p12 and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.p12 differ diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.pem b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.pem index 286a0ef7b..349573700 100644 --- a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.pem +++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.pem 
@@ -1,18 +1,21 @@ Bag Attributes friendlyName: revoked1.example.net - localKeyID: 3A 08 2E BA 85 F0 DD 7E C5 FE 51 92 BD 0B C7 35 9D 56 6B A5 + localKeyID: C6 B2 B8 34 FA C7 C9 8E E1 B8 07 7F B4 BD 83 C0 75 0F 5D F4 subject=/CN=revoked1.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwNFoXDTM4MDEwMTEyMzQwNFowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs -ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAr20bGUprpXdQGlk/FW+RJ19l -FZ//slFysFeG3PEVjVjCnvsoxBFZJFVyfHhyxTvVYdoC6BVZfs9HRAjgZuBImQID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w -bGUubmV0MA0GCSqGSIb3DQEBBQUAA0EACw87yNDj6DBkvF+i1qUyw6vqijmPyOQZ -4S+UOCyyNSsJrA1VMjRjAqGTgyU0OFtfcGuhvZ1ZnlFrvVog/icGcw== +MzQxMloXDTM4MDEwMTEyMzQxMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs +ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANpxOtIHAc+C9AgJudRl +8x4gNYbKoNoAM5nzCNv7ou3KKh05w3BwBPsbEl88KWOpiEc3CbLYFZva5z34A4Gf +cwMYHjqWWThXOe4L06C3fTWT4oQM4906KloEPHFrIWyyVbFuhVpoyR/wC/BwJqCx +Mc2fMUGwN1YAFJUKxUZR62NzAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm5ldC8wHwYDVR0R +BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5uZXQwDQYJKoZIhvcNAQEFBQADgYEAoB/8 +WmtU0/qjy0TglfTk+etUveul1GHAKdpBxq9UkVKWxQZrek9TFHpMTnlEUZpSS5PO +1lXj9VckDNThQROcGg+bL9p6ZXeb7pOIY16TFyjycjhRPyukIprcoBvDyCoMH29y +PrtI7xLKj4UBZEoJf7/+BKV24Nk7V8yAvCI8tYM= -----END CERTIFICATE----- 
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.unlocked.key index 412042feb..bf81fe4b2 100644 --- a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.unlocked.key +++ b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/revoked1.example.net.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOwIBAAJBAK9tGxlKa6V3UBpZPxVvkSdfZRWf/7JRcrBXhtzxFY1Ywp77KMQR -WSRVcnx4csU71WHaAugVWX7PR0QI4GbgSJkCAwEAAQJAMvRiFqqDMgDCB6U8qaFK -bEFNP0bGIql9wrLpvWtZc0CFyhV6LSjMBQSQp92r1tMlB4NKQ7leLb7XXgrPRswY -AQIhANW94AFeO6+yIhd1OQuizl8SBQwCi0gvlMqsrf3kyDrZAiEA0hv3G/VQWPKY -n/wikupIE/8jbJvLWLRYYWn6eGg6Y8ECIQC7RN0a1cFdsqkD/IS6mS5PRa5+U0xN -NsMawCjBps14IQIhAL24JLypGSEIBYrIl8uDIwxzYGBMmSQCzJ9Bm7onmznBAiAe -YGSy1e3Vji/YwZGuEyGrVl+BEIQ1p0vUgRZ7aEpVpQ== +MIICXAIBAAKBgQDacTrSBwHPgvQICbnUZfMeIDWGyqDaADOZ8wjb+6LtyiodOcNw +cAT7GxJfPCljqYhHNwmy2BWb2uc9+AOBn3MDGB46llk4VznuC9Ogt301k+KEDOPd +OipaBDxxayFsslWxboVaaMkf8AvwcCagsTHNnzFBsDdWABSVCsVGUetjcwIDAQAB +AoGAeIrFX8MYH6/vBESBtJCx0W0KvKAylTpJP2oa+HHrHfdSuB/5FqHqTbtJrx4e +5O1X05yukG+ntQLeWpbzMGOR7hyhaVErZAzxahab6Wi5acUWcQpI/oClzqxHHswz +TaIylvaHYEwOCunrM5sj7BfB1gX1rp/0p4sLWkTKZ4o+GvECQQD8j9iG0wMutVyu +Ow2ElGbUHOXzxqKuxhUBuLah9S+28Fu/rEdQZ6qpnOHf1tvYF9VKcp3aIMD2ZF21 +AH8z23cLAkEA3Wp6/NMQ9nJ3q31ZriEHrBWtKAdXy8xb7hDV0vY+SbveyfMjtLB9 +3KDPIu2kjrSFJ83nj3n9z7NdK2QYU47mOQJAQ4dmmq4C9NMzQ7awZ5mSYPaVGXgr ++VUnOr2bv3QiXOSpc3dp3frJ6+3xivsU7xN4SR6aTD9juL2fPI00dbYhfwJAAN1p +nZM1fcD0trbGoud+IC31fzKIJUOnGEb4jtpnY+JX/HH2sb3+v93g8UH8YpJR8tXb +EbRoSWdp9cFuVuU4AQJBAIfT/Fv5fS3wunAxWoJREcZNE3QoIrZ2elqZCETkaQpE +GdF6kOzF1S9xH10p4jvrmaT9vIw5nQOtSWprWje5lcc= -----END RSA PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/secmod.db index d38550fce..2b46ffb24 100644 Binary files a/test/aux-fixed/exim-ca/example.net/revoked1.example.net/secmod.db and b/test/aux-fixed/exim-ca/example.net/revoked1.example.net/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/ca_chain.pem index 9bd361734..97d1d5786 100644 --- a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/ca_chain.pem 
@@ -3,45 +3,54 @@ Bag Attributes subject=/O=example.net/CN=clica Signing Cert issuer=/O=example.net/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY -392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a -d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit -Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo +cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e +RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW +7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ +ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh +XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.net/CN=clica CA issuer=/O=example.net/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje 
-SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2 -iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALUSMNgU8YE8fsiB8Wm7 +lpclDOwQXJVbP/Ef2NVwoE6NnoPTWMNgvSyCddVz7709URkIy+jtrlpbyQYVdwgO +HAnI8/bx2WoGtGzWTbAM1Mp+WHtiOO7LpsldWQmeHuF9uBOghFytVyqNT2l/iG7x +XQCA6Q6P59vpb3Z+4PH8kgVlAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBACs6X9bwml5hcwf82pyb +bKOnRGP6pJsvx1yv6SULaxg4+mCelEHNPycQqidqs+84RrDma8Kkz3DVZuV11Yca +o2ibon7rWhaTc9SR0j5B8BMU1Z9VEVF5uejepHWf1iCeOhxl6tNQuTTJP0uE4h6h +VAtQ+ux57x052IuOi9FtrqVR -----END CERTIFICATE----- Bag Attributes friendlyName: revoked2.example.net - localKeyID: 60 8E D5 FB A7 97 B2 E8 F9 84 11 4F 91 1D 3C 91 B8 19 E8 97 + localKeyID: 70 BF 9C CD 8D 0C AB 91 82 4D 75 C2 EF AF DC 82 97 0B 7D 55 subject=/CN=revoked2.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDRaFw0zODAxMDExMjM0MDRaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w -bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMj2mEnZY8N38XJ5ZLTymH2J -hBNiubBU4ddvVQ0y48E/b5fbYwJI458bKgyNhqQtO/MG15oIndFpbazcp1p8++8C -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt -cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAD46Iw05ofRAaw9+yeTDPIydjl1Pkb1/ 
-ma4/qSK7p8BU/pMN3SH4qxKW7z6nNregMW48d5KcSxUPBmWmDCM8u70= +MjM0MTNaFw0zODAxMDExMjM0MTNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w +bGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNFaI/6qFhbiFFb+jO +60Qfp6d0KH7PKnxI1rmCQw24g4y2HyQ7cgT26mXQr3gsxj5bnRCKB9uG7DpJ1RaY +QVvVUApFdIHnLExVjNynwvKaNMZNwb6HVPVfjUTwwPdSgLxTRU2xAAmkIrbFUPuP +vhAbcmNKmq7hjr7AVHxNI4XnDwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1Ud +EQQYMBaCFHJldm9rZWQyLmV4YW1wbGUubmV0MA0GCSqGSIb3DQEBBQUAA4GBAGEv +YIEr7x4/jtbVZHfcVk369td5KZdrozHyaZOAhluUX9Q3qHpWuubeBJ/GjiJkLMGC +v5Px5F8yI0RQmQOOxeu4vINhL1dIbksPn7oxaWpPlx+40Tuub0qQlJYyPzXSYhv0 +dcScT5CK2e0GGzk7pEwT+S7WZNtFzeeOd6gOR9dE -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/cert8.db index b05fa0166..c9893c3bd 100644 Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/cert8.db and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/key3.db index 5f70c4b8e..6e862c99f 100644 Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/key3.db and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.chain.pem index e87280122..0b71d6f38 100644 --- a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.chain.pem +++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.chain.pem 
@@ -1,29 +1,35 @@ Bag Attributes friendlyName: revoked2.example.net - localKeyID: 60 8E D5 FB A7 97 B2 E8 F9 84 11 4F 91 1D 3C 91 B8 19 E8 97 + localKeyID: 70 BF 9C CD 8D 0C AB 91 82 4D 75 C2 EF AF DC 82 97 0B 7D 55 subject=/CN=revoked2.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDRaFw0zODAxMDExMjM0MDRaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w -bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMj2mEnZY8N38XJ5ZLTymH2J -hBNiubBU4ddvVQ0y48E/b5fbYwJI458bKgyNhqQtO/MG15oIndFpbazcp1p8++8C -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt -cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAD46Iw05ofRAaw9+yeTDPIydjl1Pkb1/ -ma4/qSK7p8BU/pMN3SH4qxKW7z6nNregMW48d5KcSxUPBmWmDCM8u70= +MjM0MTNaFw0zODAxMDExMjM0MTNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w +bGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNFaI/6qFhbiFFb+jO +60Qfp6d0KH7PKnxI1rmCQw24g4y2HyQ7cgT26mXQr3gsxj5bnRCKB9uG7DpJ1RaY +QVvVUApFdIHnLExVjNynwvKaNMZNwb6HVPVfjUTwwPdSgLxTRU2xAAmkIrbFUPuP +vhAbcmNKmq7hjr7AVHxNI4XnDwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1Ud +EQQYMBaCFHJldm9rZWQyLmV4YW1wbGUubmV0MA0GCSqGSIb3DQEBBQUAA4GBAGEv +YIEr7x4/jtbVZHfcVk369td5KZdrozHyaZOAhluUX9Q3qHpWuubeBJ/GjiJkLMGC +v5Px5F8yI0RQmQOOxeu4vINhL1dIbksPn7oxaWpPlx+40Tuub0qQlJYyPzXSYhv0 +dcScT5CK2e0GGzk7pEwT+S7WZNtFzeeOd6gOR9dE -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt 
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY -392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a -d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit -Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo +cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e +RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW +7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ +ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh +XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.key b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.key index 681886b9d..a23009530 100644 --- a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.key +++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: revoked2.example.net - localKeyID: 60 8E D5 FB A7 97 B2 E8 F9 84 11 4F 91 1D 3C 91 B8 19 E8 97 + localKeyID: 70 BF 9C CD 8D 0C AB 91 82 4D 75 C2 EF AF DC 82 97 0B 7D 55 Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIfHUUKZHRP88CAggA -MBQGCCqGSIb3DQMHBAiGHts1xOcjYASCAWA+TB8P6+MMx7kHWAIrO7eIwxXI/ivw -gKWa/XVFtZeZcBYCdjR0Ubfsv3emeWtZ72badVNNOgbUqaMsTraqYePGS9fVIk8e -Pn3PjKdd7rODvSTN647CrN6ng0x1yYW/RVo5v5CnoantSojUY5eNhO+iSGPFgbvj -h8s0uKZ3+KxlySpIJX9RU/LJQUfrdCAGkdIuPEi4graL8Z9pjyORqppYNCI+u+VG -m76zMJq9vxBcn6v3/DpVCFL7gokwD0GgMtWtTeXiP1Yn92dsn3DPVNI/ieE1ogJs -8WVWmTNBm0UuN0GiUWqQUXv3cqFpNArL/BObHJGWyHObUz3FgDpkP4crmhrFN2Ao -cT34tYaN9SGfoYA+MI2DqKQ0M8aGBvbL5CVGqJqWiVB71jG+JsdS0Q+7K5JQ5d/O -xiynUVJ8FhZBQshqPXAkPD8lOeFQ2QZp53RUSlI3d04Cy8FAZr3HzqEZ +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIlFvWRNTHWPsCAggA +MBQGCCqGSIb3DQMHBAgnEwmcCNcQrgSCAoDD+93FeCLH5UVzsfPd0zbfjfeEOZRe +4JbFS5eKLYNG5yTN7sOfaP3gFoB1V7XnTzu1SO9IjXaOKUt/Nj/XOsppARGn91ec +vHi5zyP+6irN6lpP8gaz2TTnpek/rdYHNd050+osef+c9u4nQEduCq8YWPjU0Y3F +Q3C8yPKotiUxlAYEavdG7WFqn8Ir9dgwh6VlU9HOc8LJ9q/eSJ6O8Z0Jyf9AWuKd +IMSY1251u8UoJePZgVmFfTt4q9tZVbb/i19veej8jS/um/pcYZd3WcEtRP3AE5Xh +l7mkZS/H9USiFZRYRK89dICeohIy6Lwzzv9db0kLwtdWFQ43GNiCRIwa52SK9uYr +/EGLyTUrI1gzOABqKoHTzQ5GZuG1OBRE7//gRYf7px2BtUyKEkTdhZo+XEMM9J7K +NyVBZg/YO4WTxL5RsvJ8Asfdr6dXJ2FNE110jaRyb/JKB4AXYbLw4I4wwOdirozR +mVFw6kMP0bVH2plQzntVokOW3p4M+betmQQgifD+mqWSrDSypZylkfrVaYKARiXe +IKgcD7UsDpy9T1Fjmk08KdPDLpogdM+iUcO0/sZk+Eo+wRjjtcKeq4T2HX3Zjdcp +eUMZ/1+1i+7jndpdTpLGXLVuR5S8xAw8cnkb8i0IO+lW4VGuJSSidkz/qxUqgTNw +Ilgt4Ye+0W0uVJedherpWwImyiDjdHtLtkkOpt/CPS/QRxeF6raSHsbjp4uIZGor +PNXAV5lWV+IIBHDIbIFOqcCQxJdKanWsEjkOXLLz254OGAB3vKZgWWorpsdpYMYI +Tk1jTSJxjefwzLPx+mLAesOr//4EtFmll3Im+GYQAZw3btVm6GVrXrqQ -----END ENCRYPTED PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.dated.resp index 834df2ae2..c5ffd674a 100644 Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.good.resp index f110fab43..e0b5e3915 100644 Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.req index 0c271ad05..daad7a852 100644 Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.req and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.revoked.resp index f110fab43..e0b5e3915 100644 Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.ocsp.revoked.resp differ 
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.p12 b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.p12 index 368429e92..60786663e 100644 Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.p12 and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.p12 differ diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.pem b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.pem index 8862a6b78..4e7f024c7 100644 --- a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.pem +++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.pem 
@@ -1,18 +1,21 @@ Bag Attributes friendlyName: revoked2.example.net - localKeyID: 60 8E D5 FB A7 97 B2 E8 F9 84 11 4F 91 1D 3C 91 B8 19 E8 97 + localKeyID: 70 BF 9C CD 8D 0C AB 91 82 4D 75 C2 EF AF DC 82 97 0B 7D 55 subject=/CN=revoked2.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDRaFw0zODAxMDExMjM0MDRaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w -bGUubmV0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMj2mEnZY8N38XJ5ZLTymH2J -hBNiubBU4ddvVQ0y48E/b5fbYwJI458bKgyNhqQtO/MG15oIndFpbazcp1p8++8C -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5uZXQvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUubmV0LzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt -cGxlLm5ldDANBgkqhkiG9w0BAQUFAANBAD46Iw05ofRAaw9+yeTDPIydjl1Pkb1/ -ma4/qSK7p8BU/pMN3SH4qxKW7z6nNregMW48d5KcSxUPBmWmDCM8u70= +MjM0MTNaFw0zODAxMDExMjM0MTNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w +bGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNFaI/6qFhbiFFb+jO +60Qfp6d0KH7PKnxI1rmCQw24g4y2HyQ7cgT26mXQr3gsxj5bnRCKB9uG7DpJ1RaY +QVvVUApFdIHnLExVjNynwvKaNMZNwb6HVPVfjUTwwPdSgLxTRU2xAAmkIrbFUPuP +vhAbcmNKmq7hjr7AVHxNI4XnDwIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5uZXQvMB8GA1Ud +EQQYMBaCFHJldm9rZWQyLmV4YW1wbGUubmV0MA0GCSqGSIb3DQEBBQUAA4GBAGEv +YIEr7x4/jtbVZHfcVk369td5KZdrozHyaZOAhluUX9Q3qHpWuubeBJ/GjiJkLMGC +v5Px5F8yI0RQmQOOxeu4vINhL1dIbksPn7oxaWpPlx+40Tuub0qQlJYyPzXSYhv0 +dcScT5CK2e0GGzk7pEwT+S7WZNtFzeeOd6gOR9dE -----END CERTIFICATE----- 
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.unlocked.key index 4c9010528..f75d43fe1 100644 --- a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.unlocked.key +++ b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/revoked2.example.net.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOwIBAAJBAMj2mEnZY8N38XJ5ZLTymH2JhBNiubBU4ddvVQ0y48E/b5fbYwJI -458bKgyNhqQtO/MG15oIndFpbazcp1p8++8CAwEAAQJAdkDE9A+7qLXXmejc3a0z -FgvpcA7T/XK1QjP89DtR0dAbM0tLdWyhshLNcNSW6urwYKkPmw7jPmW1wC14/Ob3 -IQIhAOg4d+nA1BNR2+L2dDJhdTPWzVWERwsMaBVMsKYg8TbjAiEA3Yq7xYMK0aNU -XTvzTnmr+y51Ce5BQK9U2q/B1kyIKIUCIDQZ902K5govo5YYlZl4JEOtPgSh2Q6x -iei9fCTJ31ThAiEAg28IQYCiDYeJyJqFmZwjxSxlsVORkO+0Nt2o8RuMeAUCIQCj -IPd5zjwu8dkolqvof1uMm3An3YhSLWSlJK1BSAk2Yw== +MIICWwIBAAKBgQDNFaI/6qFhbiFFb+jO60Qfp6d0KH7PKnxI1rmCQw24g4y2HyQ7 +cgT26mXQr3gsxj5bnRCKB9uG7DpJ1RaYQVvVUApFdIHnLExVjNynwvKaNMZNwb6H +VPVfjUTwwPdSgLxTRU2xAAmkIrbFUPuPvhAbcmNKmq7hjr7AVHxNI4XnDwIDAQAB +AoGAFrP5ZSf9O4LsjfpIhHeI8BQoNnSxLQ/f+FRE7wWrRCzT6+lgonAJ2qeyI7r5 +C8PabVvi09Tw2WvXPAsp2CsMFks/Orjhlktx15VE9ClFoRxI0kkA0MIfGgF1TEzu +sO2mZJQWF0t/Rq5oUs79xidmeb/Cu8Ij8Ly2Ac9DGV9JEzECQQD5ZOC9zivkFmL4 +7QVI4bhbE6gzBAY4xijdTHJfK6ccSwT2cHhwHb9qSIKQzTt2YQC7WRgduxeA85az +j2G0Nna5AkEA0oRL1Ui8+YSiZ3TuFjbEEnCtU570UjZWP6UD93qoYYmuMtLMUbo0 +VjrFVUdynq1VtHJp7Uc+uMNqprcxJXnoBwJAD2h1HiTrv0bGzJxQNEWFz1KylJxO +ChnsEmgTtN+Mjonv/43JUxvzZIygTHPxlYm+stR5UfTqKdRi3isgnTK0OQJAYGNQ +sXRfikOvdH02chdbSTIsOkhih633aaatnUedByPaDc003grK4dyA894F3h9xSXDF +jW38iu52y6S/LPCXSwJAGD8Su7ax9CO4CFW0giEU/km7JN0r7Y75CV+G/G8IqpJT +uo9t2r23Y9HAnCSnw2/sPyXeYv9eeiqhL2VfLB95CA== -----END RSA PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/secmod.db index a2fa5b666..294739ed6 100644 Binary files a/test/aux-fixed/exim-ca/example.net/revoked2.example.net/secmod.db and b/test/aux-fixed/exim-ca/example.net/revoked2.example.net/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/server1.example.net/ca_chain.pem index 4696e4e7a..cd91a6250 100644 --- a/test/aux-fixed/exim-ca/example.net/server1.example.net/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/ca_chain.pem 
@@ -3,45 +3,56 @@ Bag Attributes subject=/O=example.net/CN=clica Signing Cert issuer=/O=example.net/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY -392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a -d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit -Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo +cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e +RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW +7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ +ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh +XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.net/CN=clica CA issuer=/O=example.net/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje 
-SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2 -iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALUSMNgU8YE8fsiB8Wm7 +lpclDOwQXJVbP/Ef2NVwoE6NnoPTWMNgvSyCddVz7709URkIy+jtrlpbyQYVdwgO +HAnI8/bx2WoGtGzWTbAM1Mp+WHtiOO7LpsldWQmeHuF9uBOghFytVyqNT2l/iG7x +XQCA6Q6P59vpb3Z+4PH8kgVlAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBACs6X9bwml5hcwf82pyb +bKOnRGP6pJsvx1yv6SULaxg4+mCelEHNPycQqidqs+84RrDma8Kkz3DVZuV11Yca +o2ibon7rWhaTc9SR0j5B8BMU1Z9VEVF5uejepHWf1iCeOhxl6tNQuTTJP0uE4h6h +VAtQ+ux57x052IuOi9FtrqVR -----END CERTIFICATE----- Bag Attributes friendlyName: server1.example.net - localKeyID: 4C 81 72 95 D9 D6 9C FD 7A B1 C0 66 9F 85 A7 01 93 A4 6E D7 + localKeyID: EF E6 02 06 86 D6 C6 E5 49 FA 05 3D AA 45 2E FE A4 7E 79 E6 subject=/CN=server1.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwNFoXDTM4MDEwMTEyMzQwNFowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl -Lm5ldDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDCtN2Y0S4oROnlfkTeUH2ULUVs -RShAIKdxlXRo+F09rEBzNKKNC4ZWIr+pc8U+iQzGGTiiCTfeq9bI0Uef1493AgMB -AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB -BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu -bmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw -Oi8vb3NjcC9leGFtcGxlLm5ldC8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl -Lm5ldDANBgkqhkiG9w0BAQUFAANBAEMi4SnbMDOvnQk2UkvvNVGyBEXNsuskNzo9 
-5wAY6x0bUZ6XWZ8+kM60gbmOqwfPA6pw/w7ui3XJ1Ac3BAUverQ= +MzQxMloXDTM4MDEwMTEyMzQxMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl +Lm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzQuAXxpDWTI5zD1RqQJb +TzdmdFsB2Y2IXMhnysg54lBGKV4pMhglVjJUNhDCqkmops0RvIYdSLjMPsvharvx +93lNsVWn7d0rw7GS8sX/dNzUArJITOeyGFHoVK2FOgILdtmJrb9s79WweYc77VOb +R3TmqCFuDfesYmoRcRkW0KcCAwEAAaOCAQcwggEDMA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5uZXQvMGUGA1Ud +EQReMFyCImFsdGVybmF0ZW5hbWUyLnNlcnZlcjEuZXhhbXBsZS5uZXSCE3NlcnZl +cjEuZXhhbXBsZS5uZXSCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLm5l +dDANBgkqhkiG9w0BAQUFAAOBgQAyeEckORsshBm4i97WDwuAi3VNbUcXDNSflE5u +hTPKZnwVNUgvt62XGy35hzI1lUNom7UzuA71T9RLza65d9s70YEfWqjqurp0Fh/a +qWILyzSdOYHPaQlvp0qqoGNY6MKHylEVfGFvAH0qgF5bTzitwp7YOmKVyVSdYsGQ +MyjouQ== -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/server1.example.net/cert8.db index 3c1b67cee..84adfbc06 100644 Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/cert8.db and b/test/aux-fixed/exim-ca/example.net/server1.example.net/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/server1.example.net/key3.db index f9104cf77..f98abb580 100644 Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/key3.db and b/test/aux-fixed/exim-ca/example.net/server1.example.net/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/server1.example.net/secmod.db index 535308747..31dd52e12 100644 Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/secmod.db and b/test/aux-fixed/exim-ca/example.net/server1.example.net/secmod.db differ 
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem index 4d4431b2c..16c6d80a2 100644 --- a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem +++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem 
@@ -1,29 +1,37 @@ Bag Attributes friendlyName: server1.example.net - localKeyID: 4C 81 72 95 D9 D6 9C FD 7A B1 C0 66 9F 85 A7 01 93 A4 6E D7 + localKeyID: EF E6 02 06 86 D6 C6 E5 49 FA 05 3D AA 45 2E FE A4 7E 79 E6 subject=/CN=server1.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwNFoXDTM4MDEwMTEyMzQwNFowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl -Lm5ldDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDCtN2Y0S4oROnlfkTeUH2ULUVs -RShAIKdxlXRo+F09rEBzNKKNC4ZWIr+pc8U+iQzGGTiiCTfeq9bI0Uef1493AgMB -AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB -BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu -bmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw -Oi8vb3NjcC9leGFtcGxlLm5ldC8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl -Lm5ldDANBgkqhkiG9w0BAQUFAANBAEMi4SnbMDOvnQk2UkvvNVGyBEXNsuskNzo9 -5wAY6x0bUZ6XWZ8+kM60gbmOqwfPA6pw/w7ui3XJ1Ac3BAUverQ= +MzQxMloXDTM4MDEwMTEyMzQxMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl +Lm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzQuAXxpDWTI5zD1RqQJb +TzdmdFsB2Y2IXMhnysg54lBGKV4pMhglVjJUNhDCqkmops0RvIYdSLjMPsvharvx +93lNsVWn7d0rw7GS8sX/dNzUArJITOeyGFHoVK2FOgILdtmJrb9s79WweYc77VOb +R3TmqCFuDfesYmoRcRkW0KcCAwEAAaOCAQcwggEDMA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5uZXQvMGUGA1Ud +EQReMFyCImFsdGVybmF0ZW5hbWUyLnNlcnZlcjEuZXhhbXBsZS5uZXSCE3NlcnZl +cjEuZXhhbXBsZS5uZXSCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLm5l +dDANBgkqhkiG9w0BAQUFAAOBgQAyeEckORsshBm4i97WDwuAi3VNbUcXDNSflE5u +hTPKZnwVNUgvt62XGy35hzI1lUNom7UzuA71T9RLza65d9s70YEfWqjqurp0Fh/a +qWILyzSdOYHPaQlvp0qqoGNY6MKHylEVfGFvAH0qgF5bTzitwp7YOmKVyVSdYsGQ +MyjouQ== -----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY -392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a -d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit -Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo +cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e +RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW +7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ +ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh +XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.key b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.key index d01d43b71..8914141a1 100644 --- a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.key +++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: server1.example.net - localKeyID: 4C 81 72 95 D9 D6 9C FD 7A B1 C0 66 9F 85 A7 01 93 A4 6E D7 + localKeyID: EF E6 02 06 86 D6 C6 E5 49 FA 05 3D AA 45 2E FE A4 7E 79 E6 Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQItqv8KkyfDOECAggA -MBQGCCqGSIb3DQMHBAi+cLfRJYwdhASCAWDijpItKwM1N1Tk9po65/Et0DLcJt8h -UNc26UWxg4uGMcbyHJv5+OZDhAjla1GwFLBZDQwCsnvwfjHfpwFpSx4Mxj4SMGrx -YCwSB8smLl5cZNJpm2N3JVlrX/ZHR1plwtVccOf9Ry7MFoyj9YcXTs9N39zmpYDD -Oi81eD2CzGEP2NqyycJK3Fu0OMUNT5RYHF7Nja6mGjzyul8rDPHPOcwQ0CCEHUmF -3FaMqji+aCpJ+BeFwcVYZjiuQx4ajKXnu8g4KEa1S59KgSRiAdL8Ih1dN5qrDJB5 -dDTo37DneR1RkudMs2OcbMnbhyWQZ/AhfUqqFM7NLnDSVwhUtL9kPzjqIA1+l9V6 -27ANditdhs3fS6026sC3MMJRrPXmZGU3GuItxi1hU/CjiCb54VsK8MEhWpzU6QiS -+UXkPYKauZKsGtfn0sI8ZUCEyo2vF79KAIGK6DYQ6dIOmjvKqz2xgng/ +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIbTjOvT/3UgUCAggA +MBQGCCqGSIb3DQMHBAiB4UitE/+LGwSCAoBtoxcf7PnMIhZKauwym1cVW1HTAGoW +9RRdtk4Ymp0nZP851hKGg8DFxCLRDX2rAsSS15Rro3O3aaYLFvn/nFvgCypMYj/i +vI3feiLCg2Z2n2nIfB7iFbOvdRd6EKh3ctbQGYSWTHIHcAqINMY9wsw42LzOTvNj +TfoFZSVHVfaMC1jx3Y1lEYdqMub7DcugLOYYJAuW5gyivMgiklMzLlrPGbUCwrvq +aJAPwd1GECTFusUCe0Vhwt2eq7p0Zub2pCpS5j1fOLoFZ89keB8Y6MxmBA3SMm73 +evMJXmCcymD2ZHAYRbogT/3U7F73ubn48kmfZTNwcBryBauo1ZVatQE/d8iYJeke +q2i8ttUvTQ0nz33s/4v+rmJFfv4VkbljYc8rl/WvFKszLi5DtPcrd2klSORFVHRD +xEie/EU7V4oiYA9SznzgcEfqGU64ep49hhxTsTRwhkGfKoM6C1OeCFho2Vv3uWNs +sBWGU1+wh71jZAlhYxIRRxI7TK33fHDwWfaCZq3IfTToRtFzwbvjmXOcLrQD3zzw +Mc0FVFaBHgrZMWy9cKAXJANGHXCtK0IBZ7f7wyGtJDzbFOp2JgrZhOCzzHrBAsnW +PVALnVgLY6ydculgm0l4h4idToFfYIX7C6M5YRv0SsQ+uzZfOEpjP9BNOe+A3mTF +1Z5cO7Y8jPDZGV0WsdmitX4Me1+l359lRNER7hJKOi9Py/YCwGxxd037cwunEWGG +bWb2BKURho/r2iZcGL7PLLyRW5CKmV6qQVumlJSIFXcCenR3uSoJEvEzpwZ19KYb +rH/IRcVkOd2leegIu9cSt5unYAVAZJ6CX5SplI5+5RoNEaIvTevQ3MGi -----END ENCRYPTED PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.dated.resp index 8dc2a098e..358599cd5 100644 Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp index b2cb446e7..268bbfb4e 100644 Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.req index 0057816d4..6f16d6d0c 100644 Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.req and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.revoked.resp index 5e9cee6f6..f7977341b 100644 Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.revoked.resp differ 
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.p12 b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.p12 index 9596af088..d8c2f85b2 100644 Binary files a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.p12 and b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.p12 differ diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem index 4d14e2003..11f82ea9e 100644 --- a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem +++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem 
@@ -1,18 +1,23 @@ Bag Attributes friendlyName: server1.example.net - localKeyID: 4C 81 72 95 D9 D6 9C FD 7A B1 C0 66 9F 85 A7 01 93 A4 6E D7 + localKeyID: EF E6 02 06 86 D6 C6 E5 49 FA 05 3D AA 45 2E FE A4 7E 79 E6 subject=/CN=server1.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm5ldDEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwNFoXDTM4MDEwMTEyMzQwNFowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl -Lm5ldDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDCtN2Y0S4oROnlfkTeUH2ULUVs -RShAIKdxlXRo+F09rEBzNKKNC4ZWIr+pc8U+iQzGGTiiCTfeq9bI0Uef1493AgMB -AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB -BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu -bmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw -Oi8vb3NjcC9leGFtcGxlLm5ldC8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl -Lm5ldDANBgkqhkiG9w0BAQUFAANBAEMi4SnbMDOvnQk2UkvvNVGyBEXNsuskNzo9 -5wAY6x0bUZ6XWZ8+kM60gbmOqwfPA6pw/w7ui3XJ1Ac3BAUverQ= +MzQxMloXDTM4MDEwMTEyMzQxMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl +Lm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzQuAXxpDWTI5zD1RqQJb +TzdmdFsB2Y2IXMhnysg54lBGKV4pMhglVjJUNhDCqkmops0RvIYdSLjMPsvharvx +93lNsVWn7d0rw7GS8sX/dNzUArJITOeyGFHoVK2FOgILdtmJrb9s79WweYc77VOb +R3TmqCFuDfesYmoRcRkW0KcCAwEAAaOCAQcwggEDMA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5uZXQvMGUGA1Ud +EQReMFyCImFsdGVybmF0ZW5hbWUyLnNlcnZlcjEuZXhhbXBsZS5uZXSCE3NlcnZl +cjEuZXhhbXBsZS5uZXSCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLm5l +dDANBgkqhkiG9w0BAQUFAAOBgQAyeEckORsshBm4i97WDwuAi3VNbUcXDNSflE5u +hTPKZnwVNUgvt62XGy35hzI1lUNom7UzuA71T9RLza65d9s70YEfWqjqurp0Fh/a +qWILyzSdOYHPaQlvp0qqoGNY6MKHylEVfGFvAH0qgF5bTzitwp7YOmKVyVSdYsGQ +MyjouQ== -----END CERTIFICATE----- 
diff --git a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key index 422428342..74ed2511a 100644 --- a/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key +++ b/test/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOgIBAAJBAMK03ZjRLihE6eV+RN5QfZQtRWxFKEAgp3GVdGj4XT2sQHM0oo0L -hlYiv6lzxT6JDMYZOKIJN96r1sjRR5/Xj3cCAwEAAQJAYR333g6QeFOPWwH1dfIu -ASfnlc6U+g+PlY8XhnhDgcu2le3IQuOaI0sw/X0vZdhEKJpDHJ1hKGxIQpOB2R/P -EQIhAPUMh9+sUsZSnNbhEggO8h6F4TeLoAVJNzUtW5UvmBgvAiEAy2hlFkLXlP0t -VYwmNqyCs8Jhf0SIrnhPw3ynJhxgYzkCIQDlHd48yAZs3/k9ABu35SGEYHD/WlE4 -IAi6c7pZdrKiiQIgEH48hBuTY29L973Pc2t1haHjSfCCrLLwtMcsvnhakHECIEuy -0/MQz7IYZNJ7g36j3jjv8vFkAdDCGyKzuMGLoq9p +MIICXgIBAAKBgQDNC4BfGkNZMjnMPVGpAltPN2Z0WwHZjYhcyGfKyDniUEYpXiky +GCVWMlQ2EMKqSaimzRG8hh1IuMw+y+Fqu/H3eU2xVaft3SvDsZLyxf903NQCskhM +57IYUehUrYU6Agt22Ymtv2zv1bB5hzvtU5tHdOaoIW4N96xiahFxGRbQpwIDAQAB +AoGAQ+VME7G5nV6BPv0K/kDWhWud1GeSPDyea8K8g6w7ZpIYOXiBgaH3MwylT+XK +3+JWIy2Ccv+h0MPIdf7C3LnxS92aLrL5ur8e4kgU/rhQAFWiPFV1ulESlmZ8CbgT +o/eWMut0Qtlj98q2PIfLB+EvR7hrBL4EfGEO4GeMafTzvRkCQQD6obmU4DOkU3xt +drR+lRzfleBXI4DZXryLJLCN6Q6tu+cTp4ViKhoTD8ys+VJU2Y9xh/XfFYhNkrJr +GY8NF1X9AkEA0W/QGj3BsO1+8mQxkf9UCqkeaGD/jQXxaqaGQ8M9R/46sAKeW+IN +g+R6z4fF98t2x/D2LBs4ynGgWToXhFbwcwJBALfn3b4xOZOVsxK7bLwJfHNPjZtD +MPPPgTf0hxzKa3vuCiQw4z3huNpN2JkAJXqfXZMn+bFlImwRfZv62C359p0CQQCG +GEos0we16YoTVlVqvgkoPjoK6LgWqgx1laN3tYUCGGOpGDQebnDq1ppPUAZP7sTh +pYVonhFRhUj+eDRgdm3DAkEAhEl0G7wNvhiA1KR7Wz4lhZGj5rQnL0qgNjlIC/Wa +EobRaD0Gz6v+jHOH2ePYQWXu7ySiIoUDwtI8n1r1ePCRFw== -----END RSA PRIVATE KEY----- diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem b/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem index 39e5eedc6..19aa27dea 100644 
--- a/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/ca_chain.pem 
@@ -3,45 +3,54 @@ Bag Attributes subject=/O=example.net/CN=clica Signing Cert issuer=/O=example.net/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY -392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a -d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit -Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo +cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e +RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW +7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ +ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh +XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.net/CN=clica CA issuer=/O=example.net/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAp2tm7DhEtMNQPz23MpsxYVje 
-SgMgmkDx8qdr97SBBVqtPcHMMrCEZ9dQiYCFxbshxXfeova+DbLZISDlHA9xjQID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBAG/rfiV0UE6Q//VIKN5CprvNXDGQFfcFCWNRCu6ZGTPpaDf2 -iPqVISD9trZrvtlUIgKjGgOQQbdNH9RBj5+6QKo= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjApMRQwEgYDVQQKEwtleGFtcGxlLm5ldDERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALUSMNgU8YE8fsiB8Wm7 +lpclDOwQXJVbP/Ef2NVwoE6NnoPTWMNgvSyCddVz7709URkIy+jtrlpbyQYVdwgO +HAnI8/bx2WoGtGzWTbAM1Mp+WHtiOO7LpsldWQmeHuF9uBOghFytVyqNT2l/iG7x +XQCA6Q6P59vpb3Z+4PH8kgVlAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBACs6X9bwml5hcwf82pyb +bKOnRGP6pJsvx1yv6SULaxg4+mCelEHNPycQqidqs+84RrDma8Kkz3DVZuV11Yca +o2ibon7rWhaTc9SR0j5B8BMU1Z9VEVF5uejepHWf1iCeOhxl6tNQuTTJP0uE4h6h +VAtQ+ux57x052IuOi9FtrqVR -----END CERTIFICATE----- Bag Attributes friendlyName: server2.example.net - localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56 + localKeyID: A4 A7 36 66 9C 5A FC 72 B7 08 6B 0B 9F 20 62 78 D8 DF 1D 98 subject=/CN=server2.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDRaFw0zODAxMDExMjM0MDRaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs -ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoXux6WdUK5xq7w+eMCFo2iEE -GCUYpmqc4H6AmgxmglEfrndnKMv/fLRJpMUMe65a2fIPdMaZO6uX/fBDYSeUjwID -AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5uZXQvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs -ZS5uZXQwDQYJKoZIhvcNAQEFBQADQQBhKq+CoKmxvdEJ4+AlNsJGpByKiwsDo0Cz 
-mtgyGnn4a+3kkKYb2/KWosrBBLIzZbuzQ6sAjDKKioKJy7+ENuki +MjM0MTNaFw0zODAxMDExMjM0MTNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs +ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALwP/FMqk/TKRQWwWsmz +rt0QEKGC8M+3ot5LrXijR1RD9DTSSCDB6tI9J4s3rpM8jYZN2in/844/zHaZPHLe +sM5/YLBWQD0YGy6eJUA+Ym/ySV0VTVZTwHwC78TvjETq1BRvi9fTNBp5P5CBN08L +7QA5ebrmrLdpUNmjSRXqQc6ZAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm5ldC8wHgYDVR0R +BBcwFYITc2VydmVyMi5leGFtcGxlLm5ldDANBgkqhkiG9w0BAQUFAAOBgQAO/PIL +r1x6F86iuKP1ww7Gb/fG9KoRVdijXvwFKurrTGLlK9gq0+w+j+vxMIBW+UeeXpRt +JY/231AhPwxvMR4/MYQLrZUmtYO/FCIIdkjDFkt4wGszxEYSn5Ks94PftsJGrEm2 +yjc1w7gnzx2ybtYRZnpaTgOaWaYepc6wnfXXvw== -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/cert8.db b/test/aux-fixed/exim-ca/example.net/server2.example.net/cert8.db index 0478b4b6d..082831e14 100644 Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/cert8.db and b/test/aux-fixed/exim-ca/example.net/server2.example.net/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/key3.db b/test/aux-fixed/exim-ca/example.net/server2.example.net/key3.db index 11649e05b..0acc63165 100644 Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/key3.db and b/test/aux-fixed/exim-ca/example.net/server2.example.net/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/secmod.db b/test/aux-fixed/exim-ca/example.net/server2.example.net/secmod.db index 4bdbe54ae..410a6d0fa 100644 Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/secmod.db and b/test/aux-fixed/exim-ca/example.net/server2.example.net/secmod.db differ 
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.chain.pem b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.chain.pem index 8f2b6af72..0f0e8b535 100644 --- a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.chain.pem +++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.chain.pem 
@@ -1,29 +1,35 @@ Bag Attributes friendlyName: server2.example.net - localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56 + localKeyID: A4 A7 36 66 9C 5A FC 72 B7 08 6B 0B 9F 20 62 78 D8 DF 1D 98 subject=/CN=server2.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDRaFw0zODAxMDExMjM0MDRaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs -ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoXux6WdUK5xq7w+eMCFo2iEE -GCUYpmqc4H6AmgxmglEfrndnKMv/fLRJpMUMe65a2fIPdMaZO6uX/fBDYSeUjwID -AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5uZXQvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs -ZS5uZXQwDQYJKoZIhvcNAQEFBQADQQBhKq+CoKmxvdEJ4+AlNsJGpByKiwsDo0Cz -mtgyGnn4a+3kkKYb2/KWosrBBLIzZbuzQ6sAjDKKioKJy7+ENuki +MjM0MTNaFw0zODAxMDExMjM0MTNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs +ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALwP/FMqk/TKRQWwWsmz +rt0QEKGC8M+3ot5LrXijR1RD9DTSSCDB6tI9J4s3rpM8jYZN2in/844/zHaZPHLe +sM5/YLBWQD0YGy6eJUA+Ym/ySV0VTVZTwHwC78TvjETq1BRvi9fTNBp5P5CBN08L +7QA5ebrmrLdpUNmjSRXqQc6ZAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm5ldC8wHgYDVR0R +BBcwFYITc2VydmVyMi5leGFtcGxlLm5ldDANBgkqhkiG9w0BAQUFAAOBgQAO/PIL +r1x6F86iuKP1ww7Gb/fG9KoRVdijXvwFKurrTGLlK9gq0+w+j+vxMIBW+UeeXpRt +JY/231AhPwxvMR4/MYQLrZUmtYO/FCIIdkjDFkt4wGszxEYSn5Ks94PftsJGrEm2 +yjc1w7gnzx2ybtYRZnpaTgOaWaYepc6wnfXXvw== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt 
-cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAzWhcNMzgw -MTAxMTIzNDAzWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN9lXg/7R2gY -392B325b/0eHLOrQG1px0aPuSwCBG0cKwCATtsKjYne15vNXAskVAdejY0Ujvo+a -d4jVi2qYJ8sCAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm5ldC9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EAlm29nFrjiJPaldOtHxpmWzE3Zxit -Sl4RxdeJcJ7aGL2gDOAWmiVh6UPbMm/o6Vg2PxHp2YviOhVunp1C2t85ow== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm5ldDERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDExWhcNMzgw +MTAxMTIzNDExWjAzMRQwEgYDVQQKEwtleGFtcGxlLm5ldDEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCf/Mo +cl7+ta84A85TdEcSPfv+JV6/0ynu98Z+EHaz221TGgNYkOtlBDc80kZZ2QBndE6e +RZAuIaPgTVk0mZJ7XUxAVx7AAlGSWenScV/k/VChgqddRaCmmLQoPT/wUkrDqlOW +7omdM0BTaMxdEv2QRyUCVrrZKOJkRsTILkUvaQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +P/kvw/kOJI5Yja+W8/xmbAma4NeAWE48eLDzp6AWJBUU7oIj4Ca+PqwpaxxeNioZ +ihLL5LCRrS8lsSGgyD3UzqYGCMOwqX5pBytpWXz1NRzzey9mCV55LHckBF7dRBuh +XQiz+EvE4Dr1ZikrB6UjgHW7Bal9Y5QMDs8qZAsRkJ0= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.key b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.key index 03759044e..5e9b1960a 100644 --- a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.key +++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: server2.example.net - localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56 + localKeyID: A4 A7 36 66 9C 5A FC 72 B7 08 6B 0B 9F 20 62 78 D8 DF 1D 98 Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQId2/8mqWfInACAggA -MBQGCCqGSIb3DQMHBAgvDNlX6TpnZQSCAWD27NSWhbC88NONthVEEIHARSoUieXl -Hsker9qC52voq+kSQf4sFmifD9SgestoXFoxBOWi4mnO2uwUqu/yC3Igrr0DE0VH -zXapBoEbd7Yr4y5BN7M5+oQPGjxCUocP3Bp9dxvo5T3lFLtmaBvdBucVHvn6UqzX -uUZw3O1LdoMm6PqZXBh8vzhapYq5I5oMOhWJsJrauSfXaBJObeo3MgFF6WfUQlnI -fR/O7uJ00t+ArvdkQVIDT70FWWAFvt9DDtVIUcva8BfiGEjPjqso0tElTzPRqRrs -WmS1jn1Lf/EVaVSOIIecjHodxeA7R/vMlG+5U/PcgfeYMEFyn0Aj/tUvdR6tTAUy -1K5zFEGG5YCY2e0HmVyc/qvOoSPwi7f8eJEziTuv2nXlPrjd74OcGn1ffXyMeDZ6 -gDAQB9pe/7m9OZ9MAxuak4DEyFMdNJTFJ3il0ILAi8R2GOGA+TVSrGAT +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIjidyN2LNmEICAggA +MBQGCCqGSIb3DQMHBAiM9kZJAE+TJASCAoAif/peX3iuR+MZUyC89O7/xMcYAdua +bDFVrbNrdO5+XZG+U6elpnF/jWMKZUKxzrjkKEaJKWqQKthJp8Ds/ncD7Bx13qr9 +wTA7V+pVoVepG9JGHY1QkUTA9PNG4Txt0WrrjDU23iEYynh3G0QOoMhNYE50xCf/ +2CsWfIC6gSTL/OM2tb5ynwoDbAwS2Xml0Ky0USqCmsyJFqLq1QRo5l8EmWJ4HNut +yQjvCbu5PAW8pAf2neJmAVlkTzwhmN5gl3vDfVKSKx2faaua0b13kCnYu8HjkbAo +RskvJvOmOfByN04mMeUY6jhdwx7WYzvxybMFTjUlQ2ckJ3C2Yb24RrJ8m/k4GTWf +Egy4KisBe5DFeXCh31ZSfNA5wxhNETIDYw/V/Bd5F8UvLGgOysDdn8wNIDcvR/EM +AA/EKmj8+/0ayAxWCSQ5Rpnl9+XJKGmqlGynKF2LvvaGm/yRmq9apq1bS6CY+Plw +Yz8webSEdIhq7BPIt09v4AiyW7VOm/GHvacfRxXlPNHakABZA/XR5Mg2HfdxV3/V +O7lEXylQtUedyU+U36P+NtEW2PP+EkcUFkW/hno0zMWG8SdKesYTvMBz9zwPjZBz +BfpSysxoz3pZQ3FNiRCOnPjIq5Esxp0PVMGnIQqYvptbwklUKEpq2rslSgyZJYot +x5ui5RuQXKlLzU+bai557ofR6J0TZJnSIq7Wg0XSo2kFfMZFAUT8QAAD8cotDmwS +q7+ncWNWIT+c/AOrUW1W8ypK11tAvytLXPifIb6R0+SXKhOzU0DB1euZwoWtBtaa +GaKaYt+t0U/Q9umTCXXXd7gm/8+ZnpYhqNadsB2SmwGlyGU6HDsbXZW6 -----END ENCRYPTED PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.dated.resp index edb418af1..35cb53923 100644 Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.good.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.good.resp index dcb27f250..c8a2196c4 100644 Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.req b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.req index 54d932eb2..40b924175 100644 Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.req and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.revoked.resp index dda468d12..c8a2196c4 100644 Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.ocsp.revoked.resp differ 
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.p12 b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.p12 index e54fff347..d51427bda 100644 Binary files a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.p12 and b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.p12 differ diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.pem b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.pem index e973e005f..b4d00121f 100644 --- a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.pem +++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.pem 
@@ -1,18 +1,21 @@ Bag Attributes friendlyName: server2.example.net - localKeyID: E6 14 E8 D3 C2 D6 33 C5 46 4A 62 47 B7 C2 BA D6 3B 26 F2 56 + localKeyID: A4 A7 36 66 9C 5A FC 72 B7 08 6B 0B 9F 20 62 78 D8 DF 1D 98 subject=/CN=server2.example.net issuer=/O=example.net/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5uZXQxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDRaFw0zODAxMDExMjM0MDRaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs -ZS5uZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoXux6WdUK5xq7w+eMCFo2iEE -GCUYpmqc4H6AmgxmglEfrndnKMv/fLRJpMUMe65a2fIPdMaZO6uX/fBDYSeUjwID -AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm5ldC9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5uZXQvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs -ZS5uZXQwDQYJKoZIhvcNAQEFBQADQQBhKq+CoKmxvdEJ4+AlNsJGpByKiwsDo0Cz -mtgyGnn4a+3kkKYb2/KWosrBBLIzZbuzQ6sAjDKKioKJy7+ENuki +MjM0MTNaFw0zODAxMDExMjM0MTNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs +ZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALwP/FMqk/TKRQWwWsmz +rt0QEKGC8M+3ot5LrXijR1RD9DTSSCDB6tI9J4s3rpM8jYZN2in/844/zHaZPHLe +sM5/YLBWQD0YGy6eJUA+Ym/ySV0VTVZTwHwC78TvjETq1BRvi9fTNBp5P5CBN08L +7QA5ebrmrLdpUNmjSRXqQc6ZAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUubmV0L2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm5ldC8wHgYDVR0R +BBcwFYITc2VydmVyMi5leGFtcGxlLm5ldDANBgkqhkiG9w0BAQUFAAOBgQAO/PIL +r1x6F86iuKP1ww7Gb/fG9KoRVdijXvwFKurrTGLlK9gq0+w+j+vxMIBW+UeeXpRt +JY/231AhPwxvMR4/MYQLrZUmtYO/FCIIdkjDFkt4wGszxEYSn5Ks94PftsJGrEm2 +yjc1w7gnzx2ybtYRZnpaTgOaWaYepc6wnfXXvw== -----END CERTIFICATE----- 
diff --git a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.unlocked.key b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.unlocked.key index 74b350175..6cbdbf60a 100644 --- a/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.unlocked.key +++ b/test/aux-fixed/exim-ca/example.net/server2.example.net/server2.example.net.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOgIBAAJBAKF7selnVCucau8PnjAhaNohBBglGKZqnOB+gJoMZoJRH653ZyjL -/3y0SaTFDHuuWtnyD3TGmTurl/3wQ2EnlI8CAwEAAQJAGXXkRjWperrNzWV7/oC2 -BHZiK+Blc4+prmejpSZBX1hk5XFL8vMx3H1yYnYj3LLr2MzuZ7W410GXBvZkfOy5 -uQIhANSjR5qV2dgzdI7nTjPXZOVPHfh9S4RbgCa8nbm+Yg59AiEAwmnlkEP8BMHx -8GeuItJyuIQYXU/TRFIAB5N9nDWO4PsCIFvZj/OJaUlHqMCVz6T7FL0suMB+tuEc -eTXCYcs7HrYtAiEAi4ivv+xbbBq7B72SSOHcfrwoNIi/bBCifs2H4N67zpMCIBpU -fl/bfvpZ2FtBsZ1yMTgTXzaZyOllhYkaZO3bvQYU +MIICWwIBAAKBgQC8D/xTKpP0ykUFsFrJs67dEBChgvDPt6LeS614o0dUQ/Q00kgg +werSPSeLN66TPI2GTdop//OOP8x2mTxy3rDOf2CwVkA9GBsuniVAPmJv8kldFU1W +U8B8Au/E74xE6tQUb4vX0zQaeT+QgTdPC+0AOXm65qy3aVDZo0kV6kHOmQIDAQAB +AoGAI61gsCJmuUzaNU8UmilVZijTDuD5cF6lLkjrGvTW5lyR6qdt+ZDwTHw/kUC6 +BMK7EpyYY9ljyju+PU2q0xv+LIrQONRcBPbGxSrU2W3+3S3jkWZ03tMJLRqCraFV +w17thkexWZaqVP8eC27jcjgZMU6B3gtpsf/CeMaYYjrBGnUCQQD3g0lugwfG47kI +Ih7M2ImeUuI/aVov0ep/nDUboLD8ZWoJylko7JpqYVMdhmNZ7CH7stqu8ufW4KkZ +99LpZLNnAkEAwoLVEoImAJHU4uq5xjNAeklkKj5kNLvPb0ag0IkJ1pH5S5fVrgH+ +fodg2O9jvxxo4eYpbmYKbjXIx7k54QYt/wJAWM0glmaqbqAbLaDYPhReY5BHHgsV +UVzV7kzD/RKNDTDxd2vCy10AFbSvVkN197gxhRVpQiViKoTWBrwUTqpTdwJAYHSm +mrYFiFTI3/oMQ9gYikuoqzYjVO8pb4Hzr1W1ljzvBeh2YwLEJBSYFxunOBcrf5I2 +S3O4imyLc1dL92WsGwJALBziva48HYruICrk94ofAbMDqF3xNJS5YFMtXBvZDY/S +WecxphaKpVPDLsABXUgDsKUKQmHBJuOYCTPqcL5FeA== -----END RSA PRIVATE KEY----- diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/CA.pem b/test/aux-fixed/exim-ca/example.org/BLANK/CA.pem index bdb4c061b..80cb29371 100644 --- a/test/aux-fixed/exim-ca/example.org/BLANK/CA.pem 
+++ b/test/aux-fixed/exim-ca/example.org/BLANK/CA.pem @@ -1,10 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O -x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl -LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmGE/1NBbn57y9RAMTa +/jWgErk9jUKo+z0vzO5me7MUE+C3Jhk2YFF+w3ryEny3DikQOZEdRU4NFrQKZKu5 +1jjYg5ilg8EJTP6h9GzZmacH9olW3hdMvVqMkiLuZF97H41AYx95XPDibxwrpMgD +oDVoYTQIPBwdjj8d88SdbgYjAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAINsDZLZin7u8iOLguRG +37mUDNhAQ9qUAtiFV8JnjJU9DZGb0TvSpYmOkjK2iH4cH6AsEXptB6duvkkpp6ly ++aGvlqy69D/MfPpLjLX7e6WOISshaWCGB7/rQqbRtAePFpa07gijUqxM22LfiHXz +YHJSTjLx4idfdLNS+U5iir1Y -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/Signer.pem b/test/aux-fixed/exim-ca/example.org/BLANK/Signer.pem index bbcf3ac09..c0b484762 100644 --- a/test/aux-fixed/exim-ca/example.org/BLANK/Signer.pem +++ b/test/aux-fixed/exim-ca/example.org/BLANK/Signer.pem 
@@ -1,11 +1,14 @@ -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE -zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo -F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X -PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB +ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY +hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro +yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr +vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g +UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/cert8.db b/test/aux-fixed/exim-ca/example.org/BLANK/cert8.db index 173ac186a..ea04d85ca 100644 Binary files a/test/aux-fixed/exim-ca/example.org/BLANK/cert8.db and b/test/aux-fixed/exim-ca/example.org/BLANK/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/key3.db b/test/aux-fixed/exim-ca/example.org/BLANK/key3.db index f4cc9de79..7664d2541 100644 Binary files a/test/aux-fixed/exim-ca/example.org/BLANK/key3.db and b/test/aux-fixed/exim-ca/example.org/BLANK/key3.db differ 
diff --git a/test/aux-fixed/exim-ca/example.org/BLANK/secmod.db b/test/aux-fixed/exim-ca/example.org/BLANK/secmod.db index 8a8319376..b709dd8a5 100644 Binary files a/test/aux-fixed/exim-ca/example.org/BLANK/secmod.db and b/test/aux-fixed/exim-ca/example.org/BLANK/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.org/CA/CA.pem b/test/aux-fixed/exim-ca/example.org/CA/CA.pem index bdb4c061b..80cb29371 100644 --- a/test/aux-fixed/exim-ca/example.org/CA/CA.pem +++ b/test/aux-fixed/exim-ca/example.org/CA/CA.pem @@ -1,10 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O -x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl -LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmGE/1NBbn57y9RAMTa +/jWgErk9jUKo+z0vzO5me7MUE+C3Jhk2YFF+w3ryEny3DikQOZEdRU4NFrQKZKu5 +1jjYg5ilg8EJTP6h9GzZmacH9olW3hdMvVqMkiLuZF97H41AYx95XPDibxwrpMgD +oDVoYTQIPBwdjj8d88SdbgYjAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAINsDZLZin7u8iOLguRG +37mUDNhAQ9qUAtiFV8JnjJU9DZGb0TvSpYmOkjK2iH4cH6AsEXptB6duvkkpp6ly ++aGvlqy69D/MfPpLjLX7e6WOISshaWCGB7/rQqbRtAePFpa07gijUqxM22LfiHXz +YHJSTjLx4idfdLNS+U5iir1Y -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/CA/OCSP.key b/test/aux-fixed/exim-ca/example.org/CA/OCSP.key index 4248964fd..4cc0e8b39 100644 --- a/test/aux-fixed/exim-ca/example.org/CA/OCSP.key 
+++ b/test/aux-fixed/exim-ca/example.org/CA/OCSP.key @@ -1,14 +1,20 @@ Bag Attributes friendlyName: OCSP Signer - localKeyID: 89 7C 3C C4 3E 60 FD AA 47 69 0A 11 1B 17 C9 BD 6B D2 DA 1E + localKeyID: CA FD 34 A0 02 63 3E 50 60 F9 97 9A 4F 56 8C A5 12 90 66 00 Key Attributes: -----BEGIN PRIVATE KEY----- -MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAl1EzD7A3887Wit6D -uE5WOuTdCD4RVQFBa85RFHZd/Q3Yiw5SXh7gQaykL/4mrFHzgbKNgj6WmjBp4tNI -FQYqJQIDAQABAkBNigd/X46cef5IdRPMayAW19ZH9f5Nr/IFO1kjAjDRjfASDkBN -V/rMV+78Rh5fOAj1S74VILvKTaaLWhvkDOF1AiEAxxhzyV1rOrdo/tp7W6uD5m0g -OTxUZYn/6Ec/Kkb6SjsCIQDCkN8rSD+IkhJ3zQOvCi2Onxjon5mE4mkbhZLq84W3 -HwIhAJbbRlCbwnY5JwuEjNgG++iLY1E7D0/o4skjww7LvTalAiBCCbH1mtwVmp6y -Et/BNY8o7U8jBaixtbc/JCMto+IquQIhAI6flaLC9nQbBh6BX6GVeGu3XS9M/jFe -EK9fMWn71opJ +MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMYp+j3nm7+amKqt +uV0wTUbE3KVXBqj8TGbTm0K839Zd+ZYuAUabDhBhkvvsbGMamvv3liF3iPdHg+z0 +vSoH7b3HODevq+SzOUSNZXz9Ha50PL5oZyP87AhqbotEMp8YkNQHDhABNDNK4mOK +W3AvGfoXUkqodA2JBxRT/8IMg4mlAgMBAAECgYEAv9wMqLsBlLU9cqLYgV0utIIN +jxd/H0WHQ1dFT4xGu+ooqDrKiW2+ZCXUhY0WM62iuKmx9Z0iQyg+lsEuFO+wQQSY +Ry20gPko1qr9MfmuRITHmnojq5j5OFDfHSQj119K3vk9m6c+BPV6iL+O+a/FWWI7 +uLpi0BRlVP7nuiRjpYECQQDza+kP0qLGyDcY09NVGhcSLhJY/vXxUt+/d/y735bm +CmpbSmKq6ngg4NmVsZ3FnA+3/qw3+BunxGQsMvYxu2B5AkEA0GdhPWgy4EhBhI// +IO+7hTCMlW0Hy5Mmdu+X1MRXFZSKajVuebRfFOY5XowO3urLkPaWIsfZUiAQ60dk +0/bfjQJAdb/fb43+u5WiQVpGQkZqnpq2uWIr6l6iaWZLVT4lKoYjSKHE9NSS46Sg +3C6dGTgSynhhKnnUNuVjZ5YHTatMUQJAE+zudSqTQrJl4UDLSeDh8vgTWO4VwrcN +BG4f/C3RjbSoD0OQjn5aYOsqLQoDGfklAXUyIZ0uABYkx/oJf+KouQJALomqbA6e +2wII/ficucWliDecgCm3Q9E5iQTru+awd7nEyFmyGhNSbNlF/SmxkIl+Ust5JhhG +5Lu+UkKWJ7aK+w== -----END PRIVATE KEY----- diff --git a/test/aux-fixed/exim-ca/example.org/CA/OCSP.p12 b/test/aux-fixed/exim-ca/example.org/CA/OCSP.p12 index e247406e2..fb84d1779 100644 Binary files a/test/aux-fixed/exim-ca/example.org/CA/OCSP.p12 and b/test/aux-fixed/exim-ca/example.org/CA/OCSP.p12 differ 
diff --git a/test/aux-fixed/exim-ca/example.org/CA/OCSP.pem b/test/aux-fixed/exim-ca/example.org/CA/OCSP.pem index 287e61e12..d2f6c43eb 100644 --- a/test/aux-fixed/exim-ca/example.org/CA/OCSP.pem +++ b/test/aux-fixed/exim-ca/example.org/CA/OCSP.pem @@ -1,11 +1,13 @@ -----BEGIN CERTIFICATE----- -MIIBgDCCASqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICBTCCAW6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMloXDTM4MDEwMTEyMzQwMlowMjEUMBIGA1UEChMLZXhhbXBsZS5vcmcxGjAY -BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJB -AJdRMw+wN/PO1oreg7hOVjrk3Qg+EVUBQWvOURR2Xf0N2IsOUl4e4EGspC/+JqxR -84GyjYI+lpowaeLTSBUGKiUCAwEAAaMqMCgwDgYDVR0PAQH/BAQDAgeAMBYGA1Ud -JQEB/wQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBBQUAA0EAZe2NAm2FGEJuLkyZ -AiGPi2pdu5ngE+vQhyTFR3EJ4L6HDkNGE5Mv7lrsSSWU47N3R+Oo+glEau6SyTb1 -zMIYxQ== +MzQwOFoXDTM4MDEwMTEyMzQwOFowMjEUMBIGA1UEChMLZXhhbXBsZS5vcmcxGjAY +BgNVBAMTEWNsaWNhIE9DU1AgU2lnbmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB +iQKBgQDGKfo955u/mpiqrbldME1GxNylVwao/Exm05tCvN/WXfmWLgFGmw4QYZL7 +7GxjGpr795Yhd4j3R4Ps9L0qB+29xzg3r6vkszlEjWV8/R2udDy+aGcj/OwIam6L +RDKfGJDUBw4QATQzSuJjiltwLxn6F1JKqHQNiQcUU//CDIOJpQIDAQABoyowKDAO +BgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcN +AQEFBQADgYEAdbT6NKoq7DehBoMSAt8zojI26q2qR1xUmC/IN4QN3NAkmBk8R5a5 +Kn9oaimw0DvXO5+HP/B5Q64l9y/Prjm+08vQvK5zOP+IGZv0NcmORgzAo7n9ZePN +t101UYlJMKay24ksvhcW1Xv/g9S570DncOr+vTKDYjyWGHQn2Z7terE= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/CA/Signer.pem b/test/aux-fixed/exim-ca/example.org/CA/Signer.pem index bbcf3ac09..c0b484762 100644 --- a/test/aux-fixed/exim-ca/example.org/CA/Signer.pem +++ b/test/aux-fixed/exim-ca/example.org/CA/Signer.pem 
@@ -1,11 +1,14 @@ -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE -zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo -F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X -PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB +ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY +hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro +yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr +vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g +UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/CA/ca.conf b/test/aux-fixed/exim-ca/example.org/CA/ca.conf index 9d6d2ed78..daac83b20 100644 --- a/test/aux-fixed/exim-ca/example.org/CA/ca.conf +++ b/test/aux-fixed/exim-ca/example.org/CA/ca.conf @@ -1,5 +1,5 @@ ; Config::Simple 4.59 -; Thu Nov 1 12:34:02 2012 +; Thu Nov 1 12:34:07 2012 [CLICA] crl_url=http://crl.example.org/latest.crl @@ -13,6 +13,6 @@ ocsp_url=http://oscp/example.org/ org=example.org subject=clica CA name=Certificate Authority -bits=512 +bits=1024 
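Review bot: In the ca.conf hunk at `@@ -13,6 +13,6 @@`, `bits` only moves from 512 to 1024, which is still below the 2048-bit RSA minimum in current guidance, so these fixtures are likely to need another regeneration as soon as a TLS library raises its floor. Consider `bits=2048` now, or add a comment saying why 1024 was chosen for the test CA. Separately, the context line `ocsp_url=http://oscp/example.org/` in the same hunk looks like a typo (`oscp` for `ocsp`, and `/` where a `.` would make a hostname); if tests ever dereference that URL it is worth fixing while the certificates are being reissued anyway.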
diff --git a/test/aux-fixed/exim-ca/example.org/CA/cert8.db b/test/aux-fixed/exim-ca/example.org/CA/cert8.db index 7f25f8d49..6bea97721 100644 Binary files a/test/aux-fixed/exim-ca/example.org/CA/cert8.db and b/test/aux-fixed/exim-ca/example.org/CA/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.empty b/test/aux-fixed/exim-ca/example.org/CA/crl.empty index f35edb0c1..8d64127ee 100644 Binary files a/test/aux-fixed/exim-ca/example.org/CA/crl.empty and b/test/aux-fixed/exim-ca/example.org/CA/crl.empty differ diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.empty.in.txt b/test/aux-fixed/exim-ca/example.org/CA/crl.empty.in.txt index 250311c00..114640be1 100644 --- a/test/aux-fixed/exim-ca/example.org/CA/crl.empty.in.txt +++ b/test/aux-fixed/exim-ca/example.org/CA/crl.empty.in.txt @@ -1 +1 @@ -update=20130127152434Z +update=20140422152734Z diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.empty.pem b/test/aux-fixed/exim-ca/example.org/CA/crl.empty.pem index 292e8712d..d86052ea1 100644 --- a/test/aux-fixed/exim-ca/example.org/CA/crl.empty.pem +++ b/test/aux-fixed/exim-ca/example.org/CA/crl.empty.pem @@ -1,6 +1,7 @@ -----BEGIN X509 CRL----- -MIGsMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5vcmcx -GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxMzAxMjcxNTI0MzRaMA0G -CSqGSIb3DQEBBQUAA0EAL3N9NbP2jClLBlaFsAFB959JN6Hm7B6H5uYdGo55Rvt6 -1BZvz36DEQemcEmzrelVOR+bCBTTBkH8SC6jv9dsAQ== +MIHtMFgCAQEwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhhbXBsZS5vcmcx +GzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydBgPMjAxNDA0MjIxNTI3MzRaMA0G +CSqGSIb3DQEBBQUAA4GBABztztS8Xe1KA+6lLFt0sZOFQGGErlzPjIzxtiG3xpFb +zLA1m8qTBZdwmGTmWw0Al0zEyPH+1ApLy8uedoJu0oiRmLCjkRUoL6XCwA+0KV5m +96f9y8AbrbdfbAK1zl8NTtJdKlCy/vuYBMLYQQn1ix63d28PcqACJrK+8tDq5G31 -----END X509 CRL----- 
diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.v2 b/test/aux-fixed/exim-ca/example.org/CA/crl.v2 index 8c7f4d421..f34c05a51 100644 Binary files a/test/aux-fixed/exim-ca/example.org/CA/crl.v2 and b/test/aux-fixed/exim-ca/example.org/CA/crl.v2 differ diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt b/test/aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt index 434045ffe..2485f76b3 100644 --- a/test/aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt +++ b/test/aux-fixed/exim-ca/example.org/CA/crl.v2.in.txt @@ -1,3 +1,3 @@ -update=20130127152437Z -addcert 102 20130127152437Z -addcert 202 20130127152437Z +update=20140422152736Z +addcert 102 20140422152736Z +addcert 202 20140422152736Z diff --git a/test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem b/test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem index bff595325..5c44edfb6 100644 --- a/test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem +++ b/test/aux-fixed/exim-ca/example.org/CA/crl.v2.pem @@ -1,7 +1,9 @@ -----BEGIN X509 CRL----- -MIHcMIGHAgEBMA0GCSqGSIb3DQEBBQUAMDMxFDASBgNVBAoTC2V4YW1wbGUub3Jn -MRswGQYDVQQDExJjbGljYSBTaWduaW5nIENlcnQYDzIwMTMwMTI3MTUyNDM3WjAt -MBQCAWYYDzIwMTMwMTI3MTUyNDM3WjAVAgIAyhgPMjAxMzAxMjcxNTI0MzdaMA0G -CSqGSIb3DQEBBQUAA0EAVWskomLMAt1QAPrpuIC7WsNrAmPRG1XL+Ggm8d4rESya -WGQxA0p4ZM6THLfJ3ZWAxlMHEGVkqAUQpUnZhNHmEQ== +MIIBHTCBhwIBATANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFtcGxlLm9y +ZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0GA8yMDE0MDQyMjE1MjczNlow +LTAUAgFmGA8yMDE0MDQyMjE1MjczNlowFQICAMoYDzIwMTQwNDIyMTUyNzM2WjAN +BgkqhkiG9w0BAQUFAAOBgQAAsD6wBUQvXRStoEQu/x7SYC3K7kNU3tcvD2klq62U +svU/gRGhyOCD3/iamcoUHkTZeCGdNjJmGG4U52zUUSvlY6qMFBe75xHDL7/8BMsl +Db5VpBobfmDJOzyL4pJ7/Zrn7pAEuUEDT/ZUBD5Slk5IMsAvnKIrzYpN5EyYB62Z +MA== -----END X509 CRL----- diff --git a/test/aux-fixed/exim-ca/example.org/CA/key3.db b/test/aux-fixed/exim-ca/example.org/CA/key3.db index e11319ff8..5b7103c05 100644 Binary files a/test/aux-fixed/exim-ca/example.org/CA/key3.db and b/test/aux-fixed/exim-ca/example.org/CA/key3.db differ 
diff --git a/test/aux-fixed/exim-ca/example.org/CA/noise.file b/test/aux-fixed/exim-ca/example.org/CA/noise.file index 864164815..08d68b11a 100644 --- a/test/aux-fixed/exim-ca/example.org/CA/noise.file +++ b/test/aux-fixed/exim-ca/example.org/CA/noise.file 
@@ -1,301 +1,244 @@ processor : 0 vendor_id : GenuineIntel cpu family : 6 -model : 26 -model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz -stepping : 5 -cpu MHz : 2260.628 -cache size : 8192 KB +model : 13 +model name : QEMU Virtual CPU version (cpu64-rhel6) +stepping : 3 +cpu MHz : 1994.999 +cache size : 4096 KB fpu : yes fpu_exception : yes -cpuid level : 11 +cpuid level : 4 wp : yes -flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts -bogomips : 4521.25 +flags : fpu de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pse36 clflush mmx fxsr sse sse2 syscall nx lm up unfair_spinlock pni cx16 hypervisor lahf_lm +bogomips : 3989.99 clflush size : 64 cache_alignment : 64 -address sizes : 40 bits physical, 48 bits virtual +address sizes : 38 bits physical, 48 bits virtual power management: -processor : 1 -vendor_id : GenuineIntel -cpu family : 6 -model : 26 -model name : Intel(R) Xeon(R) CPU E5520 @ 2.27GHz -stepping : 5 -cpu MHz : 2260.628 -cache size : 8192 KB -fpu : yes -fpu_exception : yes -cpuid level : 11 -wp : yes -flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt hypervisor lahf_lm ida dts -bogomips : 4521.25 -clflush size : 64 -cache_alignment : 64 -address sizes : 40 bits physical, 48 bits virtual -power management: - - CPU0 CPU1 - 0: 2481 0 IO-APIC-edge timer - 1: 21441 346 IO-APIC-edge i8042 - 3: 1 0 IO-APIC-edge - 4: 1 0 IO-APIC-edge - 7: 0 0 IO-APIC-edge parport0 - 8: 1 0 IO-APIC-edge rtc0 - 9: 0 0 IO-APIC-fasteoi acpi - 12: 78986 1718 IO-APIC-edge i8042 - 14: 0 0 IO-APIC-edge ata_piix - 15: 2423330 
1435 IO-APIC-edge ata_piix - 16: 1025 0 IO-APIC-fasteoi Ensoniq AudioPCI - 17: 239850 2559 IO-APIC-fasteoi ehci_hcd:usb1, ioc0 - 18: 246 0 IO-APIC-fasteoi uhci_hcd:usb2 - 19: 1868741 51479 IO-APIC-fasteoi eth0 - 24: 0 0 PCI-MSI-edge pciehp - 25: 0 0 PCI-MSI-edge pciehp - 26: 0 0 PCI-MSI-edge pciehp - 27: 0 0 PCI-MSI-edge pciehp - 28: 0 0 PCI-MSI-edge pciehp - 29: 0 0 PCI-MSI-edge pciehp - 30: 0 0 PCI-MSI-edge pciehp - 31: 0 0 PCI-MSI-edge pciehp - 32: 0 0 PCI-MSI-edge pciehp - 33: 0 0 PCI-MSI-edge pciehp - 34: 0 0 PCI-MSI-edge pciehp - 35: 0 0 PCI-MSI-edge pciehp - 36: 0 0 PCI-MSI-edge pciehp - 37: 0 0 PCI-MSI-edge pciehp - 38: 0 0 PCI-MSI-edge pciehp - 39: 0 0 PCI-MSI-edge pciehp - 40: 0 0 PCI-MSI-edge pciehp - 41: 0 0 PCI-MSI-edge pciehp - 42: 0 0 PCI-MSI-edge pciehp - 43: 0 0 PCI-MSI-edge pciehp - 44: 0 0 PCI-MSI-edge pciehp - 45: 0 0 PCI-MSI-edge pciehp - 46: 0 0 PCI-MSI-edge pciehp - 47: 0 0 PCI-MSI-edge pciehp - 48: 0 0 PCI-MSI-edge pciehp - 49: 0 0 PCI-MSI-edge pciehp - 50: 0 0 PCI-MSI-edge pciehp - 51: 0 0 PCI-MSI-edge pciehp - 52: 0 0 PCI-MSI-edge pciehp - 53: 0 0 PCI-MSI-edge pciehp - 54: 0 0 PCI-MSI-edge pciehp - 55: 0 0 PCI-MSI-edge pciehp - 56: 1 0 PCI-MSI-edge vmci - 57: 0 0 PCI-MSI-edge vmci -NMI: 0 0 Non-maskable interrupts -LOC: 12398298 14241637 Local timer interrupts -SPU: 0 0 Spurious interrupts -PMI: 0 0 Performance monitoring interrupts -IWI: 0 0 IRQ work interrupts -RES: 282673 309097 Rescheduling interrupts -CAL: 1955 163548 Function call interrupts -TLB: 17977 15562 TLB shootdowns -TRM: 0 0 Thermal event interrupts -THR: 0 0 Threshold APIC interrupts -MCE: 0 0 Machine check exceptions -MCP: 2310 2310 Machine check polls + CPU0 + 0: 258 IO-APIC-edge timer + 1: 6 IO-APIC-edge i8042 + 4: 1 IO-APIC-edge + 8: 0 IO-APIC-edge rtc0 + 9: 0 IO-APIC-fasteoi acpi + 10: 953 IO-APIC-fasteoi virtio3 + 11: 62 IO-APIC-fasteoi uhci_hcd:usb1, snd_hda_intel + 12: 104 IO-APIC-edge i8042 + 14: 0 IO-APIC-edge ata_piix + 15: 106 IO-APIC-edge ata_piix + 24: 0 
PCI-MSI-edge virtio2-config + 25: 48993 PCI-MSI-edge virtio2-requests + 26: 0 PCI-MSI-edge virtio0-config + 27: 296865 PCI-MSI-edge virtio0-input + 28: 1 PCI-MSI-edge virtio0-output + 29: 0 PCI-MSI-edge virtio1-config + 30: 18867 PCI-MSI-edge virtio1-input + 31: 1 PCI-MSI-edge virtio1-output +NMI: 0 Non-maskable interrupts +LOC: 774993 Local timer interrupts +SPU: 0 Spurious interrupts +PMI: 0 Performance monitoring interrupts +IWI: 0 IRQ work interrupts +RES: 0 Rescheduling interrupts +CAL: 0 Function call interrupts +TLB: 0 TLB shootdowns +TRM: 0 Thermal event interrupts +THR: 0 Threshold APIC interrupts +MCE: 0 Machine check exceptions +MCP: 271 Machine check polls ERR: 0 MIS: 0 -MemTotal: 1914844 kB -MemFree: 134216 kB -Buffers: 142048 kB -Cached: 952796 kB -SwapCached: 108 kB -Active: 981384 kB -Inactive: 540556 kB -Active(anon): 287092 kB -Inactive(anon): 143480 kB -Active(file): 694292 kB -Inactive(file): 397076 kB +MemTotal: 487904 kB +MemFree: 73484 kB +Buffers: 73812 kB +Cached: 141708 kB +SwapCached: 0 kB +Active: 132460 kB +Inactive: 119036 kB +Active(anon): 15152 kB +Inactive(anon): 21900 kB +Active(file): 117308 kB +Inactive(file): 97136 kB Unevictable: 0 kB Mlocked: 0 kB -SwapTotal: 4194296 kB -SwapFree: 4193560 kB -Dirty: 1732 kB +SwapTotal: 524280 kB +SwapFree: 524280 kB +Dirty: 1628 kB Writeback: 0 kB -AnonPages: 427116 kB -Mapped: 70924 kB -Shmem: 3400 kB -Slab: 190944 kB -SReclaimable: 125404 kB -SUnreclaim: 65540 kB -KernelStack: 2312 kB -PageTables: 23536 kB +AnonPages: 35928 kB +Mapped: 15596 kB +Shmem: 1128 kB +Slab: 136308 kB +SReclaimable: 83924 kB +SUnreclaim: 52384 kB +KernelStack: 752 kB +PageTables: 3412 kB NFS_Unstable: 0 kB Bounce: 0 kB WritebackTmp: 0 kB -CommitLimit: 5151716 kB -Committed_AS: 973184 kB +CommitLimit: 768232 kB +Committed_AS: 116976 kB VmallocTotal: 34359738367 kB -VmallocUsed: 280772 kB -VmallocChunk: 34359441168 kB +VmallocUsed: 12116 kB +VmallocChunk: 34359713232 kB HardwareCorrupted: 0 kB -AnonHugePages: 249856 
kB +AnonHugePages: 2048 kB HugePages_Total: 0 HugePages_Free: 0 HugePages_Rsvd: 0 HugePages_Surp: 0 Hugepagesize: 2048 kB -DirectMap4k: 8192 kB -DirectMap2M: 2088960 kB +DirectMap4k: 7156 kB +DirectMap2M: 1492992 kB slabinfo - version: 2.1 # name : tunables : slabdata -bridge_fdb_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -fuse_request 0 0 632 6 1 : tunables 54 27 8 : slabdata 0 0 0 -fuse_inode 0 0 768 5 1 : tunables 54 27 8 : slabdata 0 0 0 -rpc_buffers 8 8 2048 2 1 : tunables 24 12 8 : slabdata 4 4 0 -rpc_tasks 8 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0 -rpc_inode_cache 8 8 832 4 1 : tunables 54 27 8 : slabdata 2 2 0 -hgfsInodeCache 1 6 640 6 1 : tunables 54 27 8 : slabdata 1 1 0 -AF_VMCI 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0 -nf_conntrack_expect 0 0 240 16 1 : tunables 120 60 8 : slabdata 0 0 0 -nf_conntrack_ffffffff8200cec0 22 26 304 13 1 : tunables 54 27 8 : slabdata 2 2 0 -fib6_nodes 22 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0 -ip6_dst_cache 13 30 384 10 1 : tunables 54 27 8 : slabdata 3 3 0 -ndisc_cache 1 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0 -ip6_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0 -RAWv6 67 68 1024 4 1 : tunables 54 27 8 : slabdata 17 17 0 -UDPLITEv6 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0 -UDPv6 4 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0 -tw_sock_TCPv6 0 0 320 12 1 : tunables 54 27 8 : slabdata 0 0 0 -request_sock_TCPv6 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0 -TCPv6 9 10 1856 2 1 : tunables 24 12 8 : slabdata 5 5 0 -jbd2_1k 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0 -avtab_node 502203 502416 24 144 1 : tunables 120 60 8 : slabdata 3489 3489 0 -ext4_inode_cache 74816 74820 1024 4 1 : tunables 54 27 8 : slabdata 18705 18705 0 -ext4_xattr 9 44 88 44 1 : tunables 120 60 8 : slabdata 1 1 0 -ext4_free_block_extents 32 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0 -ext4_alloc_context 28 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0 -ext4_prealloc_space 18 
37 104 37 1 : tunables 120 60 8 : slabdata 1 1 0 -ext4_system_zone 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0 -jbd2_journal_handle 32 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0 -jbd2_journal_head 74 102 112 34 1 : tunables 120 60 8 : slabdata 3 3 0 -jbd2_revoke_table 4 202 16 202 1 : tunables 120 60 8 : slabdata 1 1 0 -jbd2_revoke_record 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0 -dm_crypt_io 50 50 152 25 1 : tunables 120 60 8 : slabdata 2 2 0 -sd_ext_cdb 2 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0 -scsi_sense_cache 25 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0 -scsi_cmd_cache 28 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0 -dm_raid1_read_record 0 0 1064 7 2 : tunables 24 12 8 : slabdata 0 0 0 -kcopyd_job 0 0 3240 2 2 : tunables 24 12 8 : slabdata 0 0 0 -io 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -dm_uevent 0 0 2608 3 2 : tunables 24 12 8 : slabdata 0 0 0 -dm_rq_clone_bio_info 0 0 16 202 1 : tunables 120 60 8 : slabdata 0 0 0 -dm_rq_target_io 0 0 392 10 1 : tunables 54 27 8 : slabdata 0 0 0 -dm_target_io 844 864 24 144 1 : tunables 120 60 8 : slabdata 6 6 0 -dm_io 828 828 40 92 1 : tunables 120 60 8 : slabdata 9 9 0 -flow_cache 0 0 96 40 1 : tunables 120 60 8 : slabdata 0 0 0 -uhci_urb_priv 6 67 56 67 1 : tunables 120 60 8 : slabdata 1 1 0 -cfq_io_context 4 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0 -cfq_queue 5 16 240 16 1 : tunables 120 60 8 : slabdata 1 1 0 -bsg_cmd 0 0 312 12 1 : tunables 54 27 8 : slabdata 0 0 0 -mqueue_inode_cache 1 4 896 4 1 : tunables 54 27 8 : slabdata 1 1 0 -isofs_inode_cache 0 0 640 6 1 : tunables 54 27 8 : slabdata 0 0 0 -hugetlbfs_inode_cache 1 6 608 6 1 : tunables 54 27 8 : slabdata 1 1 0 -dquot 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0 -kioctx 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0 -kiocb 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0 -inotify_event_private_data 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0 -inotify_inode_mark_entry 186 204 112 34 1 : 
tunables 120 60 8 : slabdata 6 6 0 -dnotify_mark_entry 1 34 112 34 1 : tunables 120 60 8 : slabdata 1 1 0 -dnotify_struct 1 112 32 112 1 : tunables 120 60 8 : slabdata 1 1 0 -fasync_cache 6 144 24 144 1 : tunables 120 60 8 : slabdata 1 1 0 -khugepaged_mm_slot 83 92 40 92 1 : tunables 120 60 8 : slabdata 1 1 0 -ksm_mm_slot 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0 -ksm_stable_node 0 0 40 92 1 : tunables 120 60 8 : slabdata 0 0 0 -ksm_rmap_item 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -utrace_engine 0 0 56 67 1 : tunables 120 60 8 : slabdata 0 0 0 -utrace 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -pid_namespace 0 0 2120 3 2 : tunables 24 12 8 : slabdata 0 0 0 -nsproxy 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0 -posix_timers_cache 0 0 176 22 1 : tunables 120 60 8 : slabdata 0 0 0 -uid_cache 10 60 128 30 1 : tunables 120 60 8 : slabdata 2 2 0 -UNIX 459 480 768 5 1 : tunables 54 27 8 : slabdata 96 96 0 -ip_mrt_cache 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0 -UDP-Lite 0 0 832 9 2 : tunables 54 27 8 : slabdata 0 0 0 -tcp_bind_bucket 15 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0 -inet_peer_cache 4 59 64 59 1 : tunables 120 60 8 : slabdata 1 1 0 -secpath_cache 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -xfrm_dst_cache 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0 -ip_fib_alias 0 0 32 112 1 : tunables 120 60 8 : slabdata 0 0 0 -ip_fib_hash 10 106 72 53 1 : tunables 120 60 8 : slabdata 2 2 0 -ip_dst_cache 29 50 384 10 1 : tunables 54 27 8 : slabdata 5 5 0 -arp_cache 4 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0 -RAW 65 72 832 9 2 : tunables 54 27 8 : slabdata 8 8 0 -UDP 6 18 832 9 2 : tunables 54 27 8 : slabdata 2 2 0 -tw_sock_TCP 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0 -request_sock_TCP 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0 -TCP 20 24 1664 4 2 : tunables 24 12 8 : slabdata 6 6 0 -eventpoll_pwq 126 212 72 53 1 : tunables 120 60 8 : slabdata 4 4 0 -eventpoll_epi 126 180 128 30 1 : tunables 120 60 8 : 
slabdata 6 6 0 -sgpool-128 2 2 4096 1 1 : tunables 24 12 8 : slabdata 2 2 0 -sgpool-64 2 2 2048 2 1 : tunables 24 12 8 : slabdata 1 1 0 -sgpool-32 2 4 1024 4 1 : tunables 54 27 8 : slabdata 1 1 0 -sgpool-16 2 8 512 8 1 : tunables 54 27 8 : slabdata 1 1 0 -sgpool-8 15 15 256 15 1 : tunables 120 60 8 : slabdata 1 1 0 -scsi_data_buffer 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0 -blkdev_integrity 0 0 112 34 1 : tunables 120 60 8 : slabdata 0 0 0 -blkdev_queue 29 30 2856 2 2 : tunables 24 12 8 : slabdata 15 15 0 -blkdev_requests 42 66 352 11 1 : tunables 54 27 8 : slabdata 5 6 0 -blkdev_ioc 5 48 80 48 1 : tunables 120 60 8 : slabdata 1 1 0 -fsnotify_event_holder 0 0 24 144 1 : tunables 120 60 8 : slabdata 0 0 0 -fsnotify_event 0 0 104 37 1 : tunables 120 60 8 : slabdata 0 0 0 -bio-0 180 180 192 20 1 : tunables 120 60 8 : slabdata 9 9 0 -biovec-256 66 66 4096 1 1 : tunables 24 12 8 : slabdata 66 66 0 -biovec-128 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0 -biovec-64 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0 -biovec-16 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0 +nf_conntrack_expect 0 0 240 16 1 : tunables 120 60 0 : slabdata 0 0 0 +nf_conntrack_ffffffff81b18540 36 36 312 12 1 : tunables 54 27 0 : slabdata 3 3 0 +fib6_nodes 42 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0 +ip6_dst_cache 24 40 384 10 1 : tunables 54 27 0 : slabdata 4 4 0 +ndisc_cache 21 30 256 15 1 : tunables 120 60 0 : slabdata 2 2 0 +ip6_mrt_cache 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0 +RAWv6 4 4 1024 4 1 : tunables 54 27 0 : slabdata 1 1 0 +UDPLITEv6 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0 +UDPv6 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0 +tw_sock_TCPv6 0 0 320 12 1 : tunables 54 27 0 : slabdata 0 0 0 +request_sock_TCPv6 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0 +TCPv6 9 10 1920 2 1 : tunables 24 12 0 : slabdata 5 5 0 +jbd2_1k 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0 +avtab_node 551039 551088 24 144 1 : tunables 120 60 0 : slabdata 
3827 3827 0 +ext4_inode_cache 36173 36888 1016 4 1 : tunables 54 27 0 : slabdata 9222 9222 0 +ext4_xattr 5 44 88 44 1 : tunables 120 60 0 : slabdata 1 1 0 +ext4_free_block_extents 16 67 56 67 1 : tunables 120 60 0 : slabdata 1 1 0 +ext4_alloc_context 16 28 136 28 1 : tunables 120 60 0 : slabdata 1 1 0 +ext4_prealloc_space 3 37 104 37 1 : tunables 120 60 0 : slabdata 1 1 0 +ext4_system_zone 0 0 40 92 1 : tunables 120 60 0 : slabdata 0 0 0 +jbd2_journal_handle 16 144 24 144 1 : tunables 120 60 0 : slabdata 1 1 0 +jbd2_journal_head 68 68 112 34 1 : tunables 120 60 0 : slabdata 2 2 0 +jbd2_revoke_table 4 202 16 202 1 : tunables 120 60 0 : slabdata 1 1 0 +jbd2_revoke_record 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0 +scsi_sense_cache 2 30 128 30 1 : tunables 120 60 0 : slabdata 1 1 0 +scsi_cmd_cache 2 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0 +dm_raid1_read_record 0 0 1064 7 2 : tunables 24 12 0 : slabdata 0 0 0 +kcopyd_job 0 0 3240 2 2 : tunables 24 12 0 : slabdata 0 0 0 +io 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0 +dm_uevent 0 0 2608 3 2 : tunables 24 12 0 : slabdata 0 0 0 +dm_rq_clone_bio_info 0 0 16 202 1 : tunables 120 60 0 : slabdata 0 0 0 +dm_rq_target_io 0 0 392 10 1 : tunables 54 27 0 : slabdata 0 0 0 +dm_target_io 576 576 24 144 1 : tunables 120 60 0 : slabdata 4 4 0 +dm_io 552 552 40 92 1 : tunables 120 60 0 : slabdata 6 6 0 +flow_cache 0 0 104 37 1 : tunables 120 60 0 : slabdata 0 0 0 +uhci_urb_priv 0 0 56 67 1 : tunables 120 60 0 : slabdata 0 0 0 +cfq_io_context 0 0 136 28 1 : tunables 120 60 0 : slabdata 0 0 0 +cfq_queue 0 0 240 16 1 : tunables 120 60 0 : slabdata 0 0 0 +bsg_cmd 0 0 312 12 1 : tunables 54 27 0 : slabdata 0 0 0 +mqueue_inode_cache 1 4 896 4 1 : tunables 54 27 0 : slabdata 1 1 0 +isofs_inode_cache 0 0 640 6 1 : tunables 54 27 0 : slabdata 0 0 0 +hugetlbfs_inode_cache 1 6 608 6 1 : tunables 54 27 0 : slabdata 1 1 0 +dquot 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0 +kioctx 0 0 384 10 1 : tunables 54 27 0 : slabdata 
0 0 0 +kiocb 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0 +inotify_event_private_data 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0 +inotify_inode_mark_entry 110 136 112 34 1 : tunables 120 60 0 : slabdata 4 4 0 +dnotify_mark_entry 0 0 112 34 1 : tunables 120 60 0 : slabdata 0 0 0 +dnotify_struct 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0 +dio 0 0 640 6 1 : tunables 54 27 0 : slabdata 0 0 0 +fasync_cache 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0 +khugepaged_mm_slot 17 92 40 92 1 : tunables 120 60 0 : slabdata 1 1 0 +ksm_mm_slot 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0 +ksm_stable_node 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0 +ksm_rmap_item 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0 +utrace_engine 0 0 56 67 1 : tunables 120 60 0 : slabdata 0 0 0 +utrace 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0 +pid_namespace 0 0 2168 3 2 : tunables 24 12 0 : slabdata 0 0 0 +posix_timers_cache 0 0 176 22 1 : tunables 120 60 0 : slabdata 0 0 0 +uid_cache 3 30 128 30 1 : tunables 120 60 0 : slabdata 1 1 0 +UNIX 107 110 768 5 1 : tunables 54 27 0 : slabdata 22 22 0 +ip_mrt_cache 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0 +UDP-Lite 0 0 832 9 2 : tunables 54 27 0 : slabdata 0 0 0 +tcp_bind_bucket 9 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0 +inet_peer_cache 2 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0 +secpath_cache 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0 +xfrm_dst_cache 0 0 448 8 1 : tunables 54 27 0 : slabdata 0 0 0 +ip_fib_alias 1 112 32 112 1 : tunables 120 60 0 : slabdata 1 1 0 +ip_fib_hash 14 53 72 53 1 : tunables 120 60 0 : slabdata 1 1 0 +ip_dst_cache 26 30 384 10 1 : tunables 54 27 0 : slabdata 3 3 0 +arp_cache 6 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0 +PING 0 0 832 9 2 : tunables 54 27 0 : slabdata 0 0 0 +RAW 2 9 832 9 2 : tunables 54 27 0 : slabdata 1 1 0 +UDP 1 9 832 9 2 : tunables 54 27 0 : slabdata 1 1 0 +tw_sock_TCP 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0 +request_sock_TCP 0 0 
128 30 1 : tunables 120 60 0 : slabdata 0 0 0 +TCP 10 12 1728 4 2 : tunables 24 12 0 : slabdata 3 3 0 +eventpoll_pwq 59 106 72 53 1 : tunables 120 60 0 : slabdata 2 2 0 +eventpoll_epi 59 90 128 30 1 : tunables 120 60 0 : slabdata 3 3 0 +sgpool-128 2 2 4096 1 1 : tunables 24 12 0 : slabdata 2 2 0 +sgpool-64 2 2 2048 2 1 : tunables 24 12 0 : slabdata 1 1 0 +sgpool-32 2 4 1024 4 1 : tunables 54 27 0 : slabdata 1 1 0 +sgpool-16 2 8 512 8 1 : tunables 54 27 0 : slabdata 1 1 0 +sgpool-8 2 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0 +scsi_data_buffer 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0 +blkdev_integrity 0 0 112 34 1 : tunables 120 60 0 : slabdata 0 0 0 +blkdev_queue 28 28 2864 2 2 : tunables 24 12 0 : slabdata 14 14 0 +blkdev_requests 22 22 352 11 1 : tunables 54 27 0 : slabdata 2 2 0 +blkdev_ioc 3 48 80 48 1 : tunables 120 60 0 : slabdata 1 1 0 +fsnotify_event_holder 0 0 24 144 1 : tunables 120 60 0 : slabdata 0 0 0 +fsnotify_event 0 0 104 37 1 : tunables 120 60 0 : slabdata 0 0 0 +bio-0 80 80 192 20 1 : tunables 120 60 0 : slabdata 4 4 0 +biovec-256 34 34 4096 1 1 : tunables 24 12 0 : slabdata 34 34 0 +biovec-128 0 0 2048 2 1 : tunables 24 12 0 : slabdata 0 0 0 +biovec-64 2 4 1024 4 1 : tunables 54 27 0 : slabdata 1 1 0 +biovec-16 7 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0 bip-256 2 2 4224 1 2 : tunables 8 4 0 : slabdata 2 2 0 -bip-128 0 0 2176 3 2 : tunables 24 12 8 : slabdata 0 0 0 -bip-64 0 0 1152 7 2 : tunables 24 12 8 : slabdata 0 0 0 -bip-16 0 0 384 10 1 : tunables 54 27 8 : slabdata 0 0 0 -bip-4 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0 -bip-1 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0 -sock_inode_cache 667 685 704 5 1 : tunables 54 27 8 : slabdata 137 137 0 -skbuff_fclone_cache 35 35 512 7 1 : tunables 54 27 8 : slabdata 5 5 0 -skbuff_head_cache 302 450 256 15 1 : tunables 120 60 8 : slabdata 30 30 0 -file_lock_cache 38 44 176 22 1 : tunables 120 60 8 : slabdata 2 2 0 -net_namespace 0 0 2112 3 2 : tunables 24 12 8 : 
slabdata 0 0 0 -shmem_inode_cache 774 775 800 5 1 : tunables 54 27 8 : slabdata 155 155 0 -Acpi-Operand 4563 4664 72 53 1 : tunables 120 60 8 : slabdata 88 88 0 -Acpi-ParseExt 0 0 72 53 1 : tunables 120 60 8 : slabdata 0 0 0 -Acpi-Parse 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0 -Acpi-State 0 0 80 48 1 : tunables 120 60 8 : slabdata 0 0 0 -Acpi-Namespace 3311 3312 40 92 1 : tunables 120 60 8 : slabdata 36 36 0 -task_delay_info 332 340 112 34 1 : tunables 120 60 8 : slabdata 10 10 0 -taskstats 5 12 328 12 1 : tunables 54 27 8 : slabdata 1 1 0 -proc_inode_cache 1008 1008 640 6 1 : tunables 54 27 8 : slabdata 168 168 0 -sigqueue 35 48 160 24 1 : tunables 120 60 8 : slabdata 2 2 0 -bdev_cache 32 36 832 4 1 : tunables 54 27 8 : slabdata 9 9 0 -sysfs_dir_cache 11356 11367 144 27 1 : tunables 120 60 8 : slabdata 421 421 0 -mnt_cache 37 45 256 15 1 : tunables 120 60 8 : slabdata 3 3 0 -filp 4614 4700 192 20 1 : tunables 120 60 8 : slabdata 235 235 0 -inode_cache 6883 7308 592 6 1 : tunables 54 27 8 : slabdata 1218 1218 0 -dentry 61120 63960 192 20 1 : tunables 120 60 8 : slabdata 3198 3198 0 -names_cache 26 26 4096 1 1 : tunables 24 12 8 : slabdata 26 26 0 -avc_node 518 1239 64 59 1 : tunables 120 60 8 : slabdata 21 21 0 -selinux_inode_security 84146 86072 72 53 1 : tunables 120 60 8 : slabdata 1624 1624 0 -radix_tree_node 11579 11781 560 7 1 : tunables 54 27 8 : slabdata 1683 1683 0 -key_jar 11 20 192 20 1 : tunables 120 60 8 : slabdata 1 1 0 -buffer_head 221286 230214 104 37 1 : tunables 120 60 8 : slabdata 6222 6222 0 -vm_area_struct 12992 13034 200 19 1 : tunables 120 60 8 : slabdata 686 686 60 -mm_struct 145 145 1408 5 2 : tunables 24 12 8 : slabdata 29 29 0 -fs_cache 177 177 64 59 1 : tunables 120 60 8 : slabdata 3 3 0 -files_cache 162 165 704 11 2 : tunables 54 27 8 : slabdata 15 15 0 -signal_cache 208 208 1024 4 1 : tunables 54 27 8 : slabdata 52 52 0 -sighand_cache 198 198 2112 3 2 : tunables 24 12 8 : slabdata 66 66 0 -task_xstate 232 232 512 8 1 : tunables 
54 27 8 : slabdata 29 29 0 -task_struct 303 303 2656 3 2 : tunables 24 12 8 : slabdata 101 101 0 -cred_jar 580 580 192 20 1 : tunables 120 60 8 : slabdata 29 29 0 -anon_vma_chain 7904 8162 48 77 1 : tunables 120 60 8 : slabdata 106 106 60 -anon_vma 5773 5888 40 92 1 : tunables 120 60 8 : slabdata 64 64 0 -pid 322 330 128 30 1 : tunables 120 60 8 : slabdata 11 11 0 -shared_policy_node 0 0 48 77 1 : tunables 120 60 8 : slabdata 0 0 0 -numa_policy 1 28 136 28 1 : tunables 120 60 8 : slabdata 1 1 0 -idr_layer_cache 428 434 544 7 1 : tunables 54 27 8 : slabdata 62 62 0 +bip-128 0 0 2176 3 2 : tunables 24 12 0 : slabdata 0 0 0 +bip-64 0 0 1152 7 2 : tunables 24 12 0 : slabdata 0 0 0 +bip-16 0 0 384 10 1 : tunables 54 27 0 : slabdata 0 0 0 +bip-4 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0 +bip-1 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0 +sock_inode_cache 150 160 704 5 1 : tunables 54 27 0 : slabdata 32 32 0 +skbuff_fclone_cache 7 7 512 7 1 : tunables 54 27 0 : slabdata 1 1 0 +skbuff_head_cache 66 105 256 15 1 : tunables 120 60 0 : slabdata 7 7 0 +file_lock_cache 21 22 176 22 1 : tunables 120 60 0 : slabdata 1 1 0 +net_namespace 0 0 2432 3 2 : tunables 24 12 0 : slabdata 0 0 0 +shmem_inode_cache 654 655 784 5 1 : tunables 54 27 0 : slabdata 131 131 0 +Acpi-Operand 1211 1219 72 53 1 : tunables 120 60 0 : slabdata 23 23 0 +Acpi-ParseExt 0 0 72 53 1 : tunables 120 60 0 : slabdata 0 0 0 +Acpi-Parse 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0 +Acpi-State 0 0 80 48 1 : tunables 120 60 0 : slabdata 0 0 0 +Acpi-Namespace 407 460 40 92 1 : tunables 120 60 0 : slabdata 5 5 0 +task_delay_info 102 102 112 34 1 : tunables 120 60 0 : slabdata 3 3 0 +taskstats 0 0 328 12 1 : tunables 54 27 0 : slabdata 0 0 0 +proc_inode_cache 408 408 656 6 1 : tunables 54 27 0 : slabdata 68 68 0 +sigqueue 9 24 160 24 1 : tunables 120 60 0 : slabdata 1 1 0 +bdev_cache 31 32 832 4 1 : tunables 54 27 0 : slabdata 8 8 0 +sysfs_dir_cache 7588 7614 144 27 1 : tunables 120 60 0 : slabdata 
282 282 0 +mnt_cache 27 30 256 15 1 : tunables 120 60 0 : slabdata 2 2 0 +filp 840 840 192 20 1 : tunables 120 60 0 : slabdata 42 42 0 +inode_cache 5826 5826 592 6 1 : tunables 54 27 0 : slabdata 971 971 0 +dentry 189420 189420 192 20 1 : tunables 120 60 0 : slabdata 9471 9471 0 +names_cache 1 1 4096 1 1 : tunables 24 12 0 : slabdata 1 1 0 +avc_node 514 708 64 59 1 : tunables 120 60 0 : slabdata 12 12 0 +selinux_inode_security 43259 46799 72 53 1 : tunables 120 60 0 : slabdata 883 883 0 +radix_tree_node 2991 3598 560 7 1 : tunables 54 27 0 : slabdata 514 514 0 +key_jar 5 20 192 20 1 : tunables 120 60 0 : slabdata 1 1 0 +buffer_head 24272 25493 104 37 1 : tunables 120 60 0 : slabdata 689 689 0 +nsproxy 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0 +vm_area_struct 2565 2565 200 19 1 : tunables 120 60 0 : slabdata 135 135 0 +mm_struct 40 40 1408 5 2 : tunables 24 12 0 : slabdata 8 8 0 +fs_cache 59 59 64 59 1 : tunables 120 60 0 : slabdata 1 1 0 +files_cache 44 44 704 11 2 : tunables 54 27 0 : slabdata 4 4 0 +signal_cache 91 91 1088 7 2 : tunables 24 12 0 : slabdata 13 13 0 +sighand_cache 90 90 2112 3 2 : tunables 24 12 0 : slabdata 30 30 0 +task_xstate 48 48 512 8 1 : tunables 54 27 0 : slabdata 6 6 0 +task_struct 96 96 2656 3 2 : tunables 24 12 0 : slabdata 32 32 0 +cred_jar 240 240 192 20 1 : tunables 120 60 0 : slabdata 12 12 0 +anon_vma_chain 1795 2079 48 77 1 : tunables 120 60 0 : slabdata 27 27 0 +anon_vma 1209 1380 40 92 1 : tunables 120 60 0 : slabdata 15 15 0 +pid 107 120 128 30 1 : tunables 120 60 0 : slabdata 4 4 0 +shared_policy_node 0 0 48 77 1 : tunables 120 60 0 : slabdata 0 0 0 +numa_policy 0 0 136 28 1 : tunables 120 60 0 : slabdata 0 0 0 +idr_layer_cache 281 287 544 7 1 : tunables 54 27 0 : slabdata 41 41 0 size-4194304(DMA) 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0 size-4194304 0 0 4194304 1 1024 : tunables 1 1 0 : slabdata 0 0 0 size-2097152(DMA) 0 0 2097152 1 512 : tunables 1 1 0 : slabdata 0 0 0 
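Review bot: The first noise.file hunk (`@@ -1,301 +1,244 @@`) replaces one verbatim dump of the generating host's cpuinfo, interrupt counters, meminfo and slabinfo with another, so the commit publishes host details (`QEMU Virtual CPU version (cpu64-rhel6)`, the virtio device list, memory sizes) that the tests have no visible need for. If this file is the seed input for key generation, it is also public once committed, and any key derived from it has to be treated as public. If it is only needed at generation time, drop it from the tree or replace it with fixed dummy content; if it must stay, say so in a note next to the fixtures.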
@@ -307,36 +250,36 @@ size-524288 0 0 524288 1 128 : tunables 1 1 0 : sla size-262144(DMA) 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0 size-262144 0 0 262144 1 64 : tunables 1 1 0 : slabdata 0 0 0 size-131072(DMA) 0 0 131072 1 32 : tunables 8 4 0 : slabdata 0 0 0 -size-131072 1 1 131072 1 32 : tunables 8 4 0 : slabdata 1 1 0 +size-131072 0 0 131072 1 32 : tunables 8 4 0 : slabdata 0 0 0 size-65536(DMA) 0 0 65536 1 16 : tunables 8 4 0 : slabdata 0 0 0 size-65536 2 2 65536 1 16 : tunables 8 4 0 : slabdata 2 2 0 size-32768(DMA) 0 0 32768 1 8 : tunables 8 4 0 : slabdata 0 0 0 size-32768 3 3 32768 1 8 : tunables 8 4 0 : slabdata 3 3 0 size-16384(DMA) 0 0 16384 1 4 : tunables 8 4 0 : slabdata 0 0 0 -size-16384 12 12 16384 1 4 : tunables 8 4 0 : slabdata 12 12 0 +size-16384 7 7 16384 1 4 : tunables 8 4 0 : slabdata 7 7 0 size-8192(DMA) 0 0 8192 1 2 : tunables 8 4 0 : slabdata 0 0 0 -size-8192 27 27 8192 1 2 : tunables 8 4 0 : slabdata 27 27 0 -size-4096(DMA) 0 0 4096 1 1 : tunables 24 12 8 : slabdata 0 0 0 -size-4096 425 425 4096 1 1 : tunables 24 12 8 : slabdata 425 425 0 -size-2048(DMA) 0 0 2048 2 1 : tunables 24 12 8 : slabdata 0 0 0 -size-2048 578 578 2048 2 1 : tunables 24 12 8 : slabdata 289 289 0 -size-1024(DMA) 0 0 1024 4 1 : tunables 54 27 8 : slabdata 0 0 0 -size-1024 1332 1332 1024 4 1 : tunables 54 27 8 : slabdata 333 333 0 -size-512(DMA) 0 0 512 8 1 : tunables 54 27 8 : slabdata 0 0 0 -size-512 1123 1176 512 8 1 : tunables 54 27 8 : slabdata 147 147 0 -size-256(DMA) 0 0 256 15 1 : tunables 120 60 8 : slabdata 0 0 0 -size-256 930 930 256 15 1 : tunables 120 60 8 : slabdata 62 62 0 -size-192(DMA) 0 0 192 20 1 : tunables 120 60 8 : slabdata 0 0 0 -size-192 2119 2160 192 20 1 : tunables 120 60 8 : slabdata 108 108 0 -size-128(DMA) 0 0 128 30 1 : tunables 120 60 8 : slabdata 0 0 0 -size-64(DMA) 0 0 64 59 1 : tunables 120 60 8 : slabdata 0 0 0 -size-64 33063 40887 64 59 1 : tunables 120 60 8 : slabdata 693 693 60 -size-32(DMA) 0 0 32 112 1 : tunables 120 60 8 
: slabdata 0 0 0 -size-128 3921 4800 128 30 1 : tunables 120 60 8 : slabdata 160 160 0 -size-32 332419 332976 32 112 1 : tunables 120 60 8 : slabdata 2973 2973 60 -kmem_cache 191 191 32896 1 16 : tunables 8 4 0 : slabdata 191 191 0 +size-8192 12 12 8192 1 2 : tunables 8 4 0 : slabdata 12 12 0 +size-4096(DMA) 0 0 4096 1 1 : tunables 24 12 0 : slabdata 0 0 0 +size-4096 119 119 4096 1 1 : tunables 24 12 0 : slabdata 119 119 0 +size-2048(DMA) 0 0 2048 2 1 : tunables 24 12 0 : slabdata 0 0 0 +size-2048 200 200 2048 2 1 : tunables 24 12 0 : slabdata 100 100 0 +size-1024(DMA) 0 0 1024 4 1 : tunables 54 27 0 : slabdata 0 0 0 +size-1024 578 588 1024 4 1 : tunables 54 27 0 : slabdata 147 147 0 +size-512(DMA) 0 0 512 8 1 : tunables 54 27 0 : slabdata 0 0 0 +size-512 608 608 512 8 1 : tunables 54 27 0 : slabdata 76 76 0 +size-256(DMA) 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0 +size-256 815 825 256 15 1 : tunables 120 60 0 : slabdata 55 55 0 +size-192(DMA) 0 0 192 20 1 : tunables 120 60 0 : slabdata 0 0 0 +size-192 1256 1260 192 20 1 : tunables 120 60 0 : slabdata 63 63 0 +size-128(DMA) 0 0 128 30 1 : tunables 120 60 0 : slabdata 0 0 0 +size-64(DMA) 0 0 64 59 1 : tunables 120 60 0 : slabdata 0 0 0 +size-64 23094 25783 64 59 1 : tunables 120 60 0 : slabdata 437 437 0 +size-32(DMA) 0 0 32 112 1 : tunables 120 60 0 : slabdata 0 0 0 +size-128 3271 3450 128 30 1 : tunables 120 60 0 : slabdata 115 115 0 +size-32 352497 352576 32 112 1 : tunables 120 60 0 : slabdata 3148 3148 0 +kmem_cache 183 183 32896 1 16 : tunables 8 4 0 : slabdata 183 183 0 Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed - lo:267102759 105357 0 0 0 0 0 0 267102759 105357 0 0 0 0 0 0 - eth0:1013758516 1354506 0 0 0 0 0 0 245531629 966810 0 0 0 0 0 0 - pan0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + lo: 5243413 23981 0 0 0 0 0 0 5243413 23981 0 0 0 0 0 0 + eth0:25465657 318897 0 0 0 0 0 0 2043751 16011 0 0 0 0 0 0 + eth1: 
1386405 18972 0 0 0 0 0 0 95634 1485 0 0 0 0 0 0 diff --git a/test/aux-fixed/exim-ca/example.org/CA/secmod.db b/test/aux-fixed/exim-ca/example.org/CA/secmod.db index c7f115bd6..f8cc0e78b 100644 Binary files a/test/aux-fixed/exim-ca/example.org/CA/secmod.db and b/test/aux-fixed/exim-ca/example.org/CA/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/expired1.example.org/ca_chain.pem index 45c5c6329..819071978 100644 --- a/test/aux-fixed/exim-ca/example.org/expired1.example.org/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/ca_chain.pem 
@@ -3,45 +3,54 @@ Bag Attributes subject=/O=example.org/CN=clica Signing Cert issuer=/O=example.org/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE -zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo -F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X -PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB +ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY +hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro +yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr +vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g +UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.org/CN=clica CA issuer=/O=example.org/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O 
-x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl -LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmGE/1NBbn57y9RAMTa +/jWgErk9jUKo+z0vzO5me7MUE+C3Jhk2YFF+w3ryEny3DikQOZEdRU4NFrQKZKu5 +1jjYg5ilg8EJTP6h9GzZmacH9olW3hdMvVqMkiLuZF97H41AYx95XPDibxwrpMgD +oDVoYTQIPBwdjj8d88SdbgYjAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAINsDZLZin7u8iOLguRG +37mUDNhAQ9qUAtiFV8JnjJU9DZGb0TvSpYmOkjK2iH4cH6AsEXptB6duvkkpp6ly ++aGvlqy69D/MfPpLjLX7e6WOISshaWCGB7/rQqbRtAePFpa07gijUqxM22LfiHXz +YHJSTjLx4idfdLNS+U5iir1Y -----END CERTIFICATE----- Bag Attributes friendlyName: expired1.example.org - localKeyID: 0B 77 EA 83 E1 31 8B 71 88 DB 88 4E DE 08 91 19 A5 4A 4D A6 + localKeyID: 99 C2 8F 9C 7D C1 19 76 88 B2 B0 83 4D 00 ED C9 E9 2B 7E EB subject=/CN=expired1.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwM1oXDTEyMTIwMTEyMzQwM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs -ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA4TTv655lwyf5lL4RkuLHqPdg -mXI36dkjEL/864WoszwLRYYfnlOj4hmKfjq9VoslfDRnOoZSm0NebJJ9Y/ea2wID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w -bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EABG4yReI+VPyFc3kEejJr31rOi3BpgEfP 
-FsN+9WoTa0B+VW125F47/FySYat+M6KBSW8fe6HFexU6FXQF+mCNvQ== +MzQwOVoXDTEyMTIwMTEyMzQwOVowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs +ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL3J/GWAVGm/d/nUnwDr +3zeq85l1l1Zmp9r9XLUcw9cDbLM1hg4Ej557Cg9bXDZ7yCoa9tZnMUr6yKw1AxiV +6DaoRt2HcPdAdge448/s96F8TtpfU9FOOm4iW2gAhhQVy/L0py76SPxadjI+IxwL +MoaaIHevy6v+8wdafJVHe3cNAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm9yZy8wHwYDVR0R +BBgwFoIUZXhwaXJlZDEuZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQEFBQADgYEAChRl +3S8Jylp0qbbYnIfnGFYgmzExHYuBkJv81j19n74NeD6cwmIE+rBL2+g459o1f3TZ +ngfnX16kXvG2xCRozPbv8VAOiF7kGHg4RdQqS3GTlnxeDuGqTTZXhMkRHeEHNp1N +J7d7YZlHna/txyMBbrg4oUESHhtUBzHC7zixHzo= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/expired1.example.org/cert8.db index 133a82f80..e119e990d 100644 Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/cert8.db and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.chain.pem index d4f9ee3f3..8a36b7744 100644 --- a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.chain.pem +++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.chain.pem 
@@ -1,29 +1,35 @@ Bag Attributes friendlyName: expired1.example.org - localKeyID: 0B 77 EA 83 E1 31 8B 71 88 DB 88 4E DE 08 91 19 A5 4A 4D A6 + localKeyID: 99 C2 8F 9C 7D C1 19 76 88 B2 B0 83 4D 00 ED C9 E9 2B 7E EB subject=/CN=expired1.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwM1oXDTEyMTIwMTEyMzQwM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs -ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA4TTv655lwyf5lL4RkuLHqPdg -mXI36dkjEL/864WoszwLRYYfnlOj4hmKfjq9VoslfDRnOoZSm0NebJJ9Y/ea2wID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w -bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EABG4yReI+VPyFc3kEejJr31rOi3BpgEfP -FsN+9WoTa0B+VW125F47/FySYat+M6KBSW8fe6HFexU6FXQF+mCNvQ== +MzQwOVoXDTEyMTIwMTEyMzQwOVowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs +ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL3J/GWAVGm/d/nUnwDr +3zeq85l1l1Zmp9r9XLUcw9cDbLM1hg4Ej557Cg9bXDZ7yCoa9tZnMUr6yKw1AxiV +6DaoRt2HcPdAdge448/s96F8TtpfU9FOOm4iW2gAhhQVy/L0py76SPxadjI+IxwL +MoaaIHevy6v+8wdafJVHe3cNAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm9yZy8wHwYDVR0R +BBgwFoIUZXhwaXJlZDEuZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQEFBQADgYEAChRl +3S8Jylp0qbbYnIfnGFYgmzExHYuBkJv81j19n74NeD6cwmIE+rBL2+g459o1f3TZ +ngfnX16kXvG2xCRozPbv8VAOiF7kGHg4RdQqS3GTlnxeDuGqTTZXhMkRHeEHNp1N +J7d7YZlHna/txyMBbrg4oUESHhtUBzHC7zixHzo= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt 
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE -zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo -F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X -PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB +ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY +hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro +yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr +vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g +UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.key b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.key index fab90976d..3f77147ff 100644 --- a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.key +++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: expired1.example.org - localKeyID: 0B 77 EA 83 E1 31 8B 71 88 DB 88 4E DE 08 91 19 A5 4A 4D A6 + localKeyID: 99 C2 8F 9C 7D C1 19 76 88 B2 B0 83 4D 00 ED C9 E9 2B 7E EB Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIL+kummor3pQCAggA -MBQGCCqGSIb3DQMHBAhpvl78t5As+QSCAWBlOt1XpYY+o5G0MSANfiL7BfKlwwYh -MDpKzsNWfwxrNZNmeT293TKVlXEav4FsEnbU0yVJ0HSLC1peXM32mjdezDdMQAwq -QPrIRj5r5m4mTTWhUPnDUrzdwrYbD4flg0H6eO7gX1w2gJw8E/LS8nhAy6ZOfEvL -jlghGljcALDPVDvNEAtcx+Wd4p71vp6wm/3kl3SAl7WXO1HcKwYYIEEL9DFZ/P4n -kqlgCu3pcgKbH9HHjImOkYRWP2Poy3OLJ7h+i/rIEaxiaJFt/1zTm+DxkkM6nbwR -2C0VnX6/gSbpz58xBlJUMiZqvh9ciFhuLCYeiJx+HnKKzTEIfnSyKV7Y7GSzqkUE -kKPVa6NTXq0nlH1fuecTGv3iUE4AXWJPmGNYS0caR8oTFd5pFlOQGazRjLDxTIb/ -N6zXiTCpQt4MWHi71a/GnfUrv0e/Bl24ARJnVWcP4brT8jA/oiPeQGEq +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIEOl5NEvFezQCAggA +MBQGCCqGSIb3DQMHBAgdwEOOYf+K8ASCAoCngEY2Iy7JaI0Pq/wcmj5CBp1cTDS3 ++CvdphRSw9W2LBNbCNjwQmyZptgDva4umoS3ex0vhiDiak+XzeBtHTdkDBhI5yW1 +H8+4+JgvEBphHYDOtMu6c27DeshuWUhh5xSJ42E+P7WDQXRB3ZbSPeR/WwpQWuc1 +Kf39b8M9dSNeOFkWuZ6lZSLVapNxZsQ1YmdOFIbzC31B94jdvKs5WL17sOO5P50b +lUomYEs981S09uyt/Jaot7fNR6AAgZR8tZtA/Lf5sEr2H2OxLhyhX5GGHuM6kY1B +BbX85yg2eZjw/XVREdmUHd7dO4eLAtYYY2wNOBllwfVY0+3Bi8YjAUJwwlgPwBmO +0/MGDAYluRh8xApI/gdKxOnDhqY4Q85n3o7iczEyJDw5FtXORPaEGQ01zie2RT86 +LyUd2e6w6wtC+GNBPb15LwNMPmFFhhBfW/LnqFhb9xydquUPeH6Vs2veDWaqflnf +cHR0ZXqfs3l/QWFtDOuvUoPxZoRSoKPxQtTsc3b8Mh6b69MgFsIu84vJHDGi2fbw +vLFXscoEanMP2BRhBSjHHcIcoMcZHOgT915zDJArolc3aDhmf/qU1lOr7hXcPyW4 +ijixkJSRJV8Cvx3Qx62ToNzmXVYc2P/b1dG7wgms6vl+GFk5HUCrkV+D3OABuaKi +f2BqzuoKTp5AUjPdFC9kFQ+7dApR6YI+MqWqAvBvSZmTYyGRuYVtuvvNxNK5qlKF +pJMDA49V3WA2Dr3DLhOPo2ZbFUjj+1Ojm667Z+ls6TWinMoQKx+VbbBudbYHMj5h +JLSjR9Y67quErC/yogcWfTdgQ/yN5LE4UPm7GaQEcvwQAzt6BQtN/U9i -----END ENCRYPTED PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.dated.resp index 0825ec70a..6610c66e5 100644 Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.good.resp index e786da6b8..1805fb2c7 100644 Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.req index 75ffacf13..9acafda55 100644 Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.req and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.revoked.resp index f8709f45d..15dd3bdc6 100644 Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.ocsp.revoked.resp differ 
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.p12 b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.p12 index f7ef5e605..c420895a2 100644 Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.p12 and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.p12 differ diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.pem b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.pem index 13da50bbc..ef0d0e2c6 100644 --- a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.pem +++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.pem 
@@ -1,18 +1,21 @@ Bag Attributes friendlyName: expired1.example.org - localKeyID: 0B 77 EA 83 E1 31 8B 71 88 DB 88 4E DE 08 91 19 A5 4A 4D A6 + localKeyID: 99 C2 8F 9C 7D C1 19 76 88 B2 B0 83 4D 00 ED C9 E9 2B 7E EB subject=/CN=expired1.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZzANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwM1oXDTEyMTIwMTEyMzQwM1owHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs -ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA4TTv655lwyf5lL4RkuLHqPdg -mXI36dkjEL/864WoszwLRYYfnlOj4hmKfjq9VoslfDRnOoZSm0NebJJ9Y/ea2wID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFGV4cGlyZWQxLmV4YW1w -bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EABG4yReI+VPyFc3kEejJr31rOi3BpgEfP -FsN+9WoTa0B+VW125F47/FySYat+M6KBSW8fe6HFexU6FXQF+mCNvQ== +MzQwOVoXDTEyMTIwMTEyMzQwOVowHzEdMBsGA1UEAxMUZXhwaXJlZDEuZXhhbXBs +ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL3J/GWAVGm/d/nUnwDr +3zeq85l1l1Zmp9r9XLUcw9cDbLM1hg4Ej557Cg9bXDZ7yCoa9tZnMUr6yKw1AxiV +6DaoRt2HcPdAdge448/s96F8TtpfU9FOOm4iW2gAhhQVy/L0py76SPxadjI+IxwL +MoaaIHevy6v+8wdafJVHe3cNAgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm9yZy8wHwYDVR0R +BBgwFoIUZXhwaXJlZDEuZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQEFBQADgYEAChRl +3S8Jylp0qbbYnIfnGFYgmzExHYuBkJv81j19n74NeD6cwmIE+rBL2+g459o1f3TZ +ngfnX16kXvG2xCRozPbv8VAOiF7kGHg4RdQqS3GTlnxeDuGqTTZXhMkRHeEHNp1N +J7d7YZlHna/txyMBbrg4oUESHhtUBzHC7zixHzo= -----END CERTIFICATE----- 
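Review bot: the regenerated leaf in expired1.example.org.pem changes key size but not digest, and nothing in the patch says which of the two was the goal. The removed body has a 512-bit RSA modulus (`...AANLADBIAkEA4TTv...` decodes to a 02 41 00 length prefix) and the added one a 1024-bit modulus (`...ADgY0AMIGJAoGBAL3J...`, 02 81 81 00), while the signature OID run `DQYJKoZIhvcNAQEFBQA` (sha1WithRSAEncryption) is the same on the first removed and first added line. If the regeneration was meant to keep these fixtures loadable by TLS libraries that enforce minimum strengths, 1024-bit with SHA-1 is the next combination to be refused; suggest recording the intended key size and digest next to the fixture generator so the next bump is a parameter change rather than another opaque blob swap. The validity window is unchanged in substance (2012-11-01 to 2012-12-01), which is what a fixture named expired1 needs.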
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.unlocked.key index 132d2da54..945254528 100644 --- a/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.unlocked.key +++ b/test/aux-fixed/exim-ca/example.org/expired1.example.org/expired1.example.org.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOgIBAAJBAOE07+ueZcMn+ZS+EZLix6j3YJlyN+nZIxC//OuFqLM8C0WGH55T -o+IZin46vVaLJXw0ZzqGUptDXmySfWP3mtsCAwEAAQJAbjXB08TIeCDv+uKpJwDk -RMQK+gzzX/VrO5843umiDVPBs3FoDJJMMI1YIxiqmj61BNvh6YdTeYMbgsqdvUT/ -AQIhAP2hXPtUNCfSMbDZujRe7weCDynq2SdT9v5GwCABKNRLAiEA40+XExCBf3zV -Eibj6fEWBlJjQPjCEvFLkbeOi44UmbECIF8u9qkvkZ88J//ZxiKvWf80VSKDC1nS -DgihXqrkJIF/AiAhsUBhUQcA0I38fMs3d8ad9URE8xpBGIbs+FomkU64YQIhALds -zCAiNfSE9O4vQvnSlbPdKT5KSbux/uGuPIhK+RA0 +MIICWwIBAAKBgQC9yfxlgFRpv3f51J8A6983qvOZdZdWZqfa/Vy1HMPXA2yzNYYO +BI+eewoPW1w2e8gqGvbWZzFK+sisNQMYleg2qEbdh3D3QHYHuOPP7PehfE7aX1PR +TjpuIltoAIYUFcvy9Kcu+kj8WnYyPiMcCzKGmiB3r8ur/vMHWnyVR3t3DQIDAQAB +AoGAE9BUk1w0c93Tbret6fC2Gx+z0t+d7x1EhO5SkW3xXC81V/hMiIYdYFREFppZ +JC8EFLE/995KHSPVc3UNX7G2zl/j5ArHzer4E3AcFPGmp1VbY0rhzN+quoK5ihzQ +u58vR2XzIv1XPxZcfgCy7IB7Hq2kiq2dFwpK5VBlBpLuI8ECQQDp9bVXD4V9XQ/+ +YNsI7APATQpg9CXQS3tIkwCJE1hDMYT6rFrYFg6qmSlSKeYvcJKFQ4qdC/vUmaJ0 +/N8nXqn1AkEAz6sIXDzmeJCu/Cg4jIHQUgShvMeyBbGBRrx5fOEYKxh/4+Jl9pAn +LCzKxEcj68krND8rGmPrdJW5LwvCsufxuQJAePDRGv4lDVcMK305/PS0Q7YPhWrw +GSrLwgprnnBnkeSJT2PFWiqczkd6esS5/w/8TfNKNkC5n38D4eHOIXXn+QJARExp +2XwmCGz9P+0ye/ONwgvH7cB3qiuw6sS95/ZX7oSGOzqQckECwSKSJW+IPtnQncRQ +tsM6AwPi/bgOdqyV8QJAcCGZoUWDmiMpnYl5XScX/5oVlEdD+PvFn6DAH6Y/IYtV +5GM7VZpSvK9pZi0JpgdHEOIz3FjVyIV8U9RD1LGqZw== -----END RSA PRIVATE KEY----- 
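Review bot: expired1.example.org.unlocked.key is a passphrase-free RSA private key, and its modulus (bytes bd c9 fc 65 80 54 69 bf after the `MIICWwIBAAKBgQC` header) is the same one carried in the new expired1 certificate, so the encrypted copy in expired1.example.org.key protects nothing once both files are in the tree. That is acceptable for material under test/aux-fixed, but the patch should say so where a reader will see it: suggest a short note beside the fixtures stating that every key under exim-ca/ is public test material and must never be installed on a real host. Secret scanners will also match the `-----BEGIN RSA PRIVATE KEY-----` header here, so an allowlist entry scoped to this directory, rather than a global exception, is worth adding at the same time.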
diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/expired1.example.org/key3.db index 4122a84e9..374d1f76d 100644 Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/key3.db and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.org/expired1.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/expired1.example.org/secmod.db index fb955213b..b1dfe2826 100644 Binary files a/test/aux-fixed/exim-ca/example.org/expired1.example.org/secmod.db and b/test/aux-fixed/exim-ca/example.org/expired1.example.org/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/expired2.example.org/ca_chain.pem index 1ca5e2884..bda02a41a 100644 --- a/test/aux-fixed/exim-ca/example.org/expired2.example.org/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/ca_chain.pem 
@@ -3,45 +3,54 @@ Bag Attributes subject=/O=example.org/CN=clica Signing Cert issuer=/O=example.org/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE -zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo -F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X -PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB +ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY +hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro +yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr +vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g +UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.org/CN=clica CA issuer=/O=example.org/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O 
-x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl -LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmGE/1NBbn57y9RAMTa +/jWgErk9jUKo+z0vzO5me7MUE+C3Jhk2YFF+w3ryEny3DikQOZEdRU4NFrQKZKu5 +1jjYg5ilg8EJTP6h9GzZmacH9olW3hdMvVqMkiLuZF97H41AYx95XPDibxwrpMgD +oDVoYTQIPBwdjj8d88SdbgYjAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAINsDZLZin7u8iOLguRG +37mUDNhAQ9qUAtiFV8JnjJU9DZGb0TvSpYmOkjK2iH4cH6AsEXptB6duvkkpp6ly ++aGvlqy69D/MfPpLjLX7e6WOISshaWCGB7/rQqbRtAePFpa07gijUqxM22LfiHXz +YHJSTjLx4idfdLNS+U5iir1Y -----END CERTIFICATE----- Bag Attributes friendlyName: expired2.example.org - localKeyID: C5 6F 48 06 54 0E B3 BB 1A BF 6D F3 86 B8 E6 D7 37 A4 65 F3 + localKeyID: BB 61 99 E6 F7 7B 14 59 32 E1 10 99 42 D0 42 05 CB 5C E4 7F subject=/CN=expired2.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDNaFw0xMjEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w -bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK1KoNb3Cu3dTkQQssg1cXUb -0Oo/o0v/BCm5A9JjE8eL0K694hJrk2pSmI+nF1ujtC+0Ilylzd2JyXvyu6jZqRUC -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt -cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAATDk4AOeRU7z4FPpjK6J2BvKeStcuon 
-xoli6qipNnf95JXgo4ZOktbGD5eankcp4QRFEUMQ79DJuTCkOl/Zgs4= +MjM0MTFaFw0xMjEyMDExMjM0MTFaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w +bGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUaWxrKTL6SzYcTEyX +FVJZqEYxiTWmks5kA//fGFICyMaOIeBUgk4m+8jHrXqfSZh7hnzk9RuTp+/bbROh +pUKnJWbMvjbQ2bxuCeRgzvvJYtGfVRqYA7dARY0cQuTa1lo9YsGFW6ojLUvbrhMp +gXxrrOQx2+omKoYulM76Une5sQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1Ud +EQQYMBaCFGV4cGlyZWQyLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBBQUAA4GBAJE7 +jNxIZvZcwM6UIWS8qYG93YfOdNNvzk6JfxGA4jyUFmdbTYYThKK7X6q+cStAWcpd +8AQsYqlfuUqwwXgeEDkdtMKdB4N/sz8Cbj0UfuHJSVxIiJ/22QNnUk8lrH2+llQz +y3Ahp9noeQCXD/eplTuTSlksu8rvMddKMvSA9p3C -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/expired2.example.org/cert8.db index 24ee82e52..96054ff4a 100644 Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/cert8.db and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.chain.pem index 3bbfb4cda..690fd9d35 100644 --- a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.chain.pem +++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.chain.pem 
@@ -1,29 +1,35 @@ Bag Attributes friendlyName: expired2.example.org - localKeyID: C5 6F 48 06 54 0E B3 BB 1A BF 6D F3 86 B8 E6 D7 37 A4 65 F3 + localKeyID: BB 61 99 E6 F7 7B 14 59 32 E1 10 99 42 D0 42 05 CB 5C E4 7F subject=/CN=expired2.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDNaFw0xMjEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w -bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK1KoNb3Cu3dTkQQssg1cXUb -0Oo/o0v/BCm5A9JjE8eL0K694hJrk2pSmI+nF1ujtC+0Ilylzd2JyXvyu6jZqRUC -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt -cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAATDk4AOeRU7z4FPpjK6J2BvKeStcuon -xoli6qipNnf95JXgo4ZOktbGD5eankcp4QRFEUMQ79DJuTCkOl/Zgs4= +MjM0MTFaFw0xMjEyMDExMjM0MTFaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w +bGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUaWxrKTL6SzYcTEyX +FVJZqEYxiTWmks5kA//fGFICyMaOIeBUgk4m+8jHrXqfSZh7hnzk9RuTp+/bbROh +pUKnJWbMvjbQ2bxuCeRgzvvJYtGfVRqYA7dARY0cQuTa1lo9YsGFW6ojLUvbrhMp +gXxrrOQx2+omKoYulM76Une5sQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1Ud +EQQYMBaCFGV4cGlyZWQyLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBBQUAA4GBAJE7 +jNxIZvZcwM6UIWS8qYG93YfOdNNvzk6JfxGA4jyUFmdbTYYThKK7X6q+cStAWcpd +8AQsYqlfuUqwwXgeEDkdtMKdB4N/sz8Cbj0UfuHJSVxIiJ/22QNnUk8lrH2+llQz +y3Ahp9noeQCXD/eplTuTSlksu8rvMddKMvSA9p3C -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt 
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE -zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo -F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X -PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB +ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY +hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro +yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr +vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g +UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.key b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.key index 6bbf07ef7..962727203 100644 --- a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.key +++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: expired2.example.org - localKeyID: C5 6F 48 06 54 0E B3 BB 1A BF 6D F3 86 B8 E6 D7 37 A4 65 F3 + localKeyID: BB 61 99 E6 F7 7B 14 59 32 E1 10 99 42 D0 42 05 CB 5C E4 7F Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIqYRYZdwd4cwCAggA -MBQGCCqGSIb3DQMHBAguS/XNjyFFMASCAWBxEYbvvuvMpVOunc6orT3lMpGxNbCV -kNeLvBHH2LkW1lQfLoo0zgqzyvjF7hTbeNm9NS8dL3ZzMG7Xb3hiR22ypuP7gdaA -NFxt7XfO7pCLsFScmOthYseIBvuxAGN8Qze2KDrXTVnOyrgPGk2q6XTIblUnGekt -MuxJAJIIGW0le9Ci23Z+156zv7BAPWiAR7qL4Lm6V3T4ppfSeGkpBhGVpCmdjnT1 -IhR4rcrLjvqE+QhqEY/gA4chFcnkZsmcLNjMAMgHXdsGgpkrv8WrbS4nTsNY71p5 -d+qA6Z6ORVyUOrxzr34NpAM9tpsvHniMEvlJAq5DMz64qnG/iZymTKH8tOhgvD9d -a7pENj+x1Eo+qb/2g6zut4+O5WnkWfXQXtuh+rnUOB09IteV33o8OYOlLR0eQxqJ -BOLi5FgNVfoSJuCZrR9oqufOb4ue7x7lmOw0r3EQYUp0weYLvDyh0ih+ +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQISqiwtlVu2dUCAggA +MBQGCCqGSIb3DQMHBAgI9HkegsmvpQSCAoA3dgmkiQthpGrdWwOEUqZpajmMqivG +RQv9Qxg4JoTSoHm9WkR+0x4vHahAaqYKDq6ca9uIHFx2dOTXH589F0lrGf+osmiB +L44C1z8aqYjJcYBPmeVHtSJsr5XFpBSWv88OQ85Z/qqtXL3jdRC98IywmDRqjYa/ +xoJyfGlLuz530Rv1iLcNQ3XGkoxmxlbV1WrmhkRythD7psUVHClt/InkFX4I6iQl +msOkNP5RBIn8BED4mHhZ2PTDAIyANgpWTeBwBOEilb/mVdctzqM1XgyzZ2469zJ+ +ZFoPTN7gtXmuNXSOBCvAJQT0vL8GYQNIkdfWi+cfhC3azq2MZcdWzIPjvSyht42c +4O4of89tUqrgLkvUiVaO74WqLtmwtTdgQg4ZIin8HPXNsVm7tYB5LMvHPKdoFOZ8 +FTD0XWWgDwoZ5tTOp31Kz5Tczab3eJ+lgPK4bqqtLusobwfI8YmCZGYrS6V+S6RZ +Qk0xrYo8mYjpjmjmpr2xkEiQ4YQiEwmuwzw4eNT1bAGL2V+hwDuxjD7f+pMQfKai +5VChf0VEHb+1pwIjnMfY4ua99IhP5bj/7Z2327CkehtzLF4ineRkVnVXy9ELomn+ +8bIFt5qBeaHfijX1MPn2Lugs8bY0xhQaRR15yBI4fQ62ekvxntLSmp5BLnaSLFsW +gjxjzRL5X4jtjSZtoxypHWBxKMW7fdxbqxAVKba1rLygqAt5QmsS5kKUDjEJBv0q +0yrdjo2Tb8UtY75oNw59cF9hgfV6xtyGLgyjw8f3eQQ88i8nKBQ+iLpHOF5t/waf +1vopHqu/zJEDskIwJpkEM3L3/wy//NMDCpop3BF7Si/aqy/j7mZUtUFV -----END ENCRYPTED PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.dated.resp index 44f9d0057..cf6d41b60 100644 Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.good.resp index 0760bb3fd..ae70bcfa3 100644 Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.req index 96cb53d16..0ba8c85de 100644 Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.req and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.revoked.resp index 0760bb3fd..ae70bcfa3 100644 Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.ocsp.revoked.resp differ 
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.p12 b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.p12 index 5bd498bcc..43717ed91 100644 Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.p12 and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.p12 differ diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.pem b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.pem index a2cdafe6d..01e01abb9 100644 --- a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.pem +++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.pem 
@@ -1,18 +1,21 @@ Bag Attributes friendlyName: expired2.example.org - localKeyID: C5 6F 48 06 54 0E B3 BB 1A BF 6D F3 86 B8 E6 D7 37 A4 65 F3 + localKeyID: BB 61 99 E6 F7 7B 14 59 32 E1 10 99 42 D0 42 05 CB 5C E4 7F subject=/CN=expired2.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMswDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDNaFw0xMjEyMDExMjM0MDNaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w -bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK1KoNb3Cu3dTkQQssg1cXUb -0Oo/o0v/BCm5A9JjE8eL0K694hJrk2pSmI+nF1ujtC+0Ilylzd2JyXvyu6jZqRUC -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRleHBpcmVkMi5leGFt -cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAATDk4AOeRU7z4FPpjK6J2BvKeStcuon -xoli6qipNnf95JXgo4ZOktbGD5eankcp4QRFEUMQ79DJuTCkOl/Zgs4= +MjM0MTFaFw0xMjEyMDExMjM0MTFaMB8xHTAbBgNVBAMTFGV4cGlyZWQyLmV4YW1w +bGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUaWxrKTL6SzYcTEyX +FVJZqEYxiTWmks5kA//fGFICyMaOIeBUgk4m+8jHrXqfSZh7hnzk9RuTp+/bbROh +pUKnJWbMvjbQ2bxuCeRgzvvJYtGfVRqYA7dARY0cQuTa1lo9YsGFW6ojLUvbrhMp +gXxrrOQx2+omKoYulM76Une5sQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1Ud +EQQYMBaCFGV4cGlyZWQyLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBBQUAA4GBAJE7 +jNxIZvZcwM6UIWS8qYG93YfOdNNvzk6JfxGA4jyUFmdbTYYThKK7X6q+cStAWcpd +8AQsYqlfuUqwwXgeEDkdtMKdB4N/sz8Cbj0UfuHJSVxIiJ/22QNnUk8lrH2+llQz +y3Ahp9noeQCXD/eplTuTSlksu8rvMddKMvSA9p3C -----END CERTIFICATE----- 
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.unlocked.key index 873f59f33..aa5a97fc1 100644 --- a/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.unlocked.key +++ b/test/aux-fixed/exim-ca/example.org/expired2.example.org/expired2.example.org.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBPAIBAAJBAK1KoNb3Cu3dTkQQssg1cXUb0Oo/o0v/BCm5A9JjE8eL0K694hJr -k2pSmI+nF1ujtC+0Ilylzd2JyXvyu6jZqRUCAwEAAQJBAIKMYjcPzW/89OVaHxWt -DVhIKE8Quhiaeaxk8Xgho9kDQXb9VUnY9uY+hQFL8jAlmr1xyqPL1ztA8Rx7b7DH -toECIQDifcfwxsjaF2XMdkDdEtmoYlEow5sRoGzgNz29EQtUiQIhAMPedhNwRb2J -0Vc6OgL4DCwu4oyjxcyGU3TywinwhCUtAiAnnYaGR87DzsngfGKWCIEHocK+VZBf -AedpRGBJHJ0VuQIhALHy6Ylthh7WGBfMcaoC22RE0FR/8hOHskjcyGQ7/IKdAiEA -lLVprJ0QmF5Z1+6RbIOcWwRWNOHEqAz4xY6HR65E2HE= +MIICXAIBAAKBgQCUaWxrKTL6SzYcTEyXFVJZqEYxiTWmks5kA//fGFICyMaOIeBU +gk4m+8jHrXqfSZh7hnzk9RuTp+/bbROhpUKnJWbMvjbQ2bxuCeRgzvvJYtGfVRqY +A7dARY0cQuTa1lo9YsGFW6ojLUvbrhMpgXxrrOQx2+omKoYulM76Une5sQIDAQAB +AoGAGASPpS//rf3p/d5jLrgmoZfX9EBOTGzJtennyMT40LaJW4sj8Mk9uJVawuXS +SGDyqlrzb2IzWkv9Rzd5y9kg1gjiJ675pVl1Z0vDhZZWYGVI3VKJh1TmYC2lPra3 +53t9N788B7fgT6bTW8KRfk2rCp0UU+hIffDgmv9wK9l/RPkCQQDEbF9VoFlVFRxX +nLBdU9IHLSZQzIgUV/OVvL8gAIJycTupT3H6CINMDfFZHcFfaKNytzzXBS2jKzSh +Fzl2s+ofAkEAwW0dMnz4VhlG84cKhxdFCjic2dneWMNACc/GnfopGIlkrSQW3AGz +yjDFQj8BIqwhPhyFGpu7nxfgtBBOW/SCLwJACMXKUDm0I6+or2UJH3Hx7G4gyvUH +ktkGwQZIBvbe3JugDYTF02Pz8T6iK9e/XjJ/Mk1qwzOxARuZ4yP1Zg7NAwJAO6mj +gupHU49ycjWqSqcj1ZZG02+/hNOdEimz0xDR0k627i0em/guc+R9RATZHc/IZTc4 +209EHTupRQFumjCeYwJBAI38tud4nIYB2/x53KOG18eBtc+QQM8gX7XwRaiK936V +mvNng2HahharF0WKqhkmLNCOR4c7nGhUs2OHoi7vDNQ= -----END RSA PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/expired2.example.org/key3.db index 22278dd28..a88c033d0 100644 Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/key3.db and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.org/expired2.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/expired2.example.org/secmod.db index 7201c7262..864618ea8 100644 Binary files a/test/aux-fixed/exim-ca/example.org/expired2.example.org/secmod.db and b/test/aux-fixed/exim-ca/example.org/expired2.example.org/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/ca_chain.pem index 6e4689902..09fa73605 100644 --- a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/ca_chain.pem 
@@ -3,45 +3,54 @@ Bag Attributes subject=/O=example.org/CN=clica Signing Cert issuer=/O=example.org/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE -zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo -F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X -PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB +ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY +hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro +yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr +vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g +UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.org/CN=clica CA issuer=/O=example.org/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O 
-x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl -LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmGE/1NBbn57y9RAMTa +/jWgErk9jUKo+z0vzO5me7MUE+C3Jhk2YFF+w3ryEny3DikQOZEdRU4NFrQKZKu5 +1jjYg5ilg8EJTP6h9GzZmacH9olW3hdMvVqMkiLuZF97H41AYx95XPDibxwrpMgD +oDVoYTQIPBwdjj8d88SdbgYjAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAINsDZLZin7u8iOLguRG +37mUDNhAQ9qUAtiFV8JnjJU9DZGb0TvSpYmOkjK2iH4cH6AsEXptB6duvkkpp6ly ++aGvlqy69D/MfPpLjLX7e6WOISshaWCGB7/rQqbRtAePFpa07gijUqxM22LfiHXz +YHJSTjLx4idfdLNS+U5iir1Y -----END CERTIFICATE----- Bag Attributes friendlyName: revoked1.example.org - localKeyID: CB 4F CF EE 43 43 65 BB 23 74 E0 40 65 36 FE 99 31 DF AB A8 + localKeyID: BD BF 30 04 34 2D 03 C9 AA FE 25 10 2C DB 7C 74 89 B0 9A C9 subject=/CN=revoked1.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMloXDTM4MDEwMTEyMzQwMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs -ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtH5k2k62LbnSi/B5Bgxk+zMn -GiOYjeojLffbE73oSIws/sAwigOroZRxeDCK1Bvqlt3CsRlh1j7qGHTdf3JPEQID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w -bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EAh2MZRLrAaQlspQCSvzB8GauDjhyc1ZMz 
-/YeE550dEXzC3YtnTK6PKmDfm0xw/eVcSnwlsYUdLFzB5xBGbkxQbg== +MzQwOVoXDTM4MDEwMTEyMzQwOVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs +ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMOKMcTBoKYBCz8Sxb/B +5/RGvTdDMmkNO/e91ni4S/3OjvvksMmg38fv1e4DQOazkE4dp9ttllheaw0O6lEO +cpuFSFC6BLDlaDEaJqDAlm9++vTZ+azhM1nUIKbUhmlPSMnagL1GhWBX1w3EVP2F +n02386NEAY/kPJMoR2r/4Kb5AgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm9yZy8wHwYDVR0R +BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQEFBQADgYEAc4B0 +aoj+H7UoNbV39uIQIV3Z//V+AqQuOaBtUTf3izNDG/r3tpJ+La6s6FxH55dRvQdc +lvF6WdHgD++J5Vx7MUVcXMyVmpJrLpnJk4BBSFMn/fgvoPFfONL1p9Z33HnIUrY1 +hCmJrHtAqS0pztH5YioEH97ihYz5Teoc6mws/Yc= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/cert8.db index 276490b07..5d8a28d98 100644 Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/cert8.db and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/key3.db index d0a1a89ea..6c973df58 100644 Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/key3.db and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.chain.pem index 44a69f441..997cebf47 100644 --- a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.chain.pem +++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.chain.pem 
@@ -1,29 +1,35 @@ Bag Attributes friendlyName: revoked1.example.org - localKeyID: CB 4F CF EE 43 43 65 BB 23 74 E0 40 65 36 FE 99 31 DF AB A8 + localKeyID: BD BF 30 04 34 2D 03 C9 AA FE 25 10 2C DB 7C 74 89 B0 9A C9 subject=/CN=revoked1.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMloXDTM4MDEwMTEyMzQwMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs -ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtH5k2k62LbnSi/B5Bgxk+zMn -GiOYjeojLffbE73oSIws/sAwigOroZRxeDCK1Bvqlt3CsRlh1j7qGHTdf3JPEQID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w -bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EAh2MZRLrAaQlspQCSvzB8GauDjhyc1ZMz -/YeE550dEXzC3YtnTK6PKmDfm0xw/eVcSnwlsYUdLFzB5xBGbkxQbg== +MzQwOVoXDTM4MDEwMTEyMzQwOVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs +ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMOKMcTBoKYBCz8Sxb/B +5/RGvTdDMmkNO/e91ni4S/3OjvvksMmg38fv1e4DQOazkE4dp9ttllheaw0O6lEO +cpuFSFC6BLDlaDEaJqDAlm9++vTZ+azhM1nUIKbUhmlPSMnagL1GhWBX1w3EVP2F +n02386NEAY/kPJMoR2r/4Kb5AgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm9yZy8wHwYDVR0R +BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQEFBQADgYEAc4B0 +aoj+H7UoNbV39uIQIV3Z//V+AqQuOaBtUTf3izNDG/r3tpJ+La6s6FxH55dRvQdc +lvF6WdHgD++J5Vx7MUVcXMyVmpJrLpnJk4BBSFMn/fgvoPFfONL1p9Z33HnIUrY1 +hCmJrHtAqS0pztH5YioEH97ihYz5Teoc6mws/Yc= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt 
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE -zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo -F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X -PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB +ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY +hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro +yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr +vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g +UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.key b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.key index cd759c412..5e21cbfed 100644 --- a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.key +++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: revoked1.example.org - localKeyID: CB 4F CF EE 43 43 65 BB 23 74 E0 40 65 36 FE 99 31 DF AB A8 + localKeyID: BD BF 30 04 34 2D 03 C9 AA FE 25 10 2C DB 7C 74 89 B0 9A C9 Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIYvHqW0ndOlQCAggA -MBQGCCqGSIb3DQMHBAgXAj3LlhSYaQSCAVhHtecAjwqd7AvQnGWaErxhdo/AMfio -SWCovkatfN0ExC0Q43QX2P7HKcP6ysQDg+oLHWiIP+2N6lOkQLBxF4KCAfEa9hcR -GJhbBDLiL5mNgfxdPzM+NUfxGainUfwiGFM5ZZg4vZgvP8hMoVeCRJ+sBP4rHzyw -0AdAMzAeJym8MVONUMadr/D7ReMGgxQdGGl/GrrmwOAeJNCh8KJVfI7hQZE0Ell7 -XWWZPl1VafuzErUz0Lm4NdbstlfpVE/ZWWuXCxGgJ5cPyMu5oloHPpPm+x0oR4Ik -NxPkXZ74OZtc58nTgh+SEVe/myWTujMdj9jCxfJknyAlMwZCv/wu/EwcRFopvo16 -zLCsb2x4+sW5Uhduv0mQYEIPBjl+9Eg5eHrX6z+E/AhikE3C7OmQ7MM/8PLPqoUo -xoXYK2O5seWWA5IjCbm7I9mMQpmZi847H9WpHLEaoh8gew== +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIT05M1SXZo7oCAggA +MBQGCCqGSIb3DQMHBAgKjXdFWgevnASCAoDJx6CMm3lv2+3DdMJOrODuXYc04hqm +OYUHWPas6aMaE9ZU2WQ+05envov/obUhJ3T1laRTnAhbMIrIuQDDkR4Tx+njdpS0 +WwEmGxlv4JL7bW+TG2g9LfpMUGTcK+pTNmM7pNSylnN6E1EvqTrMLqc6VaPG2Ohc +KCPbWiqDKyM3WHxrgRkhg3sQmW0KyyU1QT9nNHZAW2ip1sJVzRKbiIsx+t020kH2 +abemY+ZDpfwKJKZpzm5CjeWLP/zO0q07ZkEgLjjhXAtLwCEfkt7SiShOOYFaYQUo +psk9WSDU/ieF1Uywz6nrqWSH/TBDbbqrYXPshTXeFE2UzCvSdPYHPEvOnQTIVya5 +T9P54rWQKIo3GnPxJaEXo+tzCnV9B4kyFcEtjwKrh9jWu2MMLzLMdRrm1VKcjgts +kXHbeyfrZouWOdoPUNRSdc004oWYvvweG3DmObUQBxKh+PojMCbaBpJFkE+bbfxo +JZ49baXcqXx7vph8PszJBzS2FgmN/r3eMgYQDqzydfnoTPhyjsU8ompeHVbH53VU +PKUkNyeac7lAwj6JwcXOMDnc51KFQ80i+/0gHwrRSd+bmgmnpwO1TTiEeIUaYCQa +/Ic7LxXhi/gWrQg4U8bIsibXBHEefcwtWWuDD1uUlxezuqdFrSUUC0Da5AmD516Q +8aznlBljvQUpiQQHH3KB7eQEp+bbgYZJagFeZIn9FiLlHzPpIZetsB+ynPSvjz/V +zVszLHuLaswKcC1N66LAOqyCKcPYI35+OqE8/6SCe9iJFOoIYlJkxDBKwZk/NhvD +/CRD6hsaeUnAHpNEuus5qrRICbDAoi1LoK8hDadb7Zv+wSLY/uo0JzxL -----END ENCRYPTED PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.dated.resp index 5a1246638..b2d520f2f 100644 Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.good.resp index 30c30f669..11deee270 100644 Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.req index 90263fdd8..dce81ee66 100644 Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.req and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.revoked.resp index 6273c03e4..0fae5d0ac 100644 Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.ocsp.revoked.resp differ 
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.p12 b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.p12 index c4392fc62..9be063361 100644 Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.p12 and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.p12 differ diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.pem b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.pem index 70bea88ca..96d856f1a 100644 --- a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.pem +++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.pem 
@@ -1,18 +1,21 @@ Bag Attributes friendlyName: revoked1.example.org - localKeyID: CB 4F CF EE 43 43 65 BB 23 74 E0 40 65 36 FE 99 31 DF AB A8 + localKeyID: BD BF 30 04 34 2D 03 C9 AA FE 25 10 2C DB 7C 74 89 B0 9A C9 subject=/CN=revoked1.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBDCCAa6gAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIICiTCCAfKgAwIBAgIBZjANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMloXDTM4MDEwMTEyMzQwMlowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs -ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtH5k2k62LbnSi/B5Bgxk+zMn -GiOYjeojLffbE73oSIws/sAwigOroZRxeDCK1Bvqlt3CsRlh1j7qGHTdf3JPEQID -AQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1UdEQQYMBaCFHJldm9rZWQxLmV4YW1w -bGUub3JnMA0GCSqGSIb3DQEBBQUAA0EAh2MZRLrAaQlspQCSvzB8GauDjhyc1ZMz -/YeE550dEXzC3YtnTK6PKmDfm0xw/eVcSnwlsYUdLFzB5xBGbkxQbg== +MzQwOVoXDTM4MDEwMTEyMzQwOVowHzEdMBsGA1UEAxMUcmV2b2tlZDEuZXhhbXBs +ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMOKMcTBoKYBCz8Sxb/B +5/RGvTdDMmkNO/e91ni4S/3OjvvksMmg38fv1e4DQOazkE4dp9ttllheaw0O6lEO +cpuFSFC6BLDlaDEaJqDAlm9++vTZ+azhM1nUIKbUhmlPSMnagL1GhWBX1w3EVP2F +n02386NEAY/kPJMoR2r/4Kb5AgMBAAGjgcAwgb0wDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm9yZy8wHwYDVR0R +BBgwFoIUcmV2b2tlZDEuZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQEFBQADgYEAc4B0 +aoj+H7UoNbV39uIQIV3Z//V+AqQuOaBtUTf3izNDG/r3tpJ+La6s6FxH55dRvQdc +lvF6WdHgD++J5Vx7MUVcXMyVmpJrLpnJk4BBSFMn/fgvoPFfONL1p9Z33HnIUrY1 +hCmJrHtAqS0pztH5YioEH97ihYz5Teoc6mws/Yc= -----END CERTIFICATE----- 
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.unlocked.key index 47e917b54..39fc0e598 100644 --- a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.unlocked.key +++ b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/revoked1.example.org.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOQIBAAJBALR+ZNpOti250ovweQYMZPszJxojmI3qIy332xO96EiMLP7AMIoD -q6GUcXgwitQb6pbdwrEZYdY+6hh03X9yTxECAwEAAQJADLoAyHfWVqEMnHtnPSrw -j9nKfwhVgGQq+NnKI7k3QK4rQX1Z+wfSw0rxpE5sFqDUVheeFY/IMolXD32zJwUM -pQIhAOEb6HbVqVqYr5lgN7CoRSVRXJEm1PvxmI6RKewtAPGTAiEAzUMl+oAfRboT -tywwc4N8MdvAAapLnP9u7NmhG7fP80sCIHkXgCdcrCs180/4ODzpZ7i5WagjUXLt -9XjLkdegJd/NAiAweI7bXK4F1S8arkCyxnXpgC8TNZetd1RGcg3tcbaViQIgIDmb -d9wZOnDeMg3BlC5X+zfOyiGk3+/Jnp7Msya+nfc= +MIICXgIBAAKBgQDDijHEwaCmAQs/EsW/wef0Rr03QzJpDTv3vdZ4uEv9zo775LDJ +oN/H79XuA0Dms5BOHafbbZZYXmsNDupRDnKbhUhQugSw5WgxGiagwJZvfvr02fms +4TNZ1CCm1IZpT0jJ2oC9RoVgV9cNxFT9hZ9Nt/OjRAGP5DyTKEdq/+Cm+QIDAQAB +AoGBAKShEB/QybmZ/WcAHh/BWNHwUNRbLfEGZGvDl/ORbuFkbDulojZPzLjfsySt +9pGFssQh8bYrwL3r2INpAFx4JoJRjdBOrFsrB+xZhW+GyHJamd7dDEOqFz8zW/z+ +yhELiLeifXcJBBRrC5X4+rgbYVVb6A2y36SJTf5TPjo1PRoVAkEA845G/VVs66X9 +h1XmHM58kU2qOrLypTT4c6UrXKZrN7KFfl9BCWQSOShLW5S5/Oz/3ypkrDZSqggj +30y0goZjzwJBAM2H3arwjg8mxJnkShmrTHamtdpzByEyF5hM+SDsdb/onWETf8M+ +BIj1J/x8r/rXx4r0ZQ5BbnMDsoCxpDd5UrcCQQCVdIFrg7hLApkJK1UB6FPYdmg3 +jQgJCPBNRtXNDPJOQ2ZXnewy7w2ftXJIyIM5CdYaA9GzO8KORGB+7nr2fbFRAkBQ +YaWo+AGnHVNgmG7+kQcLlHGk6L3OFsgxkVERtkjq8C+0yqp6EmQ1qCOmVKGCqidp +SeHH7IEkzDpgqJj/9RwLAkEAlu/rjtfcW3PRsSqNGbwvtPreeM/TWSfBH2wwMb0l +9kd1lEpfJeqUkX9B9qCVighX7pJ6y1FJbwuW9xgvbo9mbA== -----END RSA PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/secmod.db index 762183024..0c4efea95 100644 Binary files a/test/aux-fixed/exim-ca/example.org/revoked1.example.org/secmod.db and b/test/aux-fixed/exim-ca/example.org/revoked1.example.org/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/ca_chain.pem index d36ac20bd..1268bbaa2 100644 --- a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/ca_chain.pem 
@@ -3,45 +3,54 @@ Bag Attributes subject=/O=example.org/CN=clica Signing Cert issuer=/O=example.org/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE -zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo -F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X -PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB +ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY +hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro +yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr +vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g +UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.org/CN=clica CA issuer=/O=example.org/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O 
-x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl -LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmGE/1NBbn57y9RAMTa +/jWgErk9jUKo+z0vzO5me7MUE+C3Jhk2YFF+w3ryEny3DikQOZEdRU4NFrQKZKu5 +1jjYg5ilg8EJTP6h9GzZmacH9olW3hdMvVqMkiLuZF97H41AYx95XPDibxwrpMgD +oDVoYTQIPBwdjj8d88SdbgYjAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAINsDZLZin7u8iOLguRG +37mUDNhAQ9qUAtiFV8JnjJU9DZGb0TvSpYmOkjK2iH4cH6AsEXptB6duvkkpp6ly ++aGvlqy69D/MfPpLjLX7e6WOISshaWCGB7/rQqbRtAePFpa07gijUqxM22LfiHXz +YHJSTjLx4idfdLNS+U5iir1Y -----END CERTIFICATE----- Bag Attributes friendlyName: revoked2.example.org - localKeyID: B9 99 5C A3 65 F8 67 93 A4 96 45 B2 7C B6 64 28 CB 71 1D 6C + localKeyID: 0E 81 86 02 8B 4D 55 65 C2 E8 26 F3 9B C2 9F 15 B0 6C 9C F1 subject=/CN=revoked2.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDNaFw0zODAxMDExMjM0MDNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w -bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLUlL/Fx0qhl0rhRZ3HTr+d -wbKi0cDyZa97S5EDr3Dq1qurHmEs92C6P27df1r6ltVT7O1xH1+s40hTL5yzQ3sC -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt -cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAC0aZSfdH/PlvY+jfQnVAkmmYyawPdSu 
-Osv4lwZYhBo2FSJdlufbwo3ElD4JK/BIHHTGiphM9++hpGLWaAcvT4k= +MjM0MTBaFw0zODAxMDExMjM0MTBaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w +bGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcWJ1VXZJIIYfk/S5f +VL5bDZdjajlmC/gSkq8Q8hm5oKG72+VvGaZzwphT86Sc66BLauR4wcazmHO+TJvF +1AIKFA+yzd48iux3Rb1StoPqdSdJ1BplPQuJgWg2DG/Mglhgc2IDbWSbNhnVqLrQ +kc0HiOMZGktm0CaL6IjayzFFEQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1Ud +EQQYMBaCFHJldm9rZWQyLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBBQUAA4GBAAlw +6O54t5HfF6TqyO1C4PX7Cibt1qFXR1fFPeExBoWlLhowWzTLUipwG2DqT6s04Lcz +HodtDZ4pTUO6mt65VvudvZDmLjvvmTWtaFtDLnm5E+Y5BV3yLwqcjL9ztdH+P5r7 +qMFLL3hqlFvOVisbDfOP85ALGAjew1pNMWX9P0VC -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/cert8.db index e1c3daeb5..fd2ec27ea 100644 Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/cert8.db and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/key3.db index 52cfbc2ab..41a959d0a 100644 Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/key3.db and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.chain.pem index 7bc3981d3..9ee54fae7 100644 --- a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.chain.pem +++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.chain.pem 
@@ -1,29 +1,35 @@ Bag Attributes friendlyName: revoked2.example.org - localKeyID: B9 99 5C A3 65 F8 67 93 A4 96 45 B2 7C B6 64 28 CB 71 1D 6C + localKeyID: 0E 81 86 02 8B 4D 55 65 C2 E8 26 F3 9B C2 9F 15 B0 6C 9C F1 subject=/CN=revoked2.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDNaFw0zODAxMDExMjM0MDNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w -bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLUlL/Fx0qhl0rhRZ3HTr+d -wbKi0cDyZa97S5EDr3Dq1qurHmEs92C6P27df1r6ltVT7O1xH1+s40hTL5yzQ3sC -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt -cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAC0aZSfdH/PlvY+jfQnVAkmmYyawPdSu -Osv4lwZYhBo2FSJdlufbwo3ElD4JK/BIHHTGiphM9++hpGLWaAcvT4k= +MjM0MTBaFw0zODAxMDExMjM0MTBaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w +bGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcWJ1VXZJIIYfk/S5f +VL5bDZdjajlmC/gSkq8Q8hm5oKG72+VvGaZzwphT86Sc66BLauR4wcazmHO+TJvF +1AIKFA+yzd48iux3Rb1StoPqdSdJ1BplPQuJgWg2DG/Mglhgc2IDbWSbNhnVqLrQ +kc0HiOMZGktm0CaL6IjayzFFEQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1Ud +EQQYMBaCFHJldm9rZWQyLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBBQUAA4GBAAlw +6O54t5HfF6TqyO1C4PX7Cibt1qFXR1fFPeExBoWlLhowWzTLUipwG2DqT6s04Lcz +HodtDZ4pTUO6mt65VvudvZDmLjvvmTWtaFtDLnm5E+Y5BV3yLwqcjL9ztdH+P5r7 +qMFLL3hqlFvOVisbDfOP85ALGAjew1pNMWX9P0VC -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt 
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE -zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo -F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X -PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB +ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY +hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro +yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr +vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g +UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.key b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.key index 3c2d61283..8c4ccaf19 100644 --- a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.key +++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: revoked2.example.org - localKeyID: B9 99 5C A3 65 F8 67 93 A4 96 45 B2 7C B6 64 28 CB 71 1D 6C + localKeyID: 0E 81 86 02 8B 4D 55 65 C2 E8 26 F3 9B C2 9F 15 B0 6C 9C F1 Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIatK6XJ1l+7MCAggA -MBQGCCqGSIb3DQMHBAjUZXz3pKENmgSCAWDbQs9Kd21OIstOoQdgYviX33loF2bH -wpn0IP4P/2dFUmK07M146AEwPgXTI/mCewMgJ/cRQqnFAyoE1hjbZnk3WRi2SRXs -dmIWAveseDuDsL7og72bHSvHIqsvcYs9SS8KBPCH6wY14a40QO1X26t7S8ZLTspu -4V/YSNNiug6n8Z3N1Y2tuWPC8CQ9bBtL2jcqZT0WBJ8BXtn69jmVSWNm1DBaByET -M4dqHGC//hFk1jnKBXaJ/VvBS5E6lOANwfUAr0gQT08NaJ7qJ6WUhpca7Rtky/KQ -/passZZKeu7/R8VyQLvfk+vH2wW+5EX8+WtutWQJycW57+pnoXORrvIz3lc6B/6+ -Q91EJzABv5n93nynoZgEEr4vKiCCmLGYYJEciqQTERzCDNw3P73R+sd9PiTrku9g -pKp12ieWWHZjeHcAMUZl8xWSytVT1fkeSPXcA43KoW93s78DegMh/HTr +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIrlpJvn2t12oCAggA +MBQGCCqGSIb3DQMHBAjluKGzhc3i+QSCAoCwOwH/u1apPvqKoEcKjI2lED1f3rs5 +yGDzUuQpHbQhWByTtOW5wF1GvO2J8tA35wbWvLlxWt3+fLzRk2rPju0mncVskOyK +vhu362BkOPODTRmoEQEVXSthQQWFuWicM/DgWgD5rSkDmy8A3YH2lPd0z+0ngIbC +jl5VtDJoBw1zZPK8K+REw4bZI2Ok+SemtWMfO4krTcq4BltfOfIWky2hwPjPUzB3 +l32ioabUIxes5QaPekclFfqg54QNgInygQv5w7UOAJdfNyM952RycyTfS0YdTuhM +a72VWT50nQzypNMK1giXlRq+qTfTZGeRAsYFdknMbq8UEYHDOG9XJP94+JushawI +b1L6+Pv284bRPaTfdxDBn8cPj/mck3wIPiyh3wEVr3ozi9EDh2H0X3y98WtnCfHI +VBIbZaTq6wuTjtdFMNA4gdkgry36sXOH3K9e0+iCqG3BKKjYi8oIPxj/mSdTdSiU +TePpjZFWvScWZiq57g31pX4rZnw7wdXKhNtEdC6uifM73PuwlNO52t42Zy+n9GZ7 ++jalk+c4pe4bw58SBT/vIS9H4RUiGjAaNKfcesRYh7LYkTKRLF6CH5Q3I8yh61Mo +e0tvr+pliI7OqbwVyYxiqf7r1XCU8FfXyQPs8YROwKhe1MtFH5xYPa37FVIPkn1D +1zm6IrKw/CGbS+5MASC2ALyiadvDhNijfYtuVzuAzJDH1C+daGwh17oNnYMzGUUy +yEOIyQvGU0to8dyS0ngPXK6kTc0XvPaqhH8wgu5nNVnFaZjZYkzVOF77cYQMBmFx +S/Ypn+OoKON/PNG6/MuWP1fg3WdgzAW/xcgZrUSVjeIu6u1VgyApDZJd -----END ENCRYPTED PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.dated.resp index 00a0d1c15..eadb8bbe1 100644 Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.good.resp index 3e2585aa8..8152a6c4c 100644 Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.req index 0348f9836..43c9ebdfd 100644 Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.req and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.revoked.resp index 3e2585aa8..8152a6c4c 100644 Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.ocsp.revoked.resp differ 
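Review bot: revoked2.example.org.ocsp.good.resp and revoked2.example.org.ocsp.revoked.resp carry the same blob ids on both sides (index 3e2585aa8..8152a6c4c), so the "good" and "revoked" OCSP fixtures for this host are byte-identical before and after the change, whereas the server1 fixtures further down are distinct blobs (7bcf7aee4 and 5cc8a57c5). If the duplication is deliberate because this certificate only ever has a revoked status, say so in the commit message or in a note beside the fixtures; otherwise a test that staples the .good.resp file for revoked2 is not exercising a different response from the .revoked.resp one.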
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.p12 b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.p12 index f71eda598..801271440 100644 Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.p12 and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.p12 differ diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.pem b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.pem index 9e24c7ce9..56d0ac72e 100644 --- a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.pem +++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.pem 
@@ -1,18 +1,21 @@ Bag Attributes friendlyName: revoked2.example.org - localKeyID: B9 99 5C A3 65 F8 67 93 A4 96 45 B2 7C B6 64 28 CB 71 1D 6C + localKeyID: 0E 81 86 02 8B 4D 55 65 C2 E8 26 F3 9B C2 9F 15 B0 6C 9C F1 subject=/CN=revoked2.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICBTCCAa+gAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICijCCAfOgAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDNaFw0zODAxMDExMjM0MDNaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w -bGUub3JnMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLUlL/Fx0qhl0rhRZ3HTr+d -wbKi0cDyZa97S5EDr3Dq1qurHmEs92C6P27df1r6ltVT7O1xH1+s40hTL5yzQ3sC -AwEAAaOBwDCBvTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUH -AwEGCCsGAQUFBwMCMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9jcmwuZXhhbXBs -ZS5vcmcvbGF0ZXN0LmNybDA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0 -dHA6Ly9vc2NwL2V4YW1wbGUub3JnLzAfBgNVHREEGDAWghRyZXZva2VkMi5leGFt -cGxlLm9yZzANBgkqhkiG9w0BAQUFAANBAC0aZSfdH/PlvY+jfQnVAkmmYyawPdSu -Osv4lwZYhBo2FSJdlufbwo3ElD4JK/BIHHTGiphM9++hpGLWaAcvT4k= +MjM0MTBaFw0zODAxMDExMjM0MTBaMB8xHTAbBgNVBAMTFHJldm9rZWQyLmV4YW1w +bGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcWJ1VXZJIIYfk/S5f +VL5bDZdjajlmC/gSkq8Q8hm5oKG72+VvGaZzwphT86Sc66BLauR4wcazmHO+TJvF +1AIKFA+yzd48iux3Rb1StoPqdSdJ1BplPQuJgWg2DG/Mglhgc2IDbWSbNhnVqLrQ +kc0HiOMZGktm0CaL6IjayzFFEQIDAQABo4HAMIG9MA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5vcmcvMB8GA1Ud +EQQYMBaCFHJldm9rZWQyLmV4YW1wbGUub3JnMA0GCSqGSIb3DQEBBQUAA4GBAAlw +6O54t5HfF6TqyO1C4PX7Cibt1qFXR1fFPeExBoWlLhowWzTLUipwG2DqT6s04Lcz +HodtDZ4pTUO6mt65VvudvZDmLjvvmTWtaFtDLnm5E+Y5BV3yLwqcjL9ztdH+P5r7 +qMFLL3hqlFvOVisbDfOP85ALGAjew1pNMWX9P0VC -----END CERTIFICATE----- 
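Review bot: the Authority Information Access OCSP URL in the regenerated certificate is still "http://oscp/example.org/" (the base64 run "aHR0cDovL29zY3AvZXhhbXBsZS5vcmcv" in the added lines, unchanged from the removed ones), which reads as host "oscp" with path "/example.org/" rather than an OCSP responder under example.org. Since every certificate is being reissued in this change anyway, either correct the URL in the generator input or add a comment stating that the tests never dereference it, so that a later OCSP test that does follow the AIA pointer is not silently sent to a non-existent host.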
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.unlocked.key index c6895f73c..1478b51c1 100644 --- a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.unlocked.key +++ b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/revoked2.example.org.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOwIBAAJBANLUlL/Fx0qhl0rhRZ3HTr+dwbKi0cDyZa97S5EDr3Dq1qurHmEs -92C6P27df1r6ltVT7O1xH1+s40hTL5yzQ3sCAwEAAQJBALGnYBCY3+4LbCk02iyx -nbHphSa5/HXRy82q32o66MMEGIfyMaluRfMoQHS9n3yieOn2i41s7+4w52ormZEx -hEECIQDpSgUGrakvx2mqhAxIkfYTJgS3bMUINlRveYpYNvL65QIhAOda2XxChB3H -TxTgJURPl1i4LOEm9ecMHlBNhzhadn7fAiEA0pp8BxdnkTaY8dLbs/fxCkBcKasM -BOnnN+ulNRYGLPECIDrXJFEyKZ/ZPQe2KkRBaeCqlt98pTXqIxuRXD684z5JAiBi -aAtGEXlUtwnseKyflSrEh0bAwnOsEEA7qEUCl/ExPw== +MIICWwIBAAKBgQDcWJ1VXZJIIYfk/S5fVL5bDZdjajlmC/gSkq8Q8hm5oKG72+Vv +GaZzwphT86Sc66BLauR4wcazmHO+TJvF1AIKFA+yzd48iux3Rb1StoPqdSdJ1Bpl +PQuJgWg2DG/Mglhgc2IDbWSbNhnVqLrQkc0HiOMZGktm0CaL6IjayzFFEQIDAQAB +AoGAFWS5Kd+i40P2KMJ4LSNSNA72wt0+Y20IEe2R98g5vS8eZNntxcKsyZJ8LbJ7 +Kg0qjAf91Mejni5QForjmOqDo/6odwLAaBaUZjfGMQ5hwUZOHZSF95Nkq6f6ek3J +5berAyW5wdju+n5SpcxdTxhZ6s34JtKKR5uOIT4DYDW25gECQQD8Thv4aIqGyJd1 +mJwCerJrKbugla1hJJ7xxXyryHIamAGsq3qzMwwt72uTZR+LobPsVGfH3FpSN3Vh +MGCGdcVhAkEA35Kw+e8VZCfdjZUMxydyiOiZUemJfx2hbq4EpFtp89oqr4CuCQ51 +bo1NHYmxmdzTmJN9HMy0TwiF7U9036ntsQJAV67tmY77VYww1vWKgnIRv5xpUI20 +C6amdm+jvC+VOBjLvC58HfsHqI8kW70xEV3JIcDTsGmsGhab/ILLiO81AQJASnlr ++KW6w3VAKTSYYBL05UROJmocAjsVlm/jXfiRj8iB5ZqA3sVxOtVY9djzT2SvG6kt +yRUrjxQwwL9yGDtb0QJAfgt36rEFyKnmP+rOqXE6P1/iq+5n/fxvlsHsAFitavvp +30+KhXbetYydYaOsJQbN779gSdyAYLyhmMpUCRA3aw== -----END RSA PRIVATE KEY----- 
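Review bot: revoked2.example.org.unlocked.key is a plaintext RSA private key committed to the tree, and nothing in the hunk or the commit message marks it as test-only material. The DER header changes from "MIIBOwIBAAJB" to "MIICWwIBAAKBgQ", that is, the modulus grows from 512 to 1024 bits, which is also not mentioned. Suggest a short README under test/aux-fixed/exim-ca stating that these keys exist only for the test suite and how they were generated, and consider going straight to 2048 bits, since TLS libraries configured with a 2048-bit RSA minimum will refuse the 1024-bit keys and the fixtures would have to be regenerated again.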
diff --git a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/secmod.db index f7a91aa77..765195495 100644 Binary files a/test/aux-fixed/exim-ca/example.org/revoked2.example.org/secmod.db and b/test/aux-fixed/exim-ca/example.org/revoked2.example.org/secmod.db differ diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem index 6cdbee1d5..cf949c889 100644 --- a/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/ca_chain.pem 
@@ -3,45 +3,56 @@ Bag Attributes subject=/O=example.org/CN=clica Signing Cert issuer=/O=example.org/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE -zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo -F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X -PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB +ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY +hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro +yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr +vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g +UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.org/CN=clica CA issuer=/O=example.org/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O 
-x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl -LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmGE/1NBbn57y9RAMTa +/jWgErk9jUKo+z0vzO5me7MUE+C3Jhk2YFF+w3ryEny3DikQOZEdRU4NFrQKZKu5 +1jjYg5ilg8EJTP6h9GzZmacH9olW3hdMvVqMkiLuZF97H41AYx95XPDibxwrpMgD +oDVoYTQIPBwdjj8d88SdbgYjAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAINsDZLZin7u8iOLguRG +37mUDNhAQ9qUAtiFV8JnjJU9DZGb0TvSpYmOkjK2iH4cH6AsEXptB6duvkkpp6ly ++aGvlqy69D/MfPpLjLX7e6WOISshaWCGB7/rQqbRtAePFpa07gijUqxM22LfiHXz +YHJSTjLx4idfdLNS+U5iir1Y -----END CERTIFICATE----- Bag Attributes friendlyName: server1.example.org - localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D + localKeyID: 88 14 08 19 07 0E 31 A2 11 CA 6A F9 94 D0 81 D2 E2 C4 6C A0 subject=/CN=server1.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMloXDTM4MDEwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl -Lm9yZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDFIpfEcK4d3IEq3F7B6AIpepZk -mKln9pcCm0RbAxm77YlhHucDzyVu9rmW7XSW/c4Dv3clwzHLpaoF2KURKLZ7AgMB -AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB -BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu -b3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw -Oi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl -Lm9yZzANBgkqhkiG9w0BAQUFAANBACfk1MYCSbT2gbaT1Dv9FrMEybkFZtxUfz69 
-Gnx/55Wfw936z2en+RImD3qF1qQxUwIMlWGm6SaitfmlQ5qVJ1A= +MzQwOVoXDTM4MDEwMTEyMzQwOVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl +Lm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqEYtZQEwUPQUjTUDYJDb +mFhMifuXoKfmFsGIYoy99JG36tQLzgFET+lkEoKXmXf/MRecneA0TtiL3bac/ZT5 +us46SnYCqpIhw9PAuvjUjpfe0gc7KOAv9DDdVr5n11XOuNYPak/SThICGOlAQlkk +ih47uzqcuTpnJb/t+kuuNMsCAwEAAaOCAQcwggEDMA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5vcmcvMGUGA1Ud +EQReMFyCImFsdGVybmF0ZW5hbWUyLnNlcnZlcjEuZXhhbXBsZS5vcmeCE3NlcnZl +cjEuZXhhbXBsZS5vcmeCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLm9y +ZzANBgkqhkiG9w0BAQUFAAOBgQBDuJv1EXKwOrrY2CShqo9tUuB6rzAItWbLFEmW +kbTkmeG3W2IlHUco86NJPKu70CEmAkxEUTbWYoJLSVkq1LSgc8NGbuXPiQxQdiAc +QXUrDYWeFYMuejZmFRd4gHOHRUQ07YmFr2IXEEitq5UG/AZTYoSIVF3UI7jL4gHS +fpDLrg== -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db index c9c908afb..858e4cecf 100644 Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db and b/test/aux-fixed/exim-ca/example.org/server1.example.org/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db index db816ef71..a79f54285 100644 Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db and b/test/aux-fixed/exim-ca/example.org/server1.example.org/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/server1.example.org/secmod.db index ac46b4820..64cb03c20 100644 Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/secmod.db and b/test/aux-fixed/exim-ca/example.org/server1.example.org/secmod.db differ 
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem index da4304077..69a490721 100644 --- a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem +++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.chain.pem 
@@ -1,29 +1,37 @@ Bag Attributes friendlyName: server1.example.org - localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D + localKeyID: 88 14 08 19 07 0E 31 A2 11 CA 6A F9 94 D0 81 D2 E2 C4 6C A0 subject=/CN=server1.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMloXDTM4MDEwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl -Lm9yZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDFIpfEcK4d3IEq3F7B6AIpepZk -mKln9pcCm0RbAxm77YlhHucDzyVu9rmW7XSW/c4Dv3clwzHLpaoF2KURKLZ7AgMB -AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB -BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu -b3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw -Oi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl -Lm9yZzANBgkqhkiG9w0BAQUFAANBACfk1MYCSbT2gbaT1Dv9FrMEybkFZtxUfz69 -Gnx/55Wfw936z2en+RImD3qF1qQxUwIMlWGm6SaitfmlQ5qVJ1A= +MzQwOVoXDTM4MDEwMTEyMzQwOVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl +Lm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqEYtZQEwUPQUjTUDYJDb +mFhMifuXoKfmFsGIYoy99JG36tQLzgFET+lkEoKXmXf/MRecneA0TtiL3bac/ZT5 +us46SnYCqpIhw9PAuvjUjpfe0gc7KOAv9DDdVr5n11XOuNYPak/SThICGOlAQlkk +ih47uzqcuTpnJb/t+kuuNMsCAwEAAaOCAQcwggEDMA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5vcmcvMGUGA1Ud +EQReMFyCImFsdGVybmF0ZW5hbWUyLnNlcnZlcjEuZXhhbXBsZS5vcmeCE3NlcnZl +cjEuZXhhbXBsZS5vcmeCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLm9y +ZzANBgkqhkiG9w0BAQUFAAOBgQBDuJv1EXKwOrrY2CShqo9tUuB6rzAItWbLFEmW +kbTkmeG3W2IlHUco86NJPKu70CEmAkxEUTbWYoJLSVkq1LSgc8NGbuXPiQxQdiAc +QXUrDYWeFYMuejZmFRd4gHOHRUQ07YmFr2IXEEitq5UG/AZTYoSIVF3UI7jL4gHS +fpDLrg== -----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE -zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo -F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X -PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB +ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY +hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro +yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr +vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g +UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key index 6e41e5008..16885cc17 100644 --- a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key +++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: server1.example.org - localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D + localKeyID: 88 14 08 19 07 0E 31 A2 11 CA 6A F9 94 D0 81 D2 E2 C4 6C A0 Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIhfu7ElRn7TUCAggA -MBQGCCqGSIb3DQMHBAggde7b8jzc2ASCAWCNar4Td+ZM5Elbb16QeDTfzMoKoScb -jQo/GS7f5h4An9vh/aTaKBoWDQ8gLcvbTUlpGxRznGt9mmOk9AOWsd03rTJ3TUud -+Cm4GfyEslvF8zXSPgJOz4YMiMMNZF3sEGGxs+D6Dav7isMrAIE/Se4Uh3pBY3Fg -kio9fZfJSWorb3XO6LY9wyg33sz0ZxfhLfhenpeuveQfGuwc9l/DtYuhorqa4xXv -+T5W6HQ7g7nB/GMQF0rkm7BUSqawuLPK7ippBjpNg07iGOYNvQ5GKPahuBTbKyDc -7LYzGNjZ+mNyL8vDNkwcdnUUqIbYsdMqmEZX+cu2wugXF1GshI9krcDHBXGcZH4G -sogntcL8qR5KpPfBQCcp9An7TfLJkJtZOH6IYVZVy3/wb+OEou3UNckMe7PF8PWa -T6/N9/zs49U6RxiYn+Vz/x0hQmRbLvLEsbotT1WStJq8LkcI0Zu9cJab +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI6QbC42AGV6YCAggA +MBQGCCqGSIb3DQMHBAjv7nw+WSc5QwSCAoAHFMKm+elgjvRxlzMIxSgLKDyo/Npr +aiodIy+5/YM0QkvpYpkZIExjgpaUovVFKHxvBOgNX7+mjofDixNjRkBwOFbY0v8j +e5rsuO4LlKkRf30wAqJZOUCNDU9KrthdfsgF7QXj3fv2crQzolZ8Ab7vH8+S/FpR +edS4mK7klvm08Dy4zzF1T+RIzcl0hJjpk4Lnqx8xdLUOKeTotV1kF4S1kKeRiV9T +zAVZtnj8iA2QFKBM2Kz8Npcu3965EPdTQl8ZCRSbzvqKcCvRNZF6RWcp2qxgoNF8 +6ghEOZeRni74dvnoafXrqQE8LmF2lARQkT/zU0OCULvihBQ85eRkxzk/fe5ndUZ2 +LuH/Zd9E0cDj+qiqlYbfb4LmL30E/cq6r76prz8HPK2JTYONgV8efGZrLb3UfAle +jSfJu1LyZtAAIT+2AXWIDH2GmGTB3X2MLeBjwPnKgiPH7uzW7aRFMMnCExBAmORE +KnYRnOVIuN9IlMYMf4YIX3PTrjqO4OIhgh7kBPO5wzgMcp8KseJCFlQG1h5JWgFN +31Po6IHdp8/gR05QPBWgJ9l2DMNnhuJmvrcpsNq5kLkN8cKBS+xGeXKrHJoGEWIq +f5X50QqWw/poUrArRW3K3SsAImLOMi7SMypBofRt7f0N8FlC/25+Vgd+ZCrETKlS +Hz4c21CyV1qxtSy19i8RUrhUDj8Mn/nRYbIOsX/Et1Rpe/QVyqRaf8unjwp7bJPj +eTDuEKEuAZ5dbHBVYBKHF0kPF7ha92h78wzQKDKr7gmx/QS2iXTx+Xy0yfdNuijr +HEBPUmLZpE5fhuKdIKNCm7MAwmCm5jusPyPNga5c1p1Mq1GqUfyhvjGu -----END ENCRYPTED PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp index 43bb173cc..075a52bb1 100644 Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp index 752147977..7bcf7aee4 100644 Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req index 6ec207d4f..b100cdadf 100644 Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp index 90cd6fad1..5cc8a57c5 100644 Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.ocsp.revoked.resp differ 
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12 b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12 index 585738ec8..52672e3be 100644 Binary files a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12 and b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.p12 differ diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem index 81679f826..eba3e6fda 100644 --- a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem +++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.pem 
@@ -1,18 +1,23 @@ Bag Attributes friendlyName: server1.example.org - localKeyID: 5E 7F 83 85 31 F1 CA DC 88 07 2C 58 95 FA 36 16 65 F6 BB 8D + localKeyID: 88 14 08 19 07 0E 31 A2 11 CA 6A F9 94 D0 81 D2 E2 C4 6C A0 subject=/CN=server1.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAjCCAaygAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt +MIIC0DCCAjmgAwIBAgIBZTANBgkqhkiG9w0BAQUFADAzMRQwEgYDVQQKEwtleGFt cGxlLm9yZzEbMBkGA1UEAxMSY2xpY2EgU2lnbmluZyBDZXJ0MB4XDTEyMTEwMTEy -MzQwMloXDTM4MDEwMTEyMzQwMlowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl -Lm9yZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDFIpfEcK4d3IEq3F7B6AIpepZk -mKln9pcCm0RbAxm77YlhHucDzyVu9rmW7XSW/c4Dv3clwzHLpaoF2KURKLZ7AgMB -AAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMB -BggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLmV4YW1wbGUu -b3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw -Oi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl -Lm9yZzANBgkqhkiG9w0BAQUFAANBACfk1MYCSbT2gbaT1Dv9FrMEybkFZtxUfz69 -Gnx/55Wfw936z2en+RImD3qF1qQxUwIMlWGm6SaitfmlQ5qVJ1A= +MzQwOVoXDTM4MDEwMTEyMzQwOVowHjEcMBoGA1UEAxMTc2VydmVyMS5leGFtcGxl +Lm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqEYtZQEwUPQUjTUDYJDb +mFhMifuXoKfmFsGIYoy99JG36tQLzgFET+lkEoKXmXf/MRecneA0TtiL3bac/ZT5 +us46SnYCqpIhw9PAuvjUjpfe0gc7KOAv9DDdVr5n11XOuNYPak/SThICGOlAQlkk +ih47uzqcuTpnJb/t+kuuNMsCAwEAAaOCAQcwggEDMA4GA1UdDwEB/wQEAwIE8DAg +BgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWg +I4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEB +BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29zY3AvZXhhbXBsZS5vcmcvMGUGA1Ud +EQReMFyCImFsdGVybmF0ZW5hbWUyLnNlcnZlcjEuZXhhbXBsZS5vcmeCE3NlcnZl +cjEuZXhhbXBsZS5vcmeCIWFsdGVybmF0ZW5hbWUuc2VydmVyMS5leGFtcGxlLm9y +ZzANBgkqhkiG9w0BAQUFAAOBgQBDuJv1EXKwOrrY2CShqo9tUuB6rzAItWbLFEmW +kbTkmeG3W2IlHUco86NJPKu70CEmAkxEUTbWYoJLSVkq1LSgc8NGbuXPiQxQdiAc +QXUrDYWeFYMuejZmFRd4gHOHRUQ07YmFr2IXEEitq5UG/AZTYoSIVF3UI7jL4gHS +fpDLrg== -----END CERTIFICATE----- 
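Review bot: the reissued server1.example.org certificate gains two subjectAltName entries that the old one did not have, alternatename2.server1.example.org and alternatename.server1.example.org (the "EQReMFyCImFsdGVybmF0ZW5hbWUy..." run in the added lines; the removed certificate listed only server1.example.org), and the change is not described anywhere in the visible commit text. Please name the test cases that depend on the extra names, and confirm that the server2 and revoked certificates are meant to stay single-name, so that a later regeneration of the fixtures does not drop the additional SANs by accident.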
diff --git a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key index 1b83abc63..1c045ae7c 100644 --- a/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key +++ b/test/aux-fixed/exim-ca/example.org/server1.example.org/server1.example.org.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBPQIBAAJBAMUil8Rwrh3cgSrcXsHoAil6lmSYqWf2lwKbRFsDGbvtiWEe5wPP -JW72uZbtdJb9zgO/dyXDMculqgXYpREotnsCAwEAAQJBAKDzsX4NkduHoV5hNmyT -BNDg6dGQYyAi0QCrzI+SZHxt8ZYksM//or03aXE7xUUAeFmlSQYc9KfhADAB+mL8 -3YECIQDi4Q5nPCDr99odHTguDlTDi9vEEIiY2N7g8jsGAZH6KwIhAN5wME90eCX/ -oIzlAVqCbq9JuO8Zt3lxvqbasOGT3pzxAiEAwXcifhvDAxUGNF9vQa7Mzzca/vUO -VjBQ1kcY18VNAqMCIQCxMe/aK67WnldYRcmZP1RLANB4cCUPcoPsyUOkvzXUEQIh -AJEKAaavDZzn70+xnPw/8QPzHExNxIRtYrxBnc0Kv74r +MIICXAIBAAKBgQCoRi1lATBQ9BSNNQNgkNuYWEyJ+5egp+YWwYhijL30kbfq1AvO +AURP6WQSgpeZd/8xF5yd4DRO2Ivdtpz9lPm6zjpKdgKqkiHD08C6+NSOl97SBzso +4C/0MN1WvmfXVc641g9qT9JOEgIY6UBCWSSKHju7Opy5Omclv+36S640ywIDAQAB +AoGBAJ4OvNjg0vdXLG6uWuu7ZOimF86LqZLX4kGBq4+Vz18H+I70edoYSogdG0hf +rfITSnpcSVnpnHhq4oVw3+k4o5ATbgCcDsYuxbB5hd28ZDW9L97KO+67ruaAdJe+ +et+tACJooOhVgbQIfhv22vMe2q9+/wzgkXpdHJwYc9L6nwORAkEA2svVm0NeOtO0 +BFohczUU7PU/Zde5WyWe2a8CvoErO/5jhfFCNYGKMiLnGsLAhZIxetIr0XPLXprD +3+QgPOZ21QJBAMTjH7e992fy0K0mApo3in8D1s6wqIUoiG2u5aPzOPbSzlPOI8BH +qNee1Tr6ZHNKbLFbuHvFzIlrUFAS2oFJDR8CQGKhNlZ6ZPTx0BmSI7gSeq9i0sRv +HaBn8hbBHOSRx9KQl36exjDmh0yYjUNz/WN5BpMOQTB3GXs5GwlHhfzOC00CQAHE +N+iiH7IjD5Q+Hw/bJ7b0Bd1c4GYxcufpBc5uxDgStB80XkW/XthwaGFbFcOjC06c +EA+sOqWQ/Ot6/9LhIOkCQCIb1PetefpIBtCEx4AIVibiIuwnQGlS0786nSWTxskD +SAE8HLJwbdsohGK0iSTE840gvUtaH+57TSg6YAVTFPo= -----END RSA PRIVATE KEY----- diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem b/test/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem index 35a92fb61..1f483f09e 100644 
--- a/test/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem +++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/ca_chain.pem 
@@ -3,45 +3,54 @@ Bag Attributes subject=/O=example.org/CN=clica Signing Cert issuer=/O=example.org/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE -zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo -F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X -PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB +ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY +hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro +yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr +vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g +UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU= -----END CERTIFICATE----- Bag Attributes friendlyName: Certificate Authority subject=/O=example.org/CN=clica CA issuer=/O=example.org/CN=clica CA -----BEGIN CERTIFICATE----- -MIIBaTCCAROgAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt -cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp -Y2EgQ0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxY7JyBAI+e4vb4bz0HcjtE+O 
-x0nLBB19Kz04yNARj1z/ZvY2c+uvOR3muHROCgFUQxGobP3n2HaTS/cmv2SVPwID -AQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjANBgkq -hkiG9w0BAQUFAANBAJLhs/m5Jx4oV++aylcAvIHa0vHSK4eh3zX1HqWwqK9I0/nl -LqwwPgtgHQOpe7nd2g2B9wPZ82i6LiqY76A+9hI= +MIIB7jCCAVegAwIBAgIBATANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjApMRQwEgYDVQQKEwtleGFtcGxlLm9yZzERMA8GA1UEAxMIY2xp +Y2EgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmGE/1NBbn57y9RAMTa +/jWgErk9jUKo+z0vzO5me7MUE+C3Jhk2YFF+w3ryEny3DikQOZEdRU4NFrQKZKu5 +1jjYg5ilg8EJTP6h9GzZmacH9olW3hdMvVqMkiLuZF97H41AYx95XPDibxwrpMgD +oDVoYTQIPBwdjj8d88SdbgYjAgMBAAGjJjAkMBIGA1UdEwEB/wQIMAYBAf8CAQEw +DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAINsDZLZin7u8iOLguRG +37mUDNhAQ9qUAtiFV8JnjJU9DZGb0TvSpYmOkjK2iH4cH6AsEXptB6duvkkpp6ly ++aGvlqy69D/MfPpLjLX7e6WOISshaWCGB7/rQqbRtAePFpa07gijUqxM22LfiHXz +YHJSTjLx4idfdLNS+U5iir1Y -----END CERTIFICATE----- Bag Attributes friendlyName: server2.example.org - localKeyID: 86 3E B2 BF BC 60 4F 3F C4 EA AA FE 97 44 A9 48 6B 4F C1 77 + localKeyID: 86 EB 3E FE 4D A0 AA B2 44 D0 9C 33 41 91 11 0F E4 B5 77 94 subject=/CN=server2.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDNaFw0zODAxMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs -ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1bNd+LEj7UV8Riahrn/3TL1n -NwaIvqkqCFscP5ae3dB5rJ8vdfIc0hOzh782zpXxJxYa7S340zjxfgdUzMAeWQID -AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5vcmcvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs -ZS5vcmcwDQYJKoZIhvcNAQEFBQADQQBCORy4CO4MMENsEtYwU7xE0Ck5i8VefJ6D 
-txODMnRUzsthdbfjgXm3BfVPrhOuT0/bIKfyJtoSdCtN1SRPTJxO +MjM0MTBaFw0zODAxMDExMjM0MTBaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs +ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALLE1hEpg5JGIpYSHMWN +E/s8UpUxBYBqQI0cecr5uwwoNfBybw6cpEwP1XMHlVqlz4nP9Gfo7XLI3dE/GQ0H +4/Urlw8tP/hydlP8LxXG3ZDyL7f4yYvoHCxsUy7jC3yv9Z0lQx59gvdTho3OZkIW +he3mmSY/aH7pXrP+Y0CcPdNvAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0R +BBcwFYITc2VydmVyMi5leGFtcGxlLm9yZzANBgkqhkiG9w0BAQUFAAOBgQCOfWb9 +Dt+2W6GH3500f4QJ8ORluURIEn1rtZaT+Nz9AliREjhBgMInwYhkvzESGqbpeZHG +mnE8zGHlXBs2H8BAp0jpXpm0BCrCe9B2NPa98CLUuNlraTr+eWoMmf85DHmML/rl +8N6BKUMgUFBP1KKvDthUFbQ/S+IcsuP2tRH6tg== -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/cert8.db b/test/aux-fixed/exim-ca/example.org/server2.example.org/cert8.db index 2f8358eea..6c3f09858 100644 Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/cert8.db and b/test/aux-fixed/exim-ca/example.org/server2.example.org/cert8.db differ diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/key3.db b/test/aux-fixed/exim-ca/example.org/server2.example.org/key3.db index df1625755..337589a9e 100644 Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/key3.db and b/test/aux-fixed/exim-ca/example.org/server2.example.org/key3.db differ diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/secmod.db b/test/aux-fixed/exim-ca/example.org/server2.example.org/secmod.db index 92af259c1..b42fbb600 100644 Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/secmod.db and b/test/aux-fixed/exim-ca/example.org/server2.example.org/secmod.db differ 
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.chain.pem b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.chain.pem index 5bcc299df..ae185f28d 100644 --- a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.chain.pem +++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.chain.pem 
@@ -1,29 +1,35 @@ Bag Attributes friendlyName: server2.example.org - localKeyID: 86 3E B2 BF BC 60 4F 3F C4 EA AA FE 97 44 A9 48 6B 4F C1 77 + localKeyID: 86 EB 3E FE 4D A0 AA B2 44 D0 9C 33 41 91 11 0F E4 B5 77 94 subject=/CN=server2.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDNaFw0zODAxMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs -ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1bNd+LEj7UV8Riahrn/3TL1n -NwaIvqkqCFscP5ae3dB5rJ8vdfIc0hOzh782zpXxJxYa7S340zjxfgdUzMAeWQID -AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5vcmcvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs -ZS5vcmcwDQYJKoZIhvcNAQEFBQADQQBCORy4CO4MMENsEtYwU7xE0Ck5i8VefJ6D -txODMnRUzsthdbfjgXm3BfVPrhOuT0/bIKfyJtoSdCtN1SRPTJxO +MjM0MTBaFw0zODAxMDExMjM0MTBaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs +ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALLE1hEpg5JGIpYSHMWN +E/s8UpUxBYBqQI0cecr5uwwoNfBybw6cpEwP1XMHlVqlz4nP9Gfo7XLI3dE/GQ0H +4/Urlw8tP/hydlP8LxXG3ZDyL7f4yYvoHCxsUy7jC3yv9Z0lQx59gvdTho3OZkIW +he3mmSY/aH7pXrP+Y0CcPdNvAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0R +BBcwFYITc2VydmVyMi5leGFtcGxlLm9yZzANBgkqhkiG9w0BAQUFAAOBgQCOfWb9 +Dt+2W6GH3500f4QJ8ORluURIEn1rtZaT+Nz9AliREjhBgMInwYhkvzESGqbpeZHG +mnE8zGHlXBs2H8BAp0jpXpm0BCrCe9B2NPa98CLUuNlraTr+eWoMmf85DHmML/rl +8N6BKUMgUFBP1KKvDthUFbQ/S+IcsuP2tRH6tg== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBpzCCAVGgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt 
-cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDAyWhcNMzgw -MTAxMTIzNDAyWjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp -Y2EgU2lnbmluZyBDZXJ0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ2Y6E5WBXQE -zFsWgxK4JXrpPWGEQZ+KNy3iXgmupAA6Yy0umCLu+eGCekkwZ0WfFhhd+Qy7P+qo -F0mre7VDDHECAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB -Af8CAQAwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxlLm9yZy9s -YXRlc3QuY3JsMA0GCSqGSIb3DQEBBQUAA0EATmemAFFWLNA8natXhFyhrDYmTv8X -PEJ3UVt0DmOMxmEBahIeDfplfTfj/NYvy/on7YCZO7F5PwVY2pNJqm8Tmw== +MIICLDCCAZWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADApMRQwEgYDVQQKEwtleGFt +cGxlLm9yZzERMA8GA1UEAxMIY2xpY2EgQ0EwHhcNMTIxMTAxMTIzNDA4WhcNMzgw +MTAxMTIzNDA4WjAzMRQwEgYDVQQKEwtleGFtcGxlLm9yZzEbMBkGA1UEAxMSY2xp +Y2EgU2lnbmluZyBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrlUzB +ANKQi0cI+jOYOVy2EYu2LOXihiMHi3dX/boaZ2+rIwbWaaAy7gMXLvfay/ml+pyY +hnxQbnfADZN0xXQoHZ3AjBIU6YP2CWpOk/3jrnjW7P84fCie/6SXhfH2l6ZZFaro +yRw10jnO/kgEtFKBQpN7eZ2oPDaGGwuyBVaXqQIDAQABo1owWDAOBgNVHQ8BAf8E +BAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAyBgNVHR8EKzApMCegJaAjhiFodHRw +Oi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwDQYJKoZIhvcNAQEFBQADgYEA +n2I9uY34QxYLfMCIwI3oMkR+v0ehEmjLcF3S2SILybtKFOxHUvFx10IiYJOCjPKr +vTwbprTp4R9HffQyiGoe9jLYu+8Tfjf86hDcoChOg8SZm1u3rXCgXPus+19XON0g +UWiJmIBAWDhz8+0vQ3QyrgtLuweoX4tTcbYOlTzO5KU= -----END CERTIFICATE----- diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.key b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.key index 6f62ee00e..acc3f1a5a 100644 --- a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.key +++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.key 
@@ -1,15 +1,21 @@ Bag Attributes friendlyName: server2.example.org - localKeyID: 86 3E B2 BF BC 60 4F 3F C4 EA AA FE 97 44 A9 48 6B 4F C1 77 + localKeyID: 86 EB 3E FE 4D A0 AA B2 44 D0 9C 33 41 91 11 0F E4 B5 77 94 Key Attributes: -----BEGIN ENCRYPTED PRIVATE KEY----- -MIIBpjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIjfdds7UVEY0CAggA -MBQGCCqGSIb3DQMHBAiY22+2lkjkEASCAWDm5MmTuUgMOkSWscoH1Qn/GVM2sawP -TsknGm/HMV+bJlpGLCXwBrAKe6RDC+zlEmGVUSWJoxoPz1qQT9fcooyEFSCS8asN -omSw+8wrxXTSB57b1OqpHoV8VlTT60/sdVV8l9B1Ef/vsdjKB0NDwqUwDVg4Xw32 -wV3Tv8pFRLg3CBCEDeykcJ+FkodSope9UL6E95Ukhae335bTmWsxbrR4IZCUhI2t -/MOLyPnd6huPGlti2SH8PRRnei6TM/O8mH1uUzdSAqxoDA6wV+P6pIDI8GY1k61q -53oeq9ocSJOQ+q3kIyBQlGgApME47hog3sVZ/WsU3r071g9VKhzlFUFPOOkbUR9+ -gl7MDV/r/6IjOAHEaLFBQrnRVKbs93sTtf8pNhIHJLJtTWjDV/nBbiHxsNFIWqGU -ZlH0FU2DENHZqPiLxsfH1J9EmtTiHXgu/naD0m7RbmPm6ffIDPuYPVMw +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI/rBIbDk6nrECAggA +MBQGCCqGSIb3DQMHBAjeDfpn4LPrpgSCAoAqkEeSEHhFDrXw2s6WkSJurj4Pr7+J +ZliDli+SjbfZfx6aDUEzYmkqQqi2emuNmPirCzE/Ue42+Gd4WA2Yiyj8Rm+oAym6 +y528ujQNEP3w4ItkDT1W2E5IqgXrFfTsnXhFUegDVt2XY//ByYSJTQqn3/Fjm0bC +ttNoRdnpVhmJYwKJOfrvPLuyZEA0Y/zcY0hJ8oFGWZkvJ6aPx3FqDy1o30i3tJax +t+plehWN6pxOMwNIwOLZRsMjn1gX+d4XzTlDEk+foX8bSNi1AzClPsF/haU5kjfr +lcnww7VOU5rXz6r8RJhlLDqyYyNGPrl4oxORoVtBZGBJHqkHB0pPdC39gdrtc8P1 +IDY2GC0hd+QAQCTwb/wmqLTmJXRFQSmvQFGB0/jym2GQxeZHzuXYftY/oGaoOIll +dy8vrtsMEzz37PZxsT8vJs/aPkqULBI30PpHLiPsJqUd2MeB+w0LNzZokkg44XQU +o208UXKD90UjyUplv1XdvTHW2uIkL9X5ssVZOcQC1eHZ2Z2ahphDx3mU9hqqW8aI +43ToptxzxlBMbRU5SJtOWKSzUqXpXAha1T5LDwqE0tgF5H99s6qvdaLN1iTUsCav ++DfkrniH34WzmeE+u5SxvKT0h4XsRW4TOLEdTnoaAF4qIK/1rzcp/X7XxgDsJd3z +RJBxAogwmaKoxa3GQJjJSjg5qw9EFHUnI9g8Ct+rm5lgHFR0amBHGumqwzTelJ09 +/IZfEMkpgJYJkWkDbvT1NNHNiAgh1VGOUmVsLCoQNhurdHKrF7Uw5QrVOlsrj/pz +ojArIa6IkJJ85RyzGNToZTwlXHxGyltsosEOt0R5pn176ILRFcWDhguk -----END ENCRYPTED PRIVATE KEY----- 
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.dated.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.dated.resp index b15606af3..355b0e876 100644 Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.dated.resp and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.dated.resp differ diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.good.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.good.resp index 8fc3f99e1..f1ee52598 100644 Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.good.resp and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.good.resp differ diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.req b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.req index f8731d0c1..aa1f97e7f 100644 Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.req and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.req differ diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.revoked.resp b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.revoked.resp index 8fc3f99e1..f1ee52598 100644 Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.revoked.resp and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.ocsp.revoked.resp differ 
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.p12 b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.p12 index f2f2fe8a9..bc2069e57 100644 Binary files a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.p12 and b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.p12 differ diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem index ed55c33bf..e0bd03094 100644 --- a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem +++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.pem 
@@ -1,18 +1,21 @@ Bag Attributes friendlyName: server2.example.org - localKeyID: 86 3E B2 BF BC 60 4F 3F C4 EA AA FE 97 44 A9 48 6B 4F C1 77 + localKeyID: 86 EB 3E FE 4D A0 AA B2 44 D0 9C 33 41 91 11 0F E4 B5 77 94 subject=/CN=server2.example.org issuer=/O=example.org/CN=clica Signing Cert -----BEGIN CERTIFICATE----- -MIICAzCCAa2gAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh +MIICiDCCAfGgAwIBAgICAMkwDQYJKoZIhvcNAQEFBQAwMzEUMBIGA1UEChMLZXhh bXBsZS5vcmcxGzAZBgNVBAMTEmNsaWNhIFNpZ25pbmcgQ2VydDAeFw0xMjExMDEx -MjM0MDNaFw0zODAxMDExMjM0MDNaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs -ZS5vcmcwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1bNd+LEj7UV8Riahrn/3TL1n -NwaIvqkqCFscP5ae3dB5rJ8vdfIc0hOzh782zpXxJxYa7S340zjxfgdUzMAeWQID -AQABo4G/MIG8MA4GA1UdDwEB/wQEAwIE8DAgBgNVHSUBAf8EFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwMgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NybC5leGFtcGxl -Lm9yZy9sYXRlc3QuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0 -cDovL29zY3AvZXhhbXBsZS5vcmcvMB4GA1UdEQQXMBWCE3NlcnZlcjIuZXhhbXBs -ZS5vcmcwDQYJKoZIhvcNAQEFBQADQQBCORy4CO4MMENsEtYwU7xE0Ck5i8VefJ6D -txODMnRUzsthdbfjgXm3BfVPrhOuT0/bIKfyJtoSdCtN1SRPTJxO +MjM0MTBaFw0zODAxMDExMjM0MTBaMB4xHDAaBgNVBAMTE3NlcnZlcjIuZXhhbXBs +ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALLE1hEpg5JGIpYSHMWN +E/s8UpUxBYBqQI0cecr5uwwoNfBybw6cpEwP1XMHlVqlz4nP9Gfo7XLI3dE/GQ0H +4/Urlw8tP/hydlP8LxXG3ZDyL7f4yYvoHCxsUy7jC3yv9Z0lQx59gvdTho3OZkIW +he3mmSY/aH7pXrP+Y0CcPdNvAgMBAAGjgb8wgbwwDgYDVR0PAQH/BAQDAgTwMCAG +A1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAyBgNVHR8EKzApMCegJaAj +hiFodHRwOi8vY3JsLmV4YW1wbGUub3JnL2xhdGVzdC5jcmwwNAYIKwYBBQUHAQEE +KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb3NjcC9leGFtcGxlLm9yZy8wHgYDVR0R +BBcwFYITc2VydmVyMi5leGFtcGxlLm9yZzANBgkqhkiG9w0BAQUFAAOBgQCOfWb9 +Dt+2W6GH3500f4QJ8ORluURIEn1rtZaT+Nz9AliREjhBgMInwYhkvzESGqbpeZHG +mnE8zGHlXBs2H8BAp0jpXpm0BCrCe9B2NPa98CLUuNlraTr+eWoMmf85DHmML/rl +8N6BKUMgUFBP1KKvDthUFbQ/S+IcsuP2tRH6tg== -----END CERTIFICATE----- 
diff --git a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key index 38b2718e0..18327f50f 100644 --- a/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key +++ b/test/aux-fixed/exim-ca/example.org/server2.example.org/server2.example.org.unlocked.key @@ -1,9 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOwIBAAJBANWzXfixI+1FfEYmoa5/90y9ZzcGiL6pKghbHD+Wnt3QeayfL3Xy -HNITs4e/Ns6V8ScWGu0t+NM48X4HVMzAHlkCAwEAAQJATzDe2+/Y3m5ndR+PvriR -DhEKFKwJNI4/k0UgHLhWOt/+y02ZfO5zhZaLvYG1BQbGKyhypdAGS8QP19xRVjI9 -uQIhAPs7Ql00hIvZvfRMmgh90otggbrWIrkW8Oh10BMFBdkTAiEA2cG+l36A5NAs -PlA7sOlQyFs5F4XNXzEy76vPsGR/pGMCIBjo3UGkjWfYZQ8t8S/aWd/b58EArlyv -u58w3zqjitrlAiEAsJeqlPkGVolsF+zBO6s61AEGv8jG0Ff50twmxgn6abkCIQDJ -pUSYU/YF7bYj5QuHRyemhzDytTQcAB7A4IEWZsSL9A== +MIICWwIBAAKBgQCyxNYRKYOSRiKWEhzFjRP7PFKVMQWAakCNHHnK+bsMKDXwcm8O +nKRMD9VzB5Vapc+Jz/Rn6O1yyN3RPxkNB+P1K5cPLT/4cnZT/C8Vxt2Q8i+3+MmL +6BwsbFMu4wt8r/WdJUMefYL3U4aNzmZCFoXt5pkmP2h+6V6z/mNAnD3TbwIDAQAB +AoGAHxMYIuOUe1i1qmB7n9tmHcXelRBwZGIT1nOcuCuw1+wldCZwJ5oS9SXLdLNc +wuUPrmT3lxhmLg28gSL2t80nUqxTiVGBJhP17hHlOpVqVYSuJTSk9nAPOh21WfOo +ghHEwK6bUiMvrOo9jzNzYozqZ1aJsFc7kh3WugXvsBLGvAECQQDeTIyF5EDPBkgx +8Uhznw5kzn/UfcFGQIbAUupSo9hSlGtxIQl6nZZx7lZpUbQz/IGrx9avrG0x8CGf +kRh5XN5LAkEAzd7gviJg3zZ46uLqNaaIr9B1M+NF2GHj8WgBfDb5WOloo68CWSW8 +WALKbabBp0eHiNEn/X1MHKBfY6LrrScY7QJAJA56hIUfVfUI5MDkJYzZAtTTux2i +qchxkuRgCYN15P8Z5kGbjf3dlyE3duG/vuboCXrigaAQHhd6/KzGMXk0vQJAFmKD +oWjvi5XKtA+UU90Vw7gw5kFyGMMcG+WpM65ukmJexF2FLdhSkGdNR3r4V44JiLDl +XkS/f+VYOec/JQa5SQJAPaND0R38kuFxDDngET/1Lh2vXTpza7Xi0/1ec3i4jXe0 +HckZVHpVE7PWt1iqKRShoZmXI+ccIGLDdFTDYPSMMg== -----END RSA PRIVATE KEY----- diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall index 63a3618ee..d1901fe7e 100755 --- a/test/aux-fixed/exim-ca/genall +++ b/test/aux-fixed/exim-ca/genall 
@@ -7,8 +7,11 @@ echo hit return when ready read junk for tld in com org net do - clica -D example.$tld -p password -B 512 -I -N example.$tld -F -C http://crl.example.$tld/latest.crl -O http://oscp/example.$tld/ - clica -D example.$tld -p password -s 101 -S server1.example.$tld + clica -D example.$tld -p password -B 1024 -I -N example.$tld -F \ + -C http://crl.example.$tld/latest.crl -O http://oscp/example.$tld/ + + clica -D example.$tld -p password -s 101 -S server1.example.$tld \ + -8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld clica -D example.$tld -p password -s 102 -S revoked1.example.$tld clica -D example.$tld -p password -s 103 -S expired1.example.$tld -m 1 clica -D example.$tld -p password -s 201 -S server2.example.$tld 
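Review bot: "-B 1024" in the first clica call is still a small RSA size for the whole fixture tree. If the move away from 512 is meant to keep these certificates acceptable to TLS libraries that enforce a minimum key length, generating at 2048 now would avoid another full regeneration of every cert, key, .p12 and OCSP response later. Separately, the re-wrapped "-O http://oscp/example.$tld/" keeps "oscp" as the host and the domain as a path. If that was meant to be an OCSP responder URL, this regeneration is the cheap moment to correct it, since the value is embedded in each issued certificate. Only server1 gets "-8" alternative names, so a short comment saying which tests rely on them would help the next person who edits this loop.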
@@ -49,16 +52,17 @@ EOF do SPFX=example.$tld/$server.example.$tld/$server.example.$tld openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -reqout $SPFX.ocsp.req - openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp - openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp - openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp + openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp + openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp + openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp done done # and loop again to generate unlocked keys and client cert bundles for tld in com org net do - for server in server1 revoked1 expired1 server2 revoked2 expired2 do + for server in server1 revoked1 expired1 server2 revoked2 expired2 + do SDIR=example.$tld/$server.example.$tld SPFX=$SDIR/$server.example.$tld openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key @@ -98,4 +102,7 @@ do openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem done +find example.* -type d -print0 | xargs -0 chmod 755 +find example.* -type f -print0 | xargs -0 chmod 644 + echo "CA, Certificate, CRL and OSCP Response generation complete" diff --git a/test/aux-fixed/ocsp_file.der b/test/aux-fixed/ocsp_file.der deleted file mode 100644 index f629d53e3..000000000 Binary files a/test/aux-fixed/ocsp_file.der and /dev/null differ diff --git a/test/configure.ac b/test/configure.ac index 83f1aa05d..a38b5b0ae 100644 --- a/test/configure.ac +++ b/test/configure.ac 
@@ -48,6 +48,11 @@ case $host_os in ;; esac +dnl Solaris requires additional libraries for networking functions. + +AC_SEARCH_LIBS([inet_addr], [nsl]) +AC_SEARCH_LIBS([connect], [socket]) + dnl "Export" these variables AC_SUBST(BIND_8_COMPAT) @@ -55,6 +60,7 @@ AC_SUBST(CLIENT_SSL) AC_SUBST(CLIENT_GNUTLS) AC_SUBST(LOADED) AC_SUBST(LOADED_OPT) +AC_SUBST(LIBS) dnl This must be last; it determines what files are written diff --git a/test/confs/0096 b/test/confs/0096 index 1ee9b746f..a182a9303 100644 --- a/test/confs/0096 +++ b/test/confs/0096 @@ -21,7 +21,8 @@ localuser: driver = accept local_parts = userx headers_add = "${if def:h_x-rbl-warning: {Added: xxxx}fail}" - headers_remove = "${if def:h_x-rbl-warning: {subject}fail}" + # Colon-sep list! + headers_remove = "${if def::h_x-rbl-warning:: {subject}fail}" transport = local_delivery diff --git a/test/confs/0097 b/test/confs/0097 index c8e773fc2..ad88aee09 100644 --- a/test/confs/0097 +++ b/test/confs/0097 @@ -21,7 +21,8 @@ localuser: driver = accept local_parts = userx headers_add = "${if def:h_x-rbl-warning: {Added: by router}}" - headers_remove = "${if def:h_x-rbl-warning: {subject}}" + # Colon-sep list! + headers_remove = "${if def::h_x-rbl-warning:: {subject}}" transport = local_delivery @@ -35,7 +36,7 @@ local_delivery: envelope_to_add file = DIR/test-mail/$local_part headers_add = "${if def:h_tadd: {Added: by transport}}" - headers_remove = "${if def:h_tadd: {tadd}}" + headers_remove = "${if def::h_tadd:: {tadd}}" return_path_add user = CALLER diff --git a/test/confs/0166 b/test/confs/0166 index b94331b44..7d2f06611 100644 --- a/test/confs/0166 +++ b/test/confs/0166 @@ -30,6 +30,9 @@ user: headers_add = X-Delivered-To: $local_part@$domain retry_use_local_part transport = local_delivery + headers_add = X-rtr-hdr: 1 + headers_add = ${if bool{false} {X-rtr-hdr: 2}} + headers_add = X-rtr-hdr: 3 # ----- Transports ----- 
@@ -41,6 +44,9 @@ local_delivery: envelope_to_add file = DIR/test-mail/$local_part user = CALLER + headers_add = X-tpt-hdr: 1 + headers_add = ${if bool{false} {X-tpt-hdr: 2}} + headers_add = X-tpt-hdr: 3 # End diff --git a/test/confs/0569 b/test/confs/0569 new file mode 100644 index 000000000..0987e7ed0 --- /dev/null +++ b/test/confs/0569 @@ -0,0 +1,34 @@ +# Exim test configuration 0569 + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +# ----- Main settings ----- + +acl_smtp_mail = check_from +acl_smtp_rcpt = accept +acl_smtp_data = check_message + +recipient_unqualified_hosts = V4NET.10.10.9 + +# ----- ACL ----- + +begin acl + +check_from: + accept senders = usery@exim.test.ex + set acl_m_message = I do not like your message + accept + +check_message: + require message = ${if def:acl_m_message {$acl_m_message}} + verify = header_names_ascii + accept + +# End diff --git a/test/confs/0600 b/test/confs/0600 new file mode 100644 index 000000000..0347e4c60 --- /dev/null +++ b/test/confs/0600 
@@ -0,0 +1,69 @@ +# Exim test configuration 0005 + +exim_path = EXIM_PATH +host_lookup_order = bydns +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +# ----- Main settings ----- + +domainlist local_domains = @ + +acl_smtp_rcpt = accept +acl_smtp_data = check_data + +trusted_users = CALLER + + +# ----- ACL ----- + +begin acl + +check_data: + accept logwrite = \ + x-test-header-good1: ${utf8clean:$h_x-test-header-good1:} + logwrite = \ + x-test-header-good2: ${utf8clean:$h_x-test-header-good2:} + logwrite = \ + x-test-header-too-short: ${utf8clean:$h_x-test-header-too-short:} + logwrite = \ + x-test-header-too-long: ${utf8clean:$h_x-test-header-too-long:} + logwrite = \ + x-test-header-too-big: ${utf8clean:$h_x-test-header-too-big:} + + + +# ----- Routers ----- + +begin routers + +fail_remote_domains: + driver = redirect + domains = ! +local_domains + data = :fail: unrouteable mail domain "$domain" + +localuser: + driver = accept + check_local_user + transport = local_delivery + headers_add = X-local-user: uid=$local_user_uid gid=$local_user_gid + + +# ----- Transports ----- + +begin transports + +local_delivery: + driver = appendfile + delivery_date_add + envelope_to_add + file = DIR/test-mail/$local_part + headers_add = "X-body-linecount: $body_linecount\n\ + X-message-linecount: $message_linecount\n\ + X-received-count: $received_count" + return_path_add + +# End diff --git a/test/confs/2002 b/test/confs/2002 index e8358da25..9f664e8f7 100644 --- a/test/confs/2002 +++ b/test/confs/2002 
@@ -20,11 +20,11 @@ queue_run_in_order tls_advertise_hosts = 127.0.0.1 : HOSTIPV4 -tls_certificate = DIR/aux-fixed/cert1 -tls_privatekey = DIR/aux-fixed/cert1 +tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem +tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key tls_verify_hosts = HOSTIPV4 -tls_verify_certificates = DIR/aux-fixed/cert2 +tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem # ------ ACL ------ 
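Review bot: tls_verify_certificates now takes ca_chain.pem from the server2.example.com directory while tls_certificate and tls_privatekey come from server1.example.com, and nothing in the file says whether that mix is deliberate. If both directories carry the same example.com chain, pointing at the server1 copy (as CA1 does in test/confs/2012) would read more consistently. If the server2 copy is intended, a one-line comment should say why. The three long paths would also be easier to maintain as macros, in the style of the FX/S1 block added to 2012 and 2112.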
@@ -41,7 +41,28 @@ check_recipient: DHE_RSA_AES_256_CBC_SHA1 : \ DHE_RSA_3DES_EDE_CBC_SHA : \ RSA_AES_256_CBC_SHA1 - accept + warn logwrite = ${if def:tls_in_ourcert \ + {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \ + {We did not present a cert}} + accept condition = ${if !def:tls_in_peercert} + logwrite = Peer did not present a cert + accept logwrite = Peer cert: + logwrite = ver ${certextract {version}{$tls_in_peercert}} + logwrite = SR <${certextract {serial_number}{$tls_in_peercert}}> + logwrite = SN <${certextract {subject} {$tls_in_peercert}}> + logwrite = IN <${certextract {issuer} {$tls_in_peercert}}> + logwrite = IN/O <${certextract {issuer,O} {$tls_in_peercert}}> + logwrite = NB <${certextract {notbefore} {$tls_in_peercert}}> + logwrite = NB/i <${certextract {notbefore,int}{$tls_in_peercert}}> + logwrite = NA <${certextract {notafter} {$tls_in_peercert}}> + logwrite = SA <${certextract {sig_algorithm}{$tls_in_peercert}}> + logwrite = SG <${certextract {signature} {$tls_in_peercert}}> + logwrite = ${certextract {subj_altname} {$tls_in_peercert} {SAN <$value>}{(no SAN)}} +# logwrite = ${certextract {ocsp_uri} {$tls_in_peercert} {OCU <$value>}{(no OCU)}} + logwrite = ${certextract {crl_uri} {$tls_in_peercert} {CRU <$value>}{(no CRU)}} + logwrite = md5 fingerprint ${md5:$tls_in_peercert} + logwrite = sha1 fingerprint ${sha1:$tls_in_peercert} + logwrite = sha256 fingerprint ${sha256:$tls_in_peercert} # ----- Routers ----- diff --git a/test/confs/2012 b/test/confs/2012 index 75fa54a1c..97dc25e75 100644 --- a/test/confs/2012 +++ b/test/confs/2012 @@ -1,4 +1,5 @@ # Exim test configuration 2012 +# TLS client: verify certificate from server - fails SERVER= 
@@ -11,6 +12,16 @@ log_file_path = DIR/spool/log/SERVER%slog gecos_pattern = "" gecos_name = CALLER_NAME +FX = DIR/aux-fixed +S1 = FX/exim-ca/example.com/server1.example.com + +CA1 = S1/ca_chain.pem +CERT1 = S1/server1.example.com.pem +KEY1 = S1/server1.example.com.unlocked.key +CA2 = FX/cert2 +CERT2 = FX/cert2 +KEY2 = FX/cert2 + # ----- Main settings ----- acl_smtp_rcpt = accept 
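Review bot: KEY2 is defined here but never used in the hunk that follows, where every transport sets "tls_privatekey = CERT2". Either use KEY2 there or drop the macro. CA2, CERT2 and KEY2 all expand to FX/cert2, so the same file serves as certificate, private key and trust anchor. That looks intentional for the failure cases, but it is not obvious to a reader, and a short comment above the block saying so would prevent someone "fixing" it. By contrast the server side gets a separate chain, certificate and unlocked key (CA1, CERT1, KEY1), which is the clearer pattern.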
@@ -24,36 +35,138 @@ tls_advertise_hosts = * # Set certificate only if server -tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} -tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} +tls_certificate = ${if eq {SERVER}{server}{CERT1}fail} +tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail} tls_verify_hosts = * -tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} +tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail} # ----- Routers ----- begin routers -client: +server_dump: + driver = redirect + condition = ${if eq {SERVER}{server}{yes}{no}} + data = :blackhole: + +client_x: + driver = accept + local_parts = userx + retry_use_local_part + transport = send_to_server_failcert + errors_to = "" + +client_y: + driver = accept + local_parts = usery + retry_use_local_part + transport = send_to_server_retry + +client_z: + driver = accept + local_parts = userz + retry_use_local_part + transport = send_to_server_crypt + +client_q: + driver = accept + local_parts = userq + retry_use_local_part + transport = send_to_server_req_fail + +client_r: + driver = accept + local_parts = userr + retry_use_local_part + transport = send_to_server_req_failname + +client_s: driver = accept - condition = ${if eq {SERVER}{server}{no}{yes}} + local_parts = users retry_use_local_part - transport = send_to_server + transport = send_to_server_req_passname # ----- Transports ----- begin transports -send_to_server: +# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement +send_to_server_failcert: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok +send_to_server_retry: driver = smtp allow_localhost hosts = HOSTIPV4 : 127.0.0.1 hosts_require_tls = HOSTIPV4 port = PORT_D - 
tls_certificate = DIR/aux-fixed/cert2 + tls_certificate = CERT2 + tls_privatekey = CERT2 + tls_verify_certificates = \ - ${if eq{$host_address}{127.0.0.1}{DIR/aux-fixed/cert1}{DIR/aux-fixed/cert2}} + ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} + +# this will fail to verify the cert but continue unverified though crypted +send_to_server_crypt: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_try_verify_hosts = * + +# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted +send_to_server_req_fail: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_verify_hosts = * + +# # this will fail to verify the cert name and fallback to unencrypted +# send_to_server_req_failname: +# driver = smtp +# allow_localhost +# hosts = HOSTIPV4 +# port = PORT_D +# tls_certificate = CERT2 +# tls_privatekey = CERT2 +# +# tls_verify_certificates = CA1 +# tls_verify_cert_hostnames = server1.example.net : server1.example.org +# tls_verify_hosts = * +# +# # this will pass the cert verify including name check +# send_to_server_req_passname: +# driver = smtp +# allow_localhost +# hosts = HOSTIPV4 +# port = PORT_D +# tls_certificate = CERT2 +# tls_privatekey = CERT2 +# +# tls_verify_certificates = CA1 +# tls_verify_cert_hostnames = noway.example.com : server1.example.com +# tls_verify_hosts = * # End diff --git a/test/confs/2024 b/test/confs/2024 index a677c4c86..c59e975de 100644 --- a/test/confs/2024 +++ b/test/confs/2024 @@ -24,6 +24,7 @@ tls_certificate = CERT tls_privatekey = CERT tls_verify_hosts = HOSTIPV4 -tls_verify_certificates = TVC +#tls_verify_certificates = TVC +tls_verify_certificates = CERT # End diff --git a/test/confs/2025 b/test/confs/2025 index b84407202..c19f65e9d 100644 --- a/test/confs/2025 
+++ b/test/confs/2025 @@ -23,7 +23,7 @@ queue_run_in_order tls_advertise_hosts = * tls_require_ciphers = ${if eq{$sender_host_address}{HOSTIPV4}\ - {IDEA-CBC-MD5}{!RSA_AES_256:DES-CBC3-SHA}} + {NONE}{SECURE256}} # Set certificate only if server diff --git a/test/confs/2026 b/test/confs/2026 index 4185e0b79..d70c5a2db 100644 --- a/test/confs/2026 +++ b/test/confs/2026 @@ -5,7 +5,11 @@ host_lookup_order = bydns primary_hostname = myhost.test.ex rfc1413_query_timeout = 0s spool_directory = DIR/spool +.ifdef SERVER log_file_path = DIR/spool/log/%slog +.else +log_file_path = DIR/spool/log/%D-%slog +.endif gecos_pattern = "" gecos_name = CALLER_NAME @@ -14,6 +18,7 @@ gecos_name = CALLER_NAME acl_smtp_rcpt = check_rcpt log_selector = +tls_peerdn + tls_advertise_hosts = HOSTIPV4 tls_certificate = DIR/aux-fixed/cert1 tls_privatekey = DIR/aux-fixed/cert1 @@ -25,12 +30,12 @@ begin acl check_rcpt: accept local_parts = userx + control = queue_only defer local_parts = usery hosts = 127.0.0.1 - accept - + accept control = queue_only # ----- Routers ----- diff --git a/test/confs/2102 b/test/confs/2102 index 7f5771c0e..7d5d13a5a 100644 --- a/test/confs/2102 +++ b/test/confs/2102 @@ -20,11 +20,11 @@ queue_run_in_order tls_advertise_hosts = 127.0.0.1 : HOSTIPV4 -tls_certificate = DIR/aux-fixed/cert1 -tls_privatekey = DIR/aux-fixed/cert1 +tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem +tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key tls_verify_hosts = HOSTIPV4 -tls_verify_certificates = DIR/aux-fixed/cert2 +tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem # ------ ACL ------ 
@@ -42,7 +42,28 @@ check_recipient: DHE-RSA-AES256-GCM-SHA384 : \ DHE_RSA_AES_256_CBC_SHA1 : \ DHE_RSA_3DES_EDE_CBC_SHA - accept + warn logwrite = ${if def:tls_in_ourcert \ + {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \ + {We did not present a cert}} + accept condition = ${if !def:tls_in_peercert} + logwrite = Peer did not present a cert + accept logwrite = Peer cert: + logwrite = ver ${certextract {version}{$tls_in_peercert}} + logwrite = SR <${certextract {serial_number}{$tls_in_peercert}}> + logwrite = SN <${certextract {subject} {$tls_in_peercert}}> + logwrite = IN <${certextract {issuer} {$tls_in_peercert}}> + logwrite = IN/O <${certextract {issuer,O} {$tls_in_peercert}}> + logwrite = NB <${certextract {notbefore} {$tls_in_peercert}}> + logwrite = NB/i <${certextract {notbefore,int}{$tls_in_peercert}}> + logwrite = NA <${certextract {notafter} {$tls_in_peercert}}> + logwrite = SA <${certextract {sig_algorithm}{$tls_in_peercert}}> + logwrite = SG <${certextract {signature} {$tls_in_peercert}}> + logwrite = ${certextract {subj_altname} {$tls_in_peercert} {SAN <$value>}{(no SAN)}} + logwrite = ${certextract {ocsp_uri} {$tls_in_peercert} {OCU <$value>}{(no OCU)}} + logwrite = ${certextract {crl_uri} {$tls_in_peercert} {CRU <$value>}{(no CRU)}} + logwrite = md5 fingerprint ${md5:$tls_in_peercert} + logwrite = sha1 fingerprint ${sha1:$tls_in_peercert} + logwrite = sha256 fingerprint ${sha256:$tls_in_peercert} # ----- Routers ----- diff --git a/test/confs/2112 b/test/confs/2112 index 78733513e..4751e6015 100644 --- a/test/confs/2112 +++ b/test/confs/2112 @@ -1,4 +1,5 @@ # Exim test configuration 2112 +# TLS client: verify certificate from server - fails SERVER= 
@@ -11,6 +12,16 @@ log_file_path = DIR/spool/log/SERVER%slog gecos_pattern = "" gecos_name = CALLER_NAME +FX = DIR/aux-fixed +S1 = FX/exim-ca/example.com/server1.example.com + +CA1 = S1/ca_chain.pem +CERT1 = S1/server1.example.com.pem +KEY1 = S1/server1.example.com.unlocked.key +CA2 = FX/cert2 +CERT2 = FX/cert2 +KEY2 = FX/cert2 + # ----- Main settings ----- acl_smtp_rcpt = accept 
@@ -24,36 +35,138 @@ tls_advertise_hosts = * # Set certificate only if server -tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} -tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} +tls_certificate = ${if eq {SERVER}{server}{CERT1}fail} +tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail} tls_verify_hosts = * -tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} +tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail} # ----- Routers ----- begin routers -client: +server_dump: + driver = redirect + condition = ${if eq {SERVER}{server}{yes}{no}} + data = :blackhole: + +client_x: + driver = accept + local_parts = userx + retry_use_local_part + transport = send_to_server_failcert + errors_to = "" + +client_y: + driver = accept + local_parts = usery + retry_use_local_part + transport = send_to_server_retry + +client_z: + driver = accept + local_parts = userz + retry_use_local_part + transport = send_to_server_crypt + +client_q: + driver = accept + local_parts = userq + retry_use_local_part + transport = send_to_server_req_fail + +client_r: + driver = accept + local_parts = userr + retry_use_local_part + transport = send_to_server_req_failname + +client_s: driver = accept - condition = ${if eq {SERVER}{server}{no}{yes}} + local_parts = users retry_use_local_part - transport = send_to_server + transport = send_to_server_req_passname # ----- Transports ----- begin transports -send_to_server: +# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement +send_to_server_failcert: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok +send_to_server_retry: driver = smtp allow_localhost hosts = HOSTIPV4 : 127.0.0.1 hosts_require_tls = HOSTIPV4 port = PORT_D - 
tls_certificate = DIR/aux-fixed/cert2 + tls_certificate = CERT2 + tls_privatekey = CERT2 + tls_verify_certificates = \ - ${if eq{$host_address}{127.0.0.1}{DIR/aux-fixed/cert1}{DIR/aux-fixed/cert2}} + ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} + +# this will fail to verify the cert but continue unverified though crypted +send_to_server_crypt: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_try_verify_hosts = * + +# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted +send_to_server_req_fail: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_verify_hosts = * + +# # this will fail to verify the cert name and fallback to unencrypted +# send_to_server_req_failname: +# driver = smtp +# allow_localhost +# hosts = HOSTIPV4 +# port = PORT_D +# tls_certificate = CERT2 +# tls_privatekey = CERT2 +# +# tls_verify_certificates = CA1 +# tls_verify_cert_hostnames = server1.example.net : server1.example.org +# tls_verify_hosts = * +# +# # this will pass the cert verify including name check +# send_to_server_req_passname: +# driver = smtp +# allow_localhost +# hosts = HOSTIPV4 +# port = PORT_D +# tls_certificate = CERT2 +# tls_privatekey = CERT2 +# +# tls_verify_certificates = CA1 +# tls_verify_cert_hostnames = noway.example.com : server1.example.com +# tls_verify_hosts = * # End diff --git a/test/confs/3465 b/test/confs/3465 index 161fff526..83592a678 100644 --- a/test/confs/3465 +++ b/test/confs/3465 @@ -70,5 +70,9 @@ t1: hosts_require_auth = * allow_localhost + # These can be made visible by adding "-d-all+deliver+transport+tls" to the script 1st queuerun + headers_add = X-tls-cipher: <$tls_cipher> + headers_add = X-tls-out-cipher: <$tls_out_cipher> + # End 
diff --git a/test/confs/5400 b/test/confs/5400 index 8f2e8b585..62466983c 100644 --- a/test/confs/5400 +++ b/test/confs/5400 @@ -34,6 +34,8 @@ all: route_list = * 127.0.0.1 self = send transport = smtp + headers_remove = X-hdr-rtr + headers_add = X-hdr-rtr-new: $h_X-hdr-rtr:+++ no_more @@ -45,6 +47,7 @@ smtp: driver = smtp interface = HOSTIPV4 port = PORT_S + headers_add = ${if def:h_X-hdr-rtr {X-hdr-tpt-new: new} {}} # End diff --git a/test/confs/5440 b/test/confs/5440 new file mode 100644 index 000000000..955641246 --- /dev/null +++ b/test/confs/5440 
@@ -0,0 +1,172 @@ +# Exim test configuration 2012 +# TLS client: verify certificate from server - fails + +SERVER= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +FX = DIR/aux-fixed +S1 = FX/exim-ca/example.com/server1.example.com + +CA1 = S1/ca_chain.pem +CERT1 = S1/server1.example.com.pem +KEY1 = S1/server1.example.com.unlocked.key +CA2 = FX/cert2 +CERT2 = FX/cert2 +KEY2 = FX/cert2 + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = +tls_peerdn+tls_certificate_verified + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +# Set certificate only if server + +tls_certificate = ${if eq {SERVER}{server}{CERT1}fail} +tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail} + +tls_verify_hosts = * +tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail} + + +# ----- Routers ----- + +begin routers + +server_dump: + driver = redirect + condition = ${if eq {SERVER}{server}{yes}{no}} + data = :blackhole: + +client_x: + driver = accept + local_parts = userx + retry_use_local_part + transport = send_to_server_failcert + errors_to = "" + +client_y: + driver = accept + local_parts = usery + retry_use_local_part + transport = send_to_server_retry + +client_z: + driver = accept + local_parts = userz + retry_use_local_part + transport = send_to_server_crypt + +client_q: + driver = accept + local_parts = userq + retry_use_local_part + transport = send_to_server_req_fail + +client_r: + driver = accept + local_parts = userr + retry_use_local_part + transport = send_to_server_req_failname + +client_s: + driver = accept + local_parts = users + retry_use_local_part + transport = send_to_server_req_passname + + +# ----- Transports ----- + +begin transports + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement +send_to_server_failcert: + 
driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok +send_to_server_retry: + driver = smtp + allow_localhost + hosts = HOSTIPV4 : 127.0.0.1 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = \ + ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} + +# this will fail to verify the cert but continue unverified though crypted +send_to_server_crypt: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_try_verify_hosts = * + +# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted +send_to_server_req_fail: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_verify_hosts = * + +# this will fail to verify the cert name and fallback to unencrypted +send_to_server_req_failname: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = server1.example.net : server1.example.org + tls_verify_hosts = * + +# this will pass the cert verify including name check +send_to_server_req_passname: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = noway.example.com : server1.example.com + tls_verify_hosts = * + +# End diff --git a/test/confs/5450 b/test/confs/5450 new file mode 100644 index 000000000..398871c64 --- /dev/null +++ b/test/confs/5450 
@@ -0,0 +1,172 @@ +# Exim test configuration 2112 +# TLS client: verify certificate from server - fails + +SERVER= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +FX = DIR/aux-fixed +S1 = FX/exim-ca/example.com/server1.example.com + +CA1 = S1/ca_chain.pem +CERT1 = S1/server1.example.com.pem +KEY1 = S1/server1.example.com.unlocked.key +CA2 = FX/cert2 +CERT2 = FX/cert2 +KEY2 = FX/cert2 + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = +tls_peerdn+tls_certificate_verified + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +# Set certificate only if server + +tls_certificate = ${if eq {SERVER}{server}{CERT1}fail} +tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail} + +tls_verify_hosts = * +tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail} + + +# ----- Routers ----- + +begin routers + +server_dump: + driver = redirect + condition = ${if eq {SERVER}{server}{yes}{no}} + data = :blackhole: + +client_x: + driver = accept + local_parts = userx + retry_use_local_part + transport = send_to_server_failcert + errors_to = "" + +client_y: + driver = accept + local_parts = usery + retry_use_local_part + transport = send_to_server_retry + +client_z: + driver = accept + local_parts = userz + retry_use_local_part + transport = send_to_server_crypt + +client_q: + driver = accept + local_parts = userq + retry_use_local_part + transport = send_to_server_req_fail + +client_r: + driver = accept + local_parts = userr + retry_use_local_part + transport = send_to_server_req_failname + +client_s: + driver = accept + local_parts = users + retry_use_local_part + transport = send_to_server_req_passname + + +# ----- Transports ----- + +begin transports + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement +send_to_server_failcert: + 
driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok +send_to_server_retry: + driver = smtp + allow_localhost + hosts = HOSTIPV4 : 127.0.0.1 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = \ + ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} + +# this will fail to verify the cert but continue unverified though crypted +send_to_server_crypt: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_try_verify_hosts = * + +# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted +send_to_server_req_fail: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_verify_hosts = * + +# this will fail to verify the cert name and fallback to unencrypted +send_to_server_req_failname: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = server1.example.net : server1.example.org + tls_verify_hosts = * + +# this will pass the cert verify including name check +send_to_server_req_passname: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = noway.example.com : server1.example.com + tls_verify_hosts = * + +# End diff --git a/test/confs/5600 b/test/confs/5600 index 8b26ee7fa..018ee3a78 100644 --- a/test/confs/5600 +++ b/test/confs/5600 
@@ -14,6 +14,8 @@ gecos_name = CALLER_NAME # ----- Main settings ----- +acl_smtp_connect = check_connect +acl_smtp_mail = check_mail acl_smtp_rcpt = check_recipient log_selector = +tls_peerdn @@ -37,6 +39,16 @@ tls_ocsp_file = OCSP begin acl +check_connect: + accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + +check_mail: + accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + check_recipient: deny message = certificate not verified: peerdn=$tls_peerdn ! verify = certificate diff --git a/test/confs/5601 b/test/confs/5601 index 5172ff279..3e97fcbea 100644 --- a/test/confs/5601 +++ b/test/confs/5601 @@ -18,6 +18,8 @@ gecos_name = CALLER_NAME domainlist local_domains = test.ex : *.test.ex acl_smtp_rcpt = check_recipient +acl_smtp_data = check_data + log_selector = +tls_peerdn remote_max_parallel = 1 @@ -47,6 +49,10 @@ check_recipient: accept domains = +local_domains deny message = relay not permitted +check_data: + warn condition = ${if def:h_X-TLS-out:} + logwrite = client claims: $h_X-TLS-out: + accept # ----- Routers ----- @@ -57,8 +63,9 @@ client: condition = ${if eq {SERVER}{server}{no}{yes}} retry_use_local_part transport = send_to_server${if eq{$local_part}{nostaple}{1} \ - {${if eq{$local_part}{smtps} {3}{2}}} \ - } + {${if eq{$local_part}{norequire} {2} \ + {${if eq{$local_part}{smtps} {4}{3}}} \ + }}} server: driver = redirect 
@@ -84,30 +91,49 @@ send_to_server1: port = PORT_D tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * -# note no ocsp here + hosts_request_ocsp = : + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) send_to_server2: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * +# note no ocsp mention here + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + +send_to_server3: driver = smtp allow_localhost hosts = 127.0.0.1 port = PORT_D helo_data = helo.data.changed - #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * hosts_require_ocsp = * + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) -send_to_server3: +send_to_server4: driver = smtp allow_localhost hosts = 127.0.0.1 port = PORT_D helo_data = helo.data.changed - #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem protocol = smtps hosts_require_tls = * hosts_require_ocsp = * + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) # ----- Retry ----- diff --git a/test/confs/5608 b/test/confs/5608 new file mode 100644 index 000000000..55d9a2015 --- /dev/null +++ b/test/confs/5608 
@@ -0,0 +1,157 @@ +# Exim test configuration 5601 +# OCSP stapling, client, tpda + +SERVER = + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = server1.example.com +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + + +# ----- Main settings ----- + +domainlist local_domains = test.ex : *.test.ex + +acl_smtp_rcpt = check_recipient +acl_smtp_data = check_data + +log_selector = +tls_peerdn +remote_max_parallel = 1 + +tls_advertise_hosts = * + +# Set certificate only if server + +tls_certificate = ${if eq {SERVER}{server}\ +{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\ +fail\ +} + +#{DIR/aux-fixed/exim-ca/example.com/CA/CA.pem}\ + +tls_privatekey = ${if eq {SERVER}{server}\ +{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\ +fail} + +tls_ocsp_file = OCSP + + +# ------ ACL ------ + +begin acl + +check_recipient: + accept domains = +local_domains + deny message = relay not permitted + +check_data: + warn condition = ${if def:h_X-TLS-out:} + logwrite = client claims: $h_X-TLS-out: + accept + +logger: + warn logwrite = client ocsp status: $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + accept + +# ----- Routers ----- + +begin routers + +client: + driver = accept + condition = ${if eq {SERVER}{server}{no}{yes}} + retry_use_local_part + transport = send_to_server${if eq{$local_part}{nostaple}{1} \ + {${if eq{$local_part}{norequire} {2} \ + {${if eq{$local_part}{smtps} {4}{3}}} \ + }}} + +server: + driver = redirect + data = :blackhole: + #retry_use_local_part + #transport = local_delivery + + +# ----- Transports ----- + +begin transports + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +# nostaple: deliberately do 
not request cert-status +send_to_server1: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * + hosts_request_ocsp = : + headers_add = X-TLS-out: ocsp status $tls_out_ocsp + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +# norequire: request stapling but do not verify +send_to_server2: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * +# note no ocsp mention here + headers_add = X-TLS-out: ocsp status $tls_out_ocsp + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +# (any other name): request and verify +send_to_server3: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + helo_data = helo.data.changed + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * + hosts_require_ocsp = * + headers_add = X-TLS-out: ocsp status $tls_out_ocsp + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +# (any other name): request and verify, ssl-on-connect +send_to_server4: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + helo_data = helo.data.changed + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + protocol = smtps + hosts_require_tls = * + hosts_require_ocsp = * + headers_add = X-TLS-out: ocsp status $tls_out_ocsp + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + + +# ----- Retry ----- + + +begin retry + +* * F,5d,1s + + +# End diff --git a/test/confs/5650 b/test/confs/5650 new file mode 100644 index 000000000..2b8960366 --- /dev/null +++ b/test/confs/5650 
@@ -0,0 +1,77 @@ +# Exim test configuration 5650 +# OCSP stapling, server + +CRL= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = server1.example.com +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +# ----- Main settings ----- + +acl_smtp_connect = check_connect +acl_smtp_mail = check_mail +acl_smtp_rcpt = check_recipient + +log_selector = +tls_peerdn + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem +tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key +tls_crl = CRL +tls_ocsp_file = OCSP + +#tls_verify_hosts = HOSTIPV4 +#tls_try_verify_hosts = * +#tls_verify_certificates = DIR/aux-fixed/cert2 + + + +# ------ ACL ------ + +begin acl + +check_connect: + accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + +check_mail: + accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + +check_recipient: + accept + + +# ----- Routers ----- + +begin routers + +abc: + driver = accept + retry_use_local_part + transport = local_delivery + + +# ----- Transports ----- + +begin transports + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +# End diff --git a/test/confs/5651 b/test/confs/5651 new file mode 100644 index 000000000..6b70d33b2 --- /dev/null +++ b/test/confs/5651 
@@ -0,0 +1,147 @@ +# Exim test configuration 5651 +# OCSP stapling, client + +SERVER = + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = server1.example.com +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + + +# ----- Main settings ----- + +domainlist local_domains = test.ex : *.test.ex + +acl_smtp_rcpt = check_recipient +acl_smtp_data = check_data + +log_selector = +tls_peerdn +remote_max_parallel = 1 + +tls_advertise_hosts = * + +# Set certificate only if server +tls_certificate = ${if eq {SERVER}{server}\ +{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\ +fail\ +} +tls_privatekey = ${if eq {SERVER}{server}\ +{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\ +fail} + +# from cmdline define +tls_ocsp_file = OCSP + + +# ------ ACL ------ + +begin acl + +check_recipient: + accept domains = +local_domains + deny message = relay not permitted + +check_data: + warn condition = ${if def:h_X-TLS-out:} + logwrite = client claims: $h_X-TLS-out: + accept + + +# ----- Routers ----- + +begin routers + +client: + driver = accept + condition = ${if eq {SERVER}{server}{no}{yes}} + retry_use_local_part + transport = send_to_server${if eq{$local_part}{nostaple}{1} \ + {${if eq{$local_part}{norequire} {2} \ + {${if eq{$local_part}{smtps} {4}{3}}} \ + }}} + +server: + driver = redirect + data = :blackhole: + #retry_use_local_part + #transport = local_delivery + + +# ----- Transports ----- + +begin transports + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +send_to_server1: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * + hosts_request_ocsp = : + headers_add = X-TLS-out: 
OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + +send_to_server2: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * +# note no ocsp mention here + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + +send_to_server3: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + helo_data = helo.data.changed + #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * + hosts_require_ocsp = * + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + +send_to_server4: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + helo_data = helo.data.changed + #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + protocol = smtps + hosts_require_tls = * + hosts_require_ocsp = * + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + + +# ----- Retry ----- + + +begin retry + +* * F,5d,1s + + +# End diff --git a/test/confs/5658 b/test/confs/5658 new file mode 100644 index 000000000..e8f2494f6 --- /dev/null +++ b/test/confs/5658 
@@ -0,0 +1,161 @@ +# Exim test configuration 5658 +# OCSP stapling, client, tpda + +SERVER = + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = server1.example.com +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + + +# ----- Main settings ----- + +domainlist local_domains = test.ex : *.test.ex + +acl_smtp_rcpt = check_recipient +acl_smtp_data = check_data + +log_selector = +tls_peerdn +remote_max_parallel = 1 + +tls_advertise_hosts = * + +# Set certificate only if server +tls_certificate = ${if eq {SERVER}{server}\ +{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\ +fail\ +} +tls_privatekey = ${if eq {SERVER}{server}\ +{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\ +fail} + +# from cmdline define +tls_ocsp_file = OCSP + + +# ------ ACL ------ + +begin acl + +check_recipient: + accept domains = +local_domains + deny message = relay not permitted + +check_data: + warn condition = ${if def:h_X-TLS-out:} + logwrite = client claims: $h_X-TLS-out: + accept + +logger: + warn logwrite = client ocsp status: $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + accept + + +# ----- Routers ----- + +begin routers + +client: + driver = accept + condition = ${if eq {SERVER}{server}{no}{yes}} + retry_use_local_part + transport = send_to_server${if eq{$local_part}{nostaple}{1} \ + {${if eq{$local_part}{norequire} {2} \ + {${if eq{$local_part}{smtps} {4}{3}}} \ + }}} + +server: + driver = redirect + data = :blackhole: + #retry_use_local_part + #transport = local_delivery + + +# ----- Transports ----- + +begin transports + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +send_to_server1: + driver = smtp + allow_localhost + hosts = 
HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * + hosts_request_ocsp = : + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +send_to_server2: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * +# note no ocsp mention here + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +send_to_server3: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + helo_data = helo.data.changed + #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * + hosts_require_ocsp = * + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +send_to_server4: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + helo_data = helo.data.changed + #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + protocol = smtps + hosts_require_tls = * + hosts_require_ocsp = * + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + + +# ----- 
Retry ----- + + +begin retry + +* * F,5d,1s + + +# End diff --git a/test/confs/5750 b/test/confs/5750 new file mode 100644 index 000000000..a8ff60350 --- /dev/null +++ b/test/confs/5750 
@@ -0,0 +1,95 @@ +# Exim test configuration 5750 (dup of 5760) +# $tls_out_peercert - GnuTLS + +SERVER= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = +tls_peerdn + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem +tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key + +tls_verify_hosts = * +tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem + +# + +begin acl +logger: + warn logwrite = $acl_arg1 $tpda_delivery_local_part + warn logwrite = ${if !def:tls_out_ourcert \ + {NO CLENT CERT presented} \ + {Our cert SN: ${certextract{subject}{$tls_out_ourcert}}}} + accept condition = ${if !def:tls_out_peercert} + logwrite = No Peer cert + accept logwrite = Peer cert: + logwrite = ver <${certextract {version} {$tls_out_peercert}}> + logwrite = SN <${certextract {subject} {$tls_out_peercert}}> + logwrite = IN <${certextract {issuer} {$tls_out_peercert}}> + logwrite = NB <${certextract {notbefore} {$tls_out_peercert}}> + logwrite = NA <${certextract {notafter} {$tls_out_peercert}}> + logwrite = SA <${certextract {sig_algorithm} {$tls_out_peercert}}> + logwrite = SG <${certextract {signature} {$tls_out_peercert}}> + logwrite = ${certextract {subj_altname} {$tls_out_peercert}{SAN <$value>}{(no SAN)}} +# logwrite = ${certextract {ocsp_uri} {$tls_out_peercert} {OCU <$value>}{(no OCU)}} + logwrite = ${certextract {crl_uri} {$tls_out_peercert} {CRU <$value>}{(no CRU)}} + + +# ----- Routers ----- + +begin routers + +client: + driver = accept + condition = ${if eq {SERVER}{server}{no}{yes}} + retry_use_local_part + transport = 
send_to_server + + +# ----- Transports ----- + +begin transports + +send_to_server: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + + tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem + tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key + + tls_verify_certificates = DIR/aux-fixed/exim-ca/\ + ${if eq {$local_part}{good}\ +{example.com/server1.example.com/ca_chain.pem}\ +{example.net/server1.example.net/ca_chain.pem}} + + tpda_delivery_action = ${acl {logger} {delivery} {$domain} } + tpda_host_defer_action = ${acl {logger} {deferral} {$domain} } + +# ----- Retry ----- + + +begin retry + +* * F,5d,10s + + +# End diff --git a/test/confs/5760 b/test/confs/5760 new file mode 100644 index 000000000..e9868d109 --- /dev/null +++ b/test/confs/5760 
@@ -0,0 +1,95 @@ +# Exim test configuration 5760 (dup of 5750) +# $tls_out_peercert - OpenSSL + +SERVER= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = +tls_peerdn + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem +tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key + +tls_verify_hosts = * +tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem + +# + +begin acl +logger: + warn logwrite = $acl_arg1 $tpda_delivery_local_part + warn logwrite = ${if !def:tls_out_ourcert \ + {NO CLENT CERT presented} \ + {Our cert SN: ${certextract{subject}{$tls_out_ourcert}}}} + accept condition = ${if !def:tls_out_peercert} + logwrite = No Peer cert + accept logwrite = Peer cert: + logwrite = ver <${certextract {version} {$tls_out_peercert}}> + logwrite = SN <${certextract {subject} {$tls_out_peercert}}> + logwrite = IN <${certextract {issuer} {$tls_out_peercert}}> + logwrite = NB <${certextract {notbefore} {$tls_out_peercert}}> + logwrite = NA <${certextract {notafter} {$tls_out_peercert}}> + logwrite = SA <${certextract {sig_algorithm} {$tls_out_peercert}}> + logwrite = SG <${certextract {signature} {$tls_out_peercert}}> + logwrite = ${certextract {subj_altname,>;}{$tls_out_peercert}{SAN <$value>}{(no SAN)}} + logwrite = ${certextract {ocsp_uri} {$tls_out_peercert} {OCU <$value>}{(no OCU)}} + logwrite = ${certextract {crl_uri} {$tls_out_peercert} {CRU <$value>}{(no CRU)}} + + +# ----- Routers ----- + +begin routers + +client: + driver = accept + condition = ${if eq {SERVER}{server}{no}{yes}} + retry_use_local_part + transport = 
send_to_server + + +# ----- Transports ----- + +begin transports + +send_to_server: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + + tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem + tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key + + tls_verify_certificates = DIR/aux-fixed/exim-ca/\ + ${if eq {$local_part}{good}\ +{example.com/server1.example.com/ca_chain.pem}\ +{example.net/server1.example.net/ca_chain.pem}} + + tpda_delivery_action = ${acl {logger} {delivery} {$domain} } + tpda_host_defer_action = ${acl {logger} {deferral} {$domain} } + +# ----- Retry ----- + + +begin retry + +* * F,5d,10s + + +# End diff --git a/test/log/0023 b/test/log/0023 index 9880fbd92..422944aee 100644 --- a/test/log/0023 +++ b/test/log/0023 
@@ -42,17 +42,20 @@ 1999-03-02 09:44:33 10HmbK-0005vi-00 => cond-yes R=r1 T=t1 1999-03-02 09:44:33 10HmbK-0005vi-00 Completed 1999-03-02 09:44:33 H=[56.56.57.57] U=CALLER F= temporarily rejected RCPT : invalid "condition" value "rhubarb" -1999-03-02 09:44:33 10HmbL-0005vi-00 <= userx@test.ex H=[56.56.56.56] U=CALLER P=smtp S=sss -1999-03-02 09:44:33 10HmbL-0005vi-00 => cond-rhubarb R=r1 T=t1 +1999-03-02 09:44:33 10HmbL-0005vi-00 <= userx@test.ex H=[56.56.57.57] U=CALLER P=smtp S=sss +1999-03-02 09:44:33 10HmbL-0005vi-00 => cond--1 R=r1 T=t1 1999-03-02 09:44:33 10HmbL-0005vi-00 Completed +1999-03-02 09:44:33 10HmbM-0005vi-00 <= userx@test.ex H=[56.56.56.56] U=CALLER P=smtp S=sss +1999-03-02 09:44:33 10HmbM-0005vi-00 => cond-rhubarb R=r1 T=t1 +1999-03-02 09:44:33 10HmbM-0005vi-00 Completed 1999-03-02 09:44:33 H=[56.56.58.58] U=CALLER F= rejected RCPT 1999-03-02 09:44:33 H=[56.56.58.58] U=CALLER F= rejected RCPT 1999-03-02 09:44:33 H=[56.56.58.58] U=CALLER F= rejected RCPT -1999-03-02 09:44:33 10HmbM-0005vi-00 <= rcpttest@test.ex H=[56.56.58.58] U=CALLER P=smtp S=sss -1999-03-02 09:44:33 10HmbM-0005vi-00 => ok1 R=r0 T=t2 -1999-03-02 09:44:33 10HmbM-0005vi-00 -> ok2 R=r0 T=t2 -1999-03-02 09:44:33 10HmbM-0005vi-00 -> ok3 R=r0 T=t2 -1999-03-02 09:44:33 10HmbM-0005vi-00 Completed +1999-03-02 09:44:33 10HmbN-0005vi-00 <= rcpttest@test.ex H=[56.56.58.58] U=CALLER P=smtp S=sss +1999-03-02 09:44:33 10HmbN-0005vi-00 => ok1 R=r0 T=t2 +1999-03-02 09:44:33 10HmbN-0005vi-00 -> ok2 R=r0 T=t2 +1999-03-02 09:44:33 10HmbN-0005vi-00 -> ok3 R=r0 T=t2 +1999-03-02 09:44:33 10HmbN-0005vi-00 Completed 1999-03-02 09:44:33 H=[56.56.59.59] U=CALLER F= rejected RCPT : here is a fail message 1999-03-02 09:44:33 H=[V4NET.11.12.13] U=CALLER F= rejected RCPT : DNSLIST (rbl.test.ex: This is a test blacklisting message) 1999-03-02 09:44:33 H=[V4NET.11.12.13] U=CALLER F= rejected RCPT : DNSLIST (rbl.test.ex: This is a test blacklisting message) 
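Review bot: in the new test/confs/5760, the second "warn logwrite" of the logger ACL writes the string "NO CLENT CERT presented", where "CLENT" looks like a typo for "CLIENT". Any reference log recorded from this configuration will carry the same misspelling, so it is cheaper to fix before one is committed. The header comment says "dup of 5750", and the tail of the preceding configuration in this patch is identical to this one from the send_to_server transport onwards. A one-line comment stating what actually differs between the two tests would help whoever has to change one and remember the other.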
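Review bot: in test/log/0023, the new expected lines for 10HmbL (now received from H=[56.56.57.57] and delivered to cond--1) follow directly after the unchanged line where the same host is temporarily rejected for invalid "condition" value "rhubarb", and nothing visible here says which condition value the new case exercises or why it is accepted. Please make sure the test script names the case in a comment. Inserting it also shifts the later message ids (the rcpttest message moves from 10HmbM to 10HmbN), so any other reference output for test 0023 that quotes these ids needs the same renumbering in this commit.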
diff --git a/test/log/0027 b/test/log/0027 index 9aade8869..3dbfa0258 100644 --- a/test/log/0027 +++ b/test/log/0027 @@ -3,7 +3,7 @@ 1999-03-02 09:44:33 U=CALLER F= rejected RCPT : Sender verify failed 1999-03-02 09:44:33 U=CALLER F= rejected RCPT : deny for userx 1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny verify = header_syntax"@test.ex>: cannot verify header_syntax in ACL for RCPT -1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny verify = junk"@test.ex>: expected "sender[=address]", "recipient", "helo", "header_syntax", "header_sender" or "reverse_host_lookup" at start of ACL condition "verify junk" +1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny verify = junk"@test.ex>: expected "sender[=address]", "recipient", "helo", "header_syntax", "header_sender", "header_names_ascii" or "reverse_host_lookup" at start of ACL condition "verify junk" 1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny vorify = junk"@test.ex>: unknown ACL condition/modifier in "deny vorify = junk" 1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"dony verify = junk"@test.ex>: unknown ACL verb "dony" in "dony verify = junk" 1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny !message = abcd"@test.ex>: ACL error: negation is not allowed with "message" diff --git a/test/log/0600 b/test/log/0600 new file mode 100644 index 000000000..8fc8cfc36 --- /dev/null +++ b/test/log/0600 
@@ -0,0 +1,18 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 x-test-header-good1: 1234567890qwertzuiopasdfghjklyxcvbnm,.-QWERTZUIOP+*ASDFGHJKL#'YXCVBNM,.-;:_ +1999-03-02 09:44:33 10HmaX-0005vi-00 x-test-header-good2: \303\237\303\274\303\266\303\244\342\202\254\303\234\303\226\303\204\302\264\340\244\221\340\244\225\340\244\234\341\220\201\341\221\214\341\221\225\360\253\235\206\360\253\237\230 +1999-03-02 09:44:33 10HmaX-0005vi-00 x-test-header-too-short: ?.?.?.\303\244-?.-\303\234.?..?.-?.-?..-?.-?.-?.-?.-?..-?..?. +1999-03-02 09:44:33 10HmaX-0005vi-00 x-test-header-too-long: ?????-\303\244-?????--\303\226-\303\204-\302\264-\340\244\221-\340\244\225-\340\244\234-\341\220\201-\341\221\214-\341\221\225-?????\360\253\237\206 +1999-03-02 09:44:33 10HmaX-0005vi-00 x-test-header-too-big: ?-----\363\200\200\200 +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@the.local.host.name U=CALLER P=local-smtp S=sss +1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER R=localuser T=local_delivery +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 x-test-header-good1: +1999-03-02 09:44:33 10HmaY-0005vi-00 x-test-header-good2: +1999-03-02 09:44:33 10HmaY-0005vi-00 x-test-header-too-short: +1999-03-02 09:44:33 10HmaY-0005vi-00 x-test-header-too-long: +1999-03-02 09:44:33 10HmaY-0005vi-00 x-test-header-too-big: +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@the.local.host.name U=CALLER P=local-smtp S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER R=localuser T=local_delivery +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 Start queue run: pid=pppp +1999-03-02 09:44:33 End queue run: pid=pppp diff --git a/test/log/2000 b/test/log/2000 index 6c690bf9e..6685d5944 100644 --- a/test/log/2000 +++ b/test/log/2000 
@@ -1,6 +1,6 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): invalid +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate invalid 1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls) 1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed diff --git a/test/log/2001 b/test/log/2001 index a6a3ea8b4..da5a78a93 100644 --- a/test/log/2001 +++ b/test/log/2001 @@ -1,10 +1,10 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): invalid +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate invalid 1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@test.ex R=client T=send_to_server defer (-37): failure while setting up TLS session 1999-03-02 09:44:33 End queue run: pid=pppp -qf 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): invalid +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate invalid 1999-03-02 09:44:33 10HmaX-0005vi-00 == CALLER@test.ex R=client T=send_to_server defer (-37): failure while setting up TLS session 1999-03-02 09:44:33 End queue run: pid=pppp -qf 
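Review bot: the reworded reason in test/log/2000 and test/log/2001, from "(certificate verification failed): invalid" to "(certificate verification failed): certificate invalid", changes a main-log string that operators may match on, so it deserves a ChangeLog entry if it does not already have one. In test/log/2000 the unchanged lines right after it still expect "TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)" followed by a successful delivery. A comment in that test stating that cleartext fallback after a failed verification is the intended result would keep the line from being read as a regression.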
diff --git a/test/log/2002 b/test/log/2002 index 774495514..73c76baf1 100644 --- a/test/log/2002 +++ b/test/log/2002 
@@ -1,8 +1,29 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 Our cert SN: +1999-03-02 09:44:33 Peer did not present a cert 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss +1999-03-02 09:44:33 Our cert SN: +1999-03-02 09:44:33 Peer did not present a cert 1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate. -1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss +1999-03-02 09:44:33 Our cert SN: +1999-03-02 09:44:33 Peer cert: +1999-03-02 09:44:33 ver 3 +1999-03-02 09:44:33 SR +1999-03-02 09:44:33 SN +1999-03-02 09:44:33 IN +1999-03-02 09:44:33 IN/O +1999-03-02 09:44:33 NB +1999-03-02 09:44:33 NB/i <1351773246> +1999-03-02 09:44:33 NA +1999-03-02 09:44:33 SA +1999-03-02 09:44:33 SG <6c 37 41 26 4d 5d f4 b5 31 10 67 ca fb 64 b6 22 98 62 f7 1e 95 7b 6c e6 74 47 21 f4 5e 89 36 3e b9 9c 8a c5 52 bb c4 af 12 93 26 3b d7 3d e0 56 71 1e 1d 21 20 02 ed f0 4e d5 5e 45 42 fd 3c 38 41 54 83 86 0b 3b bf c5 47 39 ff 15 ea 93 dc fd c7 3d 18 58 59 ca dd 2a d8 b9 f9 2f b9 76 93 f4 ae e3 91 56 80 2f 8c 04 2f ad 57 ef d2 51 19 f4 b4 ef 32 9c ac 3a 7c 0d b8 39 db b1 e3 30 73 1a> +1999-03-02 09:44:33 SAN +1999-03-02 09:44:33 CRU +1999-03-02 09:44:33 md5 fingerprint C5FA6C8B1BE926DBC4E436AF08F92B55 +1999-03-02 09:44:33 sha1 fingerprint 40B2135E6B67AE36A397696DA328423685E74CE3 +1999-03-02 09:44:33 sha256 fingerprint 6064D93E235FBA6FC66788F2AAC087752D856ECC7901FFCB8B53B21A09D232D2 +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps 
X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server2.example.com" S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER R=abc T=local_delivery 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed diff --git a/test/log/2003 b/test/log/2003 index f6d0a987d..8c1c5c1ff 100644 --- a/test/log/2003 +++ b/test/log/2003 @@ -1,5 +1,5 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] F= rejected RCPT : unacceptable cipher TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 +1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 F= rejected RCPT : unacceptable cipher TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=(rhu.barb) [127.0.0.1] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx R=abc T=local_delivery diff --git a/test/log/2012 b/test/log/2012 index b4bceb688..bcb1e6fd8 100644 --- a/test/log/2012 +++ b/test/log/2012 
@@ -1,12 +1,32 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): invalid -1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid +1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@test.ex R=client_x T=send_to_server_failcert defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@test.ex: retry timeout exceeded +1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid +1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 
09:44:33 10HmbA-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid +1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls) +1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00" +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad 1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason. -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad +1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason. 
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad +1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason. +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex diff --git a/test/log/2014 b/test/log/2014 index feaf4be4c..39531ddc3 100644 --- a/test/log/2014 +++ b/test/log/2014 
@@ -1,8 +1,8 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 TLS error on connection from (rhu1.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate. -1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] F= rejected RCPT : certificate not verified: peerdn= -1999-03-02 09:44:33 TLS error on connection from (rhu5.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): invalid -1999-03-02 09:44:33 H=[127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock +1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 F= rejected RCPT : certificate not verified: peerdn= +1999-03-02 09:44:33 TLS error on connection from (rhu5.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid +1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 TLS error on connection from (rhu7.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): revoked -1999-03-02 09:44:33 H=[127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock +1999-03-02 09:44:33 TLS error on connection from (rhu7.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate revoked +1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock diff --git a/test/log/2024 b/test/log/2024 index c45da6e89..117382b5a 100644 
--- a/test/log/2024 +++ b/test/log/2024 @@ -1,4 +1,4 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate. +1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (cert/key setup: cert=/non/exist key=/non/exist): Error while reading file. diff --git a/test/log/2025 b/test/log/2025 index 0b602bde1..fafc68d5b 100644 --- a/test/log/2025 +++ b/test/log/2025 
@@ -1,11 +1,11 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (gnutls_handshake): A TLS packet with unexpected length was received. -1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_3DES_EDE_CBC_SHA1:192 CV=no DN="C=UK,L=Cambridge,O=University of Cambridge,OU=Computing Service,CN=Philip Hazel" +1999-03-02 09:44:33 10HmaX-0005vi-00 a TLS session is required for ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4], but an attempt to start TLS failed +1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (gnutls_handshake): No supported cipher suites have been found. -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.2:RSA_3DES_EDE_CBC_SHA1:192 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (gnutls_handshake): Could not negotiate a supported cipher suite. +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex diff --git a/test/log/2026 b/test/log/2026 index 8c8ab7af0..f01644496 100644 --- a/test/log/2026 
+++ b/test/log/2026 @@ -1,13 +1,6 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 H=localhost (myhost.test.ex) [127.0.0.1] F= temporarily rejected RCPT -1999-03-02 09:44:33 10HmaX-0005vi-00 SMTP error from remote mail server after RCPT TO:: host 127.0.0.1 [127.0.0.1]: 451 Temporary local problem - please try later -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmaY-0005vi-00 => userx R=r0 T=t2 -1999-03-02 09:44:33 10HmaY-0005vi-00 Completed -1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaX-0005vi-00@myhost.test.ex -1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@myhost.test.ex R=r1 T=t1 H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00" -1999-03-02 09:44:33 10HmaX-0005vi-00 => usery@myhost.test.ex R=r1 T=t1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00" -1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 10HmaZ-0005vi-00 => usery R=r0 T=t2 -1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmaX-0005vi-00 no immediate delivery: queued by ACL +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaY-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmaZ-0005vi-00 no immediate delivery: queued by ACL 
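Review bot: the new expected log for test/log/2026 drops every delivery line, including "=> usery@myhost.test.ex R=r1 T=t1 ... X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN=..." and the "451 Temporary local problem - please try later" SMTP error, and keeps only two receptions, each followed by "no immediate delivery: queued by ACL". If the encrypted and unencrypted deliveries to the two hosts are still what this test is about, please confirm they are asserted in another reference file, because this log now only checks reception. Both remaining receptions carry id=E10HmaY-0005vi-00@myhost.test.ex, so the originating message is now 10HmaY, and its own "<= ... P=local" line no longer appears here. A short note in the test explaining where that line went would help.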
diff --git a/test/log/2027 b/test/log/2027 index 547303822..a54d4a5a9 100644 --- a/test/log/2027 +++ b/test/log/2027 @@ -3,7 +3,7 @@ 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C="250 OK id=10HmaZ-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (gnutls_handshake): A TLS packet with unexpected length was received. +1999-03-02 09:44:33 10HmaY-0005vi-00 a TLS session is required for ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4], but an attempt to start TLS failed 1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls) 1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed diff --git a/test/log/2029 b/test/log/2029 index fc79930b2..e4510feb1 100644 --- a/test/log/2029 +++ b/test/log/2029 @@ -1,3 +1,3 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection from [127.0.0.1] (recv): A TLS packet with unexpected length was received. +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated. 1999-03-02 09:44:33 10HmaX-0005vi-00 SMTP connection lost after final dot H=[127.0.0.1] P=smtps diff --git a/test/log/2102 b/test/log/2102 index da4ee49d7..25bef1864 100644 --- a/test/log/2102 +++ b/test/log/2102 
@@ -1,9 +1,31 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 Our cert SN: +1999-03-02 09:44:33 Peer did not present a cert 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss +1999-03-02 09:44:33 Our cert SN: +1999-03-02 09:44:33 Peer did not present a cert 1999-03-02 09:44:33 10HmaY-0005vi-00 <= "name with spaces"@test.ex H=[127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) -1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss +1999-03-02 09:44:33 Our cert SN: +1999-03-02 09:44:33 Peer cert: +1999-03-02 09:44:33 ver 2 +1999-03-02 09:44:33 SR +1999-03-02 09:44:33 SN +1999-03-02 09:44:33 IN +1999-03-02 09:44:33 IN/O +1999-03-02 09:44:33 NB +1999-03-02 09:44:33 NB/i <1351773246> +1999-03-02 09:44:33 NA +1999-03-02 09:44:33 SA +1999-03-02 09:44:33 SG < Signature Algorithm: sha1WithRSAEncryption\n 6c:37:41:26:4d:5d:f4:b5:31:10:67:ca:fb:64:b6:22:98:62:\n f7:1e:95:7b:6c:e6:74:47:21:f4:5e:89:36:3e:b9:9c:8a:c5:\n 52:bb:c4:af:12:93:26:3b:d7:3d:e0:56:71:1e:1d:21:20:02:\n ed:f0:4e:d5:5e:45:42:fd:3c:38:41:54:83:86:0b:3b:bf:c5:\n 47:39:ff:15:ea:93:dc:fd:c7:3d:18:58:59:ca:dd:2a:d8:b9:\n f9:2f:b9:76:93:f4:ae:e3:91:56:80:2f:8c:04:2f:ad:57:ef:\n d2:51:19:f4:b4:ef:32:9c:ac:3a:7c:0d:b8:39:db:b1:e3:30:\n 73:1a\n> +1999-03-02 09:44:33 SAN +1999-03-02 09:44:33 OCU +1999-03-02 09:44:33 CRU +1999-03-02 09:44:33 md5 fingerprint C5FA6C8B1BE926DBC4E436AF08F92B55 +1999-03-02 09:44:33 sha1 fingerprint 40B2135E6B67AE36A397696DA328423685E74CE3 +1999-03-02 09:44:33 sha256 fingerprint 6064D93E235FBA6FC66788F2AAC087752D856ECC7901FFCB8B53B21A09D232D2 +1999-03-02 09:44:33 
10HmaZ-0005vi-00 <= CALLER@test.ex H=[ip4.ip4.ip4.ip4] P=smtps X=TLSv1:AES256-SHA:256 DN="/CN=server2.example.com" S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER R=abc T=local_delivery 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed diff --git a/test/log/2103 b/test/log/2103 index bc6230d0f..e1d7eac9d 100644 --- a/test/log/2103 +++ b/test/log/2103 @@ -1,5 +1,5 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] F= rejected RCPT : unacceptable cipher TLSv1:AES256-SHA:256 +1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 F= rejected RCPT : unacceptable cipher TLSv1:AES256-SHA:256 1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=(rhu.barb) [127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx R=abc T=local_delivery diff --git a/test/log/2112 b/test/log/2112 index bee2f6fe3..ea09dd9a9 100644 --- a/test/log/2112 +++ b/test/log/2112 
@@ -1,13 +1,38 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com 1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <> -1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@test.ex R=client_x T=send_to_server_failcert defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@test.ex: retry timeout exceeded +1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com +1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=unable to get local 
issuer certificate cert=/CN=server1.example.com +1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=certificate not trusted cert=/CN=server1.example.com +1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=server1.example.com +1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbA-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com +1999-03-02 09:44:33 10HmbA-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls) +1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00" +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) 
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex diff --git a/test/log/2114 b/test/log/2114 index 862f93f1d..09738fd14 100644 --- a/test/log/2114 +++ b/test/log/2114 
@@ -1,16 +1,16 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) -1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] F= rejected RCPT : certificate not verified: peerdn= +1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] X=TLSv1:AES256-SHA:256 F= rejected RCPT : certificate not verified: peerdn= 1999-03-02 09:44:33 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) 1999-03-02 09:44:33 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock -1999-03-02 09:44:33 H=[127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 SSL verify error: depth=0 error=certificate revoked cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) 
1999-03-02 09:44:33 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock 1999-03-02 09:44:33 SSL verify error: depth=0 error=CRL signature failure cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock -1999-03-02 09:44:33 H=[127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock diff --git a/test/log/3454 b/test/log/3454 index cb4757977..e6e0cb963 100644 --- a/test/log/3454 +++ b/test/log/3454 @@ -1,5 +1,5 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): A TLS packet with unexpected length was received. +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated. 1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason. 1999-03-02 09:44:33 no MAIL in SMTP connection from [127.0.0.1] D=0s X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C=EHLO,STARTTLS,AUTH 1999-03-02 09:44:33 no MAIL in SMTP connection from (foobar) [127.0.0.1] D=0s A=plain:userx X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C=EHLO,STARTTLS,EHLO,AUTH,QUIT diff --git a/test/log/5100 b/test/log/5100 index ec4a807ff..5c4f5ce46 100644 --- a/test/log/5100 +++ b/test/log/5100 
@@ -86,12 +86,12 @@ DATA QUIT <<< QUIT 250 OK -1999-03-02 09:44:33 10HmbD-0005vi-00 => userx R=smartuser T=lmtp +1999-03-02 09:44:33 10HmbD-0005vi-00 => userx R=smartuser T=lmtp C="250 Number 1 is OK" 1999-03-02 09:44:33 10HmbD-0005vi-00 == jack@myhost.test.ex R=smartuser T=lmtp defer (-46): LMTP error after end of data: 450 Number 2 is now delayed 1999-03-02 09:44:33 10HmbD-0005vi-00 ** jill@myhost.test.ex R=smartuser T=lmtp: LMTP error after end of data: 550 Number 3 is now rejected 1999-03-02 09:44:33 10HmbD-0005vi-00 == tom@myhost.test.ex R=smartuser T=lmtp defer (-44): LMTP error after RCPT TO:: 450 This one is delayed on RCPT 1999-03-02 09:44:33 10HmbD-0005vi-00 ** dick@myhost.test.ex R=smartuser T=lmtp: LMTP error after RCPT TO:: 550 This one is unknown on RCPT -1999-03-02 09:44:33 10HmbD-0005vi-00 -> harry R=smartuser T=lmtp +1999-03-02 09:44:33 10HmbD-0005vi-00 -> harry R=smartuser T=lmtp C="250 Number 6 is OK" 1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> R=10HmbD-0005vi-00 U=EXIMUSER P=local S=sss 1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: R=bounces 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed @@ -137,7 +137,7 @@ DATA <<< This is a test message. <<< . 250 Number 1 is OK -1999-03-02 09:44:33 10HmbF-0005vi-00 => userx R=smartuser T=lmtp +1999-03-02 09:44:33 10HmbF-0005vi-00 => userx R=smartuser T=lmtp C="250 Number 1 is OK" 1999-03-02 09:44:33 10HmbF-0005vi-00 == jack@myhost.test.ex R=smartuser T=lmtp defer (-1): LMTP timeout after end of data (ddd bytes written) 1999-03-02 09:44:33 10HmbF-0005vi-00 == jill@myhost.test.ex R=smartuser T=lmtp defer (-1): LMTP timeout after end of data (ddd bytes written) 1999-03-02 09:44:33 10HmbF-0005vi-00 == tom@myhost.test.ex R=smartuser T=lmtp defer (-44): LMTP error after RCPT TO:: 450 This one is delayed on RCPT 
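Review bot: every C= value added to the lmtp delivery lines in test/log/5100 is plain text ("250 Number 1 is OK", "250 Number 6 is OK"), so nothing in the expected log pins down how the confirmation string is written when the LMTP server's reply contains a double quote, a backslash or a control character. That text is supplied by the peer and lands inside a quoted log field, so one simulated reply containing such a character would make the expected output cover the escaping as well as the happy path.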
@@ -214,8 +214,8 @@ DATA QUIT <<< QUIT 220 OK -1999-03-02 09:44:33 10HmbI-0005vi-00 => jack R=smartuser T=lmtp -1999-03-02 09:44:33 10HmbI-0005vi-00 -> jill R=smartuser T=lmtp +1999-03-02 09:44:33 10HmbI-0005vi-00 => jack R=smartuser T=lmtp C="250 OK" +1999-03-02 09:44:33 10HmbI-0005vi-00 -> jill R=smartuser T=lmtp C="250 OK" 1999-03-02 09:44:33 10HmbI-0005vi-00 Completed 1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 220 Welcome to this LMTP simulation @@ -252,8 +252,8 @@ DATA QUIT <<< QUIT 220 OK -1999-03-02 09:44:33 10HmbJ-0005vi-00 => jack R=smartuser T=lmtp -1999-03-02 09:44:33 10HmbJ-0005vi-00 -> jill R=smartuser T=lmtp +1999-03-02 09:44:33 10HmbJ-0005vi-00 => jack R=smartuser T=lmtp C="250 OK" +1999-03-02 09:44:33 10HmbJ-0005vi-00 -> jill R=smartuser T=lmtp C="250 OK" 1999-03-02 09:44:33 10HmbJ-0005vi-00 Completed 1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 220 Welcome to this LMTP simulation diff --git a/test/log/5101 b/test/log/5101 index a24a5aae8..091db6679 100644 --- a/test/log/5101 +++ b/test/log/5101 @@ -37,9 +37,9 @@ DATA QUIT <<< QUIT 250 OK -1999-03-02 09:44:33 10HmaX-0005vi-00 => userx R=smartuser T=lmtp ST=local_delivery +1999-03-02 09:44:33 10HmaX-0005vi-00 => userx R=smartuser T=lmtp ST=local_delivery C="250 Number 1 is OK" 1999-03-02 09:44:33 10HmaX-0005vi-00 ** jack@myhost.test.ex R=smartuser T=lmtp: LMTP error after end of data: 550 Number 2 fails -1999-03-02 09:44:33 10HmaX-0005vi-00 -> jill R=smartuser T=lmtp ST=local_delivery +1999-03-02 09:44:33 10HmaX-0005vi-00 -> jill R=smartuser T=lmtp ST=local_delivery C="250 Number 3 is OK" 1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> R=10HmaX-0005vi-00 U=EXIMUSER P=local S=sss 1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER R=bounces T=local_delivery 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 
@@ -82,9 +82,9 @@ DATA QUIT <<< QUIT 250 OK -1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx R=smartuser T=lmtp ST=local_delivery (mailbox TESTSUITE/test-mail/ has too many links (2)) +1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx R=smartuser T=lmtp ST=local_delivery (mailbox TESTSUITE/test-mail/ has too many links (2)) C="250 Number 1 is OK" 1999-03-02 09:44:33 10HmaZ-0005vi-00 ** jack@myhost.test.ex R=smartuser T=lmtp: LMTP error after end of data: 550 Number 2 fails -1999-03-02 09:44:33 10HmaZ-0005vi-00 -> jill R=smartuser T=lmtp ST=local_delivery (mailbox TESTSUITE/test-mail/ has too many links (2)) +1999-03-02 09:44:33 10HmaZ-0005vi-00 -> jill R=smartuser T=lmtp ST=local_delivery (mailbox TESTSUITE/test-mail/ has too many links (2)) C="250 Number 3 is OK" 1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> R=10HmaZ-0005vi-00 U=EXIMUSER P=local S=sss 1999-03-02 09:44:33 10HmbA-0005vi-00 => CALLER R=bounces T=local_delivery 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed diff --git a/test/log/5102 b/test/log/5102 index 66076a0b0..ea6a0bfb7 100644 --- a/test/log/5102 +++ b/test/log/5102 @@ -1,5 +1,5 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaX-0005vi-00 => userx R=smartuser T=lmtp +1999-03-02 09:44:33 10HmaX-0005vi-00 => userx R=smartuser T=lmtp C="250 OK" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmaY-0005vi-00 == userx@myhost.test.ex R=smartuser T=lmtp defer (-1): LMTP timeout after initial connection 
@@ -14,12 +14,12 @@ 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbA-0005vi-00 => lp1 R=smartuser T=lmtp +1999-03-02 09:44:33 10HmbA-0005vi-00 => lp1 R=smartuser T=lmtp C="250 Number 1 is OK" 1999-03-02 09:44:33 10HmbA-0005vi-00 == lp2@myhost.test.ex R=smartuser T=lmtp defer (-46): LMTP error after end of data: 450 Number 2 is now delayed 1999-03-02 09:44:33 10HmbA-0005vi-00 ** lp3@myhost.test.ex R=smartuser T=lmtp: LMTP error after end of data: 550 Number 3 is now rejected 1999-03-02 09:44:33 10HmbA-0005vi-00 == lp4@myhost.test.ex R=smartuser T=lmtp defer (-44): LMTP error after RCPT TO:: 450 This one is delayed on RCPT 1999-03-02 09:44:33 10HmbA-0005vi-00 ** lp5@myhost.test.ex R=smartuser T=lmtp: LMTP error after RCPT TO:: 550 This one is unknown on RCPT -1999-03-02 09:44:33 10HmbA-0005vi-00 -> lp6 R=smartuser T=lmtp +1999-03-02 09:44:33 10HmbA-0005vi-00 -> lp6 R=smartuser T=lmtp C="250 Number 6 is OK" 1999-03-02 09:44:33 10HmbB-0005vi-00 <= <> R=10HmbA-0005vi-00 U=EXIMUSER P=local S=sss 1999-03-02 09:44:33 10HmbB-0005vi-00 => :blackhole: R=bounces 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed diff --git a/test/log/5400 b/test/log/5400 index 59f948c5f..6b51348c3 100644 --- a/test/log/5400 +++ b/test/log/5400 @@ -12,3 +12,7 @@ 1999-03-02 09:44:33 10HmaZ-0005vi-00 => usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK" 1999-03-02 09:44:33 10HmaZ-0005vi-00 -> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK" 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 rcpt for userx@domain.com +1999-03-02 09:44:33 10HmbA-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK" +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed 
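Review bot: in the test/log/5400 hunk the added `>>` delivery line for 10HmbA-0005vi-00 is expected before that message's `<=` reception line, and the `rcpt for userx@domain.com` line in front of it carries no message id at all. If this delivery-before-reception order is the intended shape of a cutthrough delivery, say so in a comment in the test script, so that a later change in ordering is not mistaken for noise. Anything that reads these logs and opens a message record on `<=` will otherwise see a delivery for an id it has not met yet.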
diff --git a/test/log/5440 b/test/log/5440 new file mode 100644 index 000000000..4d600ebc6 --- /dev/null +++ b/test/log/5440 
@@ -0,0 +1,17 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (certificate verification failed) +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls) +1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmaZ-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad +1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason. +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex 
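Review bot: the client half of test/log/5440 expects 10HmaX-0005vi-00 to be delivered in clear right after `(certificate verification failed)`, and the only explanation in the log is `(not in hosts_require_tls)`. The new file covers the fallback (send_to_server_req_failname) and the success (send_to_server_req_passname) but shows no case where the same verification failure hits a host that is in hosts_require_tls. If the test script has no such case, add one that expects a defer rather than a `=>` line, so the suite shows that the downgrade to cleartext happens only when the host is not listed there. The error line also does not say which name failed to match, which the 5450 counterpart does with `certificate name mismatch`.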
diff --git a/test/log/5450 b/test/log/5450 new file mode 100644 index 000000000..2a8aec4e7 --- /dev/null +++ b/test/log/5450 
@@ -0,0 +1,28 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls) +1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/CN=server1.example.com" + +1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls) +1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 
09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex diff --git a/test/log/5600 b/test/log/5600 index 869883f06..a680612a7 100644 --- a/test/log/5600 +++ b/test/log/5600 @@ -1,6 +1,7 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; responding +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq) +1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified) 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq) 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 [ip4.ip4.ip4.ip4] Recieved OCSP stapling req; not responding +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq) 
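Review bot: in the test/log/5600 hunk the `acl_conn: ocsp in status: 0 (notreq)` line is identical in all three daemon runs, and only the first run has an `acl_mail` line, so for the second and third runs the expected log no longer records the stapling outcome that the removed `Recieved OCSP stapling req; not responding` lines did. If those sessions end before MAIL, log the status at a point they do reach, or note in the test script that the assertion for those two cases now lives on the client side only.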
diff --git a/test/log/5601 b/test/log/5601 index 40caa0f88..7c9a3b976 100644 --- a/test/log/5601 +++ b/test/log/5601 
@@ -1,41 +1,46 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaX-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmaZ-0005vi-00 => CALLER@test.ex R=client T=send_to_server2 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbB-0005vi-00 Received TLS status response, null content -1999-03-02 09:44:33 10HmbB-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> -1999-03-02 09:44:33 10HmbB-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session -1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbC-0005vi-00 Server certificate revoked; reason: superseded -1999-03-02 09:44:33 10HmbC-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> -1999-03-02 09:44:33 10HmbC-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@test.ex R=client 
T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss -1999-03-02 09:44:33 10HmbD-0005vi-00 Server OSCP dates invalid +1999-03-02 09:44:33 10HmbD-0005vi-00 Received TLS status callback, null content 1999-03-02 09:44:33 10HmbD-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> -1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server2 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbE-0005vi-00 Server certificate revoked; reason: superseded +1999-03-02 09:44:33 10HmbE-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbF-0005vi-00 Server OSCP dates invalid +1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1 (notresp) 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss 
id=E10HmaX-0005vi-00@server1.example.com -1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding -1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com -1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: ocsp status 0 (notreq) +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 4 (verified) +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbB-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; not responding 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <> 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) 
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <> 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 [127.0.0.1] Recieved OCSP stapling req; responding 1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <> 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) diff --git a/test/log/5608 b/test/log/5608 new file mode 100644 index 000000000..a7115ad1e --- /dev/null +++ b/test/log/5608 
@@ -0,0 +1,60 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 1 (notresp) +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 4 (verified) +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbB-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 client ocsp status: 0 (notreq) +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbD-0005vi-00 => good@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00" +1999-03-02 09:44:33 10HmbD-0005vi-00 client ocsp status: 4 (verified) +1999-03-02 09:44:33 10HmbD-0005vi-00 Completed +1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbF-0005vi-00 Received TLS status callback, null content +1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmbF-0005vi-00 client ocsp status: 1 
(notresp) +1999-03-02 09:44:33 10HmbF-0005vi-00 == failrequire@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbG-0005vi-00 Server certificate revoked; reason: superseded +1999-03-02 09:44:33 10HmbG-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmbG-0005vi-00 client ocsp status: 3 (failed) +1999-03-02 09:44:33 10HmbG-0005vi-00 == failrevoked@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbH-0005vi-00 Server OSCP dates invalid +1999-03-02 09:44:33 10HmbH-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmbH-0005vi-00 client ocsp status: 3 (failed) +1999-03-02 09:44:33 10HmbH-0005vi-00 == failexpired@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: ocsp status 1 +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaX-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: ocsp status 4 +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss 
id=E10HmaZ-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: ocsp status 0 +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbB-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 10HmbE-0005vi-00 client claims: ocsp status 4 +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmbD-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbE-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from (helo.data.changed) [127.0.0.1] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) diff --git a/test/log/5650 b/test/log/5650 new file mode 100644 index 000000000..6bb550248 --- /dev/null +++ b/test/log/5650 
@@ -0,0 +1,11 @@ +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq) +1999-03-02 09:44:33 acl_mail: ocsp in status: 2 (vfynotdone) +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq) +1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated. +1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason. +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq) +1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated. +1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason. diff --git a/test/log/5651 b/test/log/5651 new file mode 100644 index 000000000..f19900e9e --- /dev/null +++ b/test/log/5651 
@@ -0,0 +1,43 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbD-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed) +1999-03-02 09:44:33 10HmbD-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbE-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate revoked +1999-03-02 09:44:33 10HmbE-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check 
failed) +1999-03-02 09:44:33 10HmbF-0005vi-00 == CALLER@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 (notresp) +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaX-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: OCSP status 0 (notreq) +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 4 (verified) +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbB-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated. +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason. 
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): A TLS fatal alert has been received.: Certificate is bad +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason. +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated. +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason. diff --git a/test/log/5658 b/test/log/5658 new file mode 100644 index 000000000..16f5b31f2 --- /dev/null +++ b/test/log/5658 
@@ -0,0 +1,57 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 1 (notresp) +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 1 (notresp) +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbB-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 client ocsp status: 0 (notreq) +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbD-0005vi-00 => good@test.ex R=client T=send_to_server3 H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00" +1999-03-02 09:44:33 10HmbD-0005vi-00 client ocsp status: 4 (verified) +1999-03-02 09:44:33 10HmbD-0005vi-00 Completed +1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbF-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed) +1999-03-02 09:44:33 10HmbF-0005vi-00 client ocsp status: 3 (failed) 
+1999-03-02 09:44:33 10HmbF-0005vi-00 == failrequire@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbG-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate revoked +1999-03-02 09:44:33 10HmbG-0005vi-00 client ocsp status: 1 (notresp) +1999-03-02 09:44:33 10HmbG-0005vi-00 == failrevoked@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbH-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate status check failed) +1999-03-02 09:44:33 10HmbH-0005vi-00 client ocsp status: 3 (failed) +1999-03-02 09:44:33 10HmbH-0005vi-00 == failexpired@test.ex R=client T=send_to_server3 defer (-37): failure while setting up TLS session + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 (notresp) +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaX-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: OCSP status 1 (notresp) +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaZ-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbA-0005vi-00 => 
:blackhole: R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmbC-0005vi-00 client claims: OCSP status 0 (notreq) +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbB-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 10HmbE-0005vi-00 client claims: OCSP status 4 (verified) +1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@server1.example.com H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmbD-0005vi-00@server1.example.com +1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbE-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated. +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason. +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): A TLS fatal alert has been received.: Certificate is bad +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason. +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated. +1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (send): The specified session has been invalidated for some reason. 
diff --git a/test/log/5750 b/test/log/5750 new file mode 100644 index 000000000..845624676 --- /dev/null +++ b/test/log/5750 
@@ -0,0 +1,44 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (certificate verification failed): certificate invalid +1999-03-02 09:44:33 10HmaX-0005vi-00 deferral bad +1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLENT CERT presented +1999-03-02 09:44:33 10HmaX-0005vi-00 Peer cert: +1999-03-02 09:44:33 10HmaX-0005vi-00 ver <3> +1999-03-02 09:44:33 10HmaX-0005vi-00 SN +1999-03-02 09:44:33 10HmaX-0005vi-00 IN +1999-03-02 09:44:33 10HmaX-0005vi-00 NB +1999-03-02 09:44:33 10HmaX-0005vi-00 NA +1999-03-02 09:44:33 10HmaX-0005vi-00 SA +1999-03-02 09:44:33 10HmaX-0005vi-00 SG <56 3a a4 3c cb eb b8 27 c2 90 08 74 13 88 dc 48 c6 b5 2c e5 26 be 5b 91 d4 67 e7 3c 49 12 d7 47 30 df 98 db 58 ed 18 a8 7d 4b db 97 48 f5 5c 7f 70 b9 37 63 33 f1 24 62 72 92 60 f5 6e da b6 bc 73 c8 c2 dc d6 95 9a bd 16 16 a2 ef 0a f1 d7 41 68 f6 ad 98 5a d0 ff d9 1b 51 9f 59 ce 2f 3d 84 d0 ee e8 2b eb 9b 32 1a 0e 02 3e cc 30 89 44 09 2a 75 81 46 a7 b6 ed 7d 41 eb 5a 63 fa 9c 58 ef> +1999-03-02 09:44:33 10HmaX-0005vi-00 SAN +1999-03-02 09:44:33 10HmaX-0005vi-00 CRU +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls) +1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 delivery bad +1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLENT CERT presented +1999-03-02 09:44:33 10HmaX-0005vi-00 No Peer cert +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 => good@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" 
+1999-03-02 09:44:33 10HmaY-0005vi-00 delivery good +1999-03-02 09:44:33 10HmaY-0005vi-00 Our cert SN: CN=server2.example.com +1999-03-02 09:44:33 10HmaY-0005vi-00 Peer cert: +1999-03-02 09:44:33 10HmaY-0005vi-00 ver <3> +1999-03-02 09:44:33 10HmaY-0005vi-00 SN +1999-03-02 09:44:33 10HmaY-0005vi-00 IN +1999-03-02 09:44:33 10HmaY-0005vi-00 NB +1999-03-02 09:44:33 10HmaY-0005vi-00 NA +1999-03-02 09:44:33 10HmaY-0005vi-00 SA +1999-03-02 09:44:33 10HmaY-0005vi-00 SG <56 3a a4 3c cb eb b8 27 c2 90 08 74 13 88 dc 48 c6 b5 2c e5 26 be 5b 91 d4 67 e7 3c 49 12 d7 47 30 df 98 db 58 ed 18 a8 7d 4b db 97 48 f5 5c 7f 70 b9 37 63 33 f1 24 62 72 92 60 f5 6e da b6 bc 73 c8 c2 dc d6 95 9a bd 16 16 a2 ef 0a f1 d7 41 68 f6 ad 98 5a d0 ff d9 1b 51 9f 59 ce 2f 3d 84 d0 ee e8 2b eb 9b 32 1a 0e 02 3e cc 30 89 44 09 2a 75 81 46 a7 b6 ed 7d 41 eb 5a 63 fa 9c 58 ef> +1999-03-02 09:44:33 10HmaY-0005vi-00 SAN +1999-03-02 09:44:33 10HmaY-0005vi-00 CRU +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (recv): A TLS fatal alert has been received.: Certificate is bad +1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (send): The specified session has been invalidated for some reason. +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="CN=server2.example.com" S=sss id=E10HmaY-0005vi-00@myhost.test.ex diff --git a/test/log/5760 b/test/log/5760 new file mode 100644 index 000000000..a59190fa2 --- /dev/null +++ b/test/log/5760 
@@ -0,0 +1,47 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=2 error=self signed certificate in certificate chain cert=/O=example.com/CN=clica CA +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to 127.0.0.1 [127.0.0.1] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmaX-0005vi-00 deferral bad +1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLENT CERT presented +1999-03-02 09:44:33 10HmaX-0005vi-00 Peer cert: +1999-03-02 09:44:33 10HmaX-0005vi-00 ver <2> +1999-03-02 09:44:33 10HmaX-0005vi-00 SN +1999-03-02 09:44:33 10HmaX-0005vi-00 IN +1999-03-02 09:44:33 10HmaX-0005vi-00 NB +1999-03-02 09:44:33 10HmaX-0005vi-00 NA +1999-03-02 09:44:33 10HmaX-0005vi-00 SA +1999-03-02 09:44:33 10HmaX-0005vi-00 SG < Signature Algorithm: sha1WithRSAEncryption\n 89:fd:fb:cb:b2:42:d6:aa:f2:c0:44:a2:14:e5:ab:22:50:41:\n e6:64:e7:1c:5a:20:b6:0f:fe:b0:88:c5:cf:b3:e5:f8:0e:87:\n eb:ac:07:d6:9d:6a:20:f6:dd:13:ee:b8:3f:cf:d9:cd:d4:a8:\n 72:50:5a:a2:14:4e:ee:3a:78:e2:a7:f4:ae:d7:ee:77:48:1f:\n 75:a7:68:2f:ee:e2:7c:ac:2f:e4:88:02:e8:3b:db:f9:35:04:\n 05:46:35:0b:f2:35:03:21:b6:1e:82:7d:94:e0:63:4b:60:71:\n 2d:19:45:21:f2:85:b4:c3:d0:77:a2:24:32:36:f3:50:68:38:\n 98:e6\n> +1999-03-02 09:44:33 10HmaX-0005vi-00 (no SAN) +1999-03-02 09:44:33 10HmaX-0005vi-00 (no OCU) +1999-03-02 09:44:33 10HmaX-0005vi-00 (no CRU) +1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls) +1999-03-02 09:44:33 10HmaX-0005vi-00 => bad@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 delivery bad +1999-03-02 09:44:33 10HmaX-0005vi-00 NO CLENT CERT presented +1999-03-02 09:44:33 10HmaX-0005vi-00 No Peer cert +1999-03-02 
09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 => good@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 delivery good +1999-03-02 09:44:33 10HmaY-0005vi-00 Our cert SN: CN=server2.example.com +1999-03-02 09:44:33 10HmaY-0005vi-00 Peer cert: +1999-03-02 09:44:33 10HmaY-0005vi-00 ver <2> +1999-03-02 09:44:33 10HmaY-0005vi-00 SN +1999-03-02 09:44:33 10HmaY-0005vi-00 IN +1999-03-02 09:44:33 10HmaY-0005vi-00 NB +1999-03-02 09:44:33 10HmaY-0005vi-00 NA +1999-03-02 09:44:33 10HmaY-0005vi-00 SA +1999-03-02 09:44:33 10HmaY-0005vi-00 SG < Signature Algorithm: sha1WithRSAEncryption\n 56:3a:a4:3c:cb:eb:b8:27:c2:90:08:74:13:88:dc:48:c6:b5:\n 2c:e5:26:be:5b:91:d4:67:e7:3c:49:12:d7:47:30:df:98:db:\n 58:ed:18:a8:7d:4b:db:97:48:f5:5c:7f:70:b9:37:63:33:f1:\n 24:62:72:92:60:f5:6e:da:b6:bc:73:c8:c2:dc:d6:95:9a:bd:\n 16:16:a2:ef:0a:f1:d7:41:68:f6:ad:98:5a:d0:ff:d9:1b:51:\n 9f:59:ce:2f:3d:84:d0:ee:e8:2b:eb:9b:32:1a:0e:02:3e:cc:\n 30:89:44:09:2a:75:81:46:a7:b6:ed:7d:41:eb:5a:63:fa:9c:\n 58:ef\n> +1999-03-02 09:44:33 10HmaY-0005vi-00 SAN +1999-03-02 09:44:33 10HmaY-0005vi-00 OCU +1999-03-02 09:44:33 10HmaY-0005vi-00 CRU +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) 
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 DN="/CN=server2.example.com" S=sss id=E10HmaY-0005vi-00@myhost.test.ex diff --git a/test/mail/0023.cond--1 b/test/mail/0023.cond--1 new file mode 100644 index 000000000..ef08691a3 --- /dev/null +++ b/test/mail/0023.cond--1 @@ -0,0 +1,9 @@ +From userx@test.ex Tue Mar 02 09:44:33 1999 +Received: from [56.56.57.57] (ident=CALLER) + by myhost.test.ex with smtp (Exim x.yz) + (envelope-from ) + id 10HmbL-0005vi-00 + for cond--1@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 +X-message-body-size: 0 + + diff --git a/test/mail/0023.cond-rhubarb b/test/mail/0023.cond-rhubarb index c8b40c730..798c40f0e 100644 --- a/test/mail/0023.cond-rhubarb +++ b/test/mail/0023.cond-rhubarb @@ -11,7 +11,7 @@ From userx@test.ex Tue Mar 02 09:44:33 1999 Received: from [56.56.56.56] (ident=CALLER) by myhost.test.ex with smtp (Exim x.yz) (envelope-from ) - id 10HmbL-0005vi-00 + id 10HmbM-0005vi-00 for cond-rhubarb@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 X-message-body-size: 0 diff --git a/test/mail/0023.okbatch b/test/mail/0023.okbatch index eae8de28b..16b2f7388 100644 --- a/test/mail/0023.okbatch +++ b/test/mail/0023.okbatch @@ -5,7 +5,7 @@ Envelope-to: ok1@test.ex, Received: from [56.56.58.58] (ident=CALLER) by myhost.test.ex with smtp (Exim x.yz) (envelope-from ) - id 10HmbM-0005vi-00; Tue, 2 Mar 1999 09:44:33 +0000 + id 10HmbN-0005vi-00; Tue, 2 Mar 1999 09:44:33 +0000 xx: rcpt_count = 1 rcpt_defer_count = 0 rcpt_fail_count = 0 diff --git a/test/mail/0046.userx b/test/mail/0046.userx index cf7f26ea0..05c078ec0 100644 Binary files a/test/mail/0046.userx and b/test/mail/0046.userx differ diff --git a/test/mail/0166.userx b/test/mail/0166.userx index 3c58c0da1..d07630976 100644 --- a/test/mail/0166.userx 
+++ b/test/mail/0166.userx @@ -12,5 +12,9 @@ X-Delivered-To: b@test.ex X-Delivered-To: c@test.ex X-Delivered-To: d@test.ex X-Delivered-To: userx@test.ex +X-rtr-hdr: 1 +X-rtr-hdr: 3 +X-tpt-hdr: 1 +X-tpt-hdr: 3 diff --git a/test/mail/0166.usery b/test/mail/0166.usery index 529767368..8076ae65d 100644 --- a/test/mail/0166.usery +++ b/test/mail/0166.usery @@ -11,5 +11,9 @@ X-Delivered-To: a@test.ex X-Delivered-To: bb@test.ex X-Delivered-To: e@test.ex X-Delivered-To: usery@test.ex +X-rtr-hdr: 1 +X-rtr-hdr: 3 +X-tpt-hdr: 1 +X-tpt-hdr: 3 diff --git a/test/mail/0351.userx b/test/mail/0351.userx index 50bfd7d6c..41b34c002 100644 --- a/test/mail/0351.userx +++ b/test/mail/0351.userx @@ -19,7 +19,6 @@ Resent-From: CALLER_NAME Found: yes Found2: yes FOUND-found2: !! - TO: userx@test.ex, usery@test.ex -------------------------------- diff --git a/test/mail/0412.CALLER b/test/mail/0412.CALLER index 260252beb..410121dae 100644 --- a/test/mail/0412.CALLER +++ b/test/mail/0412.CALLER @@ -7,7 +7,6 @@ From: CALLER_NAME Message-Id: Date: Tue, 2 Mar 1999 09:44:33 +0000 Found: no - FROM: CALLER_NAME -------------------------------- REPLY_ADDRESS: CALLER_NAME @@ -25,7 +24,6 @@ From: CALLER_NAME Message-Id: Date: Tue, 2 Mar 1999 09:44:33 +0000 Found: no - FROM: CALLER_NAME -------------------------------- REPLY_ADDRESS: CALLER_NAME @@ -43,7 +41,6 @@ From: CALLER_NAME Message-Id: Date: Tue, 2 Mar 1999 09:44:33 +0000 Found: no - FROM: CALLER_NAME -------------------------------- REPLY_ADDRESS: usery@test.ex @@ -61,7 +58,6 @@ Message-Id: Sender: CALLER_NAME Date: Tue, 2 Mar 1999 09:44:33 +0000 Found: no - FROM: -------------------------------- REPLY_ADDRESS: diff --git a/test/mail/0600.CALLER b/test/mail/0600.CALLER new file mode 100644 index 000000000..e9a50054e --- /dev/null +++ b/test/mail/0600.CALLER 
@@ -0,0 +1,45 @@ +From CALLER@the.local.host.name Tue Mar 02 09:44:33 1999 +Return-path: +Envelope-to: CALLER@the.local.host.name +Delivery-date: Tue, 2 Mar 1999 09:44:33 +0000 +Received: from CALLER by the.local.host.name with local-smtp (Exim x.yz) + (envelope-from ) + id 10HmaX-0005vi-00 + for CALLER@the.local.host.name; Tue, 2 Mar 1999 09:44:33 +0000 +x-test-header-good1: 1234567890qwertzuiopasdfghjklyxcvbnm,.-QWERTZUIOP+*ASDFGHJKL#'YXCVBNM,.-;:_ +x-test-header-good2: ßüöä€ÜÖÄ´ऑकजᐁᑌᑕ𫝆𫟘 +x-test-header-too-short: Ã.Ã.Ã.ä-â‚.-Ü.Ã..Ã.-Â.-à..-à¤.-à¤.-á.-á‘.-á..-ð«..ð«Ÿ. +x-test-header-too-long: øˆˆˆˆ-ä-øˆˆˆˆ--Ö-Ä-´-ऑ-क-ज-ᐁ-ᑌ-ᑕ-ø€€€€ð«Ÿ† +x-test-header-too-big: ÷€€€-----󀀀 +Subject: This is a test message. +Message-Id: +From: CALLER@the.local.host.name +Date: Tue, 2 Mar 1999 09:44:33 +0000 +X-local-user: uid=CALLER_UID gid=CALLER_GID +X-body-linecount: 3 +X-message-linecount: 16 +X-received-count: 1 + +This is a test message. +It has three lines. +This is the last line. + +From CALLER@the.local.host.name Tue Mar 02 09:44:33 1999 +Return-path: +Envelope-to: CALLER@the.local.host.name +Delivery-date: Tue, 2 Mar 1999 09:44:33 +0000 +Received: from CALLER by the.local.host.name with local-smtp (Exim x.yz) + (envelope-from ) + id 10HmaY-0005vi-00 + for CALLER@the.local.host.name; Tue, 2 Mar 1999 09:44:33 +0000 +Subject: second +Message-Id: +From: CALLER@the.local.host.name +Date: Tue, 2 Mar 1999 09:44:33 +0000 +X-local-user: uid=CALLER_UID gid=CALLER_GID +X-body-linecount: 1 +X-message-linecount: 9 +X-received-count: 1 + +This is a second test message. + diff --git a/test/mail/2002.CALLER b/test/mail/2002.CALLER index a4e0dd526..23b5f61a5 100644 --- a/test/mail/2002.CALLER +++ b/test/mail/2002.CALLER 
@@ -30,7 +30,7 @@ Received: from [ip4.ip4.ip4.ip4] id 10HmaZ-0005vi-00 for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 tls-certificate-verified: 1 -TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock +TLS: cipher=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 peerdn=CN=server2.example.com This is a test encrypted message from a verified host. diff --git a/test/mail/2102.CALLER b/test/mail/2102.CALLER index e4be6a342..42c189f78 100644 --- a/test/mail/2102.CALLER +++ b/test/mail/2102.CALLER @@ -30,7 +30,7 @@ Received: from [ip4.ip4.ip4.ip4] id 10HmaZ-0005vi-00 for CALLER@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 tls-certificate-verified: 1 -TLS: cipher=TLSv1:AES256-SHA:256 peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +TLS: cipher=TLSv1:AES256-SHA:256 peerdn=/CN=server2.example.com This is a test encrypted message from a verified host. diff --git a/test/rejectlog/0027 b/test/rejectlog/0027 index 24bcc70e9..b80e61635 100644 --- a/test/rejectlog/0027 +++ b/test/rejectlog/0027 
@@ -3,7 +3,7 @@ 1999-03-02 09:44:33 U=CALLER F= rejected RCPT : Sender verify failed 1999-03-02 09:44:33 U=CALLER F= rejected RCPT : deny for userx 1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny verify = header_syntax"@test.ex>: cannot verify header_syntax in ACL for RCPT -1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny verify = junk"@test.ex>: expected "sender[=address]", "recipient", "helo", "header_syntax", "header_sender" or "reverse_host_lookup" at start of ACL condition "verify junk" +1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny verify = junk"@test.ex>: expected "sender[=address]", "recipient", "helo", "header_syntax", "header_sender", "header_names_ascii" or "reverse_host_lookup" at start of ACL condition "verify junk" 1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny vorify = junk"@test.ex>: unknown ACL condition/modifier in "deny vorify = junk" 1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"dony verify = junk"@test.ex>: unknown ACL verb "dony" in "dony verify = junk" 1999-03-02 09:44:33 U=CALLER F=<> temporarily rejected RCPT <"deny !message = abcd"@test.ex>: ACL error: negation is not allowed with "message" diff --git a/test/rejectlog/2003 b/test/rejectlog/2003 index 04c9f95c3..d495cde10 100644 --- a/test/rejectlog/2003 +++ b/test/rejectlog/2003 @@ -1 +1 @@ -1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] F= rejected RCPT : unacceptable cipher TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 +1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 F= rejected RCPT : unacceptable cipher TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 diff --git a/test/rejectlog/2014 b/test/rejectlog/2014 index fb9f7cd99..e9ccac71c 100644 --- a/test/rejectlog/2014 +++ b/test/rejectlog/2014 
@@ -1,3 +1,3 @@ -1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] F= rejected RCPT : certificate not verified: peerdn= -1999-03-02 09:44:33 H=[127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock -1999-03-02 09:44:33 H=[127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock +1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 F= rejected RCPT : certificate not verified: peerdn= +1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock +1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock diff --git a/test/rejectlog/2103 b/test/rejectlog/2103 index 49eab8415..b505fccbd 100644 --- a/test/rejectlog/2103 +++ b/test/rejectlog/2103 @@ -1 +1 @@ -1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] F= rejected RCPT : unacceptable cipher TLSv1:AES256-SHA:256 +1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 F= rejected RCPT : unacceptable cipher TLSv1:AES256-SHA:256 diff --git a/test/rejectlog/2114 b/test/rejectlog/2114 index 143828731..c8becde39 100644 --- a/test/rejectlog/2114 +++ b/test/rejectlog/2114 
@@ -1,3 +1,3 @@ -1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] F= rejected RCPT : certificate not verified: peerdn= -1999-03-02 09:44:33 H=[127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock -1999-03-02 09:44:33 H=[127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] X=TLSv1:AES256-SHA:256 F= rejected RCPT : certificate not verified: peerdn= +1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock diff --git a/test/runtest b/test/runtest index 443d7fcf4..5216eaded 100755 --- a/test/runtest +++ b/test/runtest @@ -498,6 +498,7 @@ RESET_AFTER_EXTRA_LINE_READ: # treat the standard algorithms the same. # So far, have seen: # TLSv1:AES256-SHA:256 + # TLSv1.1:AES256-SHA:256 # TLSv1.2:AES256-GCM-SHA384:256 # TLSv1.2:DHE-RSA-AES256-SHA:256 # TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128 @@ -507,11 +508,13 @@ RESET_AFTER_EXTRA_LINE_READ: # Mail headers (...), log-lines X=..., client-ssl output ... # (and \b doesn't match between ' ' and '(' ) - s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.2:/$1TLSv1:/xg; + s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.[12]:/$1TLSv1:/xg; s/\bAES256-GCM-SHA384\b/AES256-SHA/g; s/\bDHE-RSA-AES256-SHA\b/AES256-SHA/g; # GnuTLS have seen: + # TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 + # TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 # TLS1.2:RSA_AES_256_CBC_SHA1:256 (canonical) # TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128 # 
@@ -520,12 +523,29 @@ RESET_AFTER_EXTRA_LINE_READ: # X=TLS1.1:RSA_AES_256_CBC_SHA1:256 # X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256 # and as stand-alone cipher: + # ECDHE-RSA-AES256-SHA # DHE-RSA-AES256-SHA256 # DHE-RSA-AES256-SHA # picking latter as canonical simply because regex easier that way. s/\bDHE_RSA_AES_128_CBC_SHA1:128/RSA_AES_256_CBC_SHA1:256/g; - s/TLS1.[012]:(DHE_)?RSA_AES_256_CBC_SHA(1|256):256/TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256/g; - s/\bDHE-RSA-AES256-SHA256\b/DHE-RSA-AES256-SHA/g; + s/TLS1.[012]:((EC)?DHE_)?RSA_AES_(256|128)_(CBC|GCM)_SHA(1|256|384):(256|128)/TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256/g; + s/\b(ECDHE-RSA-AES256-SHA|DHE-RSA-AES256-SHA256)\b/AES256-SHA/g; + + # GnuTLS library error message changes + s/No certificate was found/The peer did not send any certificate/g; +#(dodgy test?) s/\(certificate verification failed\): invalid/\(gnutls_handshake\): The peer did not send any certificate./g; + s/\(gnutls_priority_set\): No or insufficient priorities were set/\(gnutls_handshake\): Could not negotiate a supported cipher suite/g; + + # (this new one is a generic channel-read error, but the testsuite + # only hits it in one place) + s/TLS error on connection to \d{1,3}(.\d{1,3}){3} \[\d{1,3}(.\d{1,3}){3}\] \(gnutls_handshake\): Error in the pull function\./a TLS session is required for ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4], but an attempt to start TLS failed/g; + + # (replace old with new, hoping that old only happens in one situation) + s/TLS error on connection to \d{1,3}(.\d{1,3}){3} \[\d{1,3}(.\d{1,3}){3}\] \(gnutls_handshake\): A TLS packet with unexpected length was received./a TLS session is required for ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4], but an attempt to start TLS failed/g; + s/TLS error on connection from \[127.0.0.1\] \(recv\): A TLS packet with unexpected length was received./TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated./g; + + # signature algorithm names + s/RSA-SHA1/RSA-SHA/; # 
======== Caller's login, uid, gid, home, gecos ======== diff --git a/test/scripts/0000-Basic/0002 b/test/scripts/0000-Basic/0002 index b924a0934..7b6c34b3e 100644 --- a/test/scripts/0000-Basic/0002 +++ b/test/scripts/0000-Basic/0002 @@ -75,6 +75,13 @@ listcount: ${listcount:} listcount: ${listcount:<;a;b;c} listcount: ${listcount:${listnamed:dlist}} +listextract: ${listextract{ 2}{a:b:c:d}} +listextract: ${listextract{-2}{<,a,b,c,d}{X${value}X}} +listextract: ${listextract{ 5}{a:b:c:d}} +listextract: ${listextract{-5}{a:b:c:d}} +listextract: ${listextract{ 5}{a:b:c:d}{}{fail}} +listextract: ${listextract{ 5}{a:b:c:d}{}fail} + # Tests with iscntrl() and illegal separators map: ${map{<\n a\n\nb\nc}{'$item'}} @@ -595,7 +602,7 @@ abcdea abc z ${tr{abcdea}{abc}{z}} " yes" ${if bool{ yes}{true}{false}} EXPECT: true " no" ${if bool{ no}{true}{false}} EXPECT: false "yes " ${if bool{yes }{true}{false}} EXPECT: true -"-1" ${if bool{-1}{true}{false}} EXPECT: error +"-1" ${if bool{-1}{true}{false}} EXPECT: true "0" ${if bool{0}{true}{false}} EXPECT: false "1" ${if bool{1}{true}{false}} EXPECT: true " 0 " ${if bool{ 0 }{true}{false}} EXPECT: false @@ -605,6 +612,7 @@ abcdea abc z ${tr{abcdea}{abc}{z}} " " ${if bool{ }{true}{false}} EXPECT: false "text" ${if bool{text}{true}{false}} EXPECT: error " text" ${if bool{ text}{true}{false}} EXPECT: error +"-text" ${if bool{-text}{true}{false}} EXPECT: error "text " ${if bool{text }{true}{false}} EXPECT: error " text " ${if bool{ text }{true}{false}} EXPECT: error "00" ${if bool{00}{true}{false}} EXPECT: false diff --git a/test/scripts/0000-Basic/0023 b/test/scripts/0000-Basic/0023 index 28c6ec97a..51e7123d0 100644 --- a/test/scripts/0000-Basic/0023 +++ b/test/scripts/0000-Basic/0023 @@ -299,6 +299,11 @@ data . mail from: rcpt to: +rset +mail from: +rcpt to: +data +. quit **** exim -DLOG_SELECTOR=log_selector=-acl_warn_skipped -odi -bs -oMa 56.56.56.56 
diff --git a/test/scripts/0000-Basic/0040 b/test/scripts/0000-Basic/0040 index 3353ec233..12d675043 100644 --- a/test/scripts/0000-Basic/0040 +++ b/test/scripts/0000-Basic/0040 @@ -1,3 +1,12 @@ # Checking -oMa etc exim -odi -f jc@rome -F 'Julius Caesar' -oMa 1.1.1.1 -oMi 2.2.2.2 -oMr latin -oMs forum.rome -oMt jc44bc userx@test.ex This is a test message. +**** +1 +exim -odi -f jc@rome -F 'Julius Caesar' -oMm 123456-67890-11 -oMt jc44bc userx@test.x +This is a test message. +**** +1 +exim -odi -f jc@rome -F 'Julius Caesar' -oMm 10HmaX-0005vi-00 -oMt jc44bc userx@test.x +This is a test message. +**** diff --git a/test/scripts/0000-Basic/0481 b/test/scripts/0000-Basic/0481 index d1a9a4a70..e1b8574db 100644 --- a/test/scripts/0000-Basic/0481 +++ b/test/scripts/0000-Basic/0481 @@ -1,4 +1,4 @@ -# multiple remove_headers and trailing colons +# multiple remove_headers in routers, and trailing colons exim -odi userx Remove-Me: this header is to be removed Another: This is another header diff --git a/test/scripts/0000-Basic/0569 b/test/scripts/0000-Basic/0569 new file mode 100644 index 000000000..41cdb8731 --- /dev/null +++ b/test/scripts/0000-Basic/0569 
@@ -0,0 +1,147 @@ +# verify = header_names_ascii +# 1. Headers are good, make sure no misfires. +exim -bh V4NET.10.10.10 +mail from: +rcpt to: +data +Received: from mail.example.com([10.11.12.13] helo=mail.example.com) + by mail1-int.example.com with esmtp (Exim 4.80) + envelope-from + id 1WIJRL-0005Dw-MW + for XX@YY; Tue, 25 Feb 2014 15:57:00 +0000 +Received: from mail1-int.example.com([10.120.12.12] helo=mail1-int.example.com) + by webmail1.example.com with esmtp (Exim 4.80) + envelope-from + id 1WIJRK-0005Dw-MW + for XX@YY; Tue, 25 Feb 2014 15:56:58 +0000 +From: userx@exim.test.ex +To: userx@test.ex +Cc: +rcpt to: +data +Received: from mail.example.com([10.11.12.13] helo=mail.example.com) + by mail1-int.example.com with esmtp (Exim 4.80) + envelope-from + id 1WIJRL-0005Dw-MW + for XX@YY; Tue, 25 Feb 2014 15:57:00 +0000 +Received: from mail1-int.example.com([10.120.12.12] helo=mail1-int.example.com) + by webmail1.example.com with esmtp (Exim 4.80) + envelope-from + id 1WIJRK-0005Dw-MW + for XX@YY; Tue, 25 Feb 2014 15:56:58 +0000 +From: userx@exim.test.ex +To: userx@test.ex +Cc: +Subject: testing + +. +QUIT +**** +# 3. A non-ASCII character in header name, different from sets an acl variable +# causing custom log message +exim -bh V4NET.10.10.10 +mail from: +rcpt to: +data +Received: from mail.example.com([10.11.12.13] helo=mail.example.com) + by mail1-int.example.com with esmtp (Exim 4.80) + envelope-from + id 1WIJRL-0005Dw-MW + for XX@YY; Tue, 25 Feb 2014 15:57:00 +0000 +Received: from mail1-int.example.com([10.120.12.12] helo=mail1-int.example.com) + by webmail1.example.com with esmtp (Exim 4.80) + envelope-from + id 1WIJRK-0005Dw-MW + for XX@YY; Tue, 25 Feb 2014 15:56:58 +0000 +From: userx@exim.test.ex +To: userx@test.ex +Cc: +Subjec⍅: testing + +. +QUIT +**** +# 4. 
A non-ASCII character in header name, uses default rejection message +exim -bh V4NET.10.10.10 +mail from: +rcpt to: +data +Received: from mail.example.com([10.11.12.13] helo=mail.example.com) + by mail1-int.example.com with esmtp (Exim 4.80) + envelope-from + id 1WIJRL-0005Dw-MW + for XX@YY; Tue, 25 Feb 2014 15:57:00 +0000 +Received: from mail1-int.example.com([10.120.12.12] helo=mail1-int.example.com) + by webmail1.example.com with esmtp (Exim 4.80) + envelope-from + id 1WIJRK-0005Dw-MW + for XX@YY; Tue, 25 Feb 2014 15:56:58 +0000 +From: userx@exim.test.ex +To: userx@test.ex +Cc: +Subjec⍅: testing + +. +QUIT +**** +# 5. Headers are good, Unicode in message body, make sure no misfires. +exim -bh V4NET.10.10.10 +mail from: +rcpt to: +data +Received: from mail.example.com([10.11.12.13] helo=mail.example.com) + by mail1-int.example.com with esmtp (Exim 4.80) + envelope-from + id 1WIJRL-0005Dw-MW + for XX@YY; Tue, 25 Feb 2014 15:57:00 +0000 +Received: from mail1-int.example.com([10.120.12.12] helo=mail1-int.example.com) + by webmail1.example.com with esmtp (Exim 4.80) + envelope-from + id 1WIJRK-0005Dw-MW + for XX@YY; Tue, 25 Feb 2014 15:56:58 +0000 +From: userx@exim.test.ex +To: userx@test.ex +Cc: +Subject: testing + +Some unicode characters: 顷晦٦ +This email should be accepted because the headers are ok. +. +QUIT +**** +# 6. Headers are good, Unicode in a header content *and* message body, +# make sure no misfires. 
+exim -bh V4NET.10.10.10 +mail from: +rcpt to: +data +Received: from mail.example.com([10.11.12.13] helo=mail.example.com) + by mail1-int.example.com with esmtp (Exim 4.80) + envelope-from + id 1WIJRL-0005Dw-MW + for XX@YY; Tue, 25 Feb 2014 15:57:00 +0000 +Received: from mail1-int.example.com([10.120.12.12] helo=mail1-int.example.com) + by webmail1.example.com with esmtp (Exim 4.80) + envelope-from + id 1WIJRK-0005Dw-MW + for XX@YY; Tue, 25 Feb 2014 15:56:58 +0000 +From: userx@exim.test.ex +To: userx@test.ex +Cc: +Subject: testing + +Some unicode characters: 顷晦٦ +This email should be accepted because the headers are ok even though the +content of one of the headers has unicode. +. +QUIT +**** +no_msglog_check diff --git a/test/scripts/0000-Basic/0600 b/test/scripts/0000-Basic/0600 new file mode 100644 index 000000000..9d5e67b5b --- /dev/null +++ b/test/scripts/0000-Basic/0600 @@ -0,0 +1,32 @@ +# ${utf8clean:string} +# +# -bs to simple local delivery +exim -bs -odi +mail from:CALLER@HOSTNAME +rcpt to:CALLER@HOSTNAME +data +x-test-header-good1: 1234567890qwertzuiopasdfghjklyxcvbnm,.-QWERTZUIOP+*ASDFGHJKL#'YXCVBNM,.-;:_ +x-test-header-good2: ßüöä€ÜÖÄ´ऑकजᐁᑌᑕ𫝆𫟘 +x-test-header-too-short: Ã.Ã.Ã.ä-â‚.-Ü.Ã..Ã.-Â.-à..-à¤.-à¤.-á.-á‘.-á..-ð«..ð«Ÿ. +x-test-header-too-long: øˆˆˆˆ-ä-øˆˆˆˆ--Ö-Ä-´-ऑ-क-ज-ᐁ-ᑌ-ᑕ-ø€€€€ð«Ÿ† +x-test-header-too-big: ÷€€€-----󀀀 +Subject: This is a test message. + +This is a test message. +It has three lines. +This is the last line. +. +quit +**** +exim -bs -odi +mail from:CALLER@HOSTNAME +rcpt to:CALLER@HOSTNAME +data +Subject: second + +This is a second test message. +. +quit +**** +exim -q +**** diff --git a/test/scripts/2000-GnuTLS/2002 b/test/scripts/2000-GnuTLS/2002 index 06a7b31d0..49f841e56 100644 --- a/test/scripts/2000-GnuTLS/2002 +++ b/test/scripts/2000-GnuTLS/2002 @@ -1,4 +1,4 @@ -# TLS server: general +# TLS server: general ops and certificate extractions gnutls exim -DSERVER=server -bd -oX PORT_D **** 
@@ -60,7 +60,7 @@ ehlo rhu.barb starttls ??? 220 **** -client-gnutls HOSTIPV4 PORT_D DIR/aux-fixed/cert2 DIR/aux-fixed/cert2 +client-gnutls HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key ??? 220 ehlo rhu.barb ??? 250- diff --git a/test/scripts/2000-GnuTLS/2012 b/test/scripts/2000-GnuTLS/2012 index e86bf1707..3b25ba206 100644 --- a/test/scripts/2000-GnuTLS/2012 +++ b/test/scripts/2000-GnuTLS/2012 @@ -5,6 +5,15 @@ exim -DSERVER=server -bd -oX PORT_D exim userx@test.ex Testing **** +exim usery@test.ex +Testing +**** +exim userz@test.ex +Testing +**** +exim userq@test.ex +Testing +**** exim -qf **** killdaemon diff --git a/test/scripts/2000-GnuTLS/2026 b/test/scripts/2000-GnuTLS/2026 index 18361c62f..e94d7c5d0 100644 --- a/test/scripts/2000-GnuTLS/2026 +++ b/test/scripts/2000-GnuTLS/2026 @@ -7,3 +7,4 @@ exim -odi userx usery # Wait to allow delivery to finish before killing the daemon sleep 1 killdaemon +no_msglog_check diff --git a/test/scripts/2100-OpenSSL/2102 b/test/scripts/2100-OpenSSL/2102 index 2e7dca0a6..cbb9ce393 100644 --- a/test/scripts/2100-OpenSSL/2102 +++ b/test/scripts/2100-OpenSSL/2102 @@ -1,4 +1,4 @@ -# TLS server: general +# TLS server: general ops and certificate extractions exim -DSERVER=server -bd -oX PORT_D **** client-ssl 127.0.0.1 PORT_D @@ -59,7 +59,7 @@ ehlo rhu.barb starttls ??? 220 **** -client-ssl HOSTIPV4 PORT_D DIR/aux-fixed/cert2 DIR/aux-fixed/cert2 +client-ssl HOSTIPV4 PORT_D DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key ??? 220 ehlo rhu.barb ??? 250- diff --git a/test/scripts/2100-OpenSSL/2112 b/test/scripts/2100-OpenSSL/2112 index 4793929bc..98ea4cb17 100644 --- a/test/scripts/2100-OpenSSL/2112 +++ b/test/scripts/2100-OpenSSL/2112 
@@ -4,6 +4,15 @@ exim -DSERVER=server -bd -oX PORT_D exim userx@test.ex Testing **** +exim usery@test.ex +Testing +**** +exim userz@test.ex +Testing +**** +exim userq@test.ex +Testing +**** exim -qf **** killdaemon diff --git a/test/scripts/5400-cutthrough/5400 b/test/scripts/5400-cutthrough/5400 index 56d6fec77..3e56b43b8 100644 --- a/test/scripts/5400-cutthrough/5400 +++ b/test/scripts/5400-cutthrough/5400 @@ -26,8 +26,6 @@ DATA QUIT **** # cutthrough_delivery into HELO-only server -need_ipv4 -# server PORT_S 220 SMTP only spoken here EHLO @@ -92,3 +90,36 @@ DATA QUIT **** sleep 1 +# +# +# +# +# +# cutthrough_delivery basic operation, again +server PORT_S +220 ESMTP +EHLO +250 OK +MAIL FROM: +250 Sender OK +RCPT TO: +250 Recipient OK +DATA +354 Send data +. +250 OK +QUIT +250 OK +**** +exim -d-all+acl+transport -bs +EHLO myhost.test.ex +MAIL FROM: +RCPT TO: +DATA +X-hdr-rtr: qqq +X-hdr-tpt: zzz + +body +. +QUIT +**** diff --git a/test/scripts/5410-cutthrough-OpenSSL/5410 b/test/scripts/5410-cutthrough-OpenSSL/5410 index 9f5ff7196..5c9598c66 100644 --- a/test/scripts/5410-cutthrough-OpenSSL/5410 +++ b/test/scripts/5410-cutthrough-OpenSSL/5410 @@ -1,4 +1,4 @@ -# cutthrough_delivery to target oferring TLS +# cutthrough_delivery to target offerring TLS exim -DSERVER=server -bd -oX PORT_D **** # this one should succeed diff --git a/test/scripts/5440-certnames-GnuTLS/5440 b/test/scripts/5440-certnames-GnuTLS/5440 new file mode 100644 index 000000000..fea9551c0 --- /dev/null +++ b/test/scripts/5440-certnames-GnuTLS/5440 @@ -0,0 +1,14 @@ +# TLS client: verify certificate from server - fails +gnutls +exim -DSERVER=server -bd -oX PORT_D +**** +exim userr@test.ex +Testing +**** +exim users@test.ex +Testing +**** +exim -qf +**** +killdaemon +no_msglog_check diff --git a/test/scripts/5440-certnames-GnuTLS/REQUIRES b/test/scripts/5440-certnames-GnuTLS/REQUIRES new file mode 100644 index 000000000..5a5fac1f1 --- /dev/null +++ b/test/scripts/5440-certnames-GnuTLS/REQUIRES 
@@ -0,0 +1,3 @@ +support GnuTLS +support Experimental_Certnames +running IPv4 diff --git a/test/scripts/5450-certnames-OpenSSL/5450 b/test/scripts/5450-certnames-OpenSSL/5450 new file mode 100644 index 000000000..c94d1a5b2 --- /dev/null +++ b/test/scripts/5450-certnames-OpenSSL/5450 @@ -0,0 +1,16 @@ +# TLS client: verify certificate from server - fails +exim -DSERVER=server -bd -oX PORT_D +**** +exim userq@test.ex +Testing +**** +exim userr@test.ex +Testing +**** +exim users@test.ex +Testing +**** +exim -qf +**** +killdaemon +no_msglog_check diff --git a/test/scripts/5450-certnames-OpenSSL/REQUIRES b/test/scripts/5450-certnames-OpenSSL/REQUIRES new file mode 100644 index 000000000..663b390a9 --- /dev/null +++ b/test/scripts/5450-certnames-OpenSSL/REQUIRES @@ -0,0 +1,3 @@ +support OpenSSL +support Experimental_Certnames +running IPv4 diff --git a/test/scripts/5500-PRDR/REQUIRES b/test/scripts/5500-PRDR/REQUIRES index b3c99396a..e69de29bb 100644 --- a/test/scripts/5500-PRDR/REQUIRES +++ b/test/scripts/5500-PRDR/REQUIRES @@ -1 +0,0 @@ -support Experimental_PRDR diff --git a/test/scripts/5600-OCSP-OpenSSL/5600 b/test/scripts/5600-OCSP-OpenSSL/5600 index 464da693c..c7a700fde 100644 --- a/test/scripts/5600-OCSP-OpenSSL/5600 +++ b/test/scripts/5600-OCSP-OpenSSL/5600 @@ -1,4 +1,4 @@ -# TLS server: OCSP stapling +# OCSP stapling, server # # # diff --git a/test/scripts/5600-OCSP-OpenSSL/5601 b/test/scripts/5600-OCSP-OpenSSL/5601 index b2983eb0d..521f8fd71 100644 --- a/test/scripts/5600-OCSP-OpenSSL/5601 +++ b/test/scripts/5600-OCSP-OpenSSL/5601 @@ -1,10 +1,10 @@ # OCSP stapling, client # # -# Client works when we don't demand OCSP stapling +# Client works when we request but don't require OCSP stapling and none comes exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null **** -exim nostaple@test.ex +exim norequire@test.ex test message. **** sleep 1 
@@ -13,10 +13,19 @@ killdaemon # # # -# Client accepts good stapled info +# Client works when we don't request OCSP stapling exim -bd -oX PORT_D -DSERVER=server \ -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp **** +exim nostaple@test.ex +test message. +**** +millisleep 500 +# +# +# +# +# Client accepts good stapled info exim CALLER@test.ex test message. **** @@ -25,7 +34,7 @@ killdaemon # # # -# Client fails on lack of requested stapled info +# Client fails on lack of required stapled info exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null **** exim CALLER@test.ex diff --git a/test/scripts/5600-OCSP-OpenSSL/REQUIRES b/test/scripts/5600-OCSP-OpenSSL/REQUIRES index 3d15ede9e..73788d383 100644 --- a/test/scripts/5600-OCSP-OpenSSL/REQUIRES +++ b/test/scripts/5600-OCSP-OpenSSL/REQUIRES @@ -1,3 +1,3 @@ support OpenSSL -support Experimental_OCSP +support OCSP running IPv4 diff --git a/test/scripts/5608-OCSP-OpenSSL-TPDA/5608 b/test/scripts/5608-OCSP-OpenSSL-TPDA/5608 new file mode 100644 index 000000000..8010507dc --- /dev/null +++ b/test/scripts/5608-OCSP-OpenSSL-TPDA/5608 
@@ -0,0 +1,84 @@ +# OCSP stapling, client, tpda +# duplicate of 5601 +# +# +# Client works when we request but don't require OCSP stapling and none comes +exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null +**** +exim norequire@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# +# Client works when we request but don't require OCSP stapling and some arrives +exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp +**** +exim norequire@test.ex +test message. +**** +millisleep 500 +# +# +# +# +# Client works when we don't request OCSP stapling +exim nostaple@test.ex +test message. +**** +millisleep 500 +# +# +# +# +# Client accepts good stapled info +exim good@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# Client fails on lack of required stapled info +exim -bd -oX PORT_D -DSERVER=server -DOCSP=/dev/null +**** +exim failrequire@test.ex +test message. +**** +sleep 1 +killdaemon +no_msglog_check +# +# +# +# Client fails on revoked stapled info +EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp +**** +exim failrevoked@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# +# Client fails on expired stapled info +EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp +**** +exim failexpired@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# diff --git a/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES b/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES new file mode 100644 index 000000000..492da8f2c --- /dev/null +++ b/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES @@ -0,0 +1,4 @@ +support OpenSSL +support OCSP +support Experimental_TPDA +running IPv4 
diff --git a/test/scripts/5650-OCSP-GnuTLS/5650 b/test/scripts/5650-OCSP-GnuTLS/5650 new file mode 100644 index 000000000..440053ecb --- /dev/null +++ b/test/scripts/5650-OCSP-GnuTLS/5650 @@ -0,0 +1,80 @@ +# OCSP stapling, server +# +# +# +# 1: Server sends good staple on request +exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp +**** +client-gnutls \ + -ocsp aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \ + HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2 +??? 220 +ehlo rhu.barb +??? 250- +??? 250- +??? 250- +??? 250- +??? 250- +??? 250 +starttls +??? 220 +mail from: +??? 250 +rcpt to: +??? 250 +quit +??? 221 +**** +killdaemon +# +# +# +# 2: Server does not staple an outdated response +exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp +**** +# XXX test sequence might not be quite right; this is for a server refusal +# and we're expecting a client refusal. +client-gnutls -ocsp aux-fixed/exim-ca/expired1.example.com/CA.pem HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2 +??? 220 +ehlo rhu.barb +??? 250- +??? 250- +??? 250- +??? 250- +??? 250- +??? 250 +starttls +??? 220 +**** +killdaemon +# +# +# +# +# +# 3: Server does not staple a response for a revoked cert +exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp +**** +client-gnutls \ + -ocsp aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \ + HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2 +??? 220 +ehlo rhu.barb +??? 250- +??? 250- +??? 250- +??? 250- +??? 250- +??? 250 +starttls +??? 220 +**** +killdaemon +# +# +# +# +# diff --git a/test/scripts/5650-OCSP-GnuTLS/5651 b/test/scripts/5650-OCSP-GnuTLS/5651 new file mode 100644 index 000000000..2015d43b9 --- /dev/null +++ b/test/scripts/5650-OCSP-GnuTLS/5651 
@@ -0,0 +1,74 @@ +# OCSP stapling, client +# +# +# Client works when we request but don't require OCSP stapling and none comes +exim -bd -oX PORT_D -DSERVER=server -DOCSP="" +**** +exim norequire@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# +# Client works when we don't request OCSP stapling +exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp +**** +exim nostaple@test.ex +test message. +**** +millisleep 500 +# +# +# +# +# Client accepts good stapled info +exim CALLER@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# Client fails on lack of required stapled info +exim -bd -oX PORT_D -DSERVER=server -DOCSP="" +**** +exim CALLER@test.ex +test message. +**** +sleep 1 +killdaemon +no_msglog_check +# +# +# +# Client fails on revoked stapled info +EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp +**** +exim CALLER@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# +# Client fails on expired stapled info +EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp +**** +exim CALLER@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# diff --git a/test/scripts/5650-OCSP-GnuTLS/REQUIRES b/test/scripts/5650-OCSP-GnuTLS/REQUIRES new file mode 100644 index 000000000..70ce2de51 --- /dev/null +++ b/test/scripts/5650-OCSP-GnuTLS/REQUIRES @@ -0,0 +1,3 @@ +support GnuTLS +support OCSP +running IPv4 diff --git a/test/scripts/5658-OCSP-GnuTLS-TPDA/5658 b/test/scripts/5658-OCSP-GnuTLS-TPDA/5658 new file mode 100644 index 000000000..759810613 --- /dev/null +++ b/test/scripts/5658-OCSP-GnuTLS-TPDA/5658 
@@ -0,0 +1,84 @@ +# OCSP stapling, client, tpda +# duplicate of 5651 +# +# +# Client works when we request but don't require OCSP stapling and none comes +exim -bd -oX PORT_D -DSERVER=server -DOCSP="" +**** +exim norequire@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# +# Client works when we request but don't require OCSP stapling and some arrives +exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp +**** +exim norequire@test.ex +test message. +**** +millisleep 500 +# +# +# +# +# Client works when we don't request OCSP stapling +exim nostaple@test.ex +test message. +**** +millisleep 500 +# +# +# +# +# Client accepts good stapled info +exim good@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# Client fails on lack of required stapled info +exim -bd -oX PORT_D -DSERVER=server -DOCSP="" +**** +exim failrequire@test.ex +test message. +**** +sleep 1 +killdaemon +no_msglog_check +# +# +# +# Client fails on revoked stapled info +EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.revoked.resp +**** +exim failrevoked@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# +# Client fails on expired stapled info +EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK=y exim -bd -oX PORT_D -DSERVER=server \ + -DOCSP=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp +**** +exim failexpired@test.ex +test message. +**** +sleep 1 +killdaemon +# +# +# +# diff --git a/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES b/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES new file mode 100644 index 000000000..379807959 --- /dev/null +++ b/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES @@ -0,0 +1,4 @@ +support GnuTLS +support OCSP +support Experimental_TPDA +running IPv4 
diff --git a/test/scripts/5750-GnuTLS-TPDA/5750 b/test/scripts/5750-GnuTLS-TPDA/5750 new file mode 100644 index 000000000..903c79525 --- /dev/null +++ b/test/scripts/5750-GnuTLS-TPDA/5750 @@ -0,0 +1,13 @@ +# TLS client: GnuTLS $tls_out_peercert +exim -DSERVER=server -bd -oX PORT_D +**** +exim bad@test.ex +Testing +**** +exim good@test.ex +Testing +**** +exim -qf +**** +killdaemon +no_msglog_check diff --git a/test/scripts/5750-GnuTLS-TPDA/REQUIRES b/test/scripts/5750-GnuTLS-TPDA/REQUIRES new file mode 100644 index 000000000..af1eb46f7 --- /dev/null +++ b/test/scripts/5750-GnuTLS-TPDA/REQUIRES @@ -0,0 +1,2 @@ +support Experimental_TPDA +support GnuTLS diff --git a/test/scripts/5760-OpenSSL-TPDA/5760 b/test/scripts/5760-OpenSSL-TPDA/5760 new file mode 100644 index 000000000..8fa8bd04b --- /dev/null +++ b/test/scripts/5760-OpenSSL-TPDA/5760 @@ -0,0 +1,13 @@ +# TLS client: OpenSSL certificates and extractions +exim -DSERVER=server -bd -oX PORT_D +**** +exim bad@test.ex +Testing +**** +exim good@test.ex +Testing +**** +exim -qf +**** +killdaemon +no_msglog_check diff --git a/test/scripts/5760-OpenSSL-TPDA/REQUIRES b/test/scripts/5760-OpenSSL-TPDA/REQUIRES new file mode 100644 index 000000000..5b4892059 --- /dev/null +++ b/test/scripts/5760-OpenSSL-TPDA/REQUIRES @@ -0,0 +1,2 @@ +support Experimental_TPDA +support OpenSSL diff --git a/test/src/client.c b/test/src/client.c index 3b782f3fd..e7210f223 100644 --- a/test/src/client.c +++ b/test/src/client.c 
@@ -1,8 +1,8 @@ /* A little hacked up program that makes a TCP/IP call and reads a script to drive it, for testing Exim server code running as a daemon. It's got a bit messy with the addition of support for either OpenSSL or GnuTLS. The code for -those was hacked out of Exim itself, then code for OCSP stapling was ripped -from the openssl ocsp and s_client utilities. */ +those was hacked out of Exim itself, then code for OpenSSL OCSP stapling was +ripped from the openssl ocsp and s_client utilities. */ /* ANSI C standard includes */ @@ -60,25 +60,27 @@ static int sigalrm_seen = 0; latter needs a whole pile of tables. */ #ifdef HAVE_OPENSSL -#define HAVE_TLS -#include -#include -#include -#include -#include -#include -#include - -char * ocsp_stapling = NULL; +# define HAVE_TLS +# include +# include +# include +# include +# include +# include +# include #endif #ifdef HAVE_GNUTLS -#define HAVE_TLS -#include -#include +# define HAVE_TLS +# include +# include +# if GNUTLS_VERSION_NUMBER >= 0x030103 +# define HAVE_OCSP +# include +# endif -#define DH_BITS 768 +# define DH_BITS 768 /* Local static variables for GNUTLS */ @@ -114,10 +116,14 @@ static const int mac_priority[16] = { static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 }; static const int cert_type_priority[16] = { GNUTLS_CRT_X509, 0 }; -#endif +#endif /*HAVE_GNUTLS*/ +#ifdef HAVE_TLS +char * ocsp_stapling = NULL; +#endif + /************************************************* * SIGALRM handler - crash out * @@ -238,7 +244,8 @@ return ret; * Start an OpenSSL TLS session * *************************************************/ -int tls_start(int sock, SSL **ssl, SSL_CTX *ctx) +int +tls_start(int sock, SSL **ssl, SSL_CTX *ctx) { int rc; static const char *sid_ctx = "exim"; 
@@ -416,6 +423,11 @@ if (certificate != NULL) /* Associate the parameters with the x509 credentials structure. */ gnutls_certificate_set_dh_params(x509_cred, dh_params); + +/* set the CA info for server-cert verify */ +if (ocsp_stapling) + gnutls_certificate_set_x509_trust_file(x509_cred, ocsp_stapling, + GNUTLS_X509_FMT_PEM); } @@ -514,7 +526,7 @@ while (argc >= argi + 1 && argv[argi][0] == '-') tls_on_connect = 1; argi++; } -#ifdef HAVE_OPENSSL +#ifdef HAVE_TLS else if (strcmp(argv[argi], "-ocsp") == 0) { if (argc < ++argi + 1) @@ -524,6 +536,7 @@ while (argc >= argi + 1 && argv[argi][0] == '-') } ocsp_stapling = argv[argi++]; } + #endif else if (argv[argi][1] == 't' && isdigit(argv[argi][2])) { @@ -757,6 +770,10 @@ if (certfile != NULL) printf("Certificate file = %s\n", certfile); if (keyfile != NULL) printf("Key file = %s\n", keyfile); tls_init(certfile, keyfile); tls_session = tls_session_init(); +#ifdef HAVE_OCSP +if (ocsp_stapling) + gnutls_ocsp_status_request_enable_client(tls_session, NULL, 0, NULL); +#endif gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr)sock); /* When the server asks for a certificate and the client does not have one, @@ -791,6 +808,11 @@ if (tls_on_connect) if (!tls_active) printf("Failed to start TLS\n"); + #if defined(HAVE_GNUTLS) && defined(HAVE_OCSP) + else if ( ocsp_stapling + && gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0) + printf("Failed to verify certificate status\n"); + #endif else printf("Succeeded in starting TLS\n"); } @@ -865,6 +887,9 @@ while (fgets(outbuffer, sizeof(outbuffer), stdin) != NULL) { if (lineptr[0] == '2') { +int rc; + unsigned int verify; + printf("Attempting to start TLS\n"); fflush(stdout); 
@@ -884,6 +909,44 @@ while (fgets(outbuffer, sizeof(outbuffer), stdin) != NULL) printf("Failed to start TLS\n"); fflush(stdout); } + #ifdef HAVE_GNUTLS + else if (ocsp_stapling) + { + if ((rc= gnutls_certificate_verify_peers2(tls_session, &verify)) < 0) + { + printf("Failed to verify certificate: %s\n", gnutls_strerror(rc)); + fflush(stdout); + } + else if (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) + { + printf("Bad certificate\n"); + fflush(stdout); + } + #ifdef HAVE_OCSP + else if (gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0) + { + printf("Failed to verify certificate status\n"); + { + gnutls_datum_t stapling; + gnutls_ocsp_resp_t resp; + gnutls_datum_t printed; + if ( (rc= gnutls_ocsp_status_request_get(tls_session, &stapling)) == 0 + && (rc= gnutls_ocsp_resp_init(&resp)) == 0 + && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0 + && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0 + ) + { + fprintf(stderr, "%.4096s", printed.data); + gnutls_free(printed.data); + } + else + (void) fprintf(stderr,"ocsp decode: %s", gnutls_strerror(rc)); + } + fflush(stdout); + } + #endif + } + #endif else printf("Succeeded in starting TLS\n"); } diff --git a/test/stderr/0002 b/test/stderr/0002 index 7a6632bfe..023c001bd 100644 --- a/test/stderr/0002 +++ b/test/stderr/0002 @@ -254,6 +254,7 @@ search_tidyup called LOG: 10HmaX-0005vi-00 Subject is: "" >>> warn: condition test succeeded in ACL "check_data" >>> processing "deny" +>>> message: reply_address=<$reply_address> >>> deny: condition test succeeded in ACL "check_data" LOG: 10HmaX-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=<> >>> processing "accept" 
@@ -266,6 +267,7 @@ LOG: 10HmaX-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=<> LOG: 10HmaY-0005vi-00 Subject is: "" >>> warn: condition test succeeded in ACL "check_data" >>> processing "deny" +>>> message: reply_address=<$reply_address> >>> deny: condition test succeeded in ACL "check_data" LOG: 10HmaY-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address= >>> processing "accept" @@ -278,6 +280,7 @@ LOG: 10HmaY-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=>> warn: condition test succeeded in ACL "check_data" >>> processing "deny" +>>> message: reply_address=<$reply_address> >>> deny: condition test succeeded in ACL "check_data" LOG: 10HmaZ-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address= >>> processing "accept" @@ -290,6 +293,7 @@ LOG: 10HmaZ-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=>> warn: condition test succeeded in ACL "check_data" >>> processing "deny" +>>> message: reply_address=<$reply_address> >>> deny: condition test succeeded in ACL "check_data" LOG: 10HmbA-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=<> >>> processing "accept" @@ -302,6 +306,7 @@ LOG: 10HmbA-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=<> LOG: 10HmbB-0005vi-00 Subject is: "" >>> warn: condition test succeeded in ACL "check_data" >>> processing "deny" +>>> message: reply_address=<$reply_address> >>> deny: condition test succeeded in ACL "check_data" LOG: 10HmbB-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address= >>> host in hosts_connection_nolog? no (option unset) 
@@ -325,6 +330,7 @@ LOG: 10HmbB-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=>> warn: condition test succeeded in ACL "check_data" >>> processing "deny" +>>> message: reply_address=<$reply_address> >>> deny: condition test succeeded in ACL "check_data" LOG: 10HmbC-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=<> >>> host in hosts_connection_nolog? no (option unset) @@ -348,6 +354,7 @@ LOG: 10HmbC-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=<> LOG: 10HmbD-0005vi-00 Subject is: " here we go: a string that is going to be encoded: it will go over the 75-char limit by a long way; in fact this one will go over the 150 character limit" >>> warn: condition test succeeded in ACL "check_data" >>> processing "deny" +>>> message: reply_address=<$reply_address> >>> deny: condition test succeeded in ACL "check_data" LOG: 10HmbD-0005vi-00 H=[V4NET.0.0.0] F=<> rejected after DATA: reply_address=<> Exim version x.yz .... diff --git a/test/stderr/0018 b/test/stderr/0018 index 27aa6bc6d..6ab981441 100644 --- a/test/stderr/0018 +++ b/test/stderr/0018 @@ -16,6 +16,7 @@ MUNGED: ::1 will be omitted in what follows >>> host in "!localhost"? no (matched "!localhost") >>> deny: condition test failed in ACL "check_etrn" >>> processing "warn" +>>> l_message: accepted $smtp_command >>> warn: condition test succeeded in ACL "check_etrn" LOG: H=[127.0.0.1] Warning: accepted etrn #some.random.domain >>> processing "accept" diff --git a/test/stderr/0021 b/test/stderr/0021 index 64c72d2bf..3dbb81639 100644 --- a/test/stderr/0021 +++ b/test/stderr/0021 @@ -18,6 +18,7 @@ check hosts = : 10.9.8.7 host in ": 10.9.8.7"? no (end of list) deny: condition test failed in ACL "connect" processing "drop" +l_message: forcibly dropped check hosts = 10.9.8.9 host in "10.9.8.9"? no (end of list) drop: condition test failed in ACL "connect" 
@@ -29,6 +30,7 @@ LOG: MAIN accept: condition test succeeded in ACL "connect" using ACL "mail" processing "warn" + message: added header line check senders = ok@test3 address match test: subject=bad@test1 pattern=ok@test3 bad@test1 in "ok@test3"? no (end of list) @@ -44,6 +46,7 @@ LOG: MAIN REJECT H=[10.9.8.8] U=CALLER rejected MAIL using ACL "mail" processing "warn" + message: added header line check senders = ok@test3 address match test: subject=ok@test1 pattern=ok@test3 test1 in "test3"? no (end of list) @@ -116,6 +119,7 @@ check hosts = : 10.9.8.7 host in ": 10.9.8.7"? no (end of list) deny: condition test failed in ACL "connect" processing "drop" +l_message: forcibly dropped check hosts = 10.9.8.9 host in "10.9.8.9"? no (end of list) drop: condition test failed in ACL "connect" @@ -127,6 +131,7 @@ LOG: MAIN accept: condition test succeeded in ACL "connect" using ACL "mail" processing "warn" + message: added header line check senders = ok@test3 address match test: subject=ok@test3 pattern=ok@test3 test3 in "test3"? yes (matched "test3") diff --git a/test/stderr/0022 b/test/stderr/0022 index b486e0afd..864e19762 100644 --- a/test/stderr/0022 +++ b/test/stderr/0022 @@ -92,6 +92,7 @@ SMTP>> 250 OK SMTP<< rcpt to: using ACL "warn_log" processing "warn" +l_message: warn log message warn: condition test succeeded in ACL "warn_log" LOG: MAIN H=[V4NET.9.8.7] Warning: warn log message @@ -157,6 +158,7 @@ SMTP>> 250 OK SMTP<< rcpt to: using ACL "warn_user" processing "warn" + message: warn user message warn: condition test succeeded in ACL "warn_user" processing "accept" accept: condition test succeeded in ACL "warn_user" @@ -203,6 +205,7 @@ LOG: SMTP connection from [V4NET.9.8.7] >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "defer" >>> processing "defer" +>>> message: forcibly deferred >>> defer: condition test succeeded in ACL "defer" LOG: H=[V4NET.9.8.7] F= temporarily rejected RCPT : forcibly deferred >>> using ACL "accept" 
@@ -210,6 +213,7 @@ LOG: H=[V4NET.9.8.7] F= temporarily rejected RCPT : forcibly defer >>> accept: condition test succeeded in ACL "accept" >>> using ACL "drop" >>> processing "drop" +>>> message: forcibly dropped >>> drop: condition test succeeded in ACL "drop" LOG: H=[V4NET.9.8.7] F= rejected RCPT : forcibly dropped LOG: SMTP connection from [V4NET.9.8.7] closed by DROP in ACL @@ -266,16 +270,19 @@ LOG: SMTP connection from [V4NET.9.8.7] >>> processing "deny" >>> check hosts = net-lsearch;TESTSUITE/aux-var/0022.hosts >>> host in "net-lsearch;TESTSUITE/aux-var/0022.hosts"? yes (matched "net-lsearch;TESTSUITE/aux-var/0022.hosts") +>>> message: host data >$host_data< >>> deny: condition test succeeded in ACL "host_check" LOG: H=[V4NET.9.8.7] F= rejected RCPT : host data >A host-specific message< >>> using ACL "host_check" >>> processing "deny" >>> check hosts = net-lsearch;TESTSUITE/aux-var/0022.hosts >>> host in "net-lsearch;TESTSUITE/aux-var/0022.hosts"? yes (matched "net-lsearch;TESTSUITE/aux-var/0022.hosts") +>>> message: host data >$host_data< >>> deny: condition test succeeded in ACL "host_check" LOG: H=[V4NET.9.8.7] F= rejected RCPT : host data >A host-specific message< >>> using ACL "host_check2" >>> processing "deny" +>>> message: host data >$host_data< >>> check hosts = +some_hosts >>> host in "net-lsearch;TESTSUITE/aux-var/0022.hosts"? yes (matched "net-lsearch;TESTSUITE/aux-var/0022.hosts") >>> host in "+some_hosts"? yes (matched "+some_hosts") @@ -283,6 +290,7 @@ LOG: H=[V4NET.9.8.7] F= rejected RCPT : host data >A host-spe LOG: H=[V4NET.9.8.7] F= rejected RCPT : host data >A host-specific message< >>> using ACL "host_check2" >>> processing "deny" +>>> message: host data >$host_data< >>> check hosts = +some_hosts >>> host in "+some_hosts"? yes (matched "+some_hosts" - cached) >>> deny: condition test succeeded in ACL "host_check2" 
@@ -330,6 +338,7 @@ LOG: SMTP connection from [V4NET.9.8.7] >>> check acl = drop >>> using ACL "drop" >>> processing "drop" +>>> message: forcibly dropped >>> drop: condition test succeeded in ACL "drop" >>> accept: condition test yielded "drop" in ACL "nested_drop" >>> accept: endpass encountered - denying access @@ -349,6 +358,7 @@ LOG: SMTP connection from [V4NET.9.8.7] >>> check acl = drop >>> using ACL "drop" >>> processing "drop" +>>> message: forcibly dropped >>> drop: condition test succeeded in ACL "drop" >>> require: condition test yielded "drop" in ACL "nested_drop_require" LOG: H=[V4NET.9.8.7] F= rejected RCPT : forcibly dropped diff --git a/test/stderr/0023 b/test/stderr/0023 index b9894240b..01994efe6 100644 --- a/test/stderr/0023 +++ b/test/stderr/0023 @@ -12,10 +12,13 @@ >>> test.ex in "!nopass"? yes (end of list) >>> require: condition test succeeded in ACL "acl_1_2_3" >>> processing "require" +>>> message: $local_part@$domain shall not pass >>> check domains = !wontpass >>> test.ex in "!wontpass"? yes (end of list) >>> require: condition test succeeded in ACL "acl_1_2_3" >>> processing "deny" +>>> message: domain explicitly denied +>>> l_message: DOMAIN EXPLICITLY DENIED >>> check continue = this value is not used >>> check domains = deny.test.ex >>> test.ex in "deny.test.ex"? no (end of list) @@ -24,6 +27,7 @@ >>> check domains = +local_domains >>> test.ex in "test.ex : *.test.ex"? yes (matched "test.ex") >>> test.ex in "+local_domains"? yes (matched "+local_domains") +>>> message: $domain gets refused >>> check domains = !refuse.test.ex >>> test.ex in "!refuse.test.ex"? yes (end of list) >>> accept: condition test succeeded in ACL "acl_1_2_3" 
@@ -33,10 +37,13 @@ >>> z in "!nopass"? yes (end of list) >>> require: condition test succeeded in ACL "acl_1_2_3" >>> processing "require" +>>> message: $local_part@$domain shall not pass >>> check domains = !wontpass >>> z in "!wontpass"? yes (end of list) >>> require: condition test succeeded in ACL "acl_1_2_3" >>> processing "deny" +>>> message: domain explicitly denied +>>> l_message: DOMAIN EXPLICITLY DENIED >>> check continue = this value is not used >>> check domains = deny.test.ex >>> z in "deny.test.ex"? no (end of list) @@ -63,10 +70,13 @@ LOG: H=[1.2.3.4] F= rejected RCPT >>> test.ex in "!nopass"? yes (end of list) >>> require: condition test succeeded in ACL "acl_1_2_3" >>> processing "require" +>>> message: $local_part@$domain shall not pass >>> check domains = !wontpass >>> test.ex in "!wontpass"? yes (end of list) >>> require: condition test succeeded in ACL "acl_1_2_3" >>> processing "deny" +>>> message: domain explicitly denied +>>> l_message: DOMAIN EXPLICITLY DENIED >>> check continue = this value is not used >>> check domains = deny.test.ex >>> test.ex in "deny.test.ex"? no (end of list) @@ -75,6 +85,7 @@ LOG: H=[1.2.3.4] F= rejected RCPT >>> check domains = +local_domains >>> test.ex in "test.ex : *.test.ex"? yes (matched "test.ex") >>> test.ex in "+local_domains"? yes (matched "+local_domains") +>>> message: $domain gets refused >>> check domains = !refuse.test.ex >>> test.ex in "!refuse.test.ex"? yes (end of list) >>> accept: condition test succeeded in ACL "acl_1_2_3" 
@@ -84,10 +95,13 @@ LOG: H=[1.2.3.4] F= rejected RCPT >>> test.ex in "!nopass"? yes (end of list) >>> require: condition test succeeded in ACL "acl_1_2_3" >>> processing "require" +>>> message: $local_part@$domain shall not pass >>> check domains = !wontpass >>> test.ex in "!wontpass"? yes (end of list) >>> require: condition test succeeded in ACL "acl_1_2_3" >>> processing "deny" +>>> message: domain explicitly denied +>>> l_message: DOMAIN EXPLICITLY DENIED >>> check continue = this value is not used >>> check domains = deny.test.ex >>> test.ex in "deny.test.ex"? no (end of list) @@ -96,6 +110,7 @@ LOG: H=[1.2.3.4] F= rejected RCPT >>> check domains = +local_domains >>> test.ex in "test.ex : *.test.ex"? yes (matched "test.ex") >>> test.ex in "+local_domains"? yes (matched "+local_domains") +>>> message: $domain gets refused >>> check domains = !refuse.test.ex >>> test.ex in "!refuse.test.ex"? yes (end of list) >>> accept: condition test succeeded in ACL "acl_1_2_3" @@ -105,10 +120,13 @@ LOG: H=[1.2.3.4] F= rejected RCPT >>> relay.test.ex in "!nopass"? yes (end of list) >>> require: condition test succeeded in ACL "acl_1_2_3" >>> processing "require" +>>> message: $local_part@$domain shall not pass >>> check domains = !wontpass >>> relay.test.ex in "!wontpass"? yes (end of list) >>> require: condition test succeeded in ACL "acl_1_2_3" >>> processing "deny" +>>> message: domain explicitly denied +>>> l_message: DOMAIN EXPLICITLY DENIED >>> check continue = this value is not used >>> check domains = deny.test.ex >>> relay.test.ex in "deny.test.ex"? no (end of list) 
@@ -117,6 +135,7 @@ LOG: H=[1.2.3.4] F= rejected RCPT >>> check domains = +local_domains >>> relay.test.ex in "test.ex : *.test.ex"? yes (matched "*.test.ex") >>> relay.test.ex in "+local_domains"? yes (matched "+local_domains") +>>> message: $domain gets refused >>> check domains = !refuse.test.ex >>> relay.test.ex in "!refuse.test.ex"? yes (end of list) >>> accept: condition test succeeded in ACL "acl_1_2_3" @@ -126,10 +145,13 @@ LOG: H=[1.2.3.4] F= rejected RCPT >>> deny.test.ex in "!nopass"? yes (end of list) >>> require: condition test succeeded in ACL "acl_1_2_3" >>> processing "require" +>>> message: $local_part@$domain shall not pass >>> check domains = !wontpass >>> deny.test.ex in "!wontpass"? yes (end of list) >>> require: condition test succeeded in ACL "acl_1_2_3" >>> processing "deny" +>>> message: domain explicitly denied +>>> l_message: DOMAIN EXPLICITLY DENIED >>> check continue = this value is not used >>> check domains = deny.test.ex >>> deny.test.ex in "deny.test.ex"? yes (matched "deny.test.ex") @@ -141,10 +163,13 @@ LOG: H=[1.2.3.4] F= rejected RCPT : DOMAIN EXPLICITLY DENIE >>> refuse.test.ex in "!nopass"? yes (end of list) >>> require: condition test succeeded in ACL "acl_1_2_3" >>> processing "require" +>>> message: $local_part@$domain shall not pass >>> check domains = !wontpass >>> refuse.test.ex in "!wontpass"? yes (end of list) >>> require: condition test succeeded in ACL "acl_1_2_3" >>> processing "deny" +>>> message: domain explicitly denied +>>> l_message: DOMAIN EXPLICITLY DENIED >>> check continue = this value is not used >>> check domains = deny.test.ex >>> refuse.test.ex in "deny.test.ex"? no (end of list) 
@@ -153,6 +178,7 @@ LOG: H=[1.2.3.4] F= rejected RCPT : DOMAIN EXPLICITLY DENIE >>> check domains = +local_domains >>> refuse.test.ex in "test.ex : *.test.ex"? yes (matched "*.test.ex") >>> refuse.test.ex in "+local_domains"? yes (matched "+local_domains") +>>> message: $domain gets refused >>> check domains = !refuse.test.ex >>> refuse.test.ex in "!refuse.test.ex"? no (matched "!refuse.test.ex") >>> accept: condition test failed in ACL "acl_1_2_3" @@ -170,6 +196,7 @@ LOG: H=[1.2.3.4] F= rejected RCPT >>> wontpass in "!nopass"? yes (end of list) >>> require: condition test succeeded in ACL "acl_1_2_3" >>> processing "require" +>>> message: $local_part@$domain shall not pass >>> check domains = !wontpass >>> wontpass in "!wontpass"? no (matched "!wontpass") >>> require: condition test failed in ACL "acl_1_2_3" @@ -246,6 +273,7 @@ LOG: H=[5.6.7.8] F= rejected RCPT >>> host in "+ok9_hosts"? no (end of list) >>> accept: condition test failed in ACL "acl_9_9_9" >>> processing "deny" +>>> message: don't like this host >>> check hosts = 9.9.9.0/26 >>> host in "9.9.9.0/26"? yes (matched "9.9.9.0/26") >>> deny: condition test succeeded in ACL "acl_9_9_9" @@ -256,6 +284,7 @@ LOG: H=[9.9.9.8] F= rejected RCPT : don't like this host >>> host in "+ok9_hosts"? no (end of list) >>> accept: condition test failed in ACL "acl_9_9_9" >>> processing "deny" +>>> message: don't like this host >>> check hosts = 9.9.9.0/26 >>> host in "9.9.9.0/26"? yes (matched "9.9.9.0/26") >>> deny: condition test succeeded in ACL "acl_9_9_9" @@ -275,6 +304,7 @@ LOG: H=[9.9.9.8] F= rejected RCPT : don't like this host >>> host in "+ok9_hosts"? no (end of list) >>> accept: condition test failed in ACL "acl_9_9_9" >>> processing "deny" +>>> message: don't like this host >>> check hosts = 9.9.9.0/26 >>> host in "9.9.9.0/26"? no (end of list) >>> deny: condition test failed in ACL "acl_9_9_9" 
@@ -288,6 +318,7 @@ LOG: H=[9.9.9.8] F= rejected RCPT : don't like this host >>> host in "+ok9_hosts"? no (end of list) >>> accept: condition test failed in ACL "acl_9_9_9" >>> processing "deny" +>>> message: don't like this host >>> check hosts = 9.9.9.0/26 >>> host in "9.9.9.0/26"? no (end of list) >>> deny: condition test failed in ACL "acl_9_9_9" @@ -381,6 +412,7 @@ LOG: H=[5.6.8.1] F= rejected RCPT >>> = no >>> accept: condition test failed in ACL "acl_5_6_11" >>> processing "deny" +>>> message: "local part of wrong type\n(quotes are literal) >>> deny: condition test succeeded in ACL "acl_5_6_11" LOG: H=[5.6.11.1] F= rejected RCPT : "local part of wrong type >>> host in hosts_connection_nolog? no (option unset) @@ -395,6 +427,7 @@ LOG: H=[5.6.11.1] F= rejected RCPT : "local part of wrong type >>> processing "accept" >>> check hosts = 5.6.12.1 >>> host in "5.6.12.1"? yes (matched "5.6.12.1") +>>> message: failed nested acl >>> check acl = acl_5_6_12A >>> using ACL "acl_5_6_12A" >>> processing "accept" @@ -406,6 +439,7 @@ LOG: H=[5.6.11.1] F= rejected RCPT : "local part of wrong type >>> processing "accept" >>> check hosts = 5.6.12.1 >>> host in "5.6.12.1"? yes (matched "5.6.12.1") +>>> message: failed nested acl >>> check acl = acl_5_6_12A >>> using ACL "acl_5_6_12A" >>> processing "accept" @@ -588,6 +622,8 @@ LOG: H=[5.6.13.1] F= rejected RCPT >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "acl_V4NET_11_12" >>> processing "deny" +>>> message: host in DNS list $dnslist_domain: $dnslist_text +>>> l_message: DNSLIST ($dnslist_domain: $dnslist_text) >>> check dnslists = rbl.test.ex >>> DNS list check: rbl.test.ex >>> new DNS lookup for 13.12.11.V4NET.rbl.test.ex 
@@ -597,6 +633,8 @@ LOG: H=[5.6.13.1] F= rejected RCPT LOG: H=[V4NET.11.12.13] F= rejected RCPT : DNSLIST (rbl.test.ex: This is a test blacklisting message) >>> using ACL "acl_V4NET_11_12" >>> processing "deny" +>>> message: host in DNS list $dnslist_domain: $dnslist_text +>>> l_message: DNSLIST ($dnslist_domain: $dnslist_text) >>> check dnslists = rbl.test.ex >>> DNS list check: rbl.test.ex >>> using result of previous DNS lookup @@ -614,6 +652,8 @@ LOG: H=[V4NET.11.12.13] F= rejected RCPT : DNSLIST (rbl.test.ex: This >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "acl_V4NET_11_12" >>> processing "deny" +>>> message: host in DNS list $dnslist_domain: $dnslist_text +>>> l_message: DNSLIST ($dnslist_domain: $dnslist_text) >>> check dnslists = rbl.test.ex >>> DNS list check: rbl.test.ex >>> new DNS lookup for 12.12.11.V4NET.rbl.test.ex @@ -624,6 +664,8 @@ LOG: H=[V4NET.11.12.13] F= rejected RCPT : DNSLIST (rbl.test.ex: This >>> accept: condition test succeeded in ACL "acl_V4NET_11_12" >>> using ACL "acl_V4NET_11_12" >>> processing "deny" +>>> message: host in DNS list $dnslist_domain: $dnslist_text +>>> l_message: DNSLIST ($dnslist_domain: $dnslist_text) >>> check dnslists = rbl.test.ex >>> DNS list check: rbl.test.ex >>> using result of previous DNS lookup @@ -642,6 +684,7 @@ LOG: H=[V4NET.11.12.13] F= rejected RCPT : DNSLIST (rbl.test.ex: This >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "acl_20_20_20" >>> processing "accept" +>>> message: sender verify failure >>> check verify = sender >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing x@y @@ -656,6 +699,7 @@ LOG: H=[20.20.20.20] sender verify fail for : Unrouteable address LOG: H=[20.20.20.20] F= rejected RCPT : Sender verify failed >>> using ACL "acl_20_20_20" >>> processing "accept" +>>> message: sender verify failure >>> check verify = sender >>> using cached sender verify result >>> accept: condition test failed in ACL "acl_20_20_20" 
@@ -671,6 +715,7 @@ LOG: H=[20.20.20.20] F= rejected RCPT : Sender verify failed >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "acl_20_20_20" >>> processing "accept" +>>> message: sender verify failure >>> check verify = sender >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing userx@y @@ -679,6 +724,7 @@ LOG: H=[20.20.20.20] F= rejected RCPT : Sender verify failed >>> calling r1 router >>> routed by r1 router >>> ----------- end verify ------------ +>>> message: recipient verify failure >>> check verify = recipient >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing x1@y @@ -692,8 +738,10 @@ LOG: H=[20.20.20.20] F= rejected RCPT : Sender verify failed LOG: H=[20.20.20.20] F= rejected RCPT : Unrouteable address >>> using ACL "acl_20_20_20" >>> processing "accept" +>>> message: sender verify failure >>> check verify = sender >>> using cached sender verify result +>>> message: recipient verify failure >>> check verify = recipient >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing userx@y @@ -831,6 +879,7 @@ LOG: H=[22.22.22.22] F= rejected RCPT >>> processing "deny" >>> check hosts = 23.23.23.0 >>> host in "23.23.23.0"? yes (matched "23.23.23.0") +>>> message: sender must verify >>> check !verify = sender >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing x@y @@ -846,6 +895,7 @@ LOG: H=[23.23.23.0] F= rejected RCPT : Sender verify failed >>> processing "deny" >>> check hosts = 23.23.23.0 >>> host in "23.23.23.0"? yes (matched "23.23.23.0") +>>> message: sender must verify >>> check !verify = sender >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing userx@y @@ -882,6 +932,7 @@ LOG: H=[23.23.23.0] F= rejected RCPT : Sender verify failed >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "acl_24_24_24" >>> processing "warn" +>>> message: X-Warn: sender didn't verify >>> check condition = yes >>> warn: condition test succeeded in ACL "acl_24_24_24" >>> end of ACL "acl_24_24_24": implicit DENY 
@@ -896,6 +947,7 @@ LOG: H=[24.24.24.24] F= rejected RCPT >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "acl_25_25_25" >>> processing "deny" +>>> message: denying domains=x >>> check domains = x >>> y in "x"? no (end of list) >>> deny: condition test failed in ACL "acl_25_25_25" @@ -913,6 +965,7 @@ LOG: H=[25.25.25.25] F= rejected RCPT >>> processing "deny" >>> check senders = : >>> in ":"? yes (matched "") +>>> message: bounce messages can have only one recipient >>> check condition = ${if > {$recipients_count}{0}{yes}{no}} >>> = no >>> deny: condition test failed in ACL "acl_26_26_26" @@ -922,6 +975,7 @@ LOG: H=[25.25.25.25] F= rejected RCPT >>> processing "deny" >>> check senders = : >>> in ":"? yes (matched "") +>>> message: bounce messages can have only one recipient >>> check condition = ${if > {$recipients_count}{0}{yes}{no}} >>> = yes >>> deny: condition test succeeded in ACL "acl_26_26_26" @@ -930,6 +984,7 @@ LOG: H=[26.26.26.26] F=<> rejected RCPT : bounce messages can have only one >>> processing "deny" >>> check senders = : >>> in ":"? yes (matched "") +>>> message: bounce messages can have only one recipient >>> check condition = ${if > {$recipients_count}{0}{yes}{no}} >>> = yes >>> deny: condition test succeeded in ACL "acl_26_26_26" @@ -1058,6 +1113,7 @@ LOG: H=[29.29.29.29] F= rejected RCPT >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "acl_30_30_30" >>> processing "deny" +>>> message: domain=$dnslist_domain\nvalue=$dnslist_value\nmatched=$dnslist_matched\ntext="$dnslist_text" >>> check dnslists = test.ex=V4NET.0.0.1,127.0.0.2/$sender_address_domain >>> = test.ex=V4NET.0.0.1,127.0.0.2/ten-1 >>> DNS list check: test.ex=V4NET.0.0.1,127.0.0.2/ten-1 
@@ -1068,6 +1124,7 @@ LOG: H=[29.29.29.29] F= rejected RCPT LOG: H=[30.30.30.30] F= rejected RCPT : domain=test.ex >>> using ACL "acl_30_30_30" >>> processing "deny" +>>> message: domain=$dnslist_domain\nvalue=$dnslist_value\nmatched=$dnslist_matched\ntext="$dnslist_text" >>> check dnslists = test.ex=V4NET.0.0.1,127.0.0.2/$sender_address_domain >>> = test.ex=V4NET.0.0.1,127.0.0.2/ten-2 >>> DNS list check: test.ex=V4NET.0.0.1,127.0.0.2/ten-2 @@ -1081,6 +1138,7 @@ LOG: H=[30.30.30.30] F= rejected RCPT : domain=test.ex >>> host in smtp_accept_max_nonmail_hosts? yes (matched "*") >>> using ACL "acl_30_30_30" >>> processing "deny" +>>> message: domain=$dnslist_domain\nvalue=$dnslist_value\nmatched=$dnslist_matched\ntext="$dnslist_text" >>> check dnslists = test.ex=V4NET.0.0.1,127.0.0.2/$sender_address_domain >>> = test.ex=V4NET.0.0.1,127.0.0.2/13.12.11.V4NET.rbl >>> DNS list check: test.ex=V4NET.0.0.1,127.0.0.2/13.12.11.V4NET.rbl @@ -1116,6 +1174,7 @@ LOG: dnslist query is too long (ignored): y+extra+extra+extra+extra+extra+extra+ >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "acl_33_33_33" >>> processing "accept" +>>> message: sender verify failure >>> check verify = sender/no_details >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing x@y @@ -1129,6 +1188,7 @@ LOG: dnslist query is too long (ignored): y+extra+extra+extra+extra+extra+extra+ LOG: H=[33.33.33.33] F= rejected RCPT : Sender verify failed >>> using ACL "acl_33_33_33" >>> processing "accept" +>>> message: sender verify failure >>> check verify = sender/no_details >>> using cached sender verify result >>> accept: condition test failed in ACL "acl_33_33_33" diff --git a/test/stderr/0026 b/test/stderr/0026 index c33875c88..328b169bd 100644 --- a/test/stderr/0026 +++ b/test/stderr/0026 
@@ -11,6 +11,7 @@ >>> host in ignore_fromline_hosts? no (option unset) >>> using ACL "acl_data" >>> processing "deny" +>>> l_message: body contains trigger >>> check condition = ${if match{$message_body}{trigger}{yes}{no}} >>> = no >>> deny: condition test failed in ACL "acl_data" @@ -31,6 +32,7 @@ LOG: 10HmbH-0005vi-00 H=[10.0.0.0] F= rejected after DATA: domain missing o >>> host in ignore_fromline_hosts? no (option unset) >>> using ACL "acl_data" >>> processing "deny" +>>> l_message: body contains trigger >>> check condition = ${if match{$message_body}{trigger}{yes}{no}} >>> = yes >>> deny: condition test succeeded in ACL "acl_data" diff --git a/test/stderr/0038 b/test/stderr/0038 index 141a1121d..727c1c6c3 100644 --- a/test/stderr/0038 +++ b/test/stderr/0038 @@ -16,6 +16,7 @@ >>> ratelimit initializing new key's rate data >>> ratelimit db updated >>> ratelimit computed rate 1.0 +>>> l_message: RCPT: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period >>> warn: condition test succeeded in ACL "check_rcpt" LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=1.0 sender_rate_limit=0 sender_rate_period=1h >>> processing "accept" @@ -26,6 +27,7 @@ LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=1.0 sender_rate_limit= >>> check ratelimit = 0/1h/per_byte/strict >>> ratelimit condition count=19 0.0/1h/per_mail/V4NET.9.8.7 >>> ratelimit found pre-computed rate 1.0 +>>> l_message: DATA: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period >>> warn: condition test succeeded in ACL "check_data" LOG: 10HmaX-0005vi-00 H=(test.ex) [V4NET.9.8.7] Warning: DATA: sender_rate=1.0 sender_rate_limit=0 sender_rate_period=1h >>> processing "deny" 
@@ -48,6 +50,7 @@ LOG: 10HmaX-0005vi-00 H=(test.ex) [V4NET.9.8.7] F=<> rejected after DATA >>> ratelimit found key in database >>> ratelimit db updated >>> ratelimit computed rate 2.0 +>>> l_message: RCPT: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period >>> warn: condition test succeeded in ACL "check_rcpt" LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=2.0 sender_rate_limit=0 sender_rate_period=1h >>> processing "accept" @@ -58,6 +61,7 @@ LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=2.0 sender_rate_limit= >>> check ratelimit = 0/1h/per_byte/strict >>> ratelimit condition count=19 0.0/1h/per_mail/V4NET.9.8.7 >>> ratelimit found pre-computed rate 2.0 +>>> l_message: DATA: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period >>> warn: condition test succeeded in ACL "check_data" LOG: 10HmaY-0005vi-00 H=(test.ex) [V4NET.9.8.7] Warning: DATA: sender_rate=2.0 sender_rate_limit=0 sender_rate_period=1h >>> processing "deny" @@ -81,6 +85,7 @@ LOG: 10HmaY-0005vi-00 H=(test.ex) [V4NET.9.8.7] F=<> rejected after DATA >>> ratelimit initializing new key's rate data >>> ratelimit db updated >>> ratelimit computed rate 1.0 +>>> l_message: RCPT: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period >>> warn: condition test succeeded in ACL "check_rcpt" LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=1.0 sender_rate_limit=0 sender_rate_period=1h >>> processing "accept" 
@@ -91,6 +96,7 @@ LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=1.0 sender_rate_limit= >>> check ratelimit = 0/1h/per_conn/strict >>> ratelimit condition count=1 0.0/1h/per_conn/V4NET.9.8.7 >>> ratelimit found pre-computed rate 1.0 +>>> l_message: DATA: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period >>> warn: condition test succeeded in ACL "check_data" LOG: 10HmaZ-0005vi-00 H=(test.ex) [V4NET.9.8.7] Warning: DATA: sender_rate=1.0 sender_rate_limit=0 sender_rate_period=1h >>> processing "deny" @@ -113,6 +119,7 @@ LOG: 10HmaZ-0005vi-00 H=(test.ex) [V4NET.9.8.7] F=<> rejected after DATA >>> ratelimit found key in database >>> ratelimit db updated >>> ratelimit computed rate 2.0 +>>> l_message: RCPT: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period >>> warn: condition test succeeded in ACL "check_rcpt" LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=2.0 sender_rate_limit=0 sender_rate_period=1h >>> processing "accept" @@ -123,6 +130,7 @@ LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=2.0 sender_rate_limit= >>> check ratelimit = 0/1h/per_conn/strict >>> ratelimit condition count=1 0.0/1h/per_conn/V4NET.9.8.7 >>> ratelimit found pre-computed rate 2.0 +>>> l_message: DATA: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period >>> warn: condition test succeeded in ACL "check_data" LOG: 10HmbA-0005vi-00 H=(test.ex) [V4NET.9.8.7] Warning: DATA: sender_rate=2.0 sender_rate_limit=0 sender_rate_period=1h >>> processing "deny" 
@@ -146,6 +154,7 @@ LOG: 10HmbA-0005vi-00 H=(test.ex) [V4NET.9.8.7] F=<> rejected after DATA >>> ratelimit initializing new key's rate data >>> ratelimit db not updated: over the limit, but leaky >>> ratelimit computed rate 1.0 +>>> l_message: RCPT: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period >>> warn: condition test succeeded in ACL "check_rcpt" LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=1.0 sender_rate_limit=0 sender_rate_period=1h >>> processing "accept" @@ -158,6 +167,7 @@ LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=1.0 sender_rate_limit= >>> ratelimit initializing new key's rate data >>> ratelimit db not updated: over the limit, but leaky >>> ratelimit computed rate 1.0 +>>> l_message: RCPT: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period >>> warn: condition test succeeded in ACL "check_rcpt" >>> processing "accept" >>> accept: condition test succeeded in ACL "check_rcpt" @@ -169,6 +179,7 @@ LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=1.0 sender_rate_limit= >>> ratelimit initializing new key's rate data >>> ratelimit db not updated: over the limit, but leaky >>> ratelimit computed rate 1.0 +>>> l_message: RCPT: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period >>> warn: condition test succeeded in ACL "check_rcpt" >>> processing "accept" >>> accept: condition test succeeded in ACL "check_rcpt" 
@@ -180,6 +191,7 @@ LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=1.0 sender_rate_limit= >>> ratelimit found key in database >>> ratelimit db not updated: over the limit, but leaky >>> ratelimit computed rate 3.0 +>>> l_message: DATA: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period >>> warn: condition test succeeded in ACL "check_data" LOG: 10HmbB-0005vi-00 H=(test.ex) [V4NET.9.8.7] Warning: DATA: sender_rate=3.0 sender_rate_limit=0 sender_rate_period=1h >>> processing "deny" @@ -236,6 +248,7 @@ LOG: 10HmbB-0005vi-00 H=(test.ex) [V4NET.9.8.7] F=<> rejected after DATA >>> ratelimit initializing new key's rate data >>> ratelimit db updated >>> ratelimit computed rate 19.0 +>>> l_message: DATA: sender_rate=$sender_rate sender_rate_limit=$sender_rate_limit sender_rate_period=$sender_rate_period >>> warn: condition test succeeded in ACL "check_data" LOG: 10HmbC-0005vi-00 H=(test.ex) [V4NET.9.8.6] Warning: DATA: sender_rate=19.0 sender_rate_limit=0 sender_rate_period=1h >>> processing "deny" diff --git a/test/stderr/0040 b/test/stderr/0040 new file mode 100644 index 000000000..f72bc868b --- /dev/null +++ b/test/stderr/0040 @@ -0,0 +1,2 @@ +-oMm must be a valid message ID +-oMm must be called by a trusted user/config diff --git a/test/stderr/0043 b/test/stderr/0043 index fdbc34231..31ba8d9ce 100644 --- a/test/stderr/0043 +++ b/test/stderr/0043 @@ -53,6 +53,7 @@ LOG: H=(exim.test.ex) [V4NET.0.0.97] incomplete transaction (RSET) from >> ----------- end verify ------------ >>> require: condition test succeeded in ACL "check_recipient" >>> processing "deny" +>>> message: unrouteable address >>> check !verify = recipient >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing postmaster@exim.test.ex 
@@ -86,6 +87,7 @@ LOG: H=(exim.test.ex) [V4NET.0.0.97] incomplete transaction (RSET) from >> using cached sender verify result >>> require: condition test succeeded in ACL "check_recipient" >>> processing "deny" +>>> message: unrouteable address >>> check !verify = recipient >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing junkjunk@exim.test.ex @@ -108,6 +110,7 @@ LOG: H=(exim.test.ex) [V4NET.0.0.97] F= rejected RCPT j >>> using cached sender verify result >>> require: condition test succeeded in ACL "check_recipient" >>> processing "deny" +>>> message: unrouteable address >>> check !verify = recipient >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing fail@exim.test.ex diff --git a/test/stderr/0044 b/test/stderr/0044 index 83c757833..d8b7ebe80 100644 --- a/test/stderr/0044 +++ b/test/stderr/0044 @@ -32,6 +32,7 @@ >>> postmaster@exim.test.ex in "myfriend@*"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: host is listed in $dnslist_domain >>> check dnslists = rbl.test.ex >>> DNS list check: rbl.test.ex >>> new DNS lookup for 13.12.11.V4NET.rbl.test.ex diff --git a/test/stderr/0057 b/test/stderr/0057 index 6a5ec62f9..483ca182c 100644 --- a/test/stderr/0057 +++ b/test/stderr/0057 @@ -26,6 +26,7 @@ >>> anotherhost.example.com in "+relay_domains"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[V4NET.0.0.1] F= rejected RCPT : relay not permitted >>> 3rdhost.example.com in percent_hack_domains? no (end of list) 
@@ -41,6 +42,7 @@ LOG: H=[V4NET.0.0.1] F= rejected RCPT >> 3rdhost.example.com in "+relay_domains"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[V4NET.0.0.1] F= rejected RCPT : relay not permitted LOG: 10HmaX-0005vi-00 <= userx@somehost.example.com H=[V4NET.0.0.1] P=smtp S=sss diff --git a/test/stderr/0059 b/test/stderr/0059 index 1ccdb7afd..34fffb580 100644 --- a/test/stderr/0059 +++ b/test/stderr/0059 @@ -29,6 +29,7 @@ >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[V4NET.0.0.1] F= rejected RCPT : relay not permitted LOG: 10HmaX-0005vi-00 <= userx@somehost.example.com H=[V4NET.0.0.1] P=smtp S=sss diff --git a/test/stderr/0060 b/test/stderr/0060 index da4ae4810..7e3e5672f 100644 --- a/test/stderr/0060 +++ b/test/stderr/0060 @@ -70,6 +70,7 @@ MUNGED: ::1 will be omitted in what follows >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[V4NET.0.0.2] F= rejected RCPT : relay not permitted LOG: 10HmaY-0005vi-00 <= userx@somehost.example.com H=[V4NET.0.0.2] P=smtp S=sss @@ -180,6 +181,7 @@ LOG: 10HmbA-0005vi-00 <= userx@somehost.example.com H=[V4NET.0.0.6] P=smtp S=sss >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[V4NET.255.0.1] F= rejected RCPT : relay not permitted LOG: 10HmbB-0005vi-00 <= userx@somehost.example.com H=[V4NET.255.0.1] P=smtp S=sss 
@@ -214,6 +216,7 @@ LOG: 10HmbB-0005vi-00 <= userx@somehost.example.com H=[V4NET.255.0.1] P=smtp S=s >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[V4NET.255.0.2] F= rejected RCPT : relay not permitted LOG: 10HmbC-0005vi-00 <= userx@somehost.example.com H=[V4NET.255.0.2] P=smtp S=sss @@ -248,6 +251,7 @@ LOG: 10HmbC-0005vi-00 <= userx@somehost.example.com H=[V4NET.255.0.2] P=smtp S=s >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[V4NET.255.0.3] F= rejected RCPT : relay not permitted LOG: 10HmbD-0005vi-00 <= userx@somehost.example.com H=[V4NET.255.0.3] P=smtp S=sss @@ -282,6 +286,7 @@ LOG: 10HmbD-0005vi-00 <= userx@somehost.example.com H=[V4NET.255.0.3] P=smtp S=s >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[V4NET.255.0.4] F= rejected RCPT : relay not permitted LOG: 10HmbE-0005vi-00 <= userx@somehost.example.com H=[V4NET.255.0.4] P=smtp S=sss diff --git a/test/stderr/0061 b/test/stderr/0061 index 99511950e..8e178fbc5 100644 --- a/test/stderr/0061 +++ b/test/stderr/0061 @@ -66,6 +66,7 @@ MUNGED: ::1 will be omitted in what follows >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[V4NET.0.0.2] F= rejected RCPT : relay not permitted LOG: 10HmaY-0005vi-00 <= userx@somehost.example.com H=[V4NET.0.0.2] P=smtp S=sss 
diff --git a/test/stderr/0062 b/test/stderr/0062 index d5386dd62..7343d7df2 100644 --- a/test/stderr/0062 +++ b/test/stderr/0062 @@ -37,6 +37,7 @@ MUNGED: ::1 will be omitted in what follows >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=ten-1.test.ex [V4NET.0.0.1] F= rejected RCPT : relay not permitted >>> using ACL "check_message" diff --git a/test/stderr/0063 b/test/stderr/0063 index f158b6490..2eb0b3160 100644 --- a/test/stderr/0063 +++ b/test/stderr/0063 @@ -37,6 +37,7 @@ MUNGED: ::1 will be omitted in what follows >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=ten-1.test.ex [V4NET.0.0.1] F= rejected RCPT : relay not permitted LOG: 10HmaX-0005vi-00 <= userx@somehost.example.com H=ten-1.test.ex [V4NET.0.0.1] P=smtp S=sss diff --git a/test/stderr/0064 b/test/stderr/0064 index 60b8b18c5..6790f9495 100644 --- a/test/stderr/0064 +++ b/test/stderr/0064 @@ -37,6 +37,7 @@ MUNGED: ::1 will be omitted in what follows >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=ten-1.test.ex [V4NET.0.0.1] F= rejected RCPT : relay not permitted LOG: 10HmaX-0005vi-00 <= userx@somehost.example.com H=ten-1.test.ex [V4NET.0.0.1] P=smtp S=sss diff --git a/test/stderr/0065 b/test/stderr/0065 index eee5d0d83..ae6fc7f97 100644 --- a/test/stderr/0065 +++ b/test/stderr/0065 
@@ -60,6 +60,7 @@ LOG: 10HmaX-0005vi-00 <= userx@somehost.example.com H=[1.2.3.4] P=smtp S=sss >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[1.2.3.5] F= rejected RCPT : relay not permitted LOG: 10HmaY-0005vi-00 <= userx@somehost.example.com H=[1.2.3.5] P=smtp S=sss @@ -125,6 +126,7 @@ LOG: 10HmaZ-0005vi-00 <= userx@somehost.example.com H=[1.2.4.5] P=smtp S=sss >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[1.3.2.4] F= rejected RCPT : relay not permitted LOG: 10HmbA-0005vi-00 <= userx@somehost.example.com H=[1.3.2.4] P=smtp S=sss diff --git a/test/stderr/0066 b/test/stderr/0066 index 59d9e69e9..9dbb6f08b 100644 --- a/test/stderr/0066 +++ b/test/stderr/0066 @@ -72,6 +72,7 @@ MUNGED: ::1 will be omitted in what follows >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[1.2.3.5] F= rejected RCPT : relay not permitted LOG: 10HmaY-0005vi-00 <= userx@somehost.example.com H=[1.2.3.5] P=smtp S=sss @@ -152,6 +153,7 @@ LOG: no host name found for IP address 1.3.2.4 >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[1.3.2.4] F= rejected RCPT : relay not permitted LOG: 10HmbA-0005vi-00 <= userx@somehost.example.com H=[1.3.2.4] P=smtp S=sss 
@@ -308,6 +310,7 @@ MUNGED: ::1 will be omitted in what follows >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[V4NET.11.12.13] F= rejected RCPT : relay not permitted LOG: 10HmbE-0005vi-00 <= userx@somehost.example.com H=[V4NET.11.12.13] P=smtp S=sss diff --git a/test/stderr/0069 b/test/stderr/0069 index 1692a621f..2355b74cd 100644 --- a/test/stderr/0069 +++ b/test/stderr/0069 @@ -68,6 +68,7 @@ LOG: no IP address found for host non.existent.invalid (during SMTP connection f >>> host in "non.existent.invalid : V4NET.0.0.13"? no (failed to find IP address for non.existent.invalid) >>> accept: condition test failed in ACL "check_recipienty" >>> processing "deny" +>>> message: "Denied" >>> deny: condition test succeeded in ACL "check_recipienty" LOG: H=[V4NET.0.0.13] F= rejected RCPT : "Denied" >>> host in hosts_connection_nolog? no (option unset) @@ -111,6 +112,7 @@ LOG: no IP address found for host non.existent.invalid (during SMTP connection f LOG: list matching forced to fail: failed to find IP address for non.existent.invalid >>> accept: condition test failed in ACL "check_recipienty" >>> processing "deny" +>>> message: "Denied" >>> deny: condition test succeeded in ACL "check_recipienty" LOG: H=[V4NET.0.0.13] F= rejected RCPT : "Denied" >>> host in hosts_connection_nolog? no (option unset) diff --git a/test/stderr/0070 b/test/stderr/0070 index 4a2959d4f..bb6e554a8 100644 --- a/test/stderr/0070 +++ b/test/stderr/0070 @@ -28,6 +28,7 @@ MUNGED: ::1 will be omitted in what follows >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "rcpt" >>> processing "require" +>>> message: helo not verified >>> check verify = helo >>> verifying EHLO/HELO argument "NULL" >>> no EHLO/HELO command was issued 
@@ -55,6 +56,7 @@ MUNGED: ::1 will be omitted in what follows >>> HELO verification failed but host is in helo_try_verify_hosts >>> using ACL "rcpt" >>> processing "require" +>>> message: helo not verified >>> check verify = helo >>> require: condition test failed in ACL "rcpt" LOG: H=([V4NET.0.0.1]) [V4NET.0.0.2] F= rejected RCPT : helo not verified @@ -80,9 +82,11 @@ MUNGED: ::1 will be omitted in what follows >>> matched host address >>> using ACL "rcpt" >>> processing "require" +>>> message: helo not verified >>> check verify = helo >>> require: condition test succeeded in ACL "rcpt" >>> processing "deny" +>>> message: helo did verify >>> deny: condition test succeeded in ACL "rcpt" LOG: H=([V4NET.0.0.2]) [V4NET.0.0.2] F= rejected RCPT : helo did verify >>> host in hosts_connection_nolog? no (option unset) @@ -205,6 +209,7 @@ MUNGED: ::1 will be omitted in what follows >>> [V4NET.0.0.99] in helo_lookup_domains? no (end of list) >>> using ACL "rcpt" >>> processing "require" +>>> message: helo not verified >>> check verify = helo >>> verifying EHLO/HELO argument "[V4NET.0.0.99]" >>> require: condition test failed in ACL "rcpt" @@ -229,11 +234,13 @@ MUNGED: ::1 will be omitted in what follows >>> [V4NET.0.0.13] in helo_lookup_domains? no (end of list) >>> using ACL "rcpt" >>> processing "require" +>>> message: helo not verified >>> check verify = helo >>> verifying EHLO/HELO argument "[V4NET.0.0.13]" >>> matched host address >>> require: condition test succeeded in ACL "rcpt" >>> processing "deny" +>>> message: helo did verify >>> deny: condition test succeeded in ACL "rcpt" LOG: H=([V4NET.0.0.13]) [V4NET.0.0.13] F= rejected RCPT : helo did verify >>> host in hosts_connection_nolog? no (option unset) 
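Review bot: In the test/stderr/0070 hunk at @@ -229,11 +234,13 @@, the new `>>> message: helo not verified` line is followed by `>>> matched host address` and `>>> require: condition test succeeded`, so the trace now shows a failure text inside a statement that passed. The line is the configured modifier, not an outcome, and the bare label `message:` does not say so. Consider wording the debug line so it cannot be read as a verdict, or state the convention wherever the debug format is documented, because anyone triaging a rejection from these traces can otherwise misread which statement rejected the recipient.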
@@ -257,6 +264,7 @@ MUNGED: ::1 will be omitted in what follows >>> host in pipelining_advertise_hosts? yes (matched "*") >>> using ACL "rcpt" >>> processing "require" +>>> message: helo not verified >>> check verify = helo >>> verifying EHLO/HELO argument "rhubarb" >>> looking up host name for 99.99.99.99 diff --git a/test/stderr/0079 b/test/stderr/0079 index ebdd6b244..e00d79050 100644 --- a/test/stderr/0079 +++ b/test/stderr/0079 @@ -14,6 +14,8 @@ >>> host in ":"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "warn" +>>> message: X-Warning: $sender_host_address is blacklisted at $dnslist_domain +>>> l_message: $sender_host_address is in $dnslist_domain >>> check dnslists = rbl.test.ex >>> DNS list check: rbl.test.ex >>> new DNS lookup for 14.12.11.V4NET.rbl.test.ex @@ -22,6 +24,8 @@ >>> warn: condition test succeeded in ACL "check_recipient" LOG: H=(exim.test.ex) [V4NET.11.12.14] Warning: V4NET.11.12.14 is in rbl.test.ex >>> processing "warn" +>>> message: X-Warning: $sender_host_address is blacklisted at $dnslist_domain +>>> l_message: accepting postmaster from host in $dnslist_domain >>> check recipients = postmaster@exim.test.ex >>> exim.test.ex in "exim.test.ex"? yes (matched "exim.test.ex") >>> postmaster@exim.test.ex in "postmaster@exim.test.ex"? yes (matched "postmaster@exim.test.ex") @@ -43,6 +47,8 @@ LOG: H=(exim.test.ex) [V4NET.11.12.14] Warning: accepting postmaster from host i >>> host in ":"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "warn" +>>> message: X-Warning: $sender_host_address is blacklisted at $dnslist_domain +>>> l_message: $sender_host_address is in $dnslist_domain >>> check dnslists = rbl.test.ex >>> DNS list check: rbl.test.ex >>> using result of previous DNS lookup 
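Review bot: In the test/stderr/0079 hunk at @@ -43,6 +47,8 @@, the added `message:` and `l_message:` lines carry `$sender_host_address` and `$dnslist_domain` literally, and they are printed before `check dnslists = rbl.test.ex` has run. The LOG line in this file's earlier hunk (`Warning: V4NET.11.12.14 is in rbl.test.ex`) shows the same `l_message` text after expansion, so the expected output now holds both forms with nothing saying that the debug line is the raw modifier text. A short note in the debug-output documentation or in the ChangeLog entry for this change would stop the unexpanded variables being taken for an expansion failure.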
@@ -50,6 +56,8 @@ LOG: H=(exim.test.ex) [V4NET.11.12.14] Warning: accepting postmaster from host i >>> => that means V4NET.11.12.14 is listed at rbl.test.ex >>> warn: condition test succeeded in ACL "check_recipient" >>> processing "warn" +>>> message: X-Warning: $sender_host_address is blacklisted at $dnslist_domain +>>> l_message: accepting postmaster from host in $dnslist_domain >>> check recipients = postmaster@exim.test.ex >>> list@exim.test.ex in "postmaster@exim.test.ex"? no (end of list) >>> warn: condition test failed in ACL "check_recipient" @@ -58,6 +66,7 @@ LOG: H=(exim.test.ex) [V4NET.11.12.14] Warning: accepting postmaster from host i >>> list@exim.test.ex in "postmaster@exim.test.ex"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: host is listed in $dnslist_domain >>> check dnslists = rbl2.test.ex >>> DNS list check: rbl2.test.ex >>> using result of previous DNS lookup diff --git a/test/stderr/0080 b/test/stderr/0080 index 199d3a22c..0a0d03f47 100644 --- a/test/stderr/0080 +++ b/test/stderr/0080 @@ -20,6 +20,7 @@ >>> list@exim.test.ex in "postmaster@exim.test.ex"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: host is listed in $dnslist_domain >>> check dnslists = rbl.test.ex:rbl2.test.ex >>> DNS list check: rbl.test.ex >>> new DNS lookup for 14.12.11.V4NET.rbl.test.ex diff --git a/test/stderr/0089 b/test/stderr/0089 index a6e85e132..83fc35df4 100644 --- a/test/stderr/0089 +++ b/test/stderr/0089 
@@ -39,6 +39,7 @@ LOG: rejected HELO from [V4NET.0.0.0]: syntactically invalid argument(s): @#$%^& >>> else.where in "+relay_domains"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=(abc_xyz) [V4NET.0.0.0] F= rejected RCPT : relay not permitted >>> host in hosts_connection_nolog? no (option unset) @@ -88,5 +89,6 @@ MUNGED: ::1 will be omitted in what follows >>> relay.two.ex in "+relay_domains"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=ten-99.test.ex (@#$%^&*()) [V4NET.0.0.99] F= rejected RCPT : relay not permitted diff --git a/test/stderr/0092 b/test/stderr/0092 index bdda28575..f7bdef819 100644 --- a/test/stderr/0092 +++ b/test/stderr/0092 @@ -21,6 +21,7 @@ LOG: SMTP command timeout on connection from [V4NET.0.0.1] >>> host in ":"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: unrouteable address >>> check recipients = verify@test.ex >>> userx@test.ex in "verify@test.ex"? no (end of list) >>> deny: condition test failed in ACL "check_recipient" @@ -46,6 +47,7 @@ exim: timed out while reading - message abandoned >>> host in ":"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: unrouteable address >>> check recipients = verify@test.ex >>> test.ex in "test.ex"? yes (matched "test.ex") >>> verify@test.ex in "verify@test.ex"? yes (matched "verify@test.ex") diff --git a/test/stderr/0094 b/test/stderr/0094 index 1450ab01b..77ca6bc2a 100644 --- a/test/stderr/0094 +++ b/test/stderr/0094 
@@ -25,6 +25,7 @@ LOG: no host name found for IP address V4NET.11.12.13 >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[V4NET.11.12.13] F= rejected RCPT : relay not permitted >>> host in hosts_connection_nolog? no (option unset) @@ -58,6 +59,7 @@ MUNGED: ::1 will be omitted in what follows >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=ten-1.test.ex [V4NET.0.0.1] F= rejected RCPT : relay not permitted Exim version x.yz .... @@ -141,6 +143,7 @@ host in "*.masq.test.ex"? no (end of list) host in "+relay_hosts"? no (end of list) accept: condition test failed in ACL "check_recipient" processing "deny" + message: relay not permitted deny: condition test succeeded in ACL "check_recipient" SMTP>> 550 relay not permitted LOG: MAIN REJECT diff --git a/test/stderr/0124 b/test/stderr/0124 index a7246fcf8..328d78084 100644 --- a/test/stderr/0124 +++ b/test/stderr/0124 @@ -25,6 +25,7 @@ LOG: no host name found for IP address V4NET.0.0.97 >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[V4NET.0.0.97] F= rejected RCPT : relay not permitted >>> using ACL "check_recipient" @@ -42,5 +43,6 @@ LOG: H=[V4NET.0.0.97] F= rejected RCPT : >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[V4NET.0.0.97] F= rejected RCPT : relay not permitted 
diff --git a/test/stderr/0130 b/test/stderr/0130 index bac07b8bf..50c29e938 100644 --- a/test/stderr/0130 +++ b/test/stderr/0130 @@ -8,6 +8,7 @@ >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "check_recipient" >>> processing "deny" +>>> message: unrouteable address >>> check !verify = recipient >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing userx@not.test.ex diff --git a/test/stderr/0138 b/test/stderr/0138 index 92f12813d..921115a6e 100644 --- a/test/stderr/0138 +++ b/test/stderr/0138 @@ -69,6 +69,7 @@ LOG: 10HmaX-0005vi-00 <= postmaster@exim.test.ex H=(exim.test.ex) [V4NET.11.12.1 >>> => that means V4NET.11.12.13 is not listed at rbl3.test.ex >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: host is listed in $dnslist_domain >>> check dnslists = rbl2.test.ex >>> DNS list check: rbl2.test.ex >>> new DNS lookup for 13.12.11.V4NET.rbl2.test.ex @@ -76,6 +77,7 @@ LOG: 10HmaX-0005vi-00 <= postmaster@exim.test.ex H=(exim.test.ex) [V4NET.11.12.1 >>> => that means V4NET.11.12.13 is not listed at rbl2.test.ex >>> deny: condition test failed in ACL "check_recipient" >>> processing "warn" +>>> message: X-Warning: $sender_host_address is listed at $dnslist_domain >>> check dnslists = rbl.test.ex >>> DNS list check: rbl.test.ex >>> new DNS lookup for 13.12.11.V4NET.rbl.test.ex @@ -98,6 +100,7 @@ LOG: 10HmaX-0005vi-00 <= postmaster@exim.test.ex H=(exim.test.ex) [V4NET.11.12.1 >>> ----------- end verify ------------ >>> require: condition test succeeded in ACL "check_recipient" >>> processing "deny" +>>> message: unrouteable address >>> check !verify = recipient >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing userx@exim.test.ex diff --git a/test/stderr/0139 b/test/stderr/0139 index 7e31007d2..c7f1f32eb 100644 --- a/test/stderr/0139 +++ b/test/stderr/0139 
@@ -39,6 +39,7 @@ >>> accept: condition test succeeded in ACL "check_mail" >>> using ACL "check_recipient" >>> processing "warn" +>>> message: X-Warn: host is listed in $dnslist_domain but not =127.0.0.3${if def:dnslist_text{\n $dnslist_text}} >>> check dnslists = rbl3.test.ex!=127.0.0.3 >>> DNS list check: rbl3.test.ex!=127.0.0.3 >>> new DNS lookup for 14.12.11.V4NET.rbl3.test.ex @@ -46,6 +47,7 @@ >>> => that means V4NET.11.12.14 is listed at rbl3.test.ex >>> warn: condition test succeeded in ACL "check_recipient" >>> processing "deny" +>>> message: host is listed in $dnslist_domain with value 127.0.0.3${if def:dnslist_text{\n$dnslist_text}} >>> check dnslists = rbl3.test.ex=127.0.0.3 >>> DNS list check: rbl3.test.ex=127.0.0.3 >>> using result of previous DNS lookup @@ -69,6 +71,7 @@ >>> ----------- end verify ------------ >>> require: condition test succeeded in ACL "check_recipient" >>> processing "deny" +>>> message: unrouteable address >>> check !verify = recipient >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing userx@exim.test.ex @@ -86,6 +89,7 @@ >>> accept: condition test succeeded in ACL "check_recipient" >>> using ACL "check_recipient" >>> processing "warn" +>>> message: X-Warn: host is listed in $dnslist_domain but not =127.0.0.3${if def:dnslist_text{\n $dnslist_text}} >>> check dnslists = rbl3.test.ex!=127.0.0.3 >>> DNS list check: rbl3.test.ex!=127.0.0.3 >>> using result of previous DNS lookup @@ -93,6 +97,7 @@ >>> => that means V4NET.11.12.14 is listed at rbl3.test.ex >>> warn: condition test succeeded in ACL "check_recipient" >>> processing "deny" +>>> message: host is listed in $dnslist_domain with value 127.0.0.3${if def:dnslist_text{\n$dnslist_text}} >>> check dnslists = rbl3.test.ex=127.0.0.3 >>> DNS list check: rbl3.test.ex=127.0.0.3 >>> using result of previous DNS lookup 
@@ -105,6 +110,7 @@ >>> using cached sender verify result >>> require: condition test succeeded in ACL "check_recipient" >>> processing "deny" +>>> message: unrouteable address >>> check !verify = recipient >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing list@exim.test.ex @@ -160,6 +166,7 @@ LOG: 10HmaY-0005vi-00 <= postmaster@exim.test.ex H=[V4NET.11.12.14] P=smtp S=sss >>> accept: condition test succeeded in ACL "check_mail" >>> using ACL "check_recipient" >>> processing "warn" +>>> message: X-Warn: host is listed in $dnslist_domain but not =127.0.0.3${if def:dnslist_text{\n $dnslist_text}} >>> check dnslists = rbl3.test.ex!=127.0.0.3 >>> DNS list check: rbl3.test.ex!=127.0.0.3 >>> new DNS lookup for 15.12.11.V4NET.rbl3.test.ex @@ -168,6 +175,7 @@ LOG: 10HmaY-0005vi-00 <= postmaster@exim.test.ex H=[V4NET.11.12.14] P=smtp S=sss >>> => there was an exclude match for =127.0.0.3 >>> warn: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: host is listed in $dnslist_domain with value 127.0.0.3${if def:dnslist_text{\n$dnslist_text}} >>> check dnslists = rbl3.test.ex=127.0.0.3 >>> DNS list check: rbl3.test.ex=127.0.0.3 >>> using result of previous DNS lookup diff --git a/test/stderr/0157 b/test/stderr/0157 index 4980dc9c8..bcd4f6f78 100644 --- a/test/stderr/0157 +++ b/test/stderr/0157 @@ -19,6 +19,7 @@ >>> processing "accept" >>> check hosts = V4NET.0.0.1 >>> host in "V4NET.0.0.1"? yes (matched "V4NET.0.0.1") +>>> message: invalid sender >>> check senders = userx@test.ex >>> x@y.z in "userx@test.ex"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" @@ -37,6 +38,7 @@ LOG: H=[V4NET.0.0.1] F= rejected RCPT : invalid sender >>> processing "accept" >>> check hosts = V4NET.0.0.1 >>> host in "V4NET.0.0.1"? yes (matched "V4NET.0.0.1") +>>> message: invalid sender >>> check senders = userx@test.ex >>> test.ex in "test.ex"? yes (matched "test.ex") >>> userx@test.ex in "userx@test.ex"? yes (matched "userx@test.ex") 
@@ -114,6 +116,7 @@ LOG: H=[V4NET.0.0.1] F= rejected RCPT : invalid sender >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[V4NET.0.0.3] F= rejected RCPT : relay not permitted >>> using ACL "check_recipient" @@ -135,5 +138,6 @@ LOG: H=[V4NET.0.0.3] F= rejected RCPT : relay not permitted >>> host in "+relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[V4NET.0.0.3] F= rejected RCPT : relay not permitted diff --git a/test/stderr/0234 b/test/stderr/0234 index b382af22d..727641b57 100644 --- a/test/stderr/0234 +++ b/test/stderr/0234 @@ -13,6 +13,7 @@ >>> d in "+relay_domains"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=[V4NET.0.0.0] F= rejected RCPT : relay not permitted >>> using ACL "check_recipient" diff --git a/test/stderr/0243 b/test/stderr/0243 index 6b5aca3b3..b8aaf253c 100644 --- a/test/stderr/0243 +++ b/test/stderr/0243 @@ -10,6 +10,7 @@ >>> host in pipelining_advertise_hosts? yes (matched "*") >>> using ACL "check_recipient" >>> processing "deny" +>>> message: unrouteable address >>> check !verify = recipient >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing faq@nl.demon.net diff --git a/test/stderr/0251 b/test/stderr/0251 index b3d432499..982d9af3d 100644 --- a/test/stderr/0251 +++ b/test/stderr/0251 @@ -8,6 +8,7 @@ >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "check_recipient" >>> processing "deny" +>>> message: unrouteable address >>> check !verify = recipient >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing oklist@listr.test.ex 
@@ -33,6 +34,7 @@ >>> accept: condition test succeeded in ACL "check_recipient" >>> using ACL "check_recipient" >>> processing "deny" +>>> message: unrouteable address >>> check !verify = recipient >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing oklist@listr.test.ex diff --git a/test/stderr/0281 b/test/stderr/0281 index 93d75446b..88d08143f 100644 --- a/test/stderr/0281 +++ b/test/stderr/0281 @@ -8,6 +8,7 @@ >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "acl_rcpt_1" >>> processing "require" +>>> message: domain doesn't match @ or @[] >>> check domains = @ : @[] >>> myhost.test.ex in "@ : @[]"? yes (matched "@") >>> require: condition test succeeded in ACL "acl_rcpt_1" @@ -15,6 +16,7 @@ >>> accept: condition test succeeded in ACL "acl_rcpt_1" >>> using ACL "acl_rcpt_1" >>> processing "require" +>>> message: domain doesn't match @ or @[] >>> check domains = @ : @[] >>> [127.0.0.1] in "@ : @[]"? yes (matched "@[]") >>> require: condition test succeeded in ACL "acl_rcpt_1" @@ -22,12 +24,14 @@ >>> accept: condition test succeeded in ACL "acl_rcpt_1" >>> using ACL "acl_rcpt_1" >>> processing "require" +>>> message: domain doesn't match @ or @[] >>> check domains = @ : @[] >>> else.where in "@ : @[]"? no (end of list) >>> require: condition test failed in ACL "acl_rcpt_1" LOG: H=[V4NET.1.1.1] F= rejected RCPT <1@else.where>: domain doesn't match @ or @[] >>> using ACL "acl_rcpt_2" >>> processing "require" +>>> message: domain doesn't match @mx_any >>> check domains = @mx_any >>> other1.test.ex in hosts_treat_as_local? yes (matched "other1.test.ex") >>> local host has lowest MX @@ -37,6 +41,7 @@ LOG: H=[V4NET.1.1.1] F= rejected RCPT <1@else.where>: domain doesn't match >>> accept: condition test succeeded in ACL "acl_rcpt_2" >>> using ACL "acl_rcpt_2" >>> processing "require" +>>> message: domain doesn't match @mx_any >>> check domains = @mx_any >>> eximtesthost.test.ex in hosts_treat_as_local? no (end of list) >>> local host has lowest MX 
@@ -46,6 +51,7 @@ LOG: H=[V4NET.1.1.1] F= rejected RCPT <1@else.where>: domain doesn't match >>> accept: condition test succeeded in ACL "acl_rcpt_2" >>> using ACL "acl_rcpt_2" >>> processing "require" +>>> message: domain doesn't match @mx_any >>> check domains = @mx_any >>> ten-1.test.ex in hosts_treat_as_local? no (end of list) >>> eximtesthost.test.ex in hosts_treat_as_local? no (end of list) @@ -58,6 +64,7 @@ LOG: H=[V4NET.1.1.1] F= rejected RCPT <1@else.where>: domain doesn't match >>> accept: condition test succeeded in ACL "acl_rcpt_2" >>> using ACL "acl_rcpt_2" >>> processing "require" +>>> message: domain doesn't match @mx_any >>> check domains = @mx_any >>> ten-1.test.ex in hosts_treat_as_local? no (end of list) >>> ten-2.test.ex in hosts_treat_as_local? no (end of list) @@ -67,12 +74,14 @@ LOG: H=[V4NET.1.1.1] F= rejected RCPT <1@else.where>: domain doesn't match LOG: H=[V4NET.1.1.1] F= rejected RCPT <2@mxt9.test.ex>: domain doesn't match @mx_any >>> using ACL "acl_rcpt_2" >>> processing "require" +>>> message: domain doesn't match @mx_any >>> check domains = @mx_any >>> mxnone.test.ex in "@mx_any"? no (end of list) >>> require: condition test failed in ACL "acl_rcpt_2" LOG: H=[V4NET.1.1.1] F= rejected RCPT <2@mxnone.test.ex>: domain doesn't match @mx_any >>> using ACL "acl_rcpt_3" >>> processing "require" +>>> message: domain doesn't match @mx_primary >>> check domains = @mx_primary >>> ten-1.test.ex in hosts_treat_as_local? no (end of list) >>> eximtesthost.test.ex in hosts_treat_as_local? no (end of list) @@ -83,6 +92,7 @@ LOG: H=[V4NET.1.1.1] F= rejected RCPT <2@mxnone.test.ex>: domain doesn't ma >>> accept: condition test succeeded in ACL "acl_rcpt_3" >>> using ACL "acl_rcpt_3" >>> processing "require" +>>> message: domain doesn't match @mx_primary >>> check domains = @mx_primary >>> ten-1.test.ex in hosts_treat_as_local? no (end of list) >>> ten-2.test.ex in hosts_treat_as_local? no (end of list) 
@@ -95,6 +105,7 @@ LOG: H=[V4NET.1.1.1] F= rejected RCPT <2@mxnone.test.ex>: domain doesn't ma LOG: H=[V4NET.1.1.1] F= rejected RCPT <3@mxt6.test.ex>: domain doesn't match @mx_primary >>> using ACL "acl_rcpt_3" >>> processing "require" +>>> message: domain doesn't match @mx_primary >>> check domains = @mx_primary >>> ten-1.test.ex in hosts_treat_as_local? no (end of list) >>> ten-2.test.ex in hosts_treat_as_local? no (end of list) @@ -104,12 +115,14 @@ LOG: H=[V4NET.1.1.1] F= rejected RCPT <3@mxt6.test.ex>: domain doesn't matc LOG: H=[V4NET.1.1.1] F= rejected RCPT <3@mxt9.test.ex>: domain doesn't match @mx_primary >>> using ACL "acl_rcpt_3" >>> processing "require" +>>> message: domain doesn't match @mx_primary >>> check domains = @mx_primary >>> mxnone.test.ex in "@mx_primary"? no (end of list) >>> require: condition test failed in ACL "acl_rcpt_3" LOG: H=[V4NET.1.1.1] F= rejected RCPT <3@mxnone.test.ex>: domain doesn't match @mx_primary >>> using ACL "acl_rcpt_4" >>> processing "require" +>>> message: domain doesn't match @mx_secondary >>> check domains = @mx_secondary >>> eximtesthost.test.ex in hosts_treat_as_local? no (end of list) >>> local host has lowest MX @@ -118,6 +131,7 @@ LOG: H=[V4NET.1.1.1] F= rejected RCPT <3@mxnone.test.ex>: domain doesn't ma LOG: H=[V4NET.1.1.1] F= rejected RCPT <4@mxt5.test.ex>: domain doesn't match @mx_secondary >>> using ACL "acl_rcpt_4" >>> processing "require" +>>> message: domain doesn't match @mx_secondary >>> check domains = @mx_secondary >>> ten-1.test.ex in hosts_treat_as_local? no (end of list) >>> ten-2.test.ex in hosts_treat_as_local? no (end of list) 
@@ -131,6 +145,7 @@ LOG: H=[V4NET.1.1.1] F= rejected RCPT <4@mxt5.test.ex>: domain doesn't matc >>> accept: condition test succeeded in ACL "acl_rcpt_4" >>> using ACL "acl_rcpt_4" >>> processing "require" +>>> message: domain doesn't match @mx_secondary >>> check domains = @mx_secondary >>> ten-1.test.ex in hosts_treat_as_local? no (end of list) >>> ten-2.test.ex in hosts_treat_as_local? no (end of list) @@ -140,12 +155,14 @@ LOG: H=[V4NET.1.1.1] F= rejected RCPT <4@mxt5.test.ex>: domain doesn't matc LOG: H=[V4NET.1.1.1] F= rejected RCPT <4@mxt9.test.ex>: domain doesn't match @mx_secondary >>> using ACL "acl_rcpt_4" >>> processing "require" +>>> message: domain doesn't match @mx_secondary >>> check domains = @mx_secondary >>> mxnone.test.ex in "@mx_secondary"? no (end of list) >>> require: condition test failed in ACL "acl_rcpt_4" LOG: H=[V4NET.1.1.1] F= rejected RCPT <4@mxnone.test.ex>: domain doesn't match @mx_secondary >>> using ACL "acl_rcpt_5" >>> processing "require" +>>> message: host doesn't match @ or @[] >>> check hosts = @ : @[] MUNGED: ::1 will be omitted in what follows >>> get[host|ipnode]byname[2] looked up these IP addresses: @@ -163,6 +180,7 @@ LOG: H=[V4NET.1.1.1] F= rejected RCPT <5@myhost.test.ex>: host doesn't matc >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "acl_rcpt_5" >>> processing "require" +>>> message: host doesn't match @ or @[] >>> check hosts = @ : @[] MUNGED: ::1 will be omitted in what follows >>> get[host|ipnode]byname[2] looked up these IP addresses: @@ -181,6 +199,7 @@ MUNGED: ::1 will be omitted in what follows >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "acl_rcpt_5" >>> processing "require" +>>> message: host doesn't match @ or @[] >>> check hosts = @ : @[] MUNGED: ::1 will be omitted in what follows >>> get[host|ipnode]byname[2] looked up these IP addresses: 
@@ -199,6 +218,7 @@ MUNGED: ::1 will be omitted in what follows >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "acl_rcpt_2" >>> processing "require" +>>> message: domain doesn't match @mx_any >>> check domains = @mx_any >>> not-exist.test.ex in hosts_treat_as_local? no (end of list) >>> eximtesthost.test.ex in hosts_treat_as_local? no (end of list) @@ -210,6 +230,7 @@ MUNGED: ::1 will be omitted in what follows >>> accept: condition test succeeded in ACL "acl_rcpt_2" >>> using ACL "acl_rcpt_3" >>> processing "require" +>>> message: domain doesn't match @mx_primary >>> check domains = @mx_primary >>> not-exist.test.ex in hosts_treat_as_local? no (end of list) >>> eximtesthost.test.ex in hosts_treat_as_local? no (end of list) @@ -220,6 +241,7 @@ MUNGED: ::1 will be omitted in what follows LOG: H=[V4NET.1.1.1] F= rejected RCPT <3@mxt3.test.ex>: domain doesn't match @mx_primary >>> using ACL "acl_rcpt_4" >>> processing "require" +>>> message: domain doesn't match @mx_secondary >>> check domains = @mx_secondary >>> not-exist.test.ex in hosts_treat_as_local? no (end of list) >>> eximtesthost.test.ex in hosts_treat_as_local? no (end of list) diff --git a/test/stderr/0304 b/test/stderr/0304 index e8e7e0bb9..253287df2 100644 --- a/test/stderr/0304 +++ b/test/stderr/0304 
@@ -8,32 +8,39 @@ >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> b1@x in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> b1@x in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> b1@x in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> x in "domain.only"? no (end of list) >>> x in "*.domain2.only"? no (end of list) >>> b1@x in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> b1@x in "abc@domain3 : xyz@*.domain4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 6 >>> check recipients = pqr@@ >>> b1@x in "pqr@@"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 7 >>> check senders = : >>> in ":"? yes (matched "") >>> check recipients = b1@x 
@@ -43,38 +50,46 @@ LOG: H=[1.2.3.4] F=<> rejected RCPT : failed 7 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> b2@x in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> b2@x in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> b2@x in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> x in "domain.only"? no (end of list) >>> x in "*.domain2.only"? no (end of list) >>> b2@x in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> b2@x in "abc@domain3 : xyz@*.domain4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 6 >>> check recipients = pqr@@ >>> b2@x in "pqr@@"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 7 >>> check senders = : >>> in ":"? yes (matched "") >>> check recipients = b1@x >>> b2@x in "b1@x"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 8 >>> check senders = ^\$ >>> in "^$"? yes (matched "^$") >>> check recipients = b2@x 
@@ -84,53 +99,64 @@ LOG: H=[1.2.3.4] F=<> rejected RCPT : failed 7 LOG: H=[1.2.3.4] F=<> rejected RCPT : failed 8 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> b9@x in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> b9@x in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> b9@x in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> x in "domain.only"? no (end of list) >>> x in "*.domain2.only"? no (end of list) >>> b9@x in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> b9@x in "abc@domain3 : xyz@*.domain4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 6 >>> check recipients = pqr@@ >>> b9@x in "pqr@@"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 7 >>> check senders = : >>> in ":"? yes (matched "") >>> check recipients = b1@x >>> b9@x in "b1@x"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 8 >>> check senders = ^\$ >>> in "^$"? yes (matched "^$") >>> check recipients = b2@x >>> b9@x in "b2@x"? 
no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 9 >>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3 >>> x in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> b9@x in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 10 >>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4 >>> b9@x in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 11 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5 >>> b9@x in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list) >>> deny: condition test failed in ACL "acl1" @@ -138,18 +164,21 @@ LOG: H=[1.2.3.4] F=<> rejected RCPT : failed 8 >>> accept: condition test succeeded in ACL "acl1" >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> abc@w.x.y.z in "^abc.*@.*\.x\.y\.z : a@b"? yes (matched "^abc.*@.*\.x\.y\.z") >>> deny: condition test succeeded in ACL "acl1" LOG: H=[1.2.3.4] F= rejected RCPT : failed 1 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> abcdef@q.x.y.z in "^abc.*@.*\.x\.y\.z : a@b"? yes (matched "^abc.*@.*\.x\.y\.z") >>> deny: condition test succeeded in ACL "acl1" LOG: H=[1.2.3.4] F= rejected RCPT : failed 1 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> b in "b"? yes (matched "b") >>> a@b in "^abc.*@.*\.x\.y\.z : a@b"? yes (matched "a@b") 
@@ -157,50 +186,61 @@ LOG: H=[1.2.3.4] F= rejected RCPT : failed 1 LOG: H=[1.2.3.4] F= rejected RCPT : failed 1 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> ok@ok in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> ok@ok in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> ok@ok in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> ok in "domain.only"? no (end of list) >>> ok in "*.domain2.only"? no (end of list) >>> ok@ok in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> ok@ok in "abc@domain3 : xyz@*.domain4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 6 >>> check recipients = pqr@@ >>> ok@ok in "pqr@@"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 7 >>> check senders = : >>> y in ""? no (end of list) >>> x@y in ":"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 8 >>> check senders = ^\$ >>> x@y in "^$"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 9 >>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3 >>> ok in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> ok@ok in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? 
no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 10 >>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4 >>> ok@ok in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 11 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5 >>> ok@ok in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list) >>> deny: condition test failed in ACL "acl1" 
@@ -208,70 +248,85 @@ LOG: H=[1.2.3.4] F= rejected RCPT : failed 1 >>> accept: condition test succeeded in ACL "acl1" >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> x@a.b.c in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> x@a.b.c in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? yes (matched "lsearch*@;TESTSUITE/aux-fixed/0304.d1") >>> deny: condition test succeeded in ACL "acl1" LOG: H=[1.2.3.4] F= rejected RCPT : failed 2 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> abc@d.e.f in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> abc@d.e.f in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? yes (matched "lsearch*@;TESTSUITE/aux-fixed/0304.d1") >>> deny: condition test succeeded in ACL "acl1" LOG: H=[1.2.3.4] F= rejected RCPT : failed 2 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> x@d.e.f in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> x@d.e.f in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> x@d.e.f in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> d.e.f in "domain.only"? 
no (end of list) >>> d.e.f in "*.domain2.only"? no (end of list) >>> x@d.e.f in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> x@d.e.f in "abc@domain3 : xyz@*.domain4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 6 >>> check recipients = pqr@@ >>> x@d.e.f in "pqr@@"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 7 >>> check senders = : >>> y in ""? no (end of list) >>> x@y in ":"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 8 >>> check senders = ^\$ >>> x@y in "^$"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 9 >>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3 >>> d.e.f in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> x@d.e.f in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 10 >>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4 >>> x@d.e.f in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 11 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5 >>> x@d.e.f in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list) >>> deny: condition test failed in ACL "acl1" 
@@ -279,92 +334,112 @@ LOG: H=[1.2.3.4] F= rejected RCPT : failed 2 >>> accept: condition test succeeded in ACL "acl1" >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> abc@at.1 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> abc@at.1 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> abc@at.1 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? yes (matched "@@lsearch;TESTSUITE/aux-fixed/0304.d2") >>> deny: condition test succeeded in ACL "acl1" LOG: H=[1.2.3.4] F= rejected RCPT : failed 3 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> xyz@at.1 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> xyz@at.1 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> xyz@at.1 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? yes (matched "@@lsearch;TESTSUITE/aux-fixed/0304.d2") >>> deny: condition test succeeded in ACL "acl1" LOG: H=[1.2.3.4] F= rejected RCPT : failed 3 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> abcxyz@at.1 in "^abc.*@.*\.x\.y\.z : a@b"? 
no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> abcxyz@at.1 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> abcxyz@at.1 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? yes (matched "@@lsearch;TESTSUITE/aux-fixed/0304.d2") >>> deny: condition test succeeded in ACL "acl1" LOG: H=[1.2.3.4] F= rejected RCPT : failed 3 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> ok@at.1 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> ok@at.1 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> ok@at.1 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> at.1 in "domain.only"? no (end of list) >>> at.1 in "*.domain2.only"? no (end of list) >>> ok@at.1 in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> ok@at.1 in "abc@domain3 : xyz@*.domain4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 6 >>> check recipients = pqr@@ >>> ok@at.1 in "pqr@@"? 
no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 7 >>> check senders = : >>> y in ""? no (end of list) >>> x@y in ":"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 8 >>> check senders = ^\$ >>> x@y in "^$"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 9 >>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3 >>> at.1 in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> ok@at.1 in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 10 >>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4 >>> ok@at.1 in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 11 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5 >>> ok@at.1 in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list) >>> deny: condition test failed in ACL "acl1" 
@@ -372,18 +447,22 @@ LOG: H=[1.2.3.4] F= rejected RCPT : failed 3 >>> accept: condition test succeeded in ACL "acl1" >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> x@domain.only in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> x@domain.only in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> x@domain.only in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> domain.only in "domain.only"? yes (matched "domain.only") >>> x@domain.only in "domain.only : *.domain2.only"? yes (matched "domain.only") 
@@ -391,18 +470,22 @@ LOG: H=[1.2.3.4] F= rejected RCPT : failed 3 LOG: H=[1.2.3.4] F= rejected RCPT : failed 4 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> x@abc.domain2.only in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> x@abc.domain2.only in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> x@abc.domain2.only in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> abc.domain2.only in "domain.only"? no (end of list) >>> abc.domain2.only in "*.domain2.only"? yes (matched "*.domain2.only") 
@@ -411,50 +494,61 @@ LOG: H=[1.2.3.4] F= rejected RCPT : failed 4 LOG: H=[1.2.3.4] F= rejected RCPT : failed 4 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> x@domain2.only in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> x@domain2.only in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> x@domain2.only in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> domain2.only in "domain.only"? no (end of list) >>> domain2.only in "*.domain2.only"? no (end of list) >>> x@domain2.only in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> x@domain2.only in "abc@domain3 : xyz@*.domain4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 6 >>> check recipients = pqr@@ >>> x@domain2.only in "pqr@@"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 7 >>> check senders = : >>> y in ""? no (end of list) >>> x@y in ":"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 8 >>> check senders = ^\$ >>> x@y in "^$"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 9 >>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3 >>> domain2.only in "lsearch;TESTSUITE/aux-fixed/0304.d3"? 
no (end of list) >>> x@domain2.only in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 10 >>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4 >>> x@domain2.only in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 11 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5 >>> x@domain2.only in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list) >>> deny: condition test failed in ACL "acl1" @@ -462,24 +556,29 @@ LOG: H=[1.2.3.4] F= rejected RCPT : failed 4 >>> accept: condition test succeeded in ACL "acl1" >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> abc@domain3 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> abc@domain3 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> abc@domain3 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> domain3 in "domain.only"? no (end of list) >>> domain3 in "*.domain2.only"? no (end of list) >>> abc@domain3 in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> domain3 in "domain3"? yes (matched "domain3") >>> abc@domain3 in "abc@domain3 : xyz@*.domain4"? yes (matched "abc@domain3") 
@@ -487,24 +586,29 @@ LOG: H=[1.2.3.4] F= rejected RCPT : failed 4 LOG: H=[1.2.3.4] F= rejected RCPT : failed 5 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> xyz@x.domain4 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> xyz@x.domain4 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> xyz@x.domain4 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> x.domain4 in "domain.only"? no (end of list) >>> x.domain4 in "*.domain2.only"? no (end of list) >>> xyz@x.domain4 in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> x.domain4 in "*.domain4"? yes (matched "*.domain4") >>> xyz@x.domain4 in "abc@domain3 : xyz@*.domain4"? yes (matched "xyz@*.domain4") 
@@ -512,51 +616,62 @@ LOG: H=[1.2.3.4] F= rejected RCPT : failed 5 LOG: H=[1.2.3.4] F= rejected RCPT : failed 5 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> abc@x.domain4 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> abc@x.domain4 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> abc@x.domain4 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> x.domain4 in "domain.only"? no (end of list) >>> x.domain4 in "*.domain2.only"? no (end of list) >>> abc@x.domain4 in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> x.domain4 in "domain3"? no (end of list) >>> abc@x.domain4 in "abc@domain3 : xyz@*.domain4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 6 >>> check recipients = pqr@@ >>> abc@x.domain4 in "pqr@@"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 7 >>> check senders = : >>> y in ""? no (end of list) >>> x@y in ":"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 8 >>> check senders = ^\$ >>> x@y in "^$"? 
no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 9 >>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3 >>> x.domain4 in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> abc@x.domain4 in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 10 >>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4 >>> abc@x.domain4 in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 11 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5 >>> abc@x.domain4 in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list) >>> deny: condition test failed in ACL "acl1" 
@@ -564,52 +679,63 @@ LOG: H=[1.2.3.4] F= rejected RCPT : failed 5 >>> accept: condition test succeeded in ACL "acl1" >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> xyz@domain3 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> xyz@domain3 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> xyz@domain3 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> domain3 in "domain.only"? no (end of list) >>> domain3 in "*.domain2.only"? no (end of list) >>> xyz@domain3 in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> domain3 in "*.domain4"? no (end of list) >>> xyz@domain3 in "abc@domain3 : xyz@*.domain4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 6 >>> check recipients = pqr@@ >>> xyz@domain3 in "pqr@@"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 7 >>> check senders = : >>> y in ""? no (end of list) >>> x@y in ":"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 8 >>> check senders = ^\$ >>> x@y in "^$"? 
no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 9 >>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3 >>> domain3 in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> xyz@domain3 in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 10 >>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4 >>> domain3 in "lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list) >>> xyz@domain3 in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 11 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5 >>> xyz@domain3 in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list) >>> deny: condition test failed in ACL "acl1" 
@@ -617,28 +743,34 @@ LOG: H=[1.2.3.4] F= rejected RCPT : failed 5 >>> accept: condition test succeeded in ACL "acl1" >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> pqr@myhost.test.ex in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> pqr@myhost.test.ex in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> pqr@myhost.test.ex in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> myhost.test.ex in "domain.only"? no (end of list) >>> myhost.test.ex in "*.domain2.only"? no (end of list) >>> pqr@myhost.test.ex in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> pqr@myhost.test.ex in "abc@domain3 : xyz@*.domain4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 6 >>> check recipients = pqr@@ >>> myhost.test.ex in "@"? yes (matched "@") >>> pqr@myhost.test.ex in "pqr@@"? yes (matched "pqr@@") 
@@ -646,50 +778,61 @@ LOG: H=[1.2.3.4] F= rejected RCPT : failed 5 LOG: H=[1.2.3.4] F= rejected RCPT : failed 6 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> xxx@myhost.test.ex in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> xxx@myhost.test.ex in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> xxx@myhost.test.ex in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> myhost.test.ex in "domain.only"? no (end of list) >>> myhost.test.ex in "*.domain2.only"? no (end of list) >>> xxx@myhost.test.ex in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> xxx@myhost.test.ex in "abc@domain3 : xyz@*.domain4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 6 >>> check recipients = pqr@@ >>> xxx@myhost.test.ex in "pqr@@"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 7 >>> check senders = : >>> y in ""? no (end of list) >>> x@y in ":"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 8 >>> check senders = ^\$ >>> x@y in "^$"? 
no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 9 >>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3 >>> myhost.test.ex in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> xxx@myhost.test.ex in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 10 >>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4 >>> xxx@myhost.test.ex in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 11 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5 >>> xxx@myhost.test.ex in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list) >>> deny: condition test failed in ACL "acl1" 
@@ -697,42 +840,51 @@ LOG: H=[1.2.3.4] F= rejected RCPT : failed 6 >>> accept: condition test succeeded in ACL "acl1" >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> domain5 in "b"? no (end of list) >>> a@domain5 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> a@domain5 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> a@domain5 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> domain5 in "domain.only"? no (end of list) >>> domain5 in "*.domain2.only"? no (end of list) >>> a@domain5 in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> a@domain5 in "abc@domain3 : xyz@*.domain4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 6 >>> check recipients = pqr@@ >>> a@domain5 in "pqr@@"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 7 >>> check senders = : >>> y in ""? no (end of list) >>> x@y in ":"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 8 >>> check senders = ^\$ >>> x@y in "^$"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 9 >>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3 >>> domain5 in "lsearch;TESTSUITE/aux-fixed/0304.d3"? 
yes (matched "lsearch;TESTSUITE/aux-fixed/0304.d3") >>> a@domain5 in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? yes (matched "*@lsearch;TESTSUITE/aux-fixed/0304.d3") 
@@ -740,47 +892,57 @@ LOG: H=[1.2.3.4] F= rejected RCPT : failed 6 LOG: H=[1.2.3.4] F= rejected RCPT : failed 9 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> xyz@domain6 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> xyz@domain6 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> xyz@domain6 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> domain6 in "domain.only"? no (end of list) >>> domain6 in "*.domain2.only"? no (end of list) >>> xyz@domain6 in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> domain6 in "*.domain4"? no (end of list) >>> xyz@domain6 in "abc@domain3 : xyz@*.domain4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 6 >>> check recipients = pqr@@ >>> xyz@domain6 in "pqr@@"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 7 >>> check senders = : >>> y in ""? no (end of list) >>> x@y in ":"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 8 >>> check senders = ^\$ >>> x@y in "^$"? 
no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 9 >>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3 >>> domain6 in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> xyz@domain6 in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 10 >>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4 >>> domain6 in "lsearch;TESTSUITE/aux-fixed/0304.d4"? yes (matched "lsearch;TESTSUITE/aux-fixed/0304.d4") >>> xyz@domain6 in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? yes (matched "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4") 
@@ -788,51 +950,62 @@ LOG: H=[1.2.3.4] F= rejected RCPT : failed 9 LOG: H=[1.2.3.4] F= rejected RCPT : failed 10 >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> abc@domain6 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> abc@domain6 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> abc@domain6 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> domain6 in "domain.only"? no (end of list) >>> domain6 in "*.domain2.only"? no (end of list) >>> abc@domain6 in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> domain6 in "domain3"? no (end of list) >>> abc@domain6 in "abc@domain3 : xyz@*.domain4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 6 >>> check recipients = pqr@@ >>> abc@domain6 in "pqr@@"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 7 >>> check senders = : >>> y in ""? no (end of list) >>> x@y in ":"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 8 >>> check senders = ^\$ >>> x@y in "^$"? 
no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 9 >>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3 >>> domain6 in "lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> abc@domain6 in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 10 >>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4 >>> abc@domain6 in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 11 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5 >>> abc@domain6 in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? no (end of list) >>> deny: condition test failed in ACL "acl1" 
@@ -840,50 +1013,61 @@ LOG: H=[1.2.3.4] F= rejected RCPT : failed 10 >>> accept: condition test succeeded in ACL "acl1" >>> using ACL "acl1" >>> processing "deny" +>>> message: failed 1 >>> check recipients = \N^abc.*@.*\.x\.y\.z\N : a@b >>> x@domain7 in "^abc.*@.*\.x\.y\.z : a@b"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 2 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d1 >>> x@domain7 in "lsearch*@;TESTSUITE/aux-fixed/0304.d1"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 3 >>> check recipients = @@lsearch;TESTSUITE/aux-fixed/0304.d2 >>> x@domain7 in "@@lsearch;TESTSUITE/aux-fixed/0304.d2"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 4 >>> check recipients = domain.only : *.domain2.only >>> domain7 in "domain.only"? no (end of list) >>> domain7 in "*.domain2.only"? no (end of list) >>> x@domain7 in "domain.only : *.domain2.only"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 5 >>> check recipients = abc@domain3 : xyz@*.domain4 >>> x@domain7 in "abc@domain3 : xyz@*.domain4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 6 >>> check recipients = pqr@@ >>> x@domain7 in "pqr@@"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 7 >>> check senders = : >>> y in ""? no (end of list) >>> x@y in ":"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 8 >>> check senders = ^\$ >>> x@y in "^$"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 9 >>> check recipients = *@lsearch;TESTSUITE/aux-fixed/0304.d3 >>> domain7 in "lsearch;TESTSUITE/aux-fixed/0304.d3"? 
no (end of list) >>> x@domain7 in "*@lsearch;TESTSUITE/aux-fixed/0304.d3"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 10 >>> check recipients = xyz@lsearch;TESTSUITE/aux-fixed/0304.d4 >>> x@domain7 in "xyz@lsearch;TESTSUITE/aux-fixed/0304.d4"? no (end of list) >>> deny: condition test failed in ACL "acl1" >>> processing "deny" +>>> message: failed 11 >>> check recipients = lsearch*@;TESTSUITE/aux-fixed/0304.d5 >>> x@domain7 in "lsearch*@;TESTSUITE/aux-fixed/0304.d5"? yes (matched "lsearch*@;TESTSUITE/aux-fixed/0304.d5") >>> deny: condition test succeeded in ACL "acl1" diff --git a/test/stderr/0325 b/test/stderr/0325 index f834f56c3..727ee56b1 100644 --- a/test/stderr/0325 +++ b/test/stderr/0325 @@ -30,5 +30,6 @@ r4: $local_part_data = LOCAL PART DATA >>> a.b.c in "+test_domains"? yes (matched "+test_domains" - cached) >>> check local_parts = +test_local_parts >>> xxx in "+test_local_parts"? yes (matched "+test_local_parts" - cached) +>>> message: \$domain_data=$domain_data \$local_part_data=$local_part_data >>> deny: condition test succeeded in ACL "a1" LOG: H=[V4NET.0.0.0] F= rejected RCPT xxx@a.b.c: $domain_data=DOMAIN DATA $local_part_data=LOCAL PART DATA diff --git a/test/stderr/0342 b/test/stderr/0342 index c3c65f20a..1e84be464 100644 --- a/test/stderr/0342 +++ b/test/stderr/0342 @@ -8,6 +8,7 @@ >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "check_rcpt" >>> processing "deny" +>>> message: unverifiable >>> check !verify = recipient >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing x@ten-1 diff --git a/test/stderr/0386 b/test/stderr/0386 index c0f200668..b796773d8 100644 --- a/test/stderr/0386 +++ b/test/stderr/0386 
@@ -40,6 +40,8 @@ check local_parts = ^.*[@%!/|] 1 in "^.*[@%!/|]"? no (end of list) deny: condition test failed in ACL "TESTSUITE/aux-fixed/0386.acl1" processing "require" +l_message: Invalid sender + message: Couldn't verify the sender check verify = sender/defer_ok >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Verifying x@y @@ -64,6 +66,7 @@ routed by r1 router sender x@y verified ok require: condition test succeeded in ACL "TESTSUITE/aux-fixed/0386.acl1" processing "deny" + message: No such user here deny: condition test succeeded in ACL "TESTSUITE/aux-fixed/0386.acl1" SMTP>> 550 No such user here LOG: MAIN REJECT @@ -83,6 +86,8 @@ check local_parts = ^.*[@%!/|] 1 in "^.*[@%!/|]"? no (end of list) deny: condition test failed in ACL "TESTSUITE/aux-fixed/0386.acl1" processing "require" +l_message: Invalid sender + message: Couldn't verify the sender check verify = sender/defer_ok >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Verifying x@y @@ -106,6 +111,7 @@ routed by r1 router sender x@y verified ok require: condition test succeeded in ACL "TESTSUITE/aux-fixed/0386.acl1" processing "deny" + message: No such user here deny: condition test succeeded in ACL "TESTSUITE/aux-fixed/0386.acl1" SMTP>> 550 No such user here LOG: MAIN REJECT @@ -152,6 +158,8 @@ SMTP>> 250 OK SMTP<< rcpt to:<2@b> read ACL from file TESTSUITE/aux-fixed/0386.acl2 processing "warn" + message: X-Warning: $sender_host_address is listed at $dnslist_domain\nX-Warning: $dnslist_text +l_message: found in $dnslist_domain: $dnslist_text check dnslists = rbl.test.ex DNS list check: rbl.test.ex new DNS lookup for 13.12.11.V4NET.rbl.test.ex @@ -315,6 +323,8 @@ SMTP>> 250 OK SMTP<< rcpt to:<2@b> using ACL "TESTSUITE/aux-fixed/0386.acl2" processing "warn" + message: X-Warning: $sender_host_address is listed at $dnslist_domain\nX-Warning: $dnslist_text +l_message: found in $dnslist_domain: $dnslist_text check dnslists = rbl.test.ex DNS list check: rbl.test.ex using result of previous DNS lookup 
diff --git a/test/stderr/0398 b/test/stderr/0398 index 0ad911345..0acc6c21c 100644 --- a/test/stderr/0398 +++ b/test/stderr/0398 @@ -146,6 +146,7 @@ wrote callout cache domain record: dbfn_write: key=qq@remote wrote negative callout cache address record ----------- end verify ------------ +l_message: $acl_verify_message warn: condition test succeeded in ACL "rcpt" LOG: MAIN U=CALLER Warning: Sender verify failed: response to "RCPT TO:" from 127.0.0.1 [127.0.0.1] was: 550 Unknown @@ -223,6 +224,7 @@ dbfn_read: key=qq@remote callout cache: found address record callout cache: address record is negative ----------- end verify ------------ +l_message: $acl_verify_message warn: condition test succeeded in ACL "rcpt" LOG: MAIN U=CALLER Warning: Sender verify failed diff --git a/test/stderr/0422 b/test/stderr/0422 index c727372cc..36cfef60e 100644 --- a/test/stderr/0422 +++ b/test/stderr/0422 @@ -8,6 +8,7 @@ >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "connect" >>> processing "deny" +>>> message: dnslist_value is $dnslist_value >>> check dnslists = rbl.test.ex=127.0.0.2 >>> DNS list check: rbl.test.ex=127.0.0.2 >>> new DNS lookup for 1.13.13.V4NET.rbl.test.ex @@ -26,6 +27,7 @@ >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "connect" >>> processing "deny" +>>> message: dnslist_value is $dnslist_value >>> check dnslists = rbl.test.ex=127.0.0.2 >>> DNS list check: rbl.test.ex=127.0.0.2 >>> new DNS lookup for 2.13.13.V4NET.rbl.test.ex diff --git a/test/stderr/0423 b/test/stderr/0423 index 2fd0d33c6..47e674e52 100644 --- a/test/stderr/0423 +++ b/test/stderr/0423 
@@ -8,5 +8,6 @@ >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "connect" >>> processing "deny" +>>> message: xxxxxxxxxxxxxx has refused this message because it looks like it is infected with the Sobig.E worm. See http://www.xxxx.xxx/xxxxxxxx/xxxx/xxxx/w32.sobig.e@xx.html for details. If you feel this determination is in error, please forward the entire message to postmaster@xxxxxxxxxxxxx.com and include code \"xx#1\" in the Subject >>> deny: condition test succeeded in ACL "connect" LOG: H=[V4NET.13.13.1] rejected connection in "connect" ACL: xxxxxxxxxxxxxx has refused this message because it looks like it is infected with the Sobig.E worm. See http://www.xxxx.xxx/xxxxxxxx/xxxx/xxxx/w32.sobig.e@xx.html for details. If you feel this determination is in error, please forward the entire message to postmaster@xxxxxxxxxxxxx.com and include code "xx#1" in the Subject diff --git a/test/stderr/0513 b/test/stderr/0513 index 1a62e6165..5ee113b7c 100644 --- a/test/stderr/0513 +++ b/test/stderr/0513 @@ -17,5 +17,6 @@ >>> r1 router declined for x@mxt2.test.ex >>> no more routers >>> ----------- end verify ------------ +>>> message: >$acl_verify_message< ++++ >>> defer: condition test succeeded in ACL "check_rcpt" LOG: H=(a.b.c.d) [1.2.3.4] F=<> temporarily rejected RCPT : all relevant MX records point to non-existent hosts diff --git a/test/stderr/0524 b/test/stderr/0524 index e466df52e..d839bc3d3 100644 --- a/test/stderr/0524 +++ b/test/stderr/0524 @@ -10,6 +10,7 @@ >>> host in pipelining_advertise_hosts? yes (matched "*") >>> using ACL "check_mail" >>> processing "accept" +>>> message: CSA status is $csa_status >>> check verify = csa >>> accept: condition test succeeded in ACL "check_mail" >>> host in smtp_accept_max_nonmail_hosts? yes (matched "*") 
@@ -17,6 +18,7 @@ >>> host in pipelining_advertise_hosts? yes (matched "*") >>> using ACL "check_mail" >>> processing "accept" +>>> message: CSA status is $csa_status >>> check verify = csa >>> accept: condition test failed in ACL "check_mail" >>> accept: endpass encountered - denying access @@ -33,6 +35,7 @@ LOG: H=(csa2.test.ex) [V4NET.9.8.7] rejected MAIL <>: client SMTP authorization >>> host in pipelining_advertise_hosts? yes (matched "*") >>> using ACL "check_mail" >>> processing "accept" +>>> message: CSA status is $csa_status >>> check verify = csa >>> accept: condition test failed in ACL "check_mail" >>> accept: endpass encountered - denying access @@ -42,6 +45,7 @@ LOG: H=(csa1.test.ex) [V4NET.9.8.8] rejected MAIL <>: client SMTP authorization >>> host in pipelining_advertise_hosts? yes (matched "*") >>> using ACL "check_mail" >>> processing "accept" +>>> message: CSA status is $csa_status >>> check verify = csa >>> accept: condition test failed in ACL "check_mail" >>> accept: endpass encountered - denying access diff --git a/test/stderr/0569 b/test/stderr/0569 new file mode 100644 index 000000000..ea01fa87a --- /dev/null +++ b/test/stderr/0569 
@@ -0,0 +1,150 @@ +>>> host in hosts_connection_nolog? no (option unset) +>>> host in host_lookup? no (option unset) +>>> host in host_reject_connection? no (option unset) +>>> host in sender_unqualified_hosts? no (option unset) +>>> host in recipient_unqualified_hosts? no (end of list) +>>> host in helo_verify_hosts? no (option unset) +>>> host in helo_try_verify_hosts? no (option unset) +>>> host in helo_accept_junk_hosts? no (option unset) +>>> using ACL "check_from" +>>> processing "accept" +>>> check senders = usery@exim.test.ex +>>> userx@exim.test.ex in "usery@exim.test.ex"? no (end of list) +>>> accept: condition test failed in ACL "check_from" +>>> processing "accept" +>>> accept: condition test succeeded in ACL "check_from" +>>> processing "accept" +>>> accept: condition test succeeded in inline ACL +>>> host in ignore_fromline_hosts? no (option unset) +>>> using ACL "check_message" +>>> processing "require" +>>> message: ${if def:acl_m_message {$acl_m_message}} +>>> check verify = header_names_ascii +>>> require: condition test succeeded in ACL "check_message" +>>> processing "accept" +>>> accept: condition test succeeded in ACL "check_message" +LOG: 10HmaX-0005vi-00 <= userx@exim.test.ex H=[V4NET.10.10.10] P=smtp S=sss +>>> host in hosts_connection_nolog? no (option unset) +>>> host in host_lookup? no (option unset) +>>> host in host_reject_connection? no (option unset) +>>> host in sender_unqualified_hosts? no (option unset) +>>> host in recipient_unqualified_hosts? no (end of list) +>>> host in helo_verify_hosts? no (option unset) +>>> host in helo_try_verify_hosts? no (option unset) +>>> host in helo_accept_junk_hosts? no (option unset) +>>> using ACL "check_from" +>>> processing "accept" +>>> check senders = usery@exim.test.ex +>>> userx@exim.test.ex in "usery@exim.test.ex"? 
no (end of list) +>>> accept: condition test failed in ACL "check_from" +>>> processing "accept" +>>> accept: condition test succeeded in ACL "check_from" +>>> processing "accept" +>>> accept: condition test succeeded in inline ACL +>>> host in ignore_fromline_hosts? no (option unset) +>>> using ACL "check_message" +>>> processing "require" +>>> message: ${if def:acl_m_message {$acl_m_message}} +>>> check verify = header_names_ascii +>>> require: condition test failed in ACL "check_message" +LOG: 10HmbA-0005vi-00 H=[V4NET.10.10.10] F= rejected after DATA: Invalid character in header "Received" found +>>> host in hosts_connection_nolog? no (option unset) +>>> host in host_lookup? no (option unset) +>>> host in host_reject_connection? no (option unset) +>>> host in sender_unqualified_hosts? no (option unset) +>>> host in recipient_unqualified_hosts? no (end of list) +>>> host in helo_verify_hosts? no (option unset) +>>> host in helo_try_verify_hosts? no (option unset) +>>> host in helo_accept_junk_hosts? no (option unset) +>>> using ACL "check_from" +>>> processing "accept" +>>> check senders = usery@exim.test.ex +>>> exim.test.ex in "exim.test.ex"? yes (matched "exim.test.ex") +>>> usery@exim.test.ex in "usery@exim.test.ex"? yes (matched "usery@exim.test.ex") +>>> check set acl_m_message = I do not like your message +>>> accept: condition test succeeded in ACL "check_from" +>>> processing "accept" +>>> accept: condition test succeeded in inline ACL +>>> host in ignore_fromline_hosts? no (option unset) +>>> using ACL "check_message" +>>> processing "require" +>>> message: ${if def:acl_m_message {$acl_m_message}} +>>> check verify = header_names_ascii +>>> require: condition test failed in ACL "check_message" +LOG: 10HmbB-0005vi-00 H=[V4NET.10.10.10] F= rejected after DATA: Invalid character in header "Subjec⍅" found +>>> host in hosts_connection_nolog? no (option unset) +>>> host in host_lookup? no (option unset) +>>> host in host_reject_connection? 
no (option unset) +>>> host in sender_unqualified_hosts? no (option unset) +>>> host in recipient_unqualified_hosts? no (end of list) +>>> host in helo_verify_hosts? no (option unset) +>>> host in helo_try_verify_hosts? no (option unset) +>>> host in helo_accept_junk_hosts? no (option unset) +>>> using ACL "check_from" +>>> processing "accept" +>>> check senders = usery@exim.test.ex +>>> userx@exim.test.ex in "usery@exim.test.ex"? no (end of list) +>>> accept: condition test failed in ACL "check_from" +>>> processing "accept" +>>> accept: condition test succeeded in ACL "check_from" +>>> processing "accept" +>>> accept: condition test succeeded in inline ACL +>>> host in ignore_fromline_hosts? no (option unset) +>>> using ACL "check_message" +>>> processing "require" +>>> message: ${if def:acl_m_message {$acl_m_message}} +>>> check verify = header_names_ascii +>>> require: condition test failed in ACL "check_message" +LOG: 10HmbC-0005vi-00 H=[V4NET.10.10.10] F= rejected after DATA: Invalid character in header "Subjec⍅" found +>>> host in hosts_connection_nolog? no (option unset) +>>> host in host_lookup? no (option unset) +>>> host in host_reject_connection? no (option unset) +>>> host in sender_unqualified_hosts? no (option unset) +>>> host in recipient_unqualified_hosts? no (end of list) +>>> host in helo_verify_hosts? no (option unset) +>>> host in helo_try_verify_hosts? no (option unset) +>>> host in helo_accept_junk_hosts? no (option unset) +>>> using ACL "check_from" +>>> processing "accept" +>>> check senders = usery@exim.test.ex +>>> userx@exim.test.ex in "usery@exim.test.ex"? no (end of list) +>>> accept: condition test failed in ACL "check_from" +>>> processing "accept" +>>> accept: condition test succeeded in ACL "check_from" +>>> processing "accept" +>>> accept: condition test succeeded in inline ACL +>>> host in ignore_fromline_hosts? 
no (option unset) +>>> using ACL "check_message" +>>> processing "require" +>>> message: ${if def:acl_m_message {$acl_m_message}} +>>> check verify = header_names_ascii +>>> require: condition test succeeded in ACL "check_message" +>>> processing "accept" +>>> accept: condition test succeeded in ACL "check_message" +LOG: 10HmaY-0005vi-00 <= userx@exim.test.ex H=[V4NET.10.10.10] P=smtp S=sss +>>> host in hosts_connection_nolog? no (option unset) +>>> host in host_lookup? no (option unset) +>>> host in host_reject_connection? no (option unset) +>>> host in sender_unqualified_hosts? no (option unset) +>>> host in recipient_unqualified_hosts? no (end of list) +>>> host in helo_verify_hosts? no (option unset) +>>> host in helo_try_verify_hosts? no (option unset) +>>> host in helo_accept_junk_hosts? no (option unset) +>>> using ACL "check_from" +>>> processing "accept" +>>> check senders = usery@exim.test.ex +>>> userx@exim.test.ex in "usery@exim.test.ex"? no (end of list) +>>> accept: condition test failed in ACL "check_from" +>>> processing "accept" +>>> accept: condition test succeeded in ACL "check_from" +>>> processing "accept" +>>> accept: condition test succeeded in inline ACL +>>> host in ignore_fromline_hosts? no (option unset) +>>> using ACL "check_message" +>>> processing "require" +>>> message: ${if def:acl_m_message {$acl_m_message}} +>>> check verify = header_names_ascii +>>> require: condition test succeeded in ACL "check_message" +>>> processing "accept" +>>> accept: condition test succeeded in ACL "check_message" +LOG: 10HmaZ-0005vi-00 <= userx@exim.test.ex H=[V4NET.10.10.10] P=smtp S=sss diff --git a/test/stderr/1000 b/test/stderr/1000 index 6c0b60394..faa237ea8 100644 --- a/test/stderr/1000 +++ b/test/stderr/1000 
@@ -8,6 +8,7 @@ >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "check_connect" >>> processing "warn" +>>> l_message: matched hostlist >>> check hosts = <; 2001:ab8:37f:20:0:0:0:1 ; v6.test.ex >>> host in "<; 2001:ab8:37f:20:0:0:0:1 ; v6.test.ex"? yes (matched "2001:ab8:37f:20:0:0:0:1") >>> warn: condition test succeeded in ACL "check_connect" @@ -33,6 +34,7 @@ MUNGED: ::1 will be omitted in what follows >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "check_connect" >>> processing "warn" +>>> l_message: matched hostlist >>> check hosts = <; 2001:ab8:37f:20:0:0:0:1 ; v6.test.ex MUNGED: ::1 will be omitted in what follows >>> get[host|ipnode]byname[2] looked up these IP addresses: @@ -55,6 +57,7 @@ LOG: H=test3.ipv6.test.ex [V6NET:1234:0005:0006:0007:0008:0abc:000d] rejected co >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "check_connect" >>> processing "warn" +>>> l_message: matched hostlist >>> check hosts = <; 2001:ab8:37f:20:0:0:0:1 ; v6.test.ex MUNGED: ::1 will be omitted in what follows >>> get[host|ipnode]byname[2] looked up these IP addresses: diff --git a/test/stderr/1002 b/test/stderr/1002 index c1a59fded..5a91a33c2 100644 --- a/test/stderr/1002 +++ b/test/stderr/1002 @@ -8,6 +8,7 @@ >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "acl_rcpt_1" >>> processing "require" +>>> message: domain doesn't match @ or @[] >>> check domains = @ : @[] >>> [::1] in "@ : @[]"? yes (matched "@[]") >>> require: condition test succeeded in ACL "acl_rcpt_1" @@ -15,6 +16,7 @@ >>> accept: condition test succeeded in ACL "acl_rcpt_1" >>> using ACL "acl_rcpt_6" >>> processing "require" +>>> message: domain doesn't match @mx_any/ignore=<;127.0.0.1;::1 >>> check domains = <+ @mx_any/ignore=<;127.0.0.1;::1 >>> ::1 in "<;127.0.0.1;::1"? yes (matched "::1") >>> 127.0.0.1 in "<;127.0.0.1;::1"? yes (matched "127.0.0.1") diff --git a/test/stderr/2600 b/test/stderr/2600 index 57026026d..a1adefa66 100644 
--- a/test/stderr/2600 +++ b/test/stderr/2600 @@ -155,6 +155,7 @@ host in "sqlite;TESTSUITE/aux-fixed/sqlitedb select * from them where id='10.0.0 host in "+relay_hosts"? no (end of list) accept: condition test failed in ACL "check_recipient" processing "deny" + message: relay not permitted deny: condition test succeeded in ACL "check_recipient" SMTP>> 550 relay not permitted LOG: MAIN REJECT @@ -183,6 +184,7 @@ host in "sqlite;TESTSUITE/aux-fixed/sqlitedb select * from them where id='10.0.0 host in "+relay_hosts"? no (end of list) accept: condition test failed in ACL "check_recipient" processing "deny" + message: relay not permitted deny: condition test succeeded in ACL "check_recipient" SMTP>> 550 relay not permitted LOG: MAIN REJECT diff --git a/test/stderr/3400 b/test/stderr/3400 index 0a24b05fb..529ce480c 100644 --- a/test/stderr/3400 +++ b/test/stderr/3400 @@ -55,6 +55,7 @@ LOG: ETRN #abcd received from [10.0.0.2] >>> host in "10.0.0.0/24"? yes (matched "10.0.0.0/24") >>> require: condition test succeeded in ACL "check_etrn" >>> processing "warn" +>>> l_message: accepted ETRN $smtp_command_argument >>> warn: condition test succeeded in ACL "check_etrn" LOG: H=[10.0.0.2] Warning: accepted ETRN #abcd >>> processing "accept" @@ -85,6 +86,7 @@ LOG: H=[10.0.0.2] Warning: accepted ETRN #abcd >>> processing "deny" >>> check hosts = +auth_hosts >>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached) +>>> message: authentication required >>> check !authenticated = * >>> deny: condition test succeeded in ACL "check_vrfy" LOG: H=(test.host) [10.0.0.1] rejected VRFY userx@test.ex: authentication required 
@@ -92,6 +94,7 @@ LOG: H=(test.host) [10.0.0.1] rejected VRFY userx@test.ex: authentication requir >>> processing "deny" >>> check hosts = +auth_hosts >>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached) +>>> message: authentication required >>> check !authenticated = * >>> deny: condition test succeeded in ACL "check_expn" LOG: H=(test.host) [10.0.0.1] rejected EXPN list@test.ex: authentication required @@ -100,6 +103,7 @@ LOG: ETRN abcd received from (test.host) [10.0.0.1] >>> processing "deny" >>> check hosts = +auth_hosts >>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached) +>>> message: authentication required >>> check !authenticated = * >>> deny: condition test succeeded in ACL "check_etrn" LOG: H=(test.host) [10.0.0.1] rejected ETRN abcd: authentication required @@ -119,6 +123,7 @@ LOG: H=(test.host) [10.0.0.1] rejected ETRN abcd: authentication required >>> processing "deny" >>> check hosts = +auth_hosts >>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached) +>>> message: authentication required >>> check !authenticated = * >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=(test.host) [10.0.0.1] F= rejected RCPT : authentication required @@ -143,6 +148,7 @@ LOG: H=(test.host) [10.0.0.1] F= rejected RCPT >> processing "deny" >>> check hosts = +auth_hosts >>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached) +>>> message: authentication required >>> check !authenticated = * >>> mylogin in "*"? yes (matched "*") >>> deny: condition test failed in ACL "check_recipient" @@ -167,6 +173,7 @@ LOG: H=(test.host) [10.0.0.1] F= rejected RCPT >> processing "deny" >>> check hosts = +auth_hosts >>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached) +>>> message: authentication required >>> check !authenticated = * >>> mylogin in "*"? yes (matched "*") >>> deny: condition test failed in ACL "check_recipient" 
@@ -186,12 +193,14 @@ LOG: H=(test.host) [10.0.0.1] F= rejected RCPT >> host in "+auth_relay_hosts"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: relay not permitted >>> deny: condition test succeeded in ACL "check_recipient" LOG: H=(test.host) [10.0.0.1] F= A=mylogin rejected RCPT : relay not permitted >>> using ACL "check_vrfy" >>> processing "deny" >>> check hosts = +auth_hosts >>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached) +>>> message: authentication required >>> check !authenticated = * >>> mylogin in "*"? yes (matched "*") >>> deny: condition test failed in ACL "check_vrfy" @@ -208,6 +217,7 @@ LOG: H=(test.host) [10.0.0.1] F= A=mylogin rejected RCPT >>> processing "deny" >>> check hosts = +auth_hosts >>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached) +>>> message: authentication required >>> check !authenticated = * >>> mylogin in "*"? yes (matched "*") >>> deny: condition test failed in ACL "check_expn" @@ -226,6 +236,7 @@ LOG: ETRN #abcd received from (test.host) [10.0.0.1] >>> processing "deny" >>> check hosts = +auth_hosts >>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached) +>>> message: authentication required >>> check !authenticated = * >>> mylogin in "*"? yes (matched "*") >>> deny: condition test failed in ACL "check_etrn" @@ -234,6 +245,7 @@ LOG: ETRN #abcd received from (test.host) [10.0.0.1] >>> host in "10.0.0.0/24"? yes (matched "10.0.0.0/24") >>> require: condition test succeeded in ACL "check_etrn" >>> processing "warn" +>>> l_message: accepted ETRN $smtp_command_argument >>> warn: condition test succeeded in ACL "check_etrn" LOG: H=(test.host) [10.0.0.1] Warning: accepted ETRN #abcd >>> processing "accept" 
@@ -290,6 +302,7 @@ LOG: H=(test.host) [10.0.0.1] Warning: accepted ETRN #abcd >>> processing "accept" >>> check hosts = +auth_relay_hosts >>> host in "+auth_relay_hosts"? yes (matched "+auth_relay_hosts" - cached) +>>> message: authentication required >>> check authenticated = * >>> accept: condition test failed in ACL "check_recipient" >>> accept: endpass encountered - denying access @@ -328,6 +341,7 @@ LOG: H=(test.host) [10.0.0.3] F= rejected RCPT >> processing "accept" >>> check hosts = +auth_relay_hosts >>> host in "+auth_relay_hosts"? yes (matched "+auth_relay_hosts" - cached) +>>> message: authentication required >>> check authenticated = * >>> mylogin in "*"? yes (matched "*") >>> accept: condition test succeeded in ACL "check_recipient" diff --git a/test/stderr/3408 b/test/stderr/3408 index 9a59d31f3..753824558 100644 --- a/test/stderr/3408 +++ b/test/stderr/3408 @@ -29,6 +29,7 @@ >>> userx@exim.test.ex in "postmaster@exim.test.ex"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: host is listed in $dnslist_domain >>> check !authenticated = * >>> check dnslists = rbl.test.ex >>> DNS list check: rbl.test.ex @@ -78,6 +79,7 @@ LOG: 10HmaX-0005vi-00 <= postmaster@exim.test.ex H=(exim.test.ex) [V4NET.11.12.1 >>> userx@exim.test.ex in "postmaster@exim.test.ex"? no (end of list) >>> accept: condition test failed in ACL "check_recipient" >>> processing "deny" +>>> message: host is listed in $dnslist_domain >>> check !authenticated = * >>> plain in "*"? yes (matched "*") >>> deny: condition test failed in ACL "check_recipient" @@ -96,6 +98,7 @@ LOG: 10HmaX-0005vi-00 <= postmaster@exim.test.ex H=(exim.test.ex) [V4NET.11.12.1 >>> ----------- end verify ------------ >>> require: condition test succeeded in ACL "check_recipient" >>> processing "deny" +>>> message: unrouteable address >>> check !verify = recipient >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing userx@exim.test.ex 
diff --git a/test/stderr/3410 b/test/stderr/3410 index 6dcb2c5db..e129996a7 100644 --- a/test/stderr/3410 +++ b/test/stderr/3410 @@ -8,6 +8,7 @@ >>> host in helo_accept_junk_hosts? no (option unset) >>> using ACL "acl_5_6_9" >>> processing "accept" +>>> message: You must authenticate >>> check authenticated = * >>> accept: condition test failed in ACL "acl_5_6_9" >>> accept: endpass encountered - denying access @@ -25,6 +26,7 @@ LOG: H=[5.6.9.1] F= rejected RCPT : You must authenticate >>> expanded string: yes >>> using ACL "acl_5_6_9" >>> processing "accept" +>>> message: You must authenticate >>> check authenticated = * >>> auth1 in "*"? yes (matched "*") >>> accept: condition test succeeded in ACL "acl_5_6_9" diff --git a/test/stderr/3500 b/test/stderr/3500 index e19c8c9e4..ee07be398 100644 --- a/test/stderr/3500 +++ b/test/stderr/3500 @@ -49,6 +49,7 @@ >>> processing "deny" >>> check hosts = +auth_hosts >>> host in "+auth_hosts"? yes (matched "+auth_hosts" - cached) +>>> message: authentication required >>> check !authenticated = * >>> cram_md5 in "*"? yes (matched "*") >>> deny: condition test failed in ACL "check_recipient" @@ -86,6 +87,7 @@ LOG: cram_md5 authenticator failed for (test.host) [10.0.0.5]: 535 Incorrect aut >>> processing "warn" >>> check hosts = 10.0.0.5 >>> host in "10.0.0.5"? yes (matched "10.0.0.5") +>>> message: authentication-failed: $authentication_failed >>> warn: condition test succeeded in ACL "check_recipient" >>> processing "accept" >>> check hosts = 10.0.0.5 diff --git a/test/stderr/5400 b/test/stderr/5400 index 73934dd92..1c9b0d83a 100644 --- a/test/stderr/5400 +++ b/test/stderr/5400 @@ -26,7 +26,11 @@ processing "accept" accept: condition test succeeded in inline ACL SMTP>> DATA SMTP<< 354 Send data - SMTP>>(nl) +----------- start cutthrough headers send ----------- +added header line(s): +X-hdr-rtr-new: +++ +--- +----------- done cutthrough headers send ------------ SMTP>> . SMTP<< 250 OK LOG: MAIN 
@@ -69,7 +73,11 @@ processing "accept" accept: condition test succeeded in inline ACL SMTP>> DATA SMTP<< 354 Send data - SMTP>>(nl) +----------- start cutthrough headers send ----------- +added header line(s): +X-hdr-rtr-new: +++ +--- +----------- done cutthrough headers send ------------ SMTP>> . SMTP<< 250 OK LOG: MAIN @@ -147,6 +155,9 @@ not using PIPELINING SMTP>> DATA SMTP<< 354 Send data SMTP>> writing message and terminating "." +added header line(s): +X-hdr-rtr-new: +++ +--- writing data block fd=dddd size=sss timeout=300 SMTP<< 250 OK ok=1 send_quit=1 send_rset=0 continue_more=0 yield=0 first_address is NULL 
@@ -162,3 +173,54 @@ LOG: MAIN LOG: MAIN Completed >>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>> +Exim version x.yz .... +configuration file is TESTSUITE/test-config +admin user +LOG: smtp_connection MAIN + SMTP connection from CALLER +using ACL "ar" +processing "accept" +check control = cutthrough_delivery +check logwrite = rcpt for $local_part@$domain + = rcpt for userx@domain.com +LOG: MAIN + rcpt for userx@domain.com +accept: condition test succeeded in ACL "ar" +----------- start cutthrough setup ------------ +Connecting to 127.0.0.1 [127.0.0.1]:1224 from ip4.ip4.ip4.ip4 ... connected + SMTP<< 220 ESMTP + SMTP>> EHLO myhost.test.ex + SMTP<< 250 OK + SMTP>> MAIL FROM: + SMTP<< 250 Sender OK + SMTP>> RCPT TO: + SMTP<< 250 Recipient OK +----------- end cutthrough setup ------------ +processing "accept" +accept: condition test succeeded in inline ACL + SMTP>> DATA + SMTP<< 354 Send data +----------- start cutthrough headers send ----------- +removed header line: +X-hdr-rtr: qqq +--- +added header line(s): +X-hdr-rtr-new: +++ +--- +added header line: +X-hdr-tpt-new: new +--- +----------- done cutthrough headers send ------------ + SMTP>> . + SMTP<< 250 OK +LOG: MAIN + >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK" + SMTP>> QUIT +----------- cutthrough shutdown (delivered) ------------ +LOG: MAIN + <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss +LOG: MAIN + Completed +LOG: smtp_connection MAIN + SMTP connection from CALLER closed by QUIT +>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>> diff --git a/test/stderr/5401 b/test/stderr/5401 index 135c11ace..1bd14f8d5 100644 --- a/test/stderr/5401 +++ b/test/stderr/5401 @@ -23,7 +23,8 @@ processing "accept" accept: condition test succeeded in inline ACL SMTP>> DATA SMTP<< 354 Send data - SMTP>>(nl) +----------- start cutthrough headers send ----------- +----------- done cutthrough headers send ------------ SMTP>> . SMTP<< 250 OK LOG: MAIN 
diff --git a/test/stderr/5410 b/test/stderr/5410 index 40ef77c4a..ddd6dbcc6 100644 --- a/test/stderr/5410 +++ b/test/stderr/5410 @@ -80,6 +80,8 @@ expanding: ${if eq {$address_data}{userz}{*}{:}} 127.0.0.1 in hosts_verify_avoid_tls? no (end of list) SMTP>> STARTTLS SMTP<< 220 TLS go ahead +127.0.0.1 in hosts_require_ocsp? no (option unset) +127.0.0.1 in hosts_request_ocsp? yes (matched "*") SMTP>> EHLO myhost.test.ex SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4] 250-SIZE 52428800 @@ -137,7 +139,8 @@ expanding: for $received_for result: for userx@domain.com -PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< +----------- start cutthrough headers send ----------- +----------- done cutthrough headers send ------------ expanding: ${tod_full} result: Tue, 2 Mar 1999 09:44:33 +0000 SMTP>> . @@ -270,7 +273,8 @@ expanding: for $received_for result: for usery@domain.com -PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< +----------- start cutthrough headers send ----------- +----------- done cutthrough headers send ------------ expanding: ${tod_full} result: Tue, 2 Mar 1999 09:44:33 +0000 SMTP>> . @@ -403,7 +407,8 @@ expanding: for $received_for result: for usery@domain.com -PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< +----------- start cutthrough headers send ----------- +----------- done cutthrough headers send ------------ expanding: ${tod_full} result: Tue, 2 Mar 1999 09:44:33 +0000 SMTP>> . diff --git a/test/stderr/5420 b/test/stderr/5420 index 1e4de9688..9eea77d05 100644 --- a/test/stderr/5420 +++ b/test/stderr/5420 
@@ -80,6 +80,10 @@ expanding: ${if eq {$address_data}{userz}{*}{:}} 127.0.0.1 in hosts_verify_avoid_tls? no (end of list) SMTP>> STARTTLS SMTP<< 220 TLS go ahead +127.0.0.1 in hosts_require_ocsp? no (option unset) +127.0.0.1 in hosts_request_ocsp? yes (matched "*") + in tls_verify_hosts? no (option unset) + in tls_try_verify_hosts? no (option unset) SMTP>> EHLO myhost.test.ex SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4] 250-SIZE 52428800 @@ -137,7 +141,8 @@ expanding: for $received_for result: for userx@domain.com -PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< +----------- start cutthrough headers send ----------- +----------- done cutthrough headers send ------------ expanding: ${tod_full} result: Tue, 2 Mar 1999 09:44:33 +0000 SMTP>> . @@ -270,7 +275,8 @@ expanding: for $received_for result: for usery@domain.com -PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< +----------- start cutthrough headers send ----------- +----------- done cutthrough headers send ------------ expanding: ${tod_full} result: Tue, 2 Mar 1999 09:44:33 +0000 SMTP>> . @@ -403,7 +409,8 @@ expanding: for $received_for result: for usery@domain.com -PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< +----------- start cutthrough headers send ----------- +----------- done cutthrough headers send ------------ expanding: ${tod_full} result: Tue, 2 Mar 1999 09:44:33 +0000 SMTP>> . diff --git a/test/stdout/0002 b/test/stdout/0002 index 1cf6a5b84..64e571944 100644 --- a/test/stdout/0002 +++ b/test/stdout/0002 @@ -64,6 +64,13 @@ > listcount: 3 > listcount: 2 > +> listextract: b +> listextract: XcX +> listextract: +> listextract: +> listextract: fail +> Failed: "extract" failed and "fail" requested +> > # Tests with iscntrl() and illegal separators > > map: 'a' 
@@ -556,7 +563,7 @@ > " yes" true EXPECT: true > " no" false EXPECT: false > "yes " true EXPECT: true -> Failed: unrecognised boolean value "-1" +> "-1" true EXPECT: true > "0" false EXPECT: false > "1" true EXPECT: true > " 0 " false EXPECT: false @@ -566,6 +573,7 @@ > " " false EXPECT: false > Failed: unrecognised boolean value "text" > Failed: unrecognised boolean value "text" +> Failed: unrecognised boolean value "-text" > Failed: unrecognised boolean value "text" > Failed: unrecognised boolean value "text" > "00" false EXPECT: false diff --git a/test/stdout/0023 b/test/stdout/0023 index 74ef7a0f6..b805f334b 100644 --- a/test/stdout/0023 +++ b/test/stdout/0023 @@ -429,12 +429,17 @@ 250 OK id=10HmbK-0005vi-00 250 OK 451 Temporary local problem - please try later +250 Reset OK +250 OK +250 accepted by condition +354 Enter message, ending with "." on a line by itself +250 OK id=10HmbL-0005vi-00 221 myhost.test.ex closing connection 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 250 OK 250 Accepted 354 Enter message, ending with "." on a line by itself -250 OK id=10HmbL-0005vi-00 +250 OK id=10HmbM-0005vi-00 221 myhost.test.ex closing connection 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 250 OK @@ -445,7 +450,7 @@ 550 Administrative prohibition 550 Administrative prohibition 354 Enter message, ending with "." on a line by itself -250 OK id=10HmbM-0005vi-00 +250 OK id=10HmbN-0005vi-00 221 myhost.test.ex closing connection 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 250 OK diff --git a/test/stdout/0569 b/test/stdout/0569 new file mode 100644 index 000000000..9d825581c --- /dev/null +++ b/test/stdout/0569 
@@ -0,0 +1,75 @@ + +**** SMTP testing session as if from host V4NET.10.10.10 +**** but without any ident (RFC 1413) callback. +**** This is not for real! + +220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250 OK +250 Accepted +354 Enter message, ending with "." on a line by itself +250 OK id=10HmaX-0005vi-00 + +**** SMTP testing: that is not a real message id! + +221 myhost.test.ex closing connection + +**** SMTP testing session as if from host V4NET.10.10.10 +**** but without any ident (RFC 1413) callback. +**** This is not for real! + +220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250 OK +250 Accepted +354 Enter message, ending with "." on a line by itself +550 Administrative prohibition +221 myhost.test.ex closing connection + +**** SMTP testing session as if from host V4NET.10.10.10 +**** but without any ident (RFC 1413) callback. +**** This is not for real! + +220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250 OK +250 Accepted +354 Enter message, ending with "." on a line by itself +550 I do not like your message +221 myhost.test.ex closing connection + +**** SMTP testing session as if from host V4NET.10.10.10 +**** but without any ident (RFC 1413) callback. +**** This is not for real! + +220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250 OK +250 Accepted +354 Enter message, ending with "." on a line by itself +550 Administrative prohibition +221 myhost.test.ex closing connection + +**** SMTP testing session as if from host V4NET.10.10.10 +**** but without any ident (RFC 1413) callback. +**** This is not for real! + +220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250 OK +250 Accepted +354 Enter message, ending with "." on a line by itself +250 OK id=10HmaY-0005vi-00 + +**** SMTP testing: that is not a real message id! 
+ +221 myhost.test.ex closing connection + +**** SMTP testing session as if from host V4NET.10.10.10 +**** but without any ident (RFC 1413) callback. +**** This is not for real! + +220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250 OK +250 Accepted +354 Enter message, ending with "." on a line by itself +250 OK id=10HmaZ-0005vi-00 + +**** SMTP testing: that is not a real message id! + +221 myhost.test.ex closing connection diff --git a/test/stdout/0600 b/test/stdout/0600 new file mode 100644 index 000000000..2b1941f58 --- /dev/null +++ b/test/stdout/0600 @@ -0,0 +1,12 @@ +220 the.local.host.name ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250 OK +250 Accepted +354 Enter message, ending with "." on a line by itself +250 OK id=10HmaX-0005vi-00 +221 the.local.host.name closing connection +220 the.local.host.name ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250 OK +250 Accepted +354 Enter message, ending with "." on a line by itself +250 OK id=10HmaY-0005vi-00 +221 the.local.host.name closing connection diff --git a/test/stdout/2002 b/test/stdout/2002 index a248be7c0..ec3c1f954 100644 --- a/test/stdout/2002 +++ b/test/stdout/2002 @@ -97,8 +97,8 @@ Attempting to start TLS Failed to start TLS End of script Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected -Certificate file = TESTSUITE/aux-fixed/cert2 -Key file = TESTSUITE/aux-fixed/cert2 +Certificate file = TESTSUITE/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem +Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key ??? 220 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 >>> ehlo rhu.barb diff --git a/test/stdout/2024 b/test/stdout/2024 index 2e30f7dd6..ecedd4193 100644 --- a/test/stdout/2024 +++ b/test/stdout/2024 
@@ -20,7 +20,7 @@ Key file = aux-fixed/cert2 ??? 220 <<< 220 TLS go ahead Attempting to start TLS -Failed to start TLS +Succeeded in starting TLS End of script Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected Certificate file = aux-fixed/cert2 diff --git a/test/stdout/2102 b/test/stdout/2102 index 23c39cdf4..77ae109b2 100644 --- a/test/stdout/2102 +++ b/test/stdout/2102 @@ -145,8 +145,8 @@ pppp:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s Failed to start TLS End of script Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected -Certificate file = TESTSUITE/aux-fixed/cert2 -Key file = TESTSUITE/aux-fixed/cert2 +Certificate file = TESTSUITE/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem +Key file = TESTSUITE/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key ??? 220 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 >>> ehlo rhu.barb diff --git a/test/stdout/5400 b/test/stdout/5400 index 74c2d2358..4895072a3 100644 --- a/test/stdout/5400 +++ b/test/stdout/5400 @@ -32,6 +32,17 @@ 354 Enter message, ending with "." on a line by itself 250 OK id=10HmaZ-0005vi-00 221 myhost.test.ex closing connection +220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250-myhost.test.ex Hello CALLER at myhost.test.ex +250-SIZE 52428800 +250-8BITMIME +250-PIPELINING +250 HELP +250 OK +250 Accepted +354 Enter message, ending with "." on a line by itself +250 OK id=10HmbA-0005vi-00 +221 myhost.test.ex closing connection ******** SERVER ******** Listening on port 1224 ... @@ -53,6 +64,7 @@ Received: from CALLER (helo=myhost.test.ex) Message-Id: From: CALLER_NAME Date: Tue, 2 Mar 1999 09:44:33 +0000 +X-hdr-rtr-new: +++ . 250 OK @@ -80,6 +92,7 @@ Received: from CALLER (helo=myhost.test.ex) Message-Id: From: CALLER_NAME Date: Tue, 2 Mar 1999 09:44:33 +0000 +X-hdr-rtr-new: +++ . 250 OK @@ -117,7 +130,37 @@ Received: from CALLER (helo=myhost.test.ex) Message-Id: 
From: CALLER_NAME Date: Tue, 2 Mar 1999 09:44:33 +0000 +X-hdr-rtr-new: +++ + +. +250 OK +QUIT +250 OK +End of script +Listening on port 1224 ... +Connection request from [ip4.ip4.ip4.ip4] +220 ESMTP +EHLO myhost.test.ex +250 OK +MAIL FROM: +250 Sender OK +RCPT TO: +250 Recipient OK +DATA +354 Send data +Received: from CALLER (helo=myhost.test.ex) + by myhost.test.ex with local-esmtp (Exim x.yz) + (envelope-from ) + id 10HmbA-0005vi-00 + for userx@domain.com; Tue, 2 Mar 1999 09:44:33 +0000 +X-hdr-tpt: zzz +Message-Id: +From: CALLER_NAME +Date: Tue, 2 Mar 1999 09:44:33 +0000 +X-hdr-rtr-new: +++ + +body . 250 OK QUIT diff --git a/test/stdout/5650 b/test/stdout/5650 new file mode 100644 index 000000000..e0bbf4507 --- /dev/null +++ b/test/stdout/5650 
@@ -0,0 +1,80 @@ +Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected +Certificate file = aux-fixed/cert2 +Key file = aux-fixed/cert2 +??? 220 +<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> ehlo rhu.barb +??? 250- +<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4] +??? 250- +<<< 250-SIZE 52428800 +??? 250- +<<< 250-8BITMIME +??? 250- +<<< 250-PIPELINING +??? 250- +<<< 250-STARTTLS +??? 250 +<<< 250 HELP +>>> starttls +??? 220 +<<< 220 TLS go ahead +Attempting to start TLS +>>> mail from: +??? 250 +<<< 250 OK +>>> rcpt to: +??? 250 +<<< 250 Accepted +>>> quit +??? 221 +<<< 221 server1.example.com closing connection +End of script +Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected +Certificate file = aux-fixed/cert2 +Key file = aux-fixed/cert2 +??? 220 +<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> ehlo rhu.barb +??? 250- +<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4] +??? 250- +<<< 250-SIZE 52428800 +??? 250- +<<< 250-8BITMIME +??? 250- +<<< 250-PIPELINING +??? 250- +<<< 250-STARTTLS +??? 250 +<<< 250 HELP +>>> starttls +??? 220 +<<< 220 TLS go ahead +Attempting to start TLS +Bad certificate +End of script +Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected +Certificate file = aux-fixed/cert2 +Key file = aux-fixed/cert2 +??? 220 +<<< 220 server1.example.com ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> ehlo rhu.barb +??? 250- +<<< 250-server1.example.com Hello rhu.barb [ip4.ip4.ip4.ip4] +??? 250- +<<< 250-SIZE 52428800 +??? 250- +<<< 250-8BITMIME +??? 250- +<<< 250-PIPELINING +??? 250- +<<< 250-STARTTLS +??? 250 +<<< 250 HELP +>>> starttls +??? 220 +<<< 220 TLS go ahead +Attempting to start TLS +Bad certificate +End of script
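Review bot: the new ">>> message:" and ">>> l_message:" debug lines in the test/stderr ACL trace hunks (3408, 3410, 3500 and the files before them) print the modifier text unexpanded and before any condition has run, for example `message: host is listed in $dnslist_domain` and `l_message: accepted ETRN $smtp_command_argument`, and they also appear in traces that end in "deny: condition test failed". Someone reading a debug trace can take that line for the text that was actually sent or logged. Suggest marking it as the raw setting, or emitting it only when the verb takes effect, and spelling the label as log_message so it matches the modifier name used in the configuration.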
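Review bot: in test/stderr/5420 at @@ -80,6 +80,10 the two added lines ` in tls_verify_hosts? no (option unset)` and ` in tls_try_verify_hosts? no (option unset)` have nothing before "in", while the hosts_require_ocsp and hosts_request_ocsp lines directly above them name 127.0.0.1. Either the debug output is dropping the host or the check is being evaluated against an unset host string. With both options unset the result is "no" either way, so this expected output would not catch the second case; please confirm which host these checks are matched against and add a case where the option is set.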
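Review bot: the cutthrough trace added to test/stderr/5400 at @@ -162,3 +173,54 reports "added header line: X-hdr-tpt-new: new", but the message the test server records in test/stdout/5400 for what appears to be the same delivery (id 10HmbA-0005vi-00, for userx@domain.com) carries X-hdr-tpt: zzz and X-hdr-rtr-new: +++ and no X-hdr-tpt-new header. If transport-level header changes are not meant to apply to cutthrough delivery, the debug output should not claim the header was added; if they are meant to apply, the expected stdout is recording the wrong result. Please reconcile the two files and state the intended behaviour in the test script.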
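Review bot: test/stdout/0002 at @@ -556,7 +563,7 changes the expected result for "-1" from `Failed: unrecognised boolean value "-1"` to true, which alters how existing configurations evaluate and is more than a new test case. A condition that used to fail expansion on a negative number now silently yields true. Please make sure the documentation for the boolean conditions says that negative integers are accepted and count as true, and extend the cases beyond the added "-text" failure to cover the remaining negative forms such as "-0" and a negative value with surrounding spaces.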
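Review bot: test/stdout/2024 at @@ -20,7 +20,7 flips the expected client result from "Failed to start TLS" to "Succeeded in starting TLS" with no other change visible in the hunk. This test previously asserted that the handshake was refused, so please state in the commit message or the test script which behaviour change makes success the correct outcome. Otherwise a loosened verification check would pass review as a routine expected-output update.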
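Review bot: in the new test/stdout/5650 the first session goes from "Attempting to start TLS" straight to ">>> mail from:" with no "Succeeded in starting TLS" line, although the client prints that line in test/stdout/2024 and the two later sessions here end in "Bad certificate". As recorded, the passing case is only implied by the 250 replies that follow. Please check whether the success line is missing from the expected output and, if the client does not print it on this path, add an explicit marker. The file also still uses aux-fixed/cert2 for the client certificate and key while the 2002 and 2102 hunks move to the TESTSUITE/aux-fixed/exim-ca/ tree; using the same tree here would keep the TLS tests consistent.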