From 44e35f5f592b4fb993a6a23ad9e0446af8a6d527 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 5 Nov 2023 21:29:53 +0000 Subject: [PATCH] DANE: handle servefail for TLSA during Rverify. Bug 3030 --- doc/doc-txt/ChangeLog | 17 ++++++--- src/src/verify.c | 4 +- test/confs/5803 | 71 ++++++++++++++++++++++++++++++++++++ test/dnszones-src/db.test.ex | 5 +++ test/scripts/5800-DANE/5803 | 8 ++++ 5 files changed, 97 insertions(+), 8 deletions(-) create mode 100644 test/confs/5803 create mode 100644 test/scripts/5800-DANE/5803 diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 990e72823..2ea8caf23 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -8,12 +8,17 @@ Exim version 4.98 JH/01 Support list of dkim results in the dkim_status ACL condition, making it more usable in the data ACL. -JH/02 Handle error on close of the spool data file during reception. Previously - This was only logged, on the assumption that errors would be seen for - a previous fflush(). However, a fuse filesystem has been reported as - showing this an error for the fclose(). The spool is now in an uncertain - state, and we have logged and responded acceptance. Change this to - respond with a temp-reject, wipe spoolfiles, and log the error detail. +JH/02 Bug 3040: Handle error on close of the spool data file during reception. + Previously This was only logged, on the assumption that errors would be + seen for a previous fflush(). However, a fuse filesystem has been + reported as showing this an error for the fclose(). The spool is now in + an uncertain state, and we have logged and responded acceptance. Change + this to respond with a temp-reject, wipe spoolfiles, and log the error + detail. + +JH/03 Bug 3030: fix handling of DNS servfail respons for DANE TLSA. When hit + during a recipient verify callout, a QUIT command was attempted on the + now-closed callout channel, causing a paniclog entry. Exim version 4.97 
diff --git a/src/src/verify.c b/src/src/verify.c
index d8ebf5925..6361aa434 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -677,7 +677,7 @@ coding means skipping this whole loop and doing the append separately. */
 sx->conn_args.interface = interface;
 sx->helo_data = tf->helo_data;
 sx->conn_args.tblock = addr->transport;
-sx->conn_args.sock = -1;
+sx->cctx.sock = sx->conn_args.sock = -1;
 sx->verify = TRUE;
 
 tls_retry_connection:
@@ -1152,7 +1152,7 @@ no_conn:
 /* Ensure no cutthrough on multiple verifies that were incompatible */
 if (options & vopt_callout_recipsender)
 cancel_cutthrough_connection(TRUE, US"not usable for cutthrough");
-if (sx->send_quit)
+if (sx->send_quit && sx->cctx.sock >= 0)
 if (smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n") != -1)
 /* Wait a short time for response, and discard it */
 smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2', 1);
diff --git a/test/confs/5803 b/test/confs/5803
new file mode 100644
index 000000000..465959775
--- /dev/null
+++ b/test/confs/5803
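Review bot: The new `sx->cctx.sock >= 0` guard before QUIT only works if every path that closes the callout channel also stores -1 back into sx->cctx.sock; the first hunk initialises it to -1 before connecting, but the TLSA-servfail close path this change is meant to cover is outside the hunk and the reset is not visible here, so it should be confirmed rather than assumed — a closed socket whose descriptor number is left in cctx.sock would still pass the check and the QUIT would be written to a closed or reused fd. The reason for the extra condition is not obvious at this point in the function, so a why-comment above the `if` would help the next reader, e.g. `/* The channel may already have been closed (e.g. DANE TLSA lookup failure); only QUIT on a live socket */`. The enclosing callout function starts and ends outside both hunks.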
@@ -0,0 +1,71 @@ +# Exim test configuration 5801 +# DANE common + +SERVER= + +.include DIR/aux-var/tls_conf_prefix + +primary_hostname = myhost.test.ex + +# ----- Main settings ----- + +acl_smtp_rcpt = accept verify = recipient/callout + +log_selector = +received_recipients +tls_certificate_verified +tls_sni + +queue_run_in_order + +tls_advertise_hosts = * +.ifdef _HAVE_GNUTLS +# needed to force generation +tls_dhparam = historic +.endif + +CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net +CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com + + +tls_certificate = CDIR2/fullchain.pem +tls_privatekey = CDIR2/server1.example.com.unlocked.key + +# ----- Routers ----- + +begin routers + +client: + driver = dnslookup + condition = ${if eq {SERVER}{}} + dnssec_request_domains = * + self = send + transport = send_to_server + errors_to = "" + +server: + driver = redirect + data = :blackhole: + + +# ----- Transports ----- + +begin transports + +send_to_server: + driver = smtp + allow_localhost + port = PORT_D + hosts_try_fastopen = : + + hosts_try_dane = * + tls_verify_certificates = + + + +# ----- Retry ----- + + +begin retry + +* * F,5d,10s + + +# End diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex index d39e9cf1e..6ff1a6af4 100644 --- a/test/dnszones-src/db.test.ex +++ b/test/dnszones-src/db.test.ex @@ -583,6 +583,11 @@ DNSSEC danemixed A 127.0.0.1 DNSSEC _1225._tcp.danemixed TLSA 2 0 1 0d643c1ebcdf2cb83634e0c2f5102c1e268983401c9f4d8711d60b44d7fb7a3e DNSSEC TLSA 3 1 1 8276000000000000000000000000000000000000000000000000000000000000 +; have the TLSA lookup, only, return SERVFAIL +; +DNSSEC daneservfail A 127.0.0.1 +DNSSEC _1225._tcp.daneservfail CNAME test.again.dns. + ; ------- Testing delays ------------ DELAY=500 delay500 A HOSTIPV4 diff --git a/test/scripts/5800-DANE/5803 b/test/scripts/5800-DANE/5803 new file mode 100644 index 000000000..f217e6297 --- /dev/null +++ b/test/scripts/5800-DANE/5803 
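Review bot: The header comment of the new test/confs/5803 file reads `# Exim test configuration 5801`, which names a different test; since this file is configuration 5803 it should be `# Exim test configuration 5803`. The stale number looks like a copy-and-paste leftover from the 5801 config and will mislead anyone grepping the confs by number.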
@@ -0,0 +1,8 @@
+# DANE Rverify, TLSA SERVFAIL
+#
+exim -odf -bs
+HELO test
+MAIL FROM:
+RCPT TO:
+QUIT
+****
-- 
2.30.2