From 899b8bbc6d360af6362c2a41d40b786279f41492 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Tue, 19 Dec 2017 15:06:49 +0000 Subject: [PATCH] DANE: support under GnuTLS. Bug 1523 GnuTLS version 3.0.0 onwards; still Experimental --- doc/doc-txt/NewStuff | 3 + doc/doc-txt/experimental-spec.txt | 2 + src/OS/Makefile-Base | 16 +-- src/scripts/MakeLinks | 2 +- src/src/EDITME | 5 +- src/src/dane-gnu.c | 21 ---- src/src/dane.c | 4 +- src/src/tls-gnu.c | 174 +++++++++++++++++++++++----- src/src/transports/smtp.c | 11 +- test/confs/5820 | 52 ++++++--- test/confs/5840 | 14 +-- test/confs/5860 | 14 +-- test/dnszones-src/db.test.ex | 35 ++++-- test/log/5820 | 107 +++++++++++++++++ test/log/5840 | 58 +++++++--- test/log/5860 | 8 +- test/scripts/5820-DANE-GnuTLS/5820 | 102 +++++++++++++++- test/scripts/5840-DANE-OpenSSL/5840 | 37 ++++-- test/stderr/5820 | 100 ++++++++++++++++ test/stderr/5840 | 30 +++-- test/stdout/5800 | 2 +- test/stdout/5820 | 45 +++++++ test/stdout/5840 | 30 +++-- 23 files changed, 707 insertions(+), 165 deletions(-) delete mode 100644 src/src/dane-gnu.c create mode 100644 test/log/5820 create mode 100644 test/stderr/5820 create mode 100644 test/stdout/5820 diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index ddadd3eb6..f53ce5741 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -12,6 +12,9 @@ Version 4.next 1. Dual-certificate stacks on servers now support OCSP stapling, under GnuTLS version 3.5.6 or later. + 2. DANE is now supported under GnuTLS version 3.0.0 or later (adding to the + previous OpenSSL implementation, but still Experimental). + Version 4.90 ------------ diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 1e826aee1..db7a9a51d 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -928,6 +928,8 @@ verification succeeded using DANE and "no" otherwise (only useful in combination with EXPERIMENTAL_EVENT), and a new variable $tls_out_tlsa_usage (detailed above). +Under GnuTLS, DANE is only supported from versin 3.0.0 onwards + DSN extra information diff --git a/src/OS/Makefile-Base b/src/OS/Makefile-Base index dcd87c29c..bb250ff91 100644 --- a/src/OS/Makefile-Base +++ b/src/OS/Makefile-Base @@ -471,13 +471,13 @@ convert4r4: config ../src/convert4r4.src OBJ_WITH_CONTENT_SCAN = malware.o mime.o regex.o spam.o spool_mbox.o OBJ_EXPERIMENTAL = bmi_spam.o \ - dane.o \ - dcc.o \ - dmarc.o \ - imap_utf7.o \ - spf.o \ - srs.o \ - utf8.o + dane.o \ + dcc.o \ + dmarc.o \ + imap_utf7.o \ + spf.o \ + srs.o \ + utf8.o # Targets for final binaries; the main one has a build number which is # updated each time. We don't bother with that for the auxiliaries. @@ -821,7 +821,7 @@ spool_mbox.o: $(HDRS) spool_mbox.c # Dependencies for EXPERIMENTAL_* modules bmi_spam.o: $(HDRS) bmi_spam.c -dane.o: $(HDRS) dane.c dane-gnu.c dane-openssl.c +dane.o: $(HDRS) dane.c dane-openssl.c dcc.o: $(HDRS) dcc.h dcc.c dmarc.o: $(HDRS) pdkim/pdkim.h dmarc.h dmarc.c imap_utf7.o: $(HDRS) imap_utf7.c diff --git a/src/scripts/MakeLinks b/src/scripts/MakeLinks index 770591dc8..7fc1d19b4 100755 --- a/src/scripts/MakeLinks +++ b/src/scripts/MakeLinks @@ -122,7 +122,7 @@ do done # EXPERIMENTAL_* -for f in bmi_spam.c bmi_spam.h dcc.c dcc.h dane.c dane-gnu.c dane-openssl.c \ +for f in bmi_spam.c bmi_spam.h dcc.c dcc.h dane.c dane-openssl.c \ danessl.h imap_utf7.c spf.c spf.h srs.c srs.h utf8.c do ln -s ../src/$f $f diff --git a/src/src/EDITME b/src/src/EDITME index 72e26ce0e..947a4db0e 100644 --- a/src/src/EDITME +++ b/src/src/EDITME @@ -489,7 +489,7 @@ EXIM_MONITOR=eximon.bin # Uncomment the following line to add DANE support # Note: Enabling this unconditionally overrides DISABLE_DNSSEC -# Note: DANE is only supported when using OpenSSL +# For DANE under GnuTLS we need an additional library. See TLS_LIBS below. # EXPERIMENTAL_DANE=yes # Uncomment the following to include extra information in fail DSN message (bounces) @@ -797,6 +797,9 @@ HEADERS_CHARSET="ISO-8859-1" # or # TLS_LIBS=-L/opt/gnu/lib -lgnutls -ltasn1 -lgcrypt +# For DANE under GnuTLS we need an additional library. +TLS_LIBS += -lgnutls-dane + # TLS_LIBS is included only on the command for linking Exim itself, not on any # auxiliary programs. If the include files are not in a standard place, you can # set TLS_INCLUDE to specify where they are, for example: diff --git a/src/src/dane-gnu.c b/src/src/dane-gnu.c deleted file mode 100644 index b98bffad6..000000000 --- a/src/src/dane-gnu.c +++ /dev/null @@ -1,21 +0,0 @@ -/************************************************* -* Exim - an Internet mail transport agent * -*************************************************/ - -/* Copyright (c) University of Cambridge 1995 - 2013 */ -/* See the file NOTICE for conditions of use and distribution. */ - -/* This file (will) provide DANE support for Exim using the GnuTLS library, -but is not yet an available supported implementation. This file is #included -into dane.c when USE_GNUTLS has been set. */ - -/* As of March 2014, the reference implementation for DANE that we are -using was written by Viktor Dukhovny and it supports OpenSSL only. At -some point we will add GnuTLS support, but for right now just abort the -build and explain why. */ - - -#error No support for DANE using GnuTLS yet. - - -/* End of dane-gnu.c */ diff --git a/src/src/dane.c b/src/src/dane.c index 137c75418..b632d80dd 100644 --- a/src/src/dane.c +++ b/src/src/dane.c @@ -38,9 +38,7 @@ static void dummy(int x) { dummy(x-1); } # error DANE support requires that the DNS resolver library supports DNSSEC # endif -# ifdef USE_GNUTLS -# include "dane-gnu.c" -# else +# ifndef USE_GNUTLS # include "dane-openssl.c" # endif diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index e69fc8bee..9f166691a 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -66,10 +66,16 @@ require current GnuTLS, then we'll drop support for the ancient libraries). #if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP) # define SUPPORT_SRV_OCSP_STACK #endif +#if GNUTLS_VERSION_NUMBER >= 0x030000 && defined(EXPERIMENTAL_DANE) +# define SUPPORT_DANE +#endif #ifndef DISABLE_OCSP # include #endif +#ifdef SUPPORT_DANE +# include +#endif /* GnuTLS 2 vs 3 @@ -85,7 +91,7 @@ Changes: /* Values for verify_requirement */ enum peer_verify_requirement - { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED }; + { VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED, VERIFY_DANE }; /* This holds most state for server or client; with this, we can set up an outbound TLS-enabled connection in an ACL callout, while not stomping all @@ -106,6 +112,7 @@ typedef struct exim_gnutls_state { int fd_in; int fd_out; BOOL peer_cert_verified; + BOOL peer_dane_verified; BOOL trigger_sni_changes; BOOL have_set_peerdn; const struct host_item *host; @@ -130,6 +137,10 @@ typedef struct exim_gnutls_state { #ifndef DISABLE_EVENT uschar *event_action; #endif +#ifdef SUPPORT_DANE + char * const * dane_data; + const int * dane_data_len; +#endif tls_support *tlsp; /* set in tls_init() */ @@ -148,6 +159,7 @@ static const exim_gnutls_state_st exim_gnutls_state_init = { .fd_in = -1, .fd_out = -1, .peer_cert_verified = FALSE, + .peer_dane_verified = FALSE, .trigger_sni_changes =FALSE, .have_set_peerdn = FALSE, .host = NULL, @@ -438,6 +450,9 @@ tlsp->cipher = state->ciphersuite; DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite); tlsp->certificate_verified = state->peer_cert_verified; +#ifdef SUPPORT_DANE +tlsp->dane_verified = state->peer_dane_verified; +#endif /* note that tls_channelbinding_b64 is not saved to the spool file, since it's only available for use for authenticators while this TLS session is running. */ @@ -1549,8 +1564,8 @@ gnutls_certificate_set_verify_function() to fail the handshake if we dislike the peer information, but that's too new for some OSes. Arguments: - state exim_gnutls_state_st * - errstr where to put an error message + state exim_gnutls_state_st * + errstr where to put an error message Returns: FALSE if the session should be rejected @@ -1561,7 +1576,10 @@ static BOOL verify_certificate(exim_gnutls_state_st *state, uschar ** errstr) { int rc; -unsigned int verify; +uint verify; + +if (state->verify_requirement == VERIFY_NONE) + return TRUE; *errstr = NULL; @@ -1571,10 +1589,49 @@ if ((rc = peer_status(state, errstr)) != OK) *errstr = US"certificate not supplied"; } else + + { +#ifdef SUPPORT_DANE + if (state->verify_requirement == VERIFY_DANE && state->host) + { + /* Using dane_verify_session_crt() would be easy, as it does it all for us + including talking to a DNS resolver. But we want to do that bit ourselves + as the testsuite intercepts and fakes its own DNS environment. */ + + dane_state_t s; + dane_query_t r; + const gnutls_datum_t * certlist; + uint lsize; + + certlist = gnutls_certificate_get_peers(state->session, &lsize); + + if ( (rc = dane_state_init(&s, 0)) + || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len, + 1, 0)) + || (rc = dane_verify_crt_raw(s, certlist, lsize, + gnutls_certificate_type_get(state->session), + r, 0, 0, &verify)) + ) + + { + *errstr = string_sprintf("TLSA record problem: %s", dane_strerror(rc)); + goto badcert; + } + if (verify != 0) + { + gnutls_datum_t str; + (void) dane_verification_status_print(verify, &str, 0); + *errstr = US str.data; /* don't bother to free */ + goto badcert; + } + state->peer_dane_verified = TRUE; + } +#endif + rc = gnutls_certificate_verify_peers2(state->session, &verify); + } -/* Handle the result of verification. INVALID seems to be set as well -as REVOKED, but leave the test for both. */ +/* Handle the result of verification. INVALID is set if any others are. */ if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED) @@ -1590,11 +1647,7 @@ if (rc < 0 || *errstr, state->peerdn ? state->peerdn : US""); if (state->verify_requirement >= VERIFY_REQUIRED) - { - gnutls_alert_send(state->session, - GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE); - return FALSE; - } + goto badcert; DEBUG(D_tls) debug_printf("TLS verify failure overridden (host in tls_try_verify_hosts)\n"); } @@ -1614,11 +1667,7 @@ else DEBUG(D_tls) debug_printf("TLS certificate verification failed: cert name mismatch\n"); if (state->verify_requirement >= VERIFY_REQUIRED) - { - gnutls_alert_send(state->session, - GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE); - return FALSE; - } + goto badcert; return TRUE; } } @@ -1628,8 +1677,11 @@ else } state->tlsp->peerdn = state->peerdn; - return TRUE; + +badcert: + gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE); + return FALSE; } @@ -1955,8 +2007,7 @@ DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n"); /* Verify after the fact */ -if ( state->verify_requirement != VERIFY_NONE - && !verify_certificate(state, errstr)) +if (!verify_certificate(state, errstr)) { if (state->verify_requirement != VERIFY_OPTIONAL) { @@ -2014,6 +2065,55 @@ if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK) } + + +#ifdef SUPPORT_DANE +/* Given our list of RRs from the TLSA lookup, build a lookup block in +GnuTLS-DANE's preferred format. Hang it on the state str for later +use in DANE verification. + +We point at the dnsa data not copy it, so it must remain valid until +after verification is done.*/ + +static void +dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa) +{ +dns_record * rr; +dns_scan dnss; +int i; +const char ** dane_data; +int * dane_data_len; + +for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS), i = 1; + rr; + rr = dns_next_rr(dnsa, &dnss, RESET_NEXT) + ) if (rr->type == T_TLSA) i++; + +dane_data = store_get(i * sizeof(uschar *)); +dane_data_len = store_get(i * sizeof(int)); + +for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS), i = 0; + rr; + rr = dns_next_rr(dnsa, &dnss, RESET_NEXT) + ) if (rr->type == T_TLSA) + { + const uschar * p = rr->data; + uint8_t usage = *p; + + tls_out.tlsa_usage |= 1<size; + } +dane_data[i] = NULL; +dane_data_len[i] = 0; + +state->dane_data = (char * const *)dane_data; +state->dane_data_len = dane_data_len; +} +#endif + + + /************************************************* * Start a TLS session in a client * *************************************************/ @@ -2025,7 +2125,11 @@ Arguments: host connected host (for messages) addr the first address (not used) tb transport (always smtp) - + tlsa_dnsa non-NULL, either request or require dane for this host, and + a TLSA record found. Therefore, dane verify required. + Which implies cert must be requested and supplied, dane + verify must pass, and cert verify irrelevant (incl. + hostnames), and (caller handled) require_tls errstr error string pointer Returns: OK/DEFER/FAIL (because using common functions), @@ -2037,14 +2141,14 @@ tls_client_start(int fd, host_item *host, address_item *addr ARG_UNUSED, transport_instance * tb, #ifdef EXPERIMENTAL_DANE - dns_answer * tlsa_dnsa ARG_UNUSED, + dns_answer * tlsa_dnsa, #endif uschar ** errstr) { smtp_transport_options_block *ob = (smtp_transport_options_block *)tb->options_block; int rc; -exim_gnutls_state_st *state = NULL; +exim_gnutls_state_st * state = NULL; #ifndef DISABLE_OCSP BOOL require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK; @@ -2080,12 +2184,23 @@ if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey, set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only the specified host patterns if one of them is defined */ -if ( ( state->exp_tls_verify_certificates - && !ob->tls_verify_hosts - && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts) - ) - || verify_check_given_host(&ob->tls_verify_hosts, host) == OK - ) +#ifdef SUPPORT_DANE +if (tlsa_dnsa) + { + DEBUG(D_tls) + debug_printf("TLS: server certificate DANE required.\n"); + state->verify_requirement = VERIFY_DANE; + gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE); + dane_tlsa_load(state, tlsa_dnsa); + } +else +#endif + if ( ( state->exp_tls_verify_certificates + && !ob->tls_verify_hosts + && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts) + ) + || verify_check_given_host(&ob->tls_verify_hosts, host) == OK + ) { tls_client_setup_hostname_checks(host, state, ob); DEBUG(D_tls) @@ -2160,8 +2275,7 @@ DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n"); /* Verify late */ -if (state->verify_requirement != VERIFY_NONE && - !verify_certificate(state, errstr)) +if (!verify_certificate(state, errstr)) return tls_error(US"certificate verification failed", *errstr, state->host, errstr); #ifndef DISABLE_OCSP diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 61e8d8a4f..a1b677e19 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -1217,14 +1217,15 @@ DEBUG(D_transport) switch (rc) { - case DNS_SUCCEED: - if (sec) return OK; - - log_write(0, LOG_MAIN, "DANE error: TLSA lookup not DNSSEC"); - /*FALLTHROUGH*/ case DNS_AGAIN: return DEFER; /* just defer this TLS'd conn */ + case DNS_SUCCEED: + if (sec) return OK; + log_write(0, LOG_MAIN, + "DANE error: TLSA lookup for %s not DNSSEC", host->name); + /*FALLTRHOUGH*/ + case DNS_NODATA: /* no TLSA RR for this lookup */ case DNS_NOMATCH: /* no records at all for this lookup */ return dane_required ? FAIL : FAIL_FORCED; diff --git a/test/confs/5820 b/test/confs/5820 index 6c2f26ce0..d4dce2f85 100644 --- a/test/confs/5820 +++ b/test/confs/5820 @@ -1,19 +1,22 @@ -# Exim test configuration 5800 -# DANE +# Exim test configuration 5820 +# DANE/GnuTLS SERVER= -.include DIR/aux-var/std_conf_prefix +.include DIR/aux-var/tls_conf_prefix primary_hostname = myhost.test.ex # ----- Main settings ----- -acl_smtp_rcpt = accept +.ifndef OPT +acl_smtp_rcpt = accept logwrite = "rcpt ACL" +.else +acl_smtp_rcpt = accept verify = recipient/callout +.endif -log_selector = +tls_peerdn +log_selector = +received_recipients +tls_peerdn +tls_certificate_verified -queue_only queue_run_in_order tls_advertise_hosts = * @@ -21,23 +24,33 @@ tls_advertise_hosts = * tls_dhparam = historic # Set certificate only if server +CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net +CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com -tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} -tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} -#tls_verify_hosts = * -#tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} +tls_certificate = ${if eq {SERVER}{server} \ + {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ + {CDIR2/fullchain.pem}\ + {CDIR1/fullchain.pem}}}\ + fail} +tls_privatekey = ${if eq {SERVER}{server} \ + {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ + {CDIR2/server1.example.com.unlocked.key}\ + {CDIR1/server1.example.net.unlocked.key}}}\ + fail} # ----- Routers ----- begin routers client: - driver = accept - condition = ${if eq {SERVER}{server}{no}{yes}} - retry_use_local_part + driver = dnslookup + condition = ${if eq {SERVER}{}} + dnssec_request_domains = * + self = send transport = send_to_server + errors_to = "" server: driver = redirect @@ -51,11 +64,14 @@ begin transports send_to_server: driver = smtp allow_localhost - hosts = 127.0.0.1 - port = PORT_D -# tls_certificate = DIR/aux-fixed/cert2 -# tls_privatekey = DIR/aux-fixed/cert2 -# tls_verify_certificates = DIR/aux-fixed/cert2 + port = ${if match {$host}{\Ntest.ex$\N} {PORT_D}{25}} + + hosts_try_dane = * + hosts_require_dane = HOSTIPV4 + tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}} + tls_try_verify_hosts = thishost.test.ex + tls_verify_certificates = CDIR2/ca_chain.pem + # ----- Retry ----- diff --git a/test/confs/5840 b/test/confs/5840 index 1a16e1c09..10ca2111b 100644 --- a/test/confs/5840 +++ b/test/confs/5840 @@ -1,5 +1,5 @@ # Exim test configuration 5840 -# DANE +# DANE/OpenSSL SERVER= @@ -10,7 +10,7 @@ primary_hostname = myhost.test.ex # ----- Main settings ----- .ifndef OPT -acl_smtp_rcpt = accept +acl_smtp_rcpt = accept logwrite = "rcpt ACL" .else acl_smtp_rcpt = accept verify = recipient/callout .endif @@ -22,16 +22,16 @@ queue_run_in_order tls_advertise_hosts = * # Set certificate only if server -CDIR1 = DIR/aux-fixed +CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com .ifdef CERT tls_certificate = CERT .else tls_certificate = ${if eq {SERVER}{server} \ - {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}}} \ + {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ {CDIR2/fullchain.pem}\ - {CDIR1/cert1}}}\ + {CDIR1/fullchain.pem}}}\ fail} .endif @@ -39,9 +39,9 @@ tls_certificate = ${if eq {SERVER}{server} \ tls_privatekey = ALLOW .else tls_privatekey = ${if eq {SERVER}{server} \ - {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}}} \ + {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ {CDIR2/server1.example.com.unlocked.key}\ - {CDIR1/cert1}}}\ + {CDIR1/server1.example.net.unlocked.key}}}\ fail} .endif diff --git a/test/confs/5860 b/test/confs/5860 index 94436c344..82079fe38 100644 --- a/test/confs/5860 +++ b/test/confs/5860 @@ -19,20 +19,10 @@ queue_run_in_order tls_advertise_hosts = * # Set certificate only if server -CDIR1 = DIR/aux-fixed CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com -tls_certificate = ${if eq {SERVER}{server} \ - {${if eq {DETAILS}{ta} \ - {CDIR2/fullchain.pem}\ - {CDIR1/cert1}}}\ - fail} - -tls_privatekey = ${if eq {SERVER}{server} \ - {${if eq {DETAILS}{ta} \ - {CDIR2/server1.example.com.unlocked.key}\ - {CDIR1/cert1}}}\ - fail} +tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem} fail} +tls_privatekey = ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key} fail} begin acl diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex index 4cf3a108e..0b8e3f1f4 100644 --- a/test/dnszones-src/db.test.ex +++ b/test/dnszones-src/db.test.ex @@ -419,35 +419,35 @@ DNSSEC l-sec A 127.0.0.1 AA a-aa A V4NET.0.0.100 ; ------- Testing DANE ------------ +; Since these refer to certs in the exim-ca tree, they must be regenerated any time that tree is. +; ; full suite dns chain, sha512 ; -; openssl x509 -in aux-fixed/cert1 -noout -pubkey \ +; openssl x509 -in aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem -noout -pubkey \ ; | openssl pkey -pubin -outform DER \ ; | openssl dgst -sha512 \ ; | awk '{print $2}' ; DNSSEC mxdane512ee MX 1 dane512ee DNSSEC dane512ee A HOSTIPV4 -DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d +DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 69e8a5ddf24df2c51dc503959d26e621be4ce3853f71890512de3ae3390c5749ef3368dd4d274669b0653da8c3663f12ca092cd98e5e242e4de57ee6aa01cde1 ; A-only, sha256 ; -; openssl x509 -in aux-fixed/cert1 -noout -pubkey \ +; openssl x509 -in aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem -noout -pubkey \ ; | openssl pkey -pubin -outform DER \ ; | openssl dgst -sha256 \ ; | awk '{print $2}' ; DNSSEC dane256ee A HOSTIPV4 -DNSSEC _1225._tcp.dane256ee TLSA 3 1 1 2bb55f418bb03411a5007cecbfcd3ec1c94404312c0d53a44bb2166b32654db3 +DNSSEC _1225._tcp.dane256ee TLSA 3 1 1 827664533176a58b3578e0e91d77d79d036d3a97f023d82baeefa8b8e13b44f8 ; full MX, sha256, TA-mode ; ; openssl x509 -in aux-fixed/exim-ca/example.com/CA/CA.pem -fingerprint -sha256 -noout \ ; | awk -F= '{print $2}' | tr -d : | tr '[A-F]' '[a-f]' ; -; Since this refers to a cert in the exim-ca tree, it must be regenerated any time that tree is. -; DNSSEC mxdane256ta MX 1 dane256ta DNSSEC dane256ta A HOSTIPV4 DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 cb0fa6a633e52c787657f5ca0da1030800223cac459577b9b6a55ac9733348e5 @@ -465,8 +465,6 @@ DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 cb0fa6a633e52c787657f5ca0da1030800223cac4 ; | openssl dgst -sha256 \ ; | awk '{print $2}' ; -; Since this refers to a cert in the exim-ca tree, it must be regenerated any time that tree is. -; DNSSEC mxdane256tak MX 1 dane256tak DNSSEC dane256tak A HOSTIPV4 DNSSEC _1225._tcp.dane256tak TLSA 2 1 1 73e279c0f5f5a9ee9851bbbc39023603d7b266acfd0764419c3b07cc380b79f9 @@ -491,6 +489,27 @@ DNSSEC dane.no.2 A 127.0.0.1 DNSSEC danebroken1 A 127.0.0.1 _1225._tcp.danebroken1 CNAME test.fail.dns. +; a broken dane config (or under attack) where the TLSA record is wrong +; (127.0.0.1 for merely dane-requested, but having gotten the TLSA it is supposedly definitive) +DNSSEC danebroken2 A 127.0.0.1 +DNSSEC _1225._tcp.danebroken2 TLSA 2 0 1 cb0fa60000000000000000000000000000000000000000000000000000000000 + +; a broken dane config (or under attack) where the TLSA record is correct but not DNSSEC-assured +; (record copied from dane256ee above) +; 3 for dane-requested, 4 for dane-required +DNSSEC danebroken3 A 127.0.0.1 +_1225._tcp.danebroken3 TLSA 2 0 1 827664533176a58b3578e0e91d77d79d036d3a97f023d82baeefa8b8e13b44f8 +DNSSEC danebroken4 A HOSTIPV4 +_1225._tcp.danebroken4 TLSA 2 0 1 827664533176a58b3578e0e91d77d79d036d3a97f023d82baeefa8b8e13b44f8 + +; a broken dane config (or under attack) where the address record is correct but not DNSSEC-assured +; (TLSA record copied from dane256ee above) +; 5 for dane-requested, 6 for dane-required +danebroken5 A 127.0.0.1 +DNSSEC _1225._tcp.danebroken5 TLSA 2 0 1 827664533176a58b3578e0e91d77d79d036d3a97f023d82baeefa8b8e13b44f8 +danebroken6 A HOSTIPV4 +DNSSEC _1225._tcp.danebroken6 TLSA 2 0 1 827664533176a58b3578e0e91d77d79d036d3a97f023d82baeefa8b8e13b44f8 + ; a good dns config saying there is no dane support, by securely returning NOXDOMAIN for TLSA lookups ; 3 for dane-required, 4 for merely requested ; the TLSA data here is dummy; ignored diff --git a/test/log/5820 b/test/log/5820 new file mode 100644 index 000000000..767e70e68 --- /dev/null +++ b/test/log/5820 @@ -0,0 +1,107 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane512ee.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=dane DN="CN=server1.example.com" C="250 OK id=10HmaZ-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=dane DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ta.test.ex +1999-03-02 09:44:33 10HmbB-0005vi-00 => CALLER@mxdane256ta.test.ex R=client T=send_to_server H=dane256ta.test.ex [ip4.ip4.ip4.ip4] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=dane DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@thishost.test.ex +1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.net" C="250 OK id=10HmbE-0005vi-00" +1999-03-02 09:44:33 10HmbD-0005vi-00 Completed +1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@thishost.test.ex +1999-03-02 09:44:33 10HmbF-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00" +1999-03-02 09:44:33 10HmbF-0005vi-00 Completed +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdanelazy.test.ex +1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.1.test.ex +1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.2.test.ex +1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken1.test.ex +1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.3.test.ex +1999-03-02 09:44:33 10HmbM-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.4.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy.test.ex [ip4.ip4.ip4.ip4]: DANE error: tlsa lookup DEFER +1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER +1999-03-02 09:44:33 10HmbH-0005vi-00 == CALLER@mxdanelazy.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER +1999-03-02 09:44:33 10HmbI-0005vi-00 ** CALLER@dane.no.1.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL +1999-03-02 09:44:33 10HmbI-0005vi-00 CALLER@dane.no.1.test.ex: error ignored +1999-03-02 09:44:33 10HmbI-0005vi-00 Completed +1999-03-02 09:44:33 10HmbJ-0005vi-00 => CALLER@dane.no.2.test.ex R=client T=send_to_server H=dane.no.2.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbN-0005vi-00" +1999-03-02 09:44:33 10HmbJ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbK-0005vi-00 H=danebroken1.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER +1999-03-02 09:44:33 10HmbK-0005vi-00 == CALLER@danebroken1.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER +1999-03-02 09:44:33 10HmbL-0005vi-00 ** CALLER@dane.no.3.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL +1999-03-02 09:44:33 10HmbL-0005vi-00 CALLER@dane.no.3.test.ex: error ignored +1999-03-02 09:44:33 10HmbL-0005vi-00 Completed +1999-03-02 09:44:33 10HmbM-0005vi-00 => CALLER@dane.no.4.test.ex R=client T=send_to_server H=dane.no.4.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbO-0005vi-00" +1999-03-02 09:44:33 10HmbM-0005vi-00 Completed +1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbP-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken2.test.ex +1999-03-02 09:44:33 10HmbP-0005vi-00 DANE attempt failed; TLS connection to danebroken2.test.ex [127.0.0.1]: (certificate verification failed): Verification failed. CA constrains were violated. +1999-03-02 09:44:33 10HmbP-0005vi-00 == CALLER@danebroken2.test.ex R=client T=send_to_server defer (-37) H=danebroken2.test.ex [127.0.0.1]: TLS session: (certificate verification failed): Verification failed. CA constrains were violated. +1999-03-02 09:44:33 10HmbQ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken3.test.ex +1999-03-02 09:44:33 10HmbQ-0005vi-00 DANE error: TLSA lookup for danebroken3.test.ex not DNSSEC +1999-03-02 09:44:33 10HmbQ-0005vi-00 => CALLER@danebroken3.test.ex R=client T=send_to_server H=danebroken3.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbR-0005vi-00" +1999-03-02 09:44:33 10HmbQ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbS-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken4.test.ex +1999-03-02 09:44:33 10HmbS-0005vi-00 DANE error: TLSA lookup for danebroken4.test.ex not DNSSEC +1999-03-02 09:44:33 10HmbS-0005vi-00 ** CALLER@danebroken4.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL +1999-03-02 09:44:33 10HmbS-0005vi-00 CALLER@danebroken4.test.ex: error ignored +1999-03-02 09:44:33 10HmbS-0005vi-00 Completed +1999-03-02 09:44:33 10HmbT-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken5.test.ex +1999-03-02 09:44:33 10HmbT-0005vi-00 => CALLER@danebroken5.test.ex R=client T=send_to_server H=danebroken5.test.ex [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbU-0005vi-00" +1999-03-02 09:44:33 10HmbT-0005vi-00 Completed +1999-03-02 09:44:33 10HmbV-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken6.test.ex +1999-03-02 09:44:33 10HmbV-0005vi-00 ** CALLER@danebroken6.test.ex R=client T=send_to_server: DANE error: danebroken6.test.ex lookup not DNSSEC +1999-03-02 09:44:33 10HmbV-0005vi-00 CALLER@danebroken6.test.ex: error ignored +1999-03-02 09:44:33 10HmbV-0005vi-00 Completed + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex +1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for CALLER@mxdane512ee.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@mxdane256ta.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for CALLER@thishost.test.ex +1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbE-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmbG-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex for CALLER@thishost.test.ex +1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbG-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmbN-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbJ-0005vi-00@myhost.test.ex for CALLER@dane.no.2.test.ex +1999-03-02 09:44:33 10HmbN-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbN-0005vi-00 Completed +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmbO-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbM-0005vi-00@myhost.test.ex for CALLER@dane.no.4.test.ex +1999-03-02 09:44:33 10HmbO-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbO-0005vi-00 Completed +1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (recv): A TLS fatal alert has been received.: Certificate is bad +1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (send): The specified session has been invalidated for some reason. +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmbR-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbQ-0005vi-00@myhost.test.ex for CALLER@danebroken3.test.ex +1999-03-02 09:44:33 10HmbR-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbR-0005vi-00 Completed +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmbU-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbT-0005vi-00@myhost.test.ex for CALLER@danebroken5.test.ex +1999-03-02 09:44:33 10HmbU-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbU-0005vi-00 Completed diff --git a/test/log/5840 b/test/log/5840 index c2d5b9482..2c9a16f0f 100644 --- a/test/log/5840 +++ b/test/log/5840 @@ -1,9 +1,9 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane512ee.test.ex 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmaZ-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane256ta.test.ex @@ -13,12 +13,9 @@ 1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@mxdane256tak.test.ex R=client T=send_to_server H=dane256tak.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/CN=server2.example.com" C="250 OK id=10HmbE-0005vi-00" 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@thishost.test.ex -1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmbF-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock -1999-03-02 09:44:33 10HmbF-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="thishost.test.ex" -1999-03-02 09:44:33 10HmbF-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbG-0005vi-00" +1999-03-02 09:44:33 10HmbF-0005vi-00 [127.0.0.1] SSL verify error: depth=2 error=self signed certificate in certificate chain cert=/O=example.net/CN=clica CA rsa +1999-03-02 09:44:33 10HmbF-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/CN=server1.example.net" C="250 OK id=10HmbG-0005vi-00" 1999-03-02 09:44:33 10HmbF-0005vi-00 Completed -1999-03-02 09:44:33 End queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@thishost.test.ex 1999-03-02 09:44:33 10HmbH-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbI-0005vi-00" 1999-03-02 09:44:33 10HmbH-0005vi-00 Completed @@ -37,49 +34,84 @@ 1999-03-02 09:44:33 10HmbK-0005vi-00 ** CALLER@dane.no.1.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL 1999-03-02 09:44:33 10HmbK-0005vi-00 CALLER@dane.no.1.test.ex: error ignored 1999-03-02 09:44:33 10HmbK-0005vi-00 Completed -1999-03-02 09:44:33 10HmbL-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock -1999-03-02 09:44:33 10HmbL-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="dane.no.2.test.ex" -1999-03-02 09:44:33 10HmbL-0005vi-00 => CALLER@dane.no.2.test.ex R=client T=send_to_server H=dane.no.2.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbP-0005vi-00" +1999-03-02 09:44:33 10HmbL-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/CN=server1.example.com" H="dane.no.2.test.ex" +1999-03-02 09:44:33 10HmbL-0005vi-00 => CALLER@dane.no.2.test.ex R=client T=send_to_server H=dane.no.2.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbP-0005vi-00" 1999-03-02 09:44:33 10HmbL-0005vi-00 Completed 1999-03-02 09:44:33 10HmbM-0005vi-00 H=danebroken1.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER 1999-03-02 09:44:33 10HmbM-0005vi-00 == CALLER@danebroken1.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER 1999-03-02 09:44:33 10HmbN-0005vi-00 ** CALLER@dane.no.3.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL 1999-03-02 09:44:33 10HmbN-0005vi-00 CALLER@dane.no.3.test.ex: error ignored 1999-03-02 09:44:33 10HmbN-0005vi-00 Completed -1999-03-02 09:44:33 10HmbO-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock -1999-03-02 09:44:33 10HmbO-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="dane.no.4.test.ex" -1999-03-02 09:44:33 10HmbO-0005vi-00 => CALLER@dane.no.4.test.ex R=client T=send_to_server H=dane.no.4.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbQ-0005vi-00" +1999-03-02 09:44:33 10HmbO-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/CN=server1.example.com" H="dane.no.4.test.ex" +1999-03-02 09:44:33 10HmbO-0005vi-00 => CALLER@dane.no.4.test.ex R=client T=send_to_server H=dane.no.4.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbQ-0005vi-00" 1999-03-02 09:44:33 10HmbO-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbR-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken2.test.ex +1999-03-02 09:44:33 10HmbR-0005vi-00 DANE attempt failed; TLS connection to danebroken2.test.ex [127.0.0.1]: (SSL_connect): error:xxxxxxxx:SSL routines:ssl3_get_server_certificate:certificate verify failed +1999-03-02 09:44:33 10HmbR-0005vi-00 == CALLER@danebroken2.test.ex R=client T=send_to_server defer (-37) H=danebroken2.test.ex [127.0.0.1]: TLS session: (SSL_connect): error: <> +1999-03-02 09:44:33 10HmbS-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken3.test.ex +1999-03-02 09:44:33 10HmbS-0005vi-00 DANE error: TLSA lookup for danebroken3.test.ex not DNSSEC +1999-03-02 09:44:33 10HmbS-0005vi-00 => CALLER@danebroken3.test.ex R=client T=send_to_server H=danebroken3.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbT-0005vi-00" +1999-03-02 09:44:33 10HmbS-0005vi-00 Completed +1999-03-02 09:44:33 10HmbU-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken4.test.ex +1999-03-02 09:44:33 10HmbU-0005vi-00 DANE error: TLSA lookup for danebroken4.test.ex not DNSSEC +1999-03-02 09:44:33 10HmbU-0005vi-00 ** CALLER@danebroken4.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL +1999-03-02 09:44:33 10HmbU-0005vi-00 CALLER@danebroken4.test.ex: error ignored +1999-03-02 09:44:33 10HmbU-0005vi-00 Completed +1999-03-02 09:44:33 10HmbV-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken5.test.ex +1999-03-02 09:44:33 10HmbV-0005vi-00 => CALLER@danebroken5.test.ex R=client T=send_to_server H=danebroken5.test.ex [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbW-0005vi-00" +1999-03-02 09:44:33 10HmbV-0005vi-00 Completed +1999-03-02 09:44:33 10HmbX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken6.test.ex +1999-03-02 09:44:33 10HmbX-0005vi-00 ** CALLER@danebroken6.test.ex R=client T=send_to_server: DANE error: danebroken6.test.ex lookup not DNSSEC +1999-03-02 09:44:33 10HmbX-0005vi-00 CALLER@danebroken6.test.ex: error ignored +1999-03-02 09:44:33 10HmbX-0005vi-00 Completed ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 "rcpt ACL" 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@dane256ee.test.ex 1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 "rcpt ACL" 1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for CALLER@mxdane512ee.test.ex 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 "rcpt ACL" 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 "rcpt ACL" 1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for CALLER@mxdane256ta.test.ex 1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 "rcpt ACL" 1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for CALLER@mxdane256tak.test.ex 1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 "rcpt ACL" 1999-03-02 09:44:33 10HmbG-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex for CALLER@thishost.test.ex 1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbG-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 "rcpt ACL" 1999-03-02 09:44:33 10HmbI-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbH-0005vi-00@myhost.test.ex for CALLER@thishost.test.ex 1999-03-02 09:44:33 10HmbI-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbI-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 "rcpt ACL" 1999-03-02 09:44:33 10HmbP-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbL-0005vi-00@myhost.test.ex for CALLER@dane.no.2.test.ex 1999-03-02 09:44:33 10HmbP-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbP-0005vi-00 Completed +1999-03-02 09:44:33 "rcpt ACL" 1999-03-02 09:44:33 10HmbQ-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbO-0005vi-00@myhost.test.ex for CALLER@dane.no.4.test.ex 1999-03-02 09:44:33 10HmbQ-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbQ-0005vi-00 Completed +1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <> +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmbT-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbS-0005vi-00@myhost.test.ex for CALLER@danebroken3.test.ex +1999-03-02 09:44:33 10HmbT-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbT-0005vi-00 Completed +1999-03-02 09:44:33 "rcpt ACL" +1999-03-02 09:44:33 10HmbW-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbV-0005vi-00@myhost.test.ex for CALLER@danebroken5.test.ex +1999-03-02 09:44:33 10HmbW-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbW-0005vi-00 Completed diff --git a/test/log/5860 b/test/log/5860 index 3d39b7878..143548082 100644 --- a/test/log/5860 +++ b/test/log/5860 @@ -1,12 +1,12 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane256ee.test.ex 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdane512ee.test.ex 1999-03-02 09:44:33 Start queue run: pid=pppp -qf -1999-03-02 09:44:33 10HmaX-0005vi-00 tls:cert depth = 0 -1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaZ-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 tls:cert depth = 0 +1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@dane256ee.test.ex R=client T=send_to_server H=dane256ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmaZ-0005vi-00" 1999-03-02 09:44:33 10HmaX-0005vi-00 msg:delivery dane=yes 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth = 0 -1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 tls:cert depth = 0 +1999-03-02 09:44:33 10HmaY-0005vi-00 => CALLER@mxdane512ee.test.ex R=client T=send_to_server H=dane512ee.test.ex [ip4.ip4.ip4.ip4] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" 1999-03-02 09:44:33 10HmaY-0005vi-00 msg:delivery dane=yes 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf diff --git a/test/scripts/5820-DANE-GnuTLS/5820 b/test/scripts/5820-DANE-GnuTLS/5820 index 07ad7406d..84684da53 100644 --- a/test/scripts/5820-DANE-GnuTLS/5820 +++ b/test/scripts/5820-DANE-GnuTLS/5820 @@ -1,14 +1,106 @@ # DANE client: general # -gnutls -# -exim -DSERVER=server -bd -oX PORT_D +exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D +**** +### TLSA (3 1 1) +exim -odq CALLER@dane256ee.test.ex +Testing **** -exim CALLER@test.ex +### TLSA (3 1 2) +exim -odq CALLER@mxdane512ee.test.ex Testing **** exim -qf **** +# +# +### Recipient callout +exim -DOPT=callout -bhc 127.0.0.1 +MAIL FROM: +RCPT TO: +**** +killdaemon +# +# +exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D +**** +### TLSA (2 0 1) +exim -odf CALLER@mxdane256ta.test.ex +Testing +**** +killdaemon +# +# +### A server with a nonverifying cert and no TLSA +# Check we get a non-CV but TLS connection, with try_dane but no require_dane +exim -DSERVER=server -DDETAILS=no -bd -oX PORT_D +**** +exim -odf CALLER@thishost.test.ex +Testing +**** killdaemon -exim -DSERVER=server -DNOTDAEMON -qf +# +### A server with a verifying cert and no TLSA +# Check we get a CV and TLS connection, with try_dane but no require_dane +exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D +**** +exim -odf CALLER@thishost.test.ex +Testing +**** +exim -DOPT=no_certname -qf +**** +killdaemon +# +# +exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D +**** +### A server with two MXs for which both TLSA lookups return defer (delivery should defer) +exim -odq CALLER@mxdanelazy.test.ex +Testing +**** +### A server lacking a TLSA, dane required (should fail) +exim -odq CALLER@dane.no.1.test.ex +Testing +**** +### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC) +exim -odq CALLER@dane.no.2.test.ex +Testing +**** +### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer) +exim -odq CALLER@danebroken1.test.ex +Testing +**** +### A server securely saying "no TLSA records here", dane required (delivery should fail) +exim -odq CALLER@dane.no.3.test.ex +Testing +**** +### A server securely saying "no TLSA records here", dane requested only (should deliver) +exim -odq CALLER@dane.no.4.test.ex +Testing +**** +exim -qf **** +# +### A server securely serving a wrong TLSA record, dane requested only (delivery should fail) +exim -odf CALLER@danebroken2.test.ex +Testing +**** +### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE) +exim -odf CALLER@danebroken3.test.ex +Testing +**** +### A server insecurely serving a good TLSA record, dane required (delivery should fail) +exim -odf CALLER@danebroken4.test.ex +Testing +**** +### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) +exim -odf CALLER@danebroken5.test.ex +Testing +**** +### A server insecurely serving a good A record, dane required (delivery should fail) +exim -odf CALLER@danebroken6.test.ex +Testing +**** +# +killdaemon +no_msglog_check diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840 index a86ec310c..7d86621cc 100644 --- a/test/scripts/5840-DANE-OpenSSL/5840 +++ b/test/scripts/5840-DANE-OpenSSL/5840 @@ -30,6 +30,7 @@ Testing **** killdaemon # +# OpenSSL-specific regression testcase: certificate having Authority Key ID extension exim -DSERVER=server -DCERT=DIR/aux-fixed/exim-ca/example.com/server2.example.com/fullchain.pem -DALLOW=DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key -bd -oX PORT_D **** ### TLSA (2 1 1) @@ -42,11 +43,9 @@ killdaemon # Check we get a non-CV but TLS connection, with try_dane but no require_dane exim -DSERVER=server -DDETAILS=no -bd -oX PORT_D **** -exim -odq CALLER@thishost.test.ex +exim -odf CALLER@thishost.test.ex Testing **** -exim -qf -**** killdaemon # ### A server with a verifying cert and no TLSA @@ -63,7 +62,7 @@ killdaemon # exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D **** -### A server with two MXs for which both TLSA lookups return defer +### A server with two MXs for which both TLSA lookups return defer (delivery should defer) exim -odq CALLER@mxdanelazy.test.ex Testing **** @@ -71,23 +70,45 @@ Testing exim -odq CALLER@dane.no.1.test.ex Testing **** -### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) +### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC) exim -odq CALLER@dane.no.2.test.ex Testing **** -### A server where the A is dnssec and the TLSA _fails_ +### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer) exim -odq CALLER@danebroken1.test.ex Testing **** -### A server securely saying "no TLSA records here", dane required (should fail) +### A server securely saying "no TLSA records here", dane required (delivery should fail) exim -odq CALLER@dane.no.3.test.ex Testing **** -### A server securely saying "no TLSA records here", dane requested only (should transmit) +### A server securely saying "no TLSA records here", dane requested only (should deliver) exim -odq CALLER@dane.no.4.test.ex Testing **** exim -qf **** +# +### A server securely serving a wrong TLSA record, dane requested only (delivery should fail) +exim -odf CALLER@danebroken2.test.ex +Testing +**** +### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE) +exim -odf CALLER@danebroken3.test.ex +Testing +**** +### A server insecurely serving a good TLSA record, dane required (delivery should fail) +exim -odf CALLER@danebroken4.test.ex +Testing +**** +### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) +exim -odf CALLER@danebroken5.test.ex +Testing +**** +### A server insecurely serving a good A record, dane required (delivery should fail) +exim -odf CALLER@danebroken6.test.ex +Testing +**** +# killdaemon no_msglog_check diff --git a/test/stderr/5820 b/test/stderr/5820 new file mode 100644 index 000000000..8cd66384e --- /dev/null +++ b/test/stderr/5820 @@ -0,0 +1,100 @@ +### TLSA (3 1 1) +### TLSA (3 1 2) +### Recipient callout +>>> host in hosts_connection_nolog? no (option unset) +>>> host in host_lookup? no (option unset) +>>> host in host_reject_connection? no (option unset) +>>> host in sender_unqualified_hosts? no (option unset) +>>> host in recipient_unqualified_hosts? no (option unset) +>>> host in helo_verify_hosts? no (option unset) +>>> host in helo_try_verify_hosts? no (option unset) +>>> host in helo_accept_junk_hosts? no (option unset) +>>> processing "accept" +>>> check verify = recipient/callout +>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +>>> routing rcptuser@dane256ee.test.ex +>>> calling client router +>>> dane256ee.test.ex in "*"? yes (matched "*") +>>> local host found for non-MX address +>>> routed by client router +>>> Attempting full verification using callout +>>> callout cache: no domain record found for dane256ee.test.ex +>>> callout cache: no address record found for rcptuser@dane256ee.test.ex +>>> ip4.ip4.ip4.ip4 in hosts_require_dane? yes (matched "ip4.ip4.ip4.ip4") +>>> interface=NULL port=1225 +>>> Connecting to dane256ee.test.ex [ip4.ip4.ip4.ip4]:1225 ... connected +>>> SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> ip4.ip4.ip4.ip4 in hosts_avoid_esmtp? no (option unset) +>>> SMTP>> EHLO myhost.test.ex +>>> cmd buf flush 21 bytes +>>> SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4] +>>> 250-SIZE 52428800 +>>> 250-8BITMIME +>>> 250-PIPELINING +>>> 250-STARTTLS +>>> 250 HELP +>>> ip4.ip4.ip4.ip4 in hosts_avoid_tls? no (option unset) +>>> ip4.ip4.ip4.ip4 in hosts_verify_avoid_tls? no (option unset) +>>> SMTP>> STARTTLS +>>> cmd buf flush 10 bytes +>>> SMTP<< 220 TLS go ahead +>>> ip4.ip4.ip4.ip4 in hosts_require_ocsp? no (option unset) +>>> ip4.ip4.ip4.ip4 in hosts_request_ocsp? yes (matched "*") +>>> SMTP>> EHLO myhost.test.ex +>>> cmd buf flush 21 bytes +>>> SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4] +>>> 250-SIZE 52428800 +>>> 250-8BITMIME +>>> 250-PIPELINING +>>> 250 HELP +>>> ip4.ip4.ip4.ip4 in hosts_avoid_pipelining? no (option unset) +>>> ip4.ip4.ip4.ip4 in hosts_require_auth? no (option unset) +>>> SMTP>> MAIL FROM:<> +>>> SMTP>> RCPT TO: +>>> cmd buf flush 52 bytes +>>> SMTP<< 250 OK +>>> SMTP<< 250 Accepted +>>> SMTP>> QUIT +>>> cmd buf flush 6 bytes +>>> SMTP<< 221 myhost.test.ex closing connection +>>> SMTP(close)>> +>>> wrote callout cache domain record for dane256ee.test.ex: +>>> result=1 postmaster=0 random=0 +>>> wrote positive callout cache address record for rcptuser@dane256ee.test.ex +>>> ----------- end verify ------------ +>>> accept: condition test succeeded in inline ACL +>>> end of inline ACL: ACCEPT +LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs +### TLSA (2 0 1) +### A server with a nonverifying cert and no TLSA +### A server with a verifying cert and no TLSA +### A server with two MXs for which both TLSA lookups return defer (delivery should defer) +### A server lacking a TLSA, dane required (should fail) +### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC) +### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer) +### A server securely saying "no TLSA records here", dane required (delivery should fail) +### A server securely saying "no TLSA records here", dane requested only (should deliver) +### A server securely serving a wrong TLSA record, dane requested only (delivery should fail) +### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE) +### A server insecurely serving a good TLSA record, dane required (delivery should fail) +### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) +### A server insecurely serving a good A record, dane required (delivery should fail) + +******** SERVER ******** +### TLSA (3 1 1) +### TLSA (3 1 2) +### Recipient callout +### TLSA (2 0 1) +### A server with a nonverifying cert and no TLSA +### A server with a verifying cert and no TLSA +### A server with two MXs for which both TLSA lookups return defer (delivery should defer) +### A server lacking a TLSA, dane required (should fail) +### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC) +### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer) +### A server securely saying "no TLSA records here", dane required (delivery should fail) +### A server securely saying "no TLSA records here", dane requested only (should deliver) +### A server securely serving a wrong TLSA record, dane requested only (delivery should fail) +### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE) +### A server insecurely serving a good TLSA record, dane required (delivery should fail) +### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) +### A server insecurely serving a good A record, dane required (delivery should fail) diff --git a/test/stderr/5840 b/test/stderr/5840 index 6f3643e5d..81a812149 100644 --- a/test/stderr/5840 +++ b/test/stderr/5840 @@ -70,12 +70,17 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs ### TLSA (2 1 1) ### A server with a nonverifying cert and no TLSA ### A server with a verifying cert and no TLSA -### A server with two MXs for which both TLSA lookups return defer +### A server with two MXs for which both TLSA lookups return defer (delivery should defer) ### A server lacking a TLSA, dane required (should fail) -### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) -### A server where the A is dnssec and the TLSA _fails_ -### A server securely saying "no TLSA records here", dane required (should fail) -### A server securely saying "no TLSA records here", dane requested only (should transmit) +### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC) +### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer) +### A server securely saying "no TLSA records here", dane required (delivery should fail) +### A server securely saying "no TLSA records here", dane requested only (should deliver) +### A server securely serving a wrong TLSA record, dane requested only (delivery should fail) +### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE) +### A server insecurely serving a good TLSA record, dane required (delivery should fail) +### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) +### A server insecurely serving a good A record, dane required (delivery should fail) ******** SERVER ******** ### TLSA (3 1 1) @@ -85,9 +90,14 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs ### TLSA (2 1 1) ### A server with a nonverifying cert and no TLSA ### A server with a verifying cert and no TLSA -### A server with two MXs for which both TLSA lookups return defer +### A server with two MXs for which both TLSA lookups return defer (delivery should defer) ### A server lacking a TLSA, dane required (should fail) -### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) -### A server where the A is dnssec and the TLSA _fails_ -### A server securely saying "no TLSA records here", dane required (should fail) -### A server securely saying "no TLSA records here", dane requested only (should transmit) +### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC) +### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer) +### A server securely saying "no TLSA records here", dane required (delivery should fail) +### A server securely saying "no TLSA records here", dane requested only (should deliver) +### A server securely serving a wrong TLSA record, dane requested only (delivery should fail) +### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE) +### A server insecurely serving a good TLSA record, dane required (delivery should fail) +### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) +### A server insecurely serving a good A record, dane required (delivery should fail) diff --git a/test/stdout/5800 b/test/stdout/5800 index b9c64fea0..a2c4ae476 100644 --- a/test/stdout/5800 +++ b/test/stdout/5800 @@ -1,4 +1,4 @@ > -> dnslookup tlsa: 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d +> dnslookup tlsa: 3 1 2 69e8a5ddf24df2c51dc503959d26e621be4ce3853f71890512de3ae3390c5749ef3368dd4d274669b0653da8c3663f12ca092cd98e5e242e4de57ee6aa01cde1 > > diff --git a/test/stdout/5820 b/test/stdout/5820 new file mode 100644 index 000000000..49dac098a --- /dev/null +++ b/test/stdout/5820 @@ -0,0 +1,45 @@ +### TLSA (3 1 1) +### TLSA (3 1 2) +### Recipient callout + +**** SMTP testing session as if from host 127.0.0.1 +**** but without any ident (RFC 1413) callback. +**** This is not for real! + +220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +250 OK +250 Accepted +421 myhost.test.ex lost input connection +### TLSA (2 0 1) +### A server with a nonverifying cert and no TLSA +### A server with a verifying cert and no TLSA +### A server with two MXs for which both TLSA lookups return defer (delivery should defer) +### A server lacking a TLSA, dane required (should fail) +### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC) +### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer) +### A server securely saying "no TLSA records here", dane required (delivery should fail) +### A server securely saying "no TLSA records here", dane requested only (should deliver) +### A server securely serving a wrong TLSA record, dane requested only (delivery should fail) +### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE) +### A server insecurely serving a good TLSA record, dane required (delivery should fail) +### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) +### A server insecurely serving a good A record, dane required (delivery should fail) + +******** SERVER ******** +### TLSA (3 1 1) +### TLSA (3 1 2) +### Recipient callout +### TLSA (2 0 1) +### A server with a nonverifying cert and no TLSA +### A server with a verifying cert and no TLSA +### A server with two MXs for which both TLSA lookups return defer (delivery should defer) +### A server lacking a TLSA, dane required (should fail) +### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC) +### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer) +### A server securely saying "no TLSA records here", dane required (delivery should fail) +### A server securely saying "no TLSA records here", dane requested only (should deliver) +### A server securely serving a wrong TLSA record, dane requested only (delivery should fail) +### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE) +### A server insecurely serving a good TLSA record, dane required (delivery should fail) +### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) +### A server insecurely serving a good A record, dane required (delivery should fail) diff --git a/test/stdout/5840 b/test/stdout/5840 index 7fb5dd959..36a3bd158 100644 --- a/test/stdout/5840 +++ b/test/stdout/5840 @@ -14,12 +14,17 @@ ### TLSA (2 1 1) ### A server with a nonverifying cert and no TLSA ### A server with a verifying cert and no TLSA -### A server with two MXs for which both TLSA lookups return defer +### A server with two MXs for which both TLSA lookups return defer (delivery should defer) ### A server lacking a TLSA, dane required (should fail) -### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) -### A server where the A is dnssec and the TLSA _fails_ -### A server securely saying "no TLSA records here", dane required (should fail) -### A server securely saying "no TLSA records here", dane requested only (should transmit) +### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC) +### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer) +### A server securely saying "no TLSA records here", dane required (delivery should fail) +### A server securely saying "no TLSA records here", dane requested only (should deliver) +### A server securely serving a wrong TLSA record, dane requested only (delivery should fail) +### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE) +### A server insecurely serving a good TLSA record, dane required (delivery should fail) +### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) +### A server insecurely serving a good A record, dane required (delivery should fail) ******** SERVER ******** ### TLSA (3 1 1) @@ -29,9 +34,14 @@ ### TLSA (2 1 1) ### A server with a nonverifying cert and no TLSA ### A server with a verifying cert and no TLSA -### A server with two MXs for which both TLSA lookups return defer +### A server with two MXs for which both TLSA lookups return defer (delivery should defer) ### A server lacking a TLSA, dane required (should fail) -### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) -### A server where the A is dnssec and the TLSA _fails_ -### A server securely saying "no TLSA records here", dane required (should fail) -### A server securely saying "no TLSA records here", dane requested only (should transmit) +### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC) +### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer) +### A server securely saying "no TLSA records here", dane required (delivery should fail) +### A server securely saying "no TLSA records here", dane requested only (should deliver) +### A server securely serving a wrong TLSA record, dane requested only (delivery should fail) +### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE) +### A server insecurely serving a good TLSA record, dane required (delivery should fail) +### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) +### A server insecurely serving a good A record, dane required (delivery should fail) -- 2.30.2