From 9940096804c9f3985ca3bc9d862cefa0daa29c96 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Mon, 4 Jun 2012 14:54:13 +0100
Subject: [PATCH] Add hosts_verify_avoid_tls option to smtp transport.
---
 doc/doc-docbook/spec.xfpt | 7 ++
 src/src/transports/smtp.c | 5 +
 src/src/transports/smtp.h | 1 +
 src/src/verify.c | 5 +-
 test/confs/5410 | 5 +-
 test/confs/5420 | 5 +-
 test/log/5410 | 5 +
 test/log/5420 | 5 +
 test/scripts/5410-cutthrough-OpenSSL/5410 | 15 ++-
 test/scripts/5420-cutthrough-GnuTLS/5420 | 14 ++-
 test/stderr/5410 | 146 ++++++++++++++++++++++
 test/stderr/5420 | 146 ++++++++++++++++++++++
 test/stdout/5410 | 12 ++
 test/stdout/5420 | 12 ++
 14 files changed, 375 insertions(+), 8 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index ee3193bef..858438431 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -22302,6 +22302,13 @@ that matches this list, even if the server host advertises PIPELINING support.
 Exim will not try to start a TLS session when delivering to any host that
 matches this list. See chapter &<>& for details of TLS.
+.option hosts_verify_avoid_tls smtp "host list&!!" *
+.cindex "TLS" "avoiding for certain hosts"
+Exim will not try to start a TLS session for a verify callout,
+or when delivering in cutthrough mode,
+to any host that matches this list.
+Note that the default is to not use TLS.
+
 .option hosts_max_try smtp integer 5
 .cindex "host" "maximum number to try"
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index a63f48fac..94b848540 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -106,6 +106,10 @@ optionlist smtp_transport_options[] = {
 #endif
 { "hosts_try_auth", opt_stringptr,
 (void *)offsetof(smtp_transport_options_block, hosts_try_auth) },
+#ifdef SUPPORT_TLS
+ { "hosts_verify_avoid_tls", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block, hosts_verify_avoid_tls) },
+#endif
 { "interface", opt_stringptr,
 (void *)offsetof(smtp_transport_options_block, interface) },
 { "keepalive", opt_bool,
@@ -170,6 +174,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 NULL, /* hosts_require_auth */
 NULL, /* hosts_require_tls */
 NULL, /* hosts_avoid_tls */
+ US"*", /* hosts_verify_avoid_tls */
 NULL, /* hosts_avoid_pipelining */
 NULL, /* hosts_avoid_esmtp */
 NULL, /* hosts_nopass_tls */
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 067681118..79f1b8c50 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -23,6 +23,7 @@ typedef struct {
 uschar *hosts_require_auth;
 uschar *hosts_require_tls;
 uschar *hosts_avoid_tls;
+ uschar *hosts_verify_avoid_tls;
 uschar *hosts_avoid_pipelining;
 uschar *hosts_avoid_esmtp;
 uschar *hosts_nopass_tls;
diff --git a/src/src/verify.c b/src/src/verify.c
index 6e3e6a3af..eaab14dc9 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -601,7 +601,10 @@ else
 #ifdef SUPPORT_TLS
 if (tls_offered && verify_check_this_host(&(ob->hosts_avoid_tls), NULL, host->name,
- host->address, NULL) != OK)
+ host->address, NULL) != OK &&
+ verify_check_this_host(&(ob->hosts_verify_avoid_tls), NULL, host->name,
+ host->address, NULL) != OK
+ )
 {
 uschar buffer2[4096];
 if ( !smtps
diff --git a/test/confs/5410 b/test/confs/5410
index aff16fad4..576967cac 100644
--- a/test/confs/5410
+++ b/test/confs/5410
@@ -1,4 +1,4 @@
-# Exim test configuration 5402
+# Exim test configuration 5410
 exim_path = EXIM_PATH
 host_lookup_order = bydns
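Review bot: The `US"*"` default added to smtp_transport_option_defaults in the second hunk inverts the meaning of the neighbouring NULL defaults (no host avoided) so that every host avoids TLS on verify callouts until an administrator sets the option, and the bare field-name comment does not record that. Suggest `US"*", /* hosts_verify_avoid_tls: "*" = no TLS on callouts/cutthrough unless overridden */` so the table itself carries the non-obvious default. The option registration in the first hunk is under `#ifdef SUPPORT_TLS` while the struct field and this default are unconditional; whether that mirrors hosts_avoid_tls is outside the hunk, so worth a quick check that a non-TLS build does not leave an unreachable default behind.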
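Review bot: The widened condition in the verify.c hunk attempts STARTTLS on a callout only when the host matches neither hosts_avoid_tls nor hosts_verify_avoid_tls, and with the `*` default the new option receives in smtp.c that means callouts, and the cutthrough deliveries the spec text says ride on them, run in cleartext unless a transport overrides it. Nothing in this hunk shows hosts_require_tls being consulted on this path, so a cutthrough delivery to a host that ordinary delivery would refuse to reach without TLS may go out in the clear; that is worth confirming against the rest of the callout code and, either way, worth a comment above the `if`, e.g. `/* TLS on a callout (and so on cutthrough delivery) is off unless hosts_verify_avoid_tls is overridden; any non-OK list result, including a deferred lookup, falls through to trying STARTTLS */`. The lone `)` on its own line is also unusual for this file and could sit at the end of the preceding `!= OK` line. The enclosing callout function starts and ends outside the hunk.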
@@ -52,7 +52,8 @@ smtp:
 driver = smtp
 interface = HOSTIPV4
 port = PORT_D
- hosts_avoid_tls = ${if eq {$address_data}{usery}{*}{:}}
+ hosts_avoid_tls = ${if eq {$address_data}{usery}{*}{:}}
+ hosts_verify_avoid_tls = ${if eq {$address_data}{userz}{*}{:}}
 # End
diff --git a/test/confs/5420 b/test/confs/5420
index aff16fad4..2a7ebda1b 100644
--- a/test/confs/5420
+++ b/test/confs/5420
@@ -1,4 +1,4 @@
-# Exim test configuration 5402
+# Exim test configuration 5420
 exim_path = EXIM_PATH
 host_lookup_order = bydns
@@ -52,7 +52,8 @@ smtp:
 driver = smtp
 interface = HOSTIPV4
 port = PORT_D
- hosts_avoid_tls = ${if eq {$address_data}{usery}{*}{:}}
+ hosts_avoid_tls = ${if eq {$address_data}{usery}{*}{:}}
+ hosts_verify_avoid_tls = ${if eq {$address_data}{userz}{*}{:}}
 # End
diff --git a/test/log/5410 b/test/log/5410
index ba90ed791..efcee1b4f 100644
--- a/test/log/5410
+++ b/test/log/5410
@@ -9,3 +9,8 @@
 1999-03-02 09:44:33 10HmbA-0005vi-00 >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbC-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 no immediate delivery: queued by ACL
+1999-03-02 09:44:33 10HmbC-0005vi-00 >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
diff --git a/test/log/5420 b/test/log/5420
index e85916237..5dcefb30f 100644
--- a/test/log/5420
+++ b/test/log/5420
@@ -9,3 +9,8 @@
 1999-03-02 09:44:33 10HmbA-0005vi-00 >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbC-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 no immediate delivery: queued by ACL
+1999-03-02 09:44:33 10HmbC-0005vi-00 >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
diff --git a/test/scripts/5410-cutthrough-OpenSSL/5410 b/test/scripts/5410-cutthrough-OpenSSL/5410
index d670abf4e..9938e00e5 100644
--- a/test/scripts/5410-cutthrough-OpenSSL/5410
+++ b/test/scripts/5410-cutthrough-OpenSSL/5410
@@ -1,6 +1,7 @@
 # cutthrough_delivery to target oferring TLS
 exim -DSERVER=server -bd -oX PORT_D
 ****
+# this one should succeed
 exim -d-all+acl+transport+expand+lists -bs
 EHLO myhost.test.ex
 MAIL FROM:
@@ -10,7 +11,19 @@ DATA
 .
 QUIT
 ****
-# via a transport setting never-tls
+# via a transport setting hosts_avoid_tls
+# so this one should not use TLS
+exim -d-all+acl+transport+expand+lists -bs
+EHLO myhost.test.ex
+MAIL FROM:
+RCPT TO:
+DATA
+
+.
+QUIT
+****
+# via a transport setting hosts_verify_avoid_tls
+# so this one should not use TLS
 exim -d-all+acl+transport+expand+lists -bs
 EHLO myhost.test.ex
 MAIL FROM:
diff --git a/test/scripts/5420-cutthrough-GnuTLS/5420 b/test/scripts/5420-cutthrough-GnuTLS/5420
index d670abf4e..c43e1865b 100644
--- a/test/scripts/5420-cutthrough-GnuTLS/5420
+++ b/test/scripts/5420-cutthrough-GnuTLS/5420
@@ -1,4 +1,4 @@
-# cutthrough_delivery to target oferring TLS
+# cutthrough_delivery to target offering TLS
 exim -DSERVER=server -bd -oX PORT_D
 ****
 exim -d-all+acl+transport+expand+lists -bs
@@ -10,7 +10,17 @@ DATA
 .
 QUIT
 ****
-# via a transport setting never-tls
+# via a transport setting hosts_avoid_tls
+exim -d-all+acl+transport+expand+lists -bs
+EHLO myhost.test.ex
+MAIL FROM:
+RCPT TO:
+DATA
+
+.
+QUIT
+****
+# via a transport setting hosts_verify_avoid_tls
 exim -d-all+acl+transport+expand+lists -bs
 EHLO myhost.test.ex
 MAIL FROM:
diff --git a/test/stderr/5410 b/test/stderr/5410
index 7babe3546..f8b31a750 100644
--- a/test/stderr/5410
+++ b/test/stderr/5410
@@ -64,6 +64,20 @@ expanding: :
 expanding: ${if eq {$address_data}{usery}{*}{:}}
 result: :
 127.0.0.1 in hosts_avoid_tls? no (end of list)
+expanding: $address_data
+ result: userx
+expanding: userz
+ result: userz
+condition: eq {$address_data}{userz}
+ result: false
+expanding: *
+ result: *
+skipping: result is not used
+expanding: :
+ result: :
+expanding: ${if eq {$address_data}{userz}{*}{:}}
+ result: :
+127.0.0.1 in hosts_verify_avoid_tls? no (end of list)
 SMTP>> STARTTLS
 SMTP<< 220 TLS go ahead
 SMTP>> EHLO myhost.test.ex
@@ -270,5 +284,137 @@ LOG: MAIN LOG: smtp_connection MAIN SMTP connection from CALLER closed by QUIT >>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>> +Exim version x.yz .... +configuration file is TESTSUITE/test-config +admin user + in hosts_connection_nolog? no (option unset) +LOG: smtp_connection MAIN + SMTP connection from CALLER +expanding: $smtp_active_hostname ESMTP Exim $version_number $tod_full + result: myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 + in pipelining_advertise_hosts? yes (matched "*") + in tls_advertise_hosts? yes (matched "*") +expanding: SERVER + result: SERVER +expanding: server + result: server +condition: eq {SERVER}{server} + result: false +expanding: queue + result: queue +skipping: result is not used +expanding: cutthrough + result: cutthrough +expanding: ${if eq {SERVER}{server}{queue}{cutthrough}} + result: cutthrough +using ACL "cutthrough" +processing "accept" +check control = cutthrough_delivery +check verify = recipient +domain.com in "test.ex : *.test.ex"? no (end of list) +domain.com in "! +local_domains"? yes (end of list) +expanding: $local_part + result: usery +domain.com in "*"? yes (matched "*") +----------- end verify ------------ +accept: condition test succeeded in ACL "cutthrough" +----------- start cutthrough setup ------------ +domain.com in "test.ex : *.test.ex"? no (end of list) +domain.com in "! +local_domains"? yes (end of list) +expanding: $local_part + result: usery +domain.com in "*"? yes (matched "*") +Connecting to 127.0.0.1 [127.0.0.1]:1225 from ip4.ip4.ip4.ip4 ... connected +expanding: $primary_hostname + result: myhost.test.ex + SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +127.0.0.1 in hosts_avoid_esmtp? 
no (option unset) + SMTP>> EHLO myhost.test.ex + SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4] + 250-SIZE 52428800 + 250-8BITMIME + 250-PIPELINING + 250-STARTTLS + 250 HELP +expanding: $address_data + result: usery +expanding: usery + result: usery +condition: eq {$address_data}{usery} + result: true +expanding: * + result: * +expanding: : + result: : +skipping: result is not used +expanding: ${if eq {$address_data}{usery}{*}{:}} + result: * +127.0.0.1 in hosts_avoid_tls? yes (matched "*") + SMTP>> MAIL FROM: + SMTP<< 250 OK + SMTP>> RCPT TO: + SMTP<< 250 Accepted +----------- end cutthrough setup ------------ +processing "accept" +accept: condition test succeeded in inline ACL + SMTP>> DATA + SMTP<< 354 Enter message, ending with "." on a line by itself +expanding: ${tod_full} + result: Tue, 2 Mar 1999 09:44:33 +0000 +condition: def:sender_rcvhost + result: false +expanding: from $sender_rcvhost + + result: from + +skipping: result is not used +condition: def:sender_ident + result: true +expanding: $sender_ident + result: CALLER +expanding: from ${quote_local_part:$sender_ident} + result: from CALLER +condition: def:sender_helo_name + result: true +expanding: (helo=$sender_helo_name) + + result: (helo=myhost.test.ex) + +expanding: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) + }} + result: from CALLER (helo=myhost.test.ex) + +condition: def:received_protocol + result: true +expanding: with $received_protocol + result: with local-esmtp +condition: def:sender_address + result: true +expanding: (envelope-from <$sender_address>) + + result: (envelope-from ) + +condition: def:received_for + result: true +expanding: + for $received_for + result: + for usery@domain.com +PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< +expanding: ${tod_full} + result: Tue, 2 Mar 1999 09:44:33 +0000 + SMTP>> . 
+ SMTP<< 250 OK id=10HmbB-0005vi-00
+LOG: MAIN
+ >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbB-0005vi-00"
+ SMTP>> QUIT
+----------- cutthrough shutdown (delivered) ------------
+LOG: MAIN
+ <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: MAIN
+ Completed
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
 ******** SERVER ********
diff --git a/test/stderr/5420 b/test/stderr/5420
index 90592286b..e711184f5 100644
--- a/test/stderr/5420
+++ b/test/stderr/5420
@@ -64,6 +64,20 @@ expanding: :
 expanding: ${if eq {$address_data}{usery}{*}{:}}
 result: :
 127.0.0.1 in hosts_avoid_tls? no (end of list)
+expanding: $address_data
+ result: userx
+expanding: userz
+ result: userz
+condition: eq {$address_data}{userz}
+ result: false
+expanding: *
+ result: *
+skipping: result is not used
+expanding: :
+ result: :
+expanding: ${if eq {$address_data}{userz}{*}{:}}
+ result: :
+127.0.0.1 in hosts_verify_avoid_tls? no (end of list)
 SMTP>> STARTTLS
 SMTP<< 220 TLS go ahead
 SMTP>> EHLO myhost.test.ex
@@ -270,5 +284,137 @@ LOG: MAIN LOG: smtp_connection MAIN SMTP connection from CALLER closed by QUIT >>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>> +Exim version x.yz .... +configuration file is TESTSUITE/test-config +admin user + in hosts_connection_nolog? no (option unset) +LOG: smtp_connection MAIN + SMTP connection from CALLER +expanding: $smtp_active_hostname ESMTP Exim $version_number $tod_full + result: myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 + in pipelining_advertise_hosts? yes (matched "*") + in tls_advertise_hosts? yes (matched "*") +expanding: SERVER + result: SERVER +expanding: server + result: server +condition: eq {SERVER}{server} + result: false +expanding: queue + result: queue +skipping: result is not used +expanding: cutthrough + result: cutthrough +expanding: ${if eq {SERVER}{server}{queue}{cutthrough}} + result: cutthrough +using ACL "cutthrough" +processing "accept" +check control = cutthrough_delivery +check verify = recipient +domain.com in "test.ex : *.test.ex"? no (end of list) +domain.com in "! +local_domains"? yes (end of list) +expanding: $local_part + result: usery +domain.com in "*"? yes (matched "*") +----------- end verify ------------ +accept: condition test succeeded in ACL "cutthrough" +----------- start cutthrough setup ------------ +domain.com in "test.ex : *.test.ex"? no (end of list) +domain.com in "! +local_domains"? yes (end of list) +expanding: $local_part + result: usery +domain.com in "*"? yes (matched "*") +Connecting to 127.0.0.1 [127.0.0.1]:1225 from ip4.ip4.ip4.ip4 ... connected +expanding: $primary_hostname + result: myhost.test.ex + SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +127.0.0.1 in hosts_avoid_esmtp? 
no (option unset) + SMTP>> EHLO myhost.test.ex + SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4] + 250-SIZE 52428800 + 250-8BITMIME + 250-PIPELINING + 250-STARTTLS + 250 HELP +expanding: $address_data + result: usery +expanding: usery + result: usery +condition: eq {$address_data}{usery} + result: true +expanding: * + result: * +expanding: : + result: : +skipping: result is not used +expanding: ${if eq {$address_data}{usery}{*}{:}} + result: * +127.0.0.1 in hosts_avoid_tls? yes (matched "*") + SMTP>> MAIL FROM: + SMTP<< 250 OK + SMTP>> RCPT TO: + SMTP<< 250 Accepted +----------- end cutthrough setup ------------ +processing "accept" +accept: condition test succeeded in inline ACL + SMTP>> DATA + SMTP<< 354 Enter message, ending with "." on a line by itself +expanding: ${tod_full} + result: Tue, 2 Mar 1999 09:44:33 +0000 +condition: def:sender_rcvhost + result: false +expanding: from $sender_rcvhost + + result: from + +skipping: result is not used +condition: def:sender_ident + result: true +expanding: $sender_ident + result: CALLER +expanding: from ${quote_local_part:$sender_ident} + result: from CALLER +condition: def:sender_helo_name + result: true +expanding: (helo=$sender_helo_name) + + result: (helo=myhost.test.ex) + +expanding: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name) + }} + result: from CALLER (helo=myhost.test.ex) + +condition: def:received_protocol + result: true +expanding: with $received_protocol + result: with local-esmtp +condition: def:sender_address + result: true +expanding: (envelope-from <$sender_address>) + + result: (envelope-from ) + +condition: def:received_for + result: true +expanding: + for $received_for + result: + for usery@domain.com +PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< +expanding: ${tod_full} + result: Tue, 2 Mar 1999 09:44:33 +0000 + SMTP>> . 
+ SMTP<< 250 OK id=10HmbB-0005vi-00
+LOG: MAIN
+ >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbB-0005vi-00"
+ SMTP>> QUIT
+----------- cutthrough shutdown (delivered) ------------
+LOG: MAIN
+ <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: MAIN
+ Completed
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
 ******** SERVER ********
diff --git a/test/stdout/5410 b/test/stdout/5410
index 252c82917..edf01f8ba 100644
--- a/test/stdout/5410
+++ b/test/stdout/5410
@@ -22,3 +22,15 @@
 354 Enter message, ending with "." on a line by itself
 250 OK id=10HmbA-0005vi-00
 221 myhost.test.ex closing connection
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250-myhost.test.ex Hello CALLER at myhost.test.ex
+250-SIZE 52428800
+250-8BITMIME
+250-PIPELINING
+250-STARTTLS
+250 HELP
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+250 OK id=10HmbC-0005vi-00
+221 myhost.test.ex closing connection
diff --git a/test/stdout/5420 b/test/stdout/5420
index 252c82917..edf01f8ba 100644
--- a/test/stdout/5420
+++ b/test/stdout/5420
@@ -22,3 +22,15 @@
 354 Enter message, ending with "." on a line by itself
 250 OK id=10HmbA-0005vi-00
 221 myhost.test.ex closing connection
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250-myhost.test.ex Hello CALLER at myhost.test.ex
+250-SIZE 52428800
+250-8BITMIME
+250-PIPELINING
+250-STARTTLS
+250 HELP
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+250 OK id=10HmbC-0005vi-00
+221 myhost.test.ex closing connection
-- 
2.30.2