host to which Exim is connected supports TLS encryption.
.new
-.vitem &%-MCt%&&~<&'IP&~address'&>&~<&'port'&>
+.vitem &%-MCt%&&~<&'IP&~address'&>&~<&'port'&>&~<&'cipher'&>
.oindex "&%-MCt%&"
This option is not intended for use by external callers. It is used internally
by Exim in conjunction with the &%-MC%& option, and passes on the fact that the
connection is being proxied by a parent process for handling TLS encryption.
-The pair of arguments give the local address and port being proxied.
+The arguments give the local address and port being proxied, and the TLS cipher.
.wen
.vitem &%-Mc%&&~<&'message&~id'&>&~<&'message&~id'&>&~...
lines for the second and subsequent messages.
.new
When two or more messages are delivered down a single TLS connection, the
-DNS and TLS-related information logged for the first message delivered
+DNS and some TLS-related information logged for the first message delivered
will not be present in the log lines for the second and subsequent messages.
-A TLS-marker indication of &'X=*'& is added to the log line instead of
-cipher information.
+TLS cipher information is still available.
.wen
.cindex "delivery" "cutthrough; logging"
&`T `& on &`<=`& lines: message subject (topic)
&` `& on &`=>`& &`**`& and &`==`& lines: transport name
&`U `& local user or RFC 1413 identity
-&`X `& TLS cipher suite, or TLS usage mark
+&`X `& TLS cipher suite
.endd
the passed-on TCP connection. Instead, proxy the child (and any
subsequent ones) for TLS via a unix-domain socket channel. Logging is
affected: the continued delivery log lines do not have any DNSSEC, TLS
- cipher, Certificate or OCSP information. A "continued-TLS" marker is
- added instead of the cipher information: "X=*".
+ Certificate or OCSP information. TLS cipher information is still logged.
JH/04 Shorten the log line for daemon startup by collapsing adjacent sets of
identical IP addresses on different listening ports. Will also affect
rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer);
}
- else if (continue_proxy) /* known TLS, but no cipher info */
- rmt_dlv_checked_write(fd, 'X', '1', US"*\0", 3);
+ else if (continue_proxy_cipher)
+ {
+ ptr = big_buffer + sprintf(CS big_buffer, "%.128s", continue_proxy_cipher) + 1;
+ *ptr++ = 0;
+ rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer);
+ }
if (addr->peercert)
{
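Review bot: The new `else if (continue_proxy_cipher)` branch produces a record of cipher, NUL, NUL — `ptr` is advanced past the terminator that `sprintf` wrote and then a second zero byte is appended — and nothing in the code says why the second empty field exists or why the name is cut at 128 bytes. A comment such as `/* cipher name then an empty second field, two NUL-terminated strings as in the branch above; %.128s bounds the copy */` would let a reader check it against the record format the reader side expects (presumably the same layout the preceding branch writes, but that layout is outside this hunk). The silent `%.128s` truncation is a reasonable bound, but if a longer name ever arrives the parent and child will log different cipher strings, which is worth stating in the comment. The enclosing function starts and ends outside the hunk.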
/* Set up $sending_ip_address and $sending_port, unless proxied */
- if (!continue_proxy)
+ if (!continue_proxy_cipher)
if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
&size) == 0)
sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
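Review bot: The renamed guard leaves two brace-less `if`s stacked, `if (!continue_proxy_cipher)` directly over `if (getsockname(...) == 0)`, which is the shape that produces dangling-`else` surprises on the next edit. Folding them into one condition, `if (!continue_proxy_cipher && getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock), &size) == 0)`, keeps the same behaviour and reads as a single precondition. This is style only; the enclosing function starts and ends outside the hunk.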
#ifdef SUPPORT_TLS
/* -MCt: similar to -MCT below but the connection is still open
via a proxy proces which handles the TLS context and coding.
- Require two arguments for the proxied local address and port. */
+ Require three arguments for the proxied local address and port,
+ and the TLS cipher. */
- case 't': continue_proxy = TRUE;
- if (++i < argc) sending_ip_address = argv[i];
+ case 't': if (++i < argc) sending_ip_address = argv[i];
else badarg = TRUE;
if (++i < argc) sending_port = (int)(Uatol(argv[i]));
else badarg = TRUE;
+ if (++i < argc) continue_proxy_cipher = argv[i];
+ else badarg = TRUE;
/*FALLTHROUGH*/
/* -MCT: set the tls_offered flag; this is useful only when it
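Review bot: The third `-MCt` argument is stored verbatim from `argv[i]`, and an empty string still counts as "proxied TLS" because only NULL is tested elsewhere in the commit, while the value later ends up in log lines and in the argv of the next child process. Treating an empty value as a bad argument, `if (++i < argc && *argv[i]) continue_proxy_cipher = argv[i];` with the existing `else badarg = TRUE;`, would make the flag meaning unambiguous; a check that the string is printable would also be cheap if `-MC` options are reachable by non-Exim callers, which is decided by gating code outside this hunk. The comment update to "three arguments" is good. The `switch` this `case` belongs to starts and ends outside the hunk.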
#endif
int connection_max_messages= -1;
+uschar *continue_proxy_cipher = NULL;
uschar *continue_hostname = NULL;
uschar *continue_host_address = NULL;
BOOL continue_more = FALSE;
int continue_sequence = 1;
-BOOL continue_proxy = FALSE;
uschar *continue_transport = NULL;
uschar *csa_status = NULL;
extern uschar *config_main_filename; /* File name actually used */
extern uschar *config_main_directory; /* Directory where the main config file was found */
extern uid_t config_uid; /* Additional owner */
+extern uschar *continue_proxy_cipher; /* TLS cipher for proxied continued delivery */
extern uschar *continue_hostname; /* Host for continued delivery */
extern uschar *continue_host_address; /* IP address for ditto */
extern BOOL continue_more; /* Flag more addresses waiting */
extern int continue_sequence; /* Sequence num for continued delivery */
-extern BOOL continue_proxy; /* Continued delivery is proxied for TLS */
extern uschar *continue_transport; /* Transport for continued delivery */
extern uschar *csa_status; /* Client SMTP Authorization result */
if ((pid = fork()) == 0)
{
- int i = 19;
+ int i = 20;
const uschar **argv;
/* Disconnect entirely from the parent process. If we are running in the
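Review bot: `int i = 20;` is a magic count that has to be bumped by hand each time an `argv[i++]` push is added (this commit adds one for the cipher), and the line carries no hint of that coupling. A comment on it, `/* upper bound on the fixed argv slots pushed below; bump when adding an option (-MCt now carries 3 args) */`, would make the next addition safer; how `i` is used for the allocation is outside the hunk, so the wording should be confirmed against that code. The enclosing function starts and ends outside the hunk.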
if (smtp_peer_options & PEER_OFFERED_SIZE) argv[i++] = US"-MCS";
#ifdef SUPPORT_TLS
if (smtp_peer_options & PEER_OFFERED_TLS)
- if (tls_out.active >= 0 || continue_proxy)
+ if (tls_out.active >= 0 || continue_proxy_cipher)
{
argv[i++] = US"-MCt";
argv[i++] = sending_ip_address;
argv[i++] = string_sprintf("%d", sending_port);
+ argv[i++] = tls_out.active >= 0 ? tls_out.cipher : continue_proxy_cipher;
}
else
argv[i++] = US"-MCT";
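Review bot: The added `argv[i++] = tls_out.active >= 0 ? tls_out.cipher : continue_proxy_cipher;` stores a pointer that, if `tls_out.cipher` can ever be NULL while the session is active, becomes a NULL entry in the child's argv and terminates the vector early at exec time, dropping every option pushed after it. Whether `tls_out.cipher` is always set once `tls_out.active >= 0` is established outside this hunk, so either a guard, `argv[i++] = tls_out.active >= 0 && tls_out.cipher ? tls_out.cipher : continue_proxy_cipher;`, or a comment stating the invariant would be appropriate. The enclosing function starts and ends outside the hunk.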
/* For a continued connection with TLS being proxied for us, nothing
more to do. */
- if (continue_proxy)
+ if (continue_proxy_cipher)
{
sx->peer_offered = smtp_peer_options;
pipelining_active = !!(smtp_peer_options & PEER_OFFERED_PIPE);
|| continue_more
|| (
#ifdef SUPPORT_TLS
- ( tls_out.active < 0 && !continue_proxy
+ ( tls_out.active < 0 && !continue_proxy_cipher
|| verify_check_given_host(&sx.ob->hosts_nopass_tls, host) != OK
)
&&
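Review bot: The new line keeps `tls_out.active < 0 && !continue_proxy_cipher || verify_check_given_host(...) != OK` without parentheses around the `&&` term, relying on operator precedence inside an already deeply nested condition; `-Wparentheses` flags exactly this. Writing it as `( (tls_out.active < 0 && !continue_proxy_cipher)` on the changed line makes the grouping explicit at no cost. The surrounding expression starts and ends outside the hunk.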
1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbB-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbC-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qqf
1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbB-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbC-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qqf
SMTP<< 250 OK id=10HmbB-0005vi-00
SMTP(close)>>
LOG: MAIN
- => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbB-0005vi-00"
+ => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbB-0005vi-00"
LOG: MAIN
Completed
>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
SMTP(close)>>
>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
LOG: MAIN
- => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbC-0005vi-00"
+ => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbC-0005vi-00"
LOG: MAIN
Completed
>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
SMTP<< 250 OK id=10HmbB-0005vi-00
SMTP(close)>>
LOG: MAIN
- => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbB-0005vi-00"
+ => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbB-0005vi-00"
LOG: MAIN
Completed
>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
SMTP(close)>>
>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
LOG: MAIN
- => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbC-0005vi-00"
+ => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbC-0005vi-00"
LOG: MAIN
Completed
>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>