if (host->dnssec == DS_YES)
{
- if( dane_required
- || verify_check_given_host(&ob->hosts_try_dane, host) == OK
+ if( ( dane_required
+ || verify_check_given_host(&ob->hosts_try_dane, host) == OK
+ )
+ && (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK
)
- if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK)
- return rc;
+ return rc;
}
else if (dane_required)
{
deliver_domain = addr->domain;
transport_name = addr->transport->name;
- if (!smtp_get_interface(tf->interface, host_af, addr, NULL, &interface,
- US"callout") ||
- !smtp_get_port(tf->port, addr, &port, US"callout"))
+ if ( !smtp_get_interface(tf->interface, host_af, addr, NULL, &interface,
+ US"callout")
+ || !smtp_get_port(tf->port, addr, &port, US"callout")
+ )
log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
addr->message);
HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", interface, port);
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
- {
- int rc;
-
- tls_out.dane_verified = FALSE;
- tls_out.tlsa_usage = 0;
-
- dane_required =
- verify_check_given_host(&ob->hosts_require_dane, host) == OK;
-
- if (host->dnssec == DS_YES)
- {
- if( dane_required
- || verify_check_given_host(&ob->hosts_try_dane, host) == OK
- )
- if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK)
- return rc;
- }
- else if (dane_required)
- {
- log_write(0, LOG_MAIN, "DANE error: %s lookup not DNSSEC", host->name);
- return FAIL;
- }
-
- if (dane)
- ob->tls_tempfail_tryclear = FALSE;
- }
-#endif /*DANE*/
-
/* Set up the buffer for reading SMTP response packets. */
inblock.buffer = inbuffer;
continue;
}
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
+ {
+ int rc;
+
+ tls_out.dane_verified = FALSE;
+ tls_out.tlsa_usage = 0;
+
+ dane_required =
+ verify_check_given_host(&ob->hosts_require_dane, host) == OK;
+
+ if (host->dnssec == DS_YES)
+ {
+ if( ( dane_required
+ || verify_check_given_host(&ob->hosts_try_dane, host) == OK
+ )
+ && (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK
+ )
+ return rc;
+ }
+ else if (dane_required)
+ {
+ log_write(0, LOG_MAIN, "DANE error: %s lookup not DNSSEC", host->name);
+ return FAIL;
+ }
+
+ if (dane)
+ ob->tls_tempfail_tryclear = FALSE;
+ }
+#endif /*DANE*/
+
/* Expand the helo_data string to find the host name to use. */
if (tf->helo_data != NULL)
# ----- Main settings -----
+.ifndef OPT
acl_smtp_rcpt = accept
+.else
+acl_smtp_rcpt = accept verify = recipient/callout
+.endif
log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
allow_localhost
port = PORT_D
+ hosts_verify_avoid_tls = :
hosts_try_dane = *
hosts_require_dane = !thishost.test.ex
hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
****
exim -qf
****
+#
+#
+# Recipient callout
+exim -DOPT=callout -bhc 127.0.0.1
+MAIL FROM: <CALLER@myhost.test.ex>
+RCPT TO: <CALLER@dane256ee.test.ex>
+****
killdaemon
#
#
--- /dev/null
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> processing "accept"
+>>> check verify = recipient/callout
+>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+>>> routing CALLER@dane256ee.test.ex
+>>> calling client router
+>>> dane256ee.test.ex in "*"? yes (matched "*")
+>>> local host found for non-MX address
+>>> routed by client router
+>>> Attempting full verification using callout
+>>> callout cache: no domain record found
+>>> callout cache: no address record found
+>>> interface=NULL port=1225
+>>> Connecting to dane256ee.test.ex [ip4.ip4.ip4.ip4]:1225 ... connected
+MUNGED: ::1 will be omitted in what follows
+>>> get[host|ipnode]byname[2] looked up these IP addresses:
+>>> name=thishost.test.ex address=127.0.0.1
+>>> ip4.ip4.ip4.ip4 in hosts_require_dane? yes (end of list)
+>>> SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ip4.ip4.ip4.ip4 in hosts_avoid_esmtp? no (option unset)
+>>> SMTP>> EHLO myhost.test.ex
+>>> SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+>>> 250-SIZE 52428800
+>>> 250-8BITMIME
+>>> 250-PIPELINING
+>>> 250-STARTTLS
+>>> 250 HELP
+>>> ip4.ip4.ip4.ip4 in hosts_avoid_tls? no (option unset)
+>>> ip4.ip4.ip4.ip4 in hosts_verify_avoid_tls? no (end of list)
+>>> SMTP>> STARTTLS
+>>> SMTP<< 220 TLS go ahead
+>>> ip4.ip4.ip4.ip4 in hosts_require_ocsp? no (option unset)
+>>> ip4.ip4.ip4.ip4 in hosts_request_ocsp? yes (matched "*")
+>>> ip4.ip4.ip4.ip4 in hosts_require_ocsp? no (option unset)
+>>> ip4.ip4.ip4.ip4 in hosts_request_ocsp? no (end of list)
+>>> SMTP>> EHLO myhost.test.ex
+>>> SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+>>> 250-SIZE 52428800
+>>> 250-8BITMIME
+>>> 250-PIPELINING
+>>> 250 HELP
+>>> ip4.ip4.ip4.ip4 in hosts_require_auth? no (option unset)
+>>> SMTP>> MAIL FROM:<>
+>>> SMTP<< 250 OK
+>>> SMTP>> RCPT TO:<CALLER@dane256ee.test.ex>
+>>> SMTP<< 250 Accepted
+>>> SMTP>> QUIT
+>>> wrote callout cache domain record:
+>>> result=1 postmaster=0 random=0
+>>> wrote positive callout cache address record
+>>> ----------- end verify ------------
+>>> accept: condition test succeeded in inline ACL
+>>> end of inline ACL: ACCEPT
+LOG: unexpected disconnection while reading SMTP command from [127.0.0.1]
+
+******** SERVER ********
--- /dev/null
+
+**** SMTP testing session as if from host 127.0.0.1
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250 OK\r
+250 Accepted\r
+421 myhost.test.ex lost input connection\r