Logging: dnssec status on accept & delivery lines

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index ba32403d6f85864b1de191f45376bd1db6f603c0..736a45800cc2b5ddcf823c5b8132260825de3ea6 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -35528,6 +35528,7 @@ the following table:
 &`CV  `&        certificate verification status
 &`D   `&        duration of &"no mail in SMTP session"&
 &`DN  `&        distinguished name from peer certificate
+&`DS  `&        DNSSEC secured lookups
 &`DT  `&        on &`=>`& lines: time taken for a delivery
 &`F   `&        sender address (on delivery lines)
 &`H   `&        host name and IP address
@@ -35618,6 +35619,7 @@ selection marked by asterisks:
 &` deliver_time               `&  time taken to perform delivery
 &` delivery_size              `&  add &`S=`&&'nnn'& to => lines
 &`*dnslist_defer              `&  defers of DNS list (aka RBL) lookups
+&` dnssec                     `&  DNSSEC secured lookups
 &`*etrn                       `&  ETRN commands
 &`*host_lookup_failed         `&  as it says
 &` ident_timeout              `&  timeout for ident connection
@@ -35725,6 +35727,14 @@ the &"=>"& line, tagged with S=.
 &%dnslist_defer%&: A log entry is written if an attempt to look up a host in a
 DNS black list suffers a temporary error.
 .next
+.cindex log dnssec
+.cindex dnssec logging
+&%dnssec%&: For message acceptance and (attempted) delivery log lines, when
+dns lookups gave secure results a tag of DS is added.
+For acceptance this covers the reverse and forward lookups for host name verification.
+It does not cover helo-name verification.
+For delivery this covers the SRV, MX, A and/or AAAA lookups.
+.next
 .cindex "log" "ETRN commands"
 .cindex "ETRN" "logging"
 &%etrn%&: Every valid ETRN command that is received is logged, before the ACL

diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 07e6f1dba0e15ae6501255db5089569381824102..659c830bdaead00ae1e0a9b831d024450a70d5eb 100644 (file)
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -9,9 +9,11 @@ the documentation is updated, this file is reduced to a short list.
 Version 4.88
 ------------
 
- 1. The new perl_tainmode option allows to run the embedded perl
+ 1. The new perl_taintmode option allows to run the embedded perl
     interpreter in taint mode.
 
+ 2. New log_selector: dnssec, adds a "DS" tag to acceptance and delivery lines.
+
 
 Version 4.87
 ------------

diff --git a/src/src/deliver.c b/src/src/deliver.c
index 743fc83e81d8ea3a97b79774614c1155516a67c3..1421852aa1e8f8aba2216e2567b5720dec9a22a2 100644 (file)
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -711,25 +711,31 @@ return s;
 
 
 static uschar *
-d_hostlog(uschar *s, int *sizep, int *ptrp, address_item *addr)
+d_hostlog(uschar * s, int * sp, int * pp, address_item * addr)
 {
-s = string_append(s, sizep, ptrp, 5, US" H=", addr->host_used->name,
-  US" [", addr->host_used->address, US"]");
+host_item * h = addr->host_used;
+
+s = string_append(s, sp, pp, 2, US" H=", h->name);
+
+if (LOGGING(dnssec) && h->dnssec == DS_YES)
+  s = string_cat(s, sp, pp, US" DS");
+
+s = string_append(s, sp, pp, 3, US" [", h->address, US"]");
+
 if (LOGGING(outgoing_port))
-  s = string_append(s, sizep, ptrp, 2, US":", string_sprintf("%d",
-    addr->host_used->port));
+  s = string_append(s, sp, pp, 2, US":", string_sprintf("%d", h->port));
 
 #ifdef SUPPORT_SOCKS
 if (LOGGING(proxy) && proxy_local_address)
   {
-  s = string_append(s, sizep, ptrp, 3, US" PRX=[", proxy_local_address, US"]");
+  s = string_append(s, sp, pp, 3, US" PRX=[", proxy_local_address, US"]");
   if (LOGGING(outgoing_port))
-    s = string_append(s, sizep, ptrp, 2, US":", string_sprintf("%d",
+    s = string_append(s, sp, pp, 2, US":", string_sprintf("%d",
       proxy_local_port));
   }
 #endif
 
-return d_log_interface(s, sizep, ptrp);
+return d_log_interface(s, sp, pp);
 }
 
 

diff --git a/src/src/globals.c b/src/src/globals.c
index be1fae849298ddb732d941136e7f27e5bffb05c1..0586fdd986ee2195bf475915cf023f780fc0a6ae 100644 (file)
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -864,6 +864,7 @@ bit_table log_options[]        = { /* must be in alphabetical order */
   BIT_TABLE(L, deliver_time),
   BIT_TABLE(L, delivery_size),
   BIT_TABLE(L, dnslist_defer),
+  BIT_TABLE(L, dnssec),
   BIT_TABLE(L, etrn),
   BIT_TABLE(L, host_lookup_failed),
   BIT_TABLE(L, ident_timeout),

diff --git a/src/src/macros.h b/src/src/macros.h
index 275458b8fbc7fea6405baeab987664aa2f084561..53abeb5c235447cdf313c4786b7df77686d0566d 100644 (file)
--- a/src/src/macros.h
+++ b/src/src/macros.h
@@ -446,15 +446,19 @@ enum {
   LOG_BIT(smtp_protocol_error),
   LOG_BIT(smtp_syntax_error),
 
-  Li_acl_warn_skipped = BITWORDSIZE,
+  Li_8bitmime = BITWORDSIZE,
+  Li_acl_warn_skipped,
   Li_arguments,
   Li_deliver_time,
   Li_delivery_size,
+  Li_dnssec,
   Li_ident_timeout,
   Li_incoming_interface,
   Li_incoming_port,
+  Li_outgoing_interface,
   Li_outgoing_port,
   Li_pid,
+  Li_proxy,
   Li_queue_time,
   Li_queue_time_overall,
   Li_received_sender,
@@ -464,6 +468,7 @@ enum {
   Li_sender_on_delivery,
   Li_sender_verify_fail,
   Li_smtp_confirmation,
+  Li_smtp_mailauth,
   Li_smtp_no_mail,
   Li_subject,
   Li_tls_certificate_verified,
@@ -471,12 +476,8 @@ enum {
   Li_tls_peerdn,
   Li_tls_sni,
   Li_unknown_in_list,
-  Li_8bitmime,
-  Li_smtp_mailauth,
-  Li_proxy,
-  Li_outgoing_interface,
 
-  log_selector_size = BITWORD(Li_outgoing_interface) + 1
+  log_selector_size = BITWORD(Li_unknown_in_list) + 1
 };
 
 #define LOGGING(opt) BIT_TEST(log_selector, log_selector_size, Li_##opt)

diff --git a/src/src/receive.c b/src/src/receive.c
index 2628570d8c50427d3ad4ce744187af7a279d31d8..92ec2cd87d59037e7e23d62576eeb0b82df48b3d 100644 (file)
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -1123,16 +1123,17 @@ Returns:      the extended string
 */
 
 static uschar *
-add_host_info_for_log(uschar *s, int *sizeptr, int *ptrptr)
+add_host_info_for_log(uschar * s, int * sizeptr, int * ptrptr)
 {
-if (sender_fullhost != NULL)
+if (sender_fullhost)
   {
+  if (LOGGING(dnssec) && sender_host_dnssec)   /*XXX sender_helo_dnssec? */
+    s = string_cat(s, sizeptr, ptrptr, US" DS");
   s = string_append(s, sizeptr, ptrptr, 2, US" H=", sender_fullhost);
   if (LOGGING(incoming_interface) && interface_address != NULL)
     {
-    uschar *ss = string_sprintf(" I=[%s]:%d", interface_address,
-      interface_port);
-    s = string_cat(s, sizeptr, ptrptr, ss);
+    s = string_cat(s, sizeptr, ptrptr,
+      string_sprintf(" I=[%s]:%d", interface_address, interface_port));
     }
   }
 if (sender_ident != NULL)

diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 1398e620b6e7bc2e9116da8cc5c5a7c9673627b5..d66b59e302363016e5a24da5db23cdcaea190136 100644 (file)
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -2837,14 +2837,18 @@ is closing if required and return 2.  */
 if (log_reject_target != 0)
   {
 #ifdef SUPPORT_TLS
-  uschar * s = s_tlslog(NULL, NULL, NULL);
-  if (!s) s = US"";
+  uschar * tls = s_tlslog(NULL, NULL, NULL);
+  if (!tls) tls = US"";
 #else
-  uschar * s = US"";
+  uschar * tls = US"";
 #endif
-  log_write(0, log_reject_target, "%s%s %s%srejected %s%s",
-    host_and_ident(TRUE), s,
-    sender_info, (rc == FAIL)? US"" : US"temporarily ", what, log_msg);
+  log_write(0, log_reject_target, "%s%s%s %s%srejected %s%s",
+    LOGGING(dnssec) && sender_host_dnssec ? US" DS" : US"",
+    host_and_ident(TRUE),
+    tls,
+    sender_info,
+    rc == FAIL ? US"" : US"temporarily ",
+    what, log_msg);
   }
 
 if (!drop) return 0;

diff --git a/test/confs/4804 b/test/confs/4804
new file mode 100644 (file)
index 0000000..a1ba90d
--- /dev/null
+++ b/test/confs/4804
@@ -0,0 +1,50 @@
+# Exim test configuration 4804
+
+SERVER=
+OPT=
+
+exim_path = EXIM_PATH
+keep_environment =
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+timezone = UTC
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+log_selector = OPT
+tls_advertise_hosts = :
+
+# ------ ACL ------
+
+begin acl
+
+# ----- Routers -----
+
+begin routers
+
+server:
+  condition = ${if eq {SERVER}{server} {yes}{no}}
+  driver = redirect
+  data = :blackhole:
+
+client:
+  driver = dnslookup
+  dnssec_request_domains = *
+  self = send
+  transport = send_to_server
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+  driver = smtp
+  port = PORT_D
+
+# End

diff --git a/test/log/4804 b/test/log/4804
new file mode 100644 (file)
index 0000000..c7ae705
--- /dev/null
+++ b/test/log/4804
@@ -0,0 +1,19 @@
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <nologging@l-sec.test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaX-0005vi-00 => nologging@l-sec.test.ex R=client T=send_to_server H=l-sec.test.ex [127.0.0.1] C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <withlogging@l-sec.test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => withlogging@l-sec.test.ex R=client T=send_to_server H=l-sec.test.ex DS [127.0.0.1] C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmbB-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <withlogging@thishost.test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 => withlogging@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed

diff --git a/test/scripts/4800-dnssec-dnslookup/4804 b/test/scripts/4800-dnssec-dnslookup/4804
new file mode 100644 (file)
index 0000000..ea4f2de
--- /dev/null
+++ b/test/scripts/4800-dnssec-dnslookup/4804
@@ -0,0 +1,11 @@
+# dnssec log_selector (client)
+exim -DSERVER=server -bd -oX PORT_D
+****
+exim -DOPT= -odf nologging@l-sec.test.ex
+****
+exim -DOPT=+dnssec -odf withlogging@l-sec.test.ex
+****
+exim -DOPT=+dnssec -odf withlogging@thishost.test.ex
+****
+killdaemon
+no_msglog_check