From 7044dd8fd62e215572ecf5a2c7f1bb9581cf6628 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 19 Aug 2020 21:09:04 +0100 Subject: [PATCH] DANE: force SNI to use $domain. Bug 2265 Note: this is not a complete fix for the issue --- doc/doc-docbook/spec.xfpt | 14 ++++++++++++-- doc/doc-txt/ChangeLog | 13 ++++++++++--- src/src/receive.c | 2 +- src/src/smtp_in.c | 2 +- src/src/tls-gnu.c | 2 +- src/src/tls-openssl.c | 1 + src/src/transports/smtp.c | 1 + test/confs/5820 | 3 ++- test/confs/5840 | 3 ++- test/log/2030 | 2 +- test/log/2031 | 4 ++-- test/log/2130 | 2 +- test/log/2131 | 4 ++-- test/log/5820 | 10 +++++----- test/log/5840 | 10 +++++----- test/stderr/5820 | 2 +- test/stderr/5840 | 2 +- 17 files changed, 49 insertions(+), 28 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 37bfeb3f3..ab13a427b 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -25761,7 +25761,11 @@ See &<>& for details. .cindex "TLS" SNI .cindex SNI "setting in client" .vindex "&$tls_sni$&" -If this option is set then it sets the $tls_out_sni variable and causes any +If this option is set +.new +and the connection is not DANE-validated +.wen +then it sets the $tls_out_sni variable and causes any TLS session to pass this value as the Server Name Indication extension to the remote side, which can be used by the remote side to select an appropriate certificate and private key for the session. @@ -29395,6 +29399,11 @@ nothing more to it. Choosing a sensible value not derived insecurely is the only point of caution. The &$tls_out_sni$& variable will be set to this string for the lifetime of the client connection (including during authentication). +.new +If DAVE validated the connection attempt then the value of the &%tls_sni%& option +is forced to the domain part of the recipient address. +.wen + Except during SMTP client sessions, if &$tls_in_sni$& is set then it is a string received from a client. It can be logged with the &%log_selector%& item &`+tls_sni`&. @@ -29692,7 +29701,7 @@ by (a) is thought to be smaller than that of the set of root CAs. It also allows the server to declare (implicitly) that connections to it should use TLS. An MITM could simply fail to pass on a server's STARTTLS. -DANE scales better than having to maintain (and side-channel communicate) copies of server certificates +DANE scales better than having to maintain (and communicate via side-channel) copies of server certificates for every possible target server. It also scales (slightly) better than having to maintain on an SMTP client a copy of the standard CAs bundle. It also means not having to pay a CA for certificates. @@ -29837,6 +29846,7 @@ If DANE is requested and useable (see above) the following transport options are tls_verify_certificates tls_crl tls_verify_cert_hostnames + tls_sni .endd If DANE is not usable, whether requested or not, and CA-anchored diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 8c4126e89..eb64e0abf 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -100,9 +100,16 @@ JH/20 Bug 2631: ACL dnslist conditions now ignore and log any lookups returns not in 127.0.0.0/8 to help in spotting list domains taken over by a domain-parking registrar. -JH/21 Bug 2630: Fix trace eol-replacement string for the ${readsocket } - expansion. Previously when a whitespace character was specified it - was not inserted after removing the newline. +JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion. + Previously when a whitespace character was specified it was not inserted + after removing the newline. + +JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be + the domain part of the recipient address. This overrides any tls_sni + option set, which was previously used. + +JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI + in quotes. Exim version 4.94 diff --git a/src/src/receive.c b/src/src/receive.c index 707fe07f7..95c44c01c 100644 --- a/src/src/receive.c +++ b/src/src/receive.c @@ -4004,7 +4004,7 @@ if (LOGGING(tls_certificate_verified) && tls_in.cipher) if (LOGGING(tls_peerdn) && tls_in.peerdn) g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\""); if (LOGGING(tls_sni) && tls_in.sni) - g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\""); + g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE)); #endif if (sender_host_authenticated) diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 3325d54c6..aa1d5b09c 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -1812,7 +1812,7 @@ if (LOGGING(tls_certificate_verified) && tls_in.cipher) if (LOGGING(tls_peerdn) && tls_in.peerdn) g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\""); if (LOGGING(tls_sni) && tls_in.sni) - g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\""); + g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE)); return g; } #endif diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 013d9c0e8..cf3804982 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -2868,7 +2868,7 @@ DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->so /* If dane is flagged, have either request or require dane for this host, and a TLSA record found. Therefore, dane verify required. Which implies cert must be requested and supplied, dane verify must pass, and cert verify irrelevant -(incl. hostnames), and (caller handled) require_tls */ +(incl. hostnames), and (caller handled) require_tls and sni=$domain */ if (conn_args->dane && ob->dane_require_tls_ciphers) { diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 64f60b7e4..5bc9f8f53 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -3200,6 +3200,7 @@ tlsp->tlsa_usage = 0; #ifndef DISABLE_OCSP { # ifdef SUPPORT_DANE + /*XXX this should be moved to caller, to be common across gnutls/openssl */ if ( conn_args->dane && ob->hosts_request_ocsp[0] == '*' && ob->hosts_request_ocsp[1] == '\0' diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 341acde2d..fef4717f5 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -2018,6 +2018,7 @@ if (!continue_hostname) { case OK: sx->conn_args.dane = TRUE; ob->tls_tempfail_tryclear = FALSE; + ob->tls_sni = sx->addrlist->domain; break; case FAIL_FORCED: break; default: set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER, diff --git a/test/confs/5820 b/test/confs/5820 index 76dc75efe..7ee165221 100644 --- a/test/confs/5820 +++ b/test/confs/5820 @@ -16,7 +16,8 @@ acl_smtp_rcpt = accept logwrite = "rcpt ACL" acl_smtp_rcpt = accept verify = recipient/callout .endif -log_selector = +received_recipients +tls_peerdn +tls_certificate_verified +log_selector = +received_recipients +tls_peerdn +tls_certificate_verified \ + +tls_sni queue_run_in_order diff --git a/test/confs/5840 b/test/confs/5840 index 5852ef2c0..1b3b122b3 100644 --- a/test/confs/5840 +++ b/test/confs/5840 @@ -16,7 +16,8 @@ acl_smtp_rcpt = accept logwrite = "rcpt ACL" acl_smtp_rcpt = accept verify = recipient/callout .endif -log_selector = +received_recipients +tls_peerdn +tls_certificate_verified +log_selector = +received_recipients +tls_peerdn +tls_certificate_verified \ + +tls_sni queue_run_in_order diff --git a/test/log/2030 b/test/log/2030 index d64f145d9..9c926fd6e 100644 --- a/test/log/2030 +++ b/test/log/2030 @@ -5,6 +5,6 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 SNI -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=fred S=sss id=E10HmaX-0005vi-00@myhost.test.ex 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed diff --git a/test/log/2031 b/test/log/2031 index 37679a24b..3b8f61de8 100644 --- a/test/log/2031 +++ b/test/log/2031 @@ -8,10 +8,10 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 SNI -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=fred S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@test.ex 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 SNI -1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="bill" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=bill S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed diff --git a/test/log/2130 b/test/log/2130 index 564aa0a95..fc45c0a47 100644 --- a/test/log/2130 +++ b/test/log/2130 @@ -5,6 +5,6 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 SNI -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=fred S=sss id=E10HmaX-0005vi-00@myhost.test.ex 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed diff --git a/test/log/2131 b/test/log/2131 index e5c93f700..38aa87171 100644 --- a/test/log/2131 +++ b/test/log/2131 @@ -8,10 +8,10 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 SNI -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=fred S=sss id=E10HmaX-0005vi-00@myhost.test.ex for CALLER@test.ex 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 SNI -1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="bill" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=bill S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed diff --git a/test/log/5820 b/test/log/5820 index 62425a1d0..a26927024 100644 --- a/test/log/5820 +++ b/test/log/5820 @@ -81,17 +81,17 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 "rcpt ACL" -1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for t1@dane256ee.test.ex +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256ee.test.ex S=sss id=E10HmaX-0005vi-00@myhost.test.ex for t1@dane256ee.test.ex 1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed 1999-03-02 09:44:33 "rcpt ACL" -1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for t2@mxdane512ee.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=mxdane512ee.test.ex S=sss id=E10HmaY-0005vi-00@myhost.test.ex for t2@mxdane512ee.test.ex 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed 1999-03-02 09:44:33 "rcpt ACL" 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 "rcpt ACL" -1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for t4@mxdane256ta.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=mxdane256ta.test.ex S=sss id=E10HmbB-0005vi-00@myhost.test.ex for t4@mxdane256ta.test.ex 1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D @@ -123,13 +123,13 @@ 1999-03-02 09:44:33 10HmbU-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbU-0005vi-00 Completed 1999-03-02 09:44:33 "rcpt ACL" -1999-03-02 09:44:33 10HmbX-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbW-0005vi-00@myhost.test.ex for t18a@danemixed.test.ex +1999-03-02 09:44:33 10HmbX-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=danemixed.test.ex S=sss id=E10HmbW-0005vi-00@myhost.test.ex for t18a@danemixed.test.ex 1999-03-02 09:44:33 10HmbX-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbX-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (recv): A TLS fatal alert has been received: Certificate is bad 1999-03-02 09:44:33 "rcpt ACL" -1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for t20@danebroken8.example.com +1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=danebroken8.example.com S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for t20@danebroken8.example.com 1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmcA-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D diff --git a/test/log/5840 b/test/log/5840 index c20028825..b351197e2 100644 --- a/test/log/5840 +++ b/test/log/5840 @@ -81,22 +81,22 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 "rcpt ACL" -1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for t1@dane256ee.test.ex +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256ee.test.ex S=sss id=E10HmaX-0005vi-00@myhost.test.ex for t1@dane256ee.test.ex 1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed 1999-03-02 09:44:33 "rcpt ACL" -1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaY-0005vi-00@myhost.test.ex for t2@mxdane512ee.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=mxdane512ee.test.ex S=sss id=E10HmaY-0005vi-00@myhost.test.ex for t2@mxdane512ee.test.ex 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed 1999-03-02 09:44:33 "rcpt ACL" 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 "rcpt ACL" -1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbB-0005vi-00@myhost.test.ex for t4@mxdane256ta.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=mxdane256ta.test.ex S=sss id=E10HmbB-0005vi-00@myhost.test.ex for t4@mxdane256ta.test.ex 1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 "rcpt ACL" -1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex for t5@mxdane256tak.test.ex +1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=mxdane256tak.test.ex S=sss id=E10HmbD-0005vi-00@myhost.test.ex for t5@mxdane256tak.test.ex 1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D @@ -130,7 +130,7 @@ 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <> 1999-03-02 09:44:33 "rcpt ACL" -1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for t20@danebroken8.example.com +1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=danebroken8.example.com S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for t20@danebroken8.example.com 1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmcA-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D diff --git a/test/stderr/5820 b/test/stderr/5820 index 032f2b9f3..5bb902961 100644 --- a/test/stderr/5820 +++ b/test/stderr/5820 @@ -9,7 +9,7 @@ >>> host in helo_verify_hosts? no (option unset) >>> host in helo_try_verify_hosts? no (option unset) >>> host in helo_accept_junk_hosts? no (option unset) ->>> processing "accept" (TESTSUITE/test-config 87) +>>> processing "accept" (TESTSUITE/test-config 88) >>> check verify = recipient/callout >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing rcptuser@dane256ee.test.ex diff --git a/test/stderr/5840 b/test/stderr/5840 index dbd4d235c..423ed83a3 100644 --- a/test/stderr/5840 +++ b/test/stderr/5840 @@ -9,7 +9,7 @@ >>> host in helo_verify_hosts? no (option unset) >>> host in helo_try_verify_hosts? no (option unset) >>> host in helo_accept_junk_hosts? no (option unset) ->>> processing "accept" (TESTSUITE/test-config 92) +>>> processing "accept" (TESTSUITE/test-config 93) >>> check verify = recipient/callout >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>> routing rcptuser@dane256ee.test.ex -- 2.30.2