From bf7aabb41b04efb076bed9de84b15b03f3006073 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Tue, 24 Mar 2015 15:32:08 +0000
Subject: [PATCH] Fix default-port TLSA lookup done by callout. Bug 1602
---
 src/src/transports/smtp.c | 9 ++--
 src/src/verify.c | 66 +++++++++++++++--------------
 test/confs/5840 | 5 +++
 test/scripts/5840-DANE-OpenSSL/5840 | 7 +++
 test/stderr/5840 | 63 +++++++++++++++++++++++++++
 test/stdout/5840 | 9 ++++
 6 files changed, 123 insertions(+), 36 deletions(-)
 create mode 100644 test/stderr/5840
 create mode 100644 test/stdout/5840
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 3c983220d..6a8fbc439 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1450,11 +1450,12 @@ if (continue_hostname == NULL)
 
 if (host->dnssec == DS_YES)
 {
- if( dane_required
- || verify_check_given_host(&ob->hosts_try_dane, host) == OK
+ if( ( dane_required
+ || verify_check_given_host(&ob->hosts_try_dane, host) == OK
+ )
+ && (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK
 )
- if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK)
- return rc;
+ return rc;
 }
 else if (dane_required)
 {
diff --git a/src/src/verify.c b/src/src/verify.c
index d85ef3b4f..678ee6315 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -575,9 +575,10 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount.
 deliver_domain = addr->domain;
 transport_name = addr->transport->name;
- if (!smtp_get_interface(tf->interface, host_af, addr, NULL, &interface,
- US"callout") ||
- !smtp_get_port(tf->port, addr, &port, US"callout"))
+ if ( !smtp_get_interface(tf->interface, host_af, addr, NULL, &interface,
+ US"callout")
+ || !smtp_get_port(tf->port, addr, &port, US"callout")
+ )
 log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address, addr->message);
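Review bot: The rewritten condition in the smtp.c hunk folds the `rc = tlsa_lookup(...)` assignment into the middle of a compound `&&` expression, so the one statement that sets `rc` is no longer visible as a statement; this is equivalent to the nested `if` it replaces but harder to read, and it is now duplicated verbatim in the block the same commit adds to verify.c (the hunk at +625). Since both copies must keep the same DANE decision — require/try matching, the not-DNSSEC FAIL path and the error return from `tlsa_lookup` — a shared helper would stop them drifting, e.g. `if ((rc = DANE_CHECK_HELPER(host, ob, &tlsa_dnsa, &dane)) != OK) return rc;` with `DANE_CHECK_HELPER` as a placeholder for a real function name. Until then a one-line comment above the condition, `/* rc is only set when tlsa_lookup() runs */`, would make the assignment-in-condition explicit. The enclosing function starts and ends outside this hunk.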
@@ -588,35 +589,6 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount.
 HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", interface, port);
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
- {
- int rc;
-
- tls_out.dane_verified = FALSE;
- tls_out.tlsa_usage = 0;
-
- dane_required =
- verify_check_given_host(&ob->hosts_require_dane, host) == OK;
-
- if (host->dnssec == DS_YES)
- {
- if( dane_required
- || verify_check_given_host(&ob->hosts_try_dane, host) == OK
- )
- if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK)
- return rc;
- }
- else if (dane_required)
- {
- log_write(0, LOG_MAIN, "DANE error: %s lookup not DNSSEC", host->name);
- return FAIL;
- }
-
- if (dane)
- ob->tls_tempfail_tryclear = FALSE;
- }
-#endif /*DANE*/
-
 /* Set up the buffer for reading SMTP response packets. */
 inblock.buffer = inbuffer;
@@ -653,6 +625,36 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount.
 continue;
 }
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
+ {
+ int rc;
+
+ tls_out.dane_verified = FALSE;
+ tls_out.tlsa_usage = 0;
+
+ dane_required =
+ verify_check_given_host(&ob->hosts_require_dane, host) == OK;
+
+ if (host->dnssec == DS_YES)
+ {
+ if( ( dane_required
+ || verify_check_given_host(&ob->hosts_try_dane, host) == OK
+ )
+ && (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK
+ )
+ return rc;
+ }
+ else if (dane_required)
+ {
+ log_write(0, LOG_MAIN, "DANE error: %s lookup not DNSSEC", host->name);
+ return FAIL;
+ }
+
+ if (dane)
+ ob->tls_tempfail_tryclear = FALSE;
+ }
+#endif /*DANE*/
+
 /* Expand the helo_data string to find the host name to use. */
 if (tf->helo_data != NULL)
diff --git a/test/confs/5840 b/test/confs/5840
index cd9e8b9c3..0447ce36d 100644
--- a/test/confs/5840
+++ b/test/confs/5840
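Review bot: The relocated block in the hunk at +625 resets `tls_out.dane_verified` and `tls_out.tlsa_usage` for each host iteration but never resets `dane` (or `tlsa_dnsa`), and `dane` is only written when `tlsa_lookup` actually runs, i.e. for a DNSSEC-validated host that matches hosts_require_dane or hosts_try_dane. If `dane` is declared outside the host loop — its declaration is not in this hunk — a TRUE left by an earlier host whose attempt ended in the `continue` just above could carry into a later host that never ran the lookup, and that host would then be handled as DANE with stale TLSA data. Adding `dane = FALSE;` beside the two `tls_out` resets makes the per-host state explicit whatever the declaration's scope. The enclosing function starts and ends outside the hunk; the removed copy in the hunk at -588 is the same block before the move, and the smtp.c hunk carries the same condition restyle.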
@@ -13,7 +13,11 @@ gecos_name = CALLER_NAME
 # ----- Main settings -----
+.ifndef OPT
 acl_smtp_rcpt = accept
+.else
+acl_smtp_rcpt = accept verify = recipient/callout
+.endif
 log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
@@ -62,6 +66,7 @@ send_to_server:
 allow_localhost
 port = PORT_D
+ hosts_verify_avoid_tls = :
 hosts_try_dane = *
 hosts_require_dane = !thishost.test.ex
 hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index c0133eae3..deff4a6a4 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -12,6 +12,13 @@ Testing
 ****
 exim -qf
 ****
+#
+#
+# Recipient callout
+exim -DOPT=callout -bhc 127.0.0.1
+MAIL FROM:
+RCPT TO:
+****
 killdaemon
 #
 #
diff --git a/test/stderr/5840 b/test/stderr/5840
new file mode 100644
index 000000000..eeffc1103
--- /dev/null
+++ b/test/stderr/5840
@@ -0,0 +1,63 @@
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> processing "accept"
+>>> check verify = recipient/callout
+>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+>>> routing CALLER@dane256ee.test.ex
+>>> calling client router
+>>> dane256ee.test.ex in "*"? yes (matched "*")
+>>> local host found for non-MX address
+>>> routed by client router
+>>> Attempting full verification using callout
+>>> callout cache: no domain record found
+>>> callout cache: no address record found
+>>> interface=NULL port=1225
+>>> Connecting to dane256ee.test.ex [ip4.ip4.ip4.ip4]:1225 ... connected
+MUNGED: ::1 will be omitted in what follows
+>>> get[host|ipnode]byname[2] looked up these IP addresses:
+>>> name=thishost.test.ex address=127.0.0.1
+>>> ip4.ip4.ip4.ip4 in hosts_require_dane? yes (end of list)
+>>> SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ip4.ip4.ip4.ip4 in hosts_avoid_esmtp? no (option unset)
+>>> SMTP>> EHLO myhost.test.ex
+>>> SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+>>> 250-SIZE 52428800
+>>> 250-8BITMIME
+>>> 250-PIPELINING
+>>> 250-STARTTLS
+>>> 250 HELP
+>>> ip4.ip4.ip4.ip4 in hosts_avoid_tls? no (option unset)
+>>> ip4.ip4.ip4.ip4 in hosts_verify_avoid_tls? no (end of list)
+>>> SMTP>> STARTTLS
+>>> SMTP<< 220 TLS go ahead
+>>> ip4.ip4.ip4.ip4 in hosts_require_ocsp? no (option unset)
+>>> ip4.ip4.ip4.ip4 in hosts_request_ocsp? yes (matched "*")
+>>> ip4.ip4.ip4.ip4 in hosts_require_ocsp? no (option unset)
+>>> ip4.ip4.ip4.ip4 in hosts_request_ocsp? no (end of list)
+>>> SMTP>> EHLO myhost.test.ex
+>>> SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+>>> 250-SIZE 52428800
+>>> 250-8BITMIME
+>>> 250-PIPELINING
+>>> 250 HELP
+>>> ip4.ip4.ip4.ip4 in hosts_require_auth? no (option unset)
+>>> SMTP>> MAIL FROM:<>
+>>> SMTP<< 250 OK
+>>> SMTP>> RCPT TO:
+>>> SMTP<< 250 Accepted
+>>> SMTP>> QUIT
+>>> wrote callout cache domain record:
+>>> result=1 postmaster=0 random=0
+>>> wrote positive callout cache address record
+>>> ----------- end verify ------------
+>>> accept: condition test succeeded in inline ACL
+>>> end of inline ACL: ACCEPT
+LOG: unexpected disconnection while reading SMTP command from [127.0.0.1]
+
+******** SERVER ********
diff --git a/test/stdout/5840 b/test/stdout/5840
new file mode 100644
index 000000000..0829c56fc
--- /dev/null
+++ b/test/stdout/5840
@@ -0,0 +1,9 @@
+
+**** SMTP testing session as if from host 127.0.0.1
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250 OK
+250 Accepted
+421 myhost.test.ex lost input connection
-- 
2.30.2