or need not succeed respectively.
The &%tls_verify_cert_hostnames%& option lists hosts for which additional
-checks are made: that the host name (the one in the DNS A record)
-is valid for the certificate.
+name checks are made on the server certificate.
+.new
+The match against this list is, as per other Exim usage, the
+IP for the host. That is most closely associated with the
+name on the DNS A (or AAAA) record for the host.
+However, the name that needs to be in the certificate
+is the one at the head of any CNAME chain leading to the A record.
+.wen
The option defaults to always checking.
The &(smtp)& transport has two OCSP-related options:
path, an error occurred on trying to open it. Use the transport's working
directory.
+JH/06 Bug 2594: Change the name used for certificate name checks in the smtp
+ transport. Previously it was the name on the DNS A-record; use instead
+ the head of the CNAME chain leading there (if there is one). This seems
+ to align better with RFC 6125.
+
Exim version 4.94
-----------------
JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default.
A single TCP connection by a client will now hold a TLS connection open
- for multiple message deliveries, by default. Previoud the default was to
+ for multiple message deliveries, by default. Previously the default was to
not do so.
JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
int af;
#endif
+#ifndef DISABLE_TLS
+/* Copy the host name at this point to the value which is used for
+TLS certificate name checking, before anything modifies it. */
+
+host->certname = host->name;
+#endif
+
/* Make sure DNS options are set as required. This appears to be necessary in
some circumstances when the get..byname() function actually calls the DNS. */
{
host_item *next = store_get(sizeof(host_item), FALSE);
next->name = host->name;
+#ifndef DISABLE_TLS
+ next->certname = host->certname;
+#endif
next->mx = host->mx;
next->address = text_address;
next->port = PORT_NONE;
NULL. If temp_error is set, at least one of the lookups gave a temporary error,
so we pass that back. */
-if (host->address == NULL)
+if (!host->address)
{
uschar *msg =
#ifndef STAND_ALONE
- (message_id[0] == 0 && smtp_in != NULL)?
- string_sprintf("no IP address found for host %s (during %s)", host->name,
+ message_id[0] == 0 && smtp_in
+ ? string_sprintf("no IP address found for host %s (during %s)", host->name,
smtp_get_connection_info()) :
#endif
string_sprintf("no IP address found for host %s", host->name);
BOOL dnssec_fail = FALSE;
int i;
+#ifndef DISABLE_TLS
+/* Copy the host name at this point to the value which is used for
+TLS certificate name checking, before any CNAME-following modifies it. */
+
+host->certname = host->name;
+#endif
+
/* If allow_ip is set, a name which is an IP address returns that value
as its address. This is used for MX records when allow_mx_to_ip is set, for
those sites that feel they have to flaunt the RFC rules. */
typedef struct host_item {
struct host_item *next;
- const uschar *name; /* Host name */
- const uschar *address; /* IP address in text form */
- int port; /* port value in host order (if SRV lookup) */
- int mx; /* MX value if found via MX records */
- int sort_key; /* MX*1000 plus random "fraction" */
- int status; /* Usable, unusable, or unknown */
- int why; /* Why host is unusable */
- int last_try; /* Time of last try if known */
+ const uschar *name; /* Host name */
+#ifndef DISABLE_TLS
+ const uschar *certname; /* Name used for certificate checks */
+#endif
+ const uschar *address; /* IP address in text form */
+ int port; /* port value in host order (if SRV lookup) */
+ int mx; /* MX value if found via MX records */
+ int sort_key; /* MX*1000 plus random "fraction" */
+ int status; /* Usable, unusable, or unknown */
+ int why; /* Why host is unusable */
+ int last_try; /* Time of last try if known */
dnssec_status_t dnssec;
} host_item;
{
state->exp_tls_verify_cert_hostnames =
#ifdef SUPPORT_I18N
- string_domain_utf8_to_alabel(host->name, NULL);
+ string_domain_utf8_to_alabel(host->certname, NULL);
#else
- host->name;
+ host->certname;
#endif
DEBUG(D_tls)
debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
} ocsp_resplist;
typedef struct tls_ext_ctx_cb {
- tls_support * tlsp;
- uschar *certificate;
- uschar *privatekey;
- BOOL is_server;
+ tls_support * tlsp;
+ uschar * certificate;
+ uschar * privatekey;
+ BOOL is_server;
#ifndef DISABLE_OCSP
STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
union {
} client;
} u_ocsp;
#endif
- uschar *dhparam;
+ uschar * dhparam;
/* these are cached from first expand */
- uschar *server_cipher_list;
+ uschar * server_cipher_list;
/* only passed down to tls_error: */
- host_item *host;
+ host_item * host;
const uschar * verify_cert_hostnames;
#ifndef DISABLE_EVENT
- uschar * event_action;
+ uschar * event_action;
#endif
} tls_ext_ctx_cb;
{
cbinfo->verify_cert_hostnames =
#ifdef SUPPORT_I18N
- string_domain_utf8_to_alabel(host->name, NULL);
+ string_domain_utf8_to_alabel(host->certname, NULL);
#else
- host->name;
+ host->certname;
#endif
DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
cbinfo->verify_cert_hostnames);
retry_use_local_part
transport = send_to_server_req_passname
+client_t:
+ driver = accept
+ local_parts = usert
+ retry_use_local_part
+ transport = send_to_server_req_failchain
+
+client_u:
+ driver = accept
+ local_parts = useru
+ retry_use_local_part
+ transport = send_to_server_req_passchain
+
# ----- Transports -----
# this will fail to verify the cert name and fallback to unencrypted
send_to_server_req_failname:
- driver = smtp
+ driver = smtp
allow_localhost
- hosts = HOSTIPV4
- port = PORT_D
- hosts_try_fastopen = :
- tls_certificate = CERT2
- tls_privatekey = CERT2
+ hosts = serverbadname.example.com
+ port = PORT_D
+ hosts_try_fastopen = :
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
- tls_verify_certificates = CA1
- tls_verify_cert_hostnames = server1.example.net : server1.example.org
- tls_verify_hosts = *
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = HOSTIPV4
+ tls_verify_hosts = *
# this will pass the cert verify including name check
send_to_server_req_passname:
- driver = smtp
+ driver = smtp
allow_localhost
- hosts = HOSTIPV4
- port = PORT_D
- hosts_try_fastopen = :
- tls_certificate = CERT2
- tls_privatekey = CERT2
+ hosts = server1.example.com
+ port = PORT_D
+ hosts_try_fastopen = :
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = HOSTIPV4
+ tls_verify_hosts = *
+
+ # this will fail the cert verify name check, because CNAME rules
+ send_to_server_req_failchain:
+ driver = smtp
+ allow_localhost
+ hosts = serverchain1.example.com
+ port = PORT_D
+ hosts_try_fastopen = :
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = HOSTIPV4
+ tls_verify_hosts = *
+
+ # this will pass the cert verify name check, because CNAME rules
+ send_to_server_req_passchain:
+ driver = smtp
+ allow_localhost
+ hosts = alternatename.server1.example.com
+ port = PORT_D
+ hosts_try_fastopen = :
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
- tls_verify_certificates = CA1
- tls_verify_cert_hostnames = noway.example.com : server1.example.com
- tls_verify_hosts = *
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = HOSTIPV4
+ tls_verify_hosts = *
# End
retry_use_local_part
transport = send_to_server_req_passname
+client_t:
+ driver = accept
+ local_parts = usert
+ retry_use_local_part
+ transport = send_to_server_req_failchain
+
+client_u:
+ driver = accept
+ local_parts = useru
+ retry_use_local_part
+ transport = send_to_server_req_passchain
+
# ----- Transports -----
# this will fail to verify the cert name and fallback to unencrypted
send_to_server_req_failname:
- driver = smtp
+ driver = smtp
allow_localhost
- hosts = HOSTIPV4
- port = PORT_D
- hosts_try_fastopen = :
- tls_certificate = CERT2
- tls_privatekey = CERT2
+ hosts = serverbadname.example.com
+ port = PORT_D
+ hosts_try_fastopen = :
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
- tls_verify_certificates = CA1
- tls_verify_cert_hostnames = server1.example.net : server1.example.org
- tls_verify_hosts = *
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = HOSTIPV4
+ tls_verify_hosts = *
# this will pass the cert verify including name check
send_to_server_req_passname:
- driver = smtp
+ driver = smtp
allow_localhost
- hosts = HOSTIPV4
- port = PORT_D
- hosts_try_fastopen = :
- tls_certificate = CERT2
- tls_privatekey = CERT2
+ hosts = server1.example.com
+ port = PORT_D
+ hosts_try_fastopen = :
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = HOSTIPV4
+ tls_verify_hosts = *
+
+ # this will fail the cert verify name check, because CNAME rules
+ send_to_server_req_failchain:
+ driver = smtp
+ allow_localhost
+ hosts = serverchain1.example.com
+ port = PORT_D
+ hosts_try_fastopen = :
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
- tls_verify_certificates = CA1
- tls_verify_cert_hostnames = noway.example.com : server1.example.com
- tls_verify_hosts = *
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = HOSTIPV4
+ tls_verify_hosts = *
+
+ # this will pass the cert verify name check, because CNAME rules
+ send_to_server_req_passchain:
+ driver = smtp
+ allow_localhost
+ hosts = alternatename.server1.example.com
+ port = PORT_D
+ hosts_try_fastopen = :
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = HOSTIPV4
+ tls_verify_hosts = *
# End
; Alias A record for the local host, under the name "server1"
-server1 A HOSTIPV4
+server1 A HOSTIPV4
+serverbadname A HOSTIPV4
+serverchain1 CNAME server1
+alternatename.server1 CNAME server1
; DANE testing
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@test.ex R=client_x T=send_to_server_failcert defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (certificate verification failed): certificate invalid
1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@test.ex: retry timeout exceeded
1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbF-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session: (certificate verification failed): certificate invalid: delivering unencrypted to H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbH-0005vi-00"
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net
-1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 TLS session: (certificate verification failed): delivering unencrypted to H=serverbadname.example.com [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=serverbadname.example.com [ip4.ip4.ip4.ip4] C="250 OK id=10HmbI-0005vi-00"
1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbC-0005vi-00 no IP address found for host noway.example.com
-1999-03-02 09:44:33 10HmbC-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbJ-0005vi-00"
1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 TLS session: (certificate verification failed): delivering unencrypted to H=server1.example.com [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmbD-0005vi-00 => usert@test.ex R=client_t T=send_to_server_req_failchain H=server1.example.com [ip4.ip4.ip4.ip4] C="250 OK id=10HmbK-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbE-0005vi-00 => useru@test.ex R=client_u T=send_to_server_req_passchain H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbL-0005vi-00"
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received: Certificate is bad
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received: Certificate is bad
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received: Certificate is bad
-1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received: Certificate is bad
+1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbB-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received: Certificate is bad
+1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbD-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbE-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for userr@test.ex
1999-03-02 09:44:33 this will pass the cert verify including name check
1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for user_s@test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for usert@test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for useru@test.ex
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@test.ex R=client_x T=send_to_server_failcert defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: TLS session: (SSL_connect): error: <<detail omitted>>
1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaY-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbF-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaZ-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=server1.example.com
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 10HmbA-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbH-0005vi-00"
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net
-1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: certificate name mismatch: DN="/CN=server1.example.com" H="serverbadname.example.com"
+1999-03-02 09:44:33 10HmbB-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=serverbadname.example.com [ip4.ip4.ip4.ip4] C="250 OK id=10HmbI-0005vi-00"
1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbC-0005vi-00 no IP address found for host noway.example.com
-1999-03-02 09:44:33 10HmbC-0005vi-00 => user_s@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 => user_s@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbJ-0005vi-00"
1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbD-0005vi-00 [ip4.ip4.ip4.ip4] SSL verify error: certificate name mismatch: DN="/CN=server1.example.com" H="serverchain1.example.com"
+1999-03-02 09:44:33 10HmbD-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbD-0005vi-00 => usert@test.ex R=client_t T=send_to_server_req_failchain H=server1.example.com [ip4.ip4.ip4.ip4] C="250 OK id=10HmbK-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbE-0005vi-00 => useru@test.ex R=client_u T=send_to_server_req_passchain H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbL-0005vi-00"
+1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery@test.ex
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz@test.ex
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex for usery@test.ex
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for userz@test.ex
1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex for userq@test.ex
-1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@myhost.test.ex for userr@test.ex
-1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@myhost.test.ex for user_s@test.ex
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex for userq@test.ex
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbB-0005vi-00@myhost.test.ex for userr@test.ex
+1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@myhost.test.ex for user_s@test.ex
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbD-0005vi-00@myhost.test.ex for usert@test.ex
+1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbE-0005vi-00@myhost.test.ex for useru@test.ex
Testing
****
exim usery@test.ex
-Testing
****
exim userz@test.ex
-Testing
****
exim userq@test.ex
-Testing
****
exim userr@test.ex
-Testing
****
exim users@test.ex
-Testing
+****
+exim usert@test.ex
+****
+exim useru@test.ex
****
exim -qf
****
exim -z 'this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok'
****
exim usery@test.ex
-Testing
****
#
#
exim -z 'this will fail to verify the cert but continue unverified though crypted'
****
exim userz@test.ex
-Testing
****
#
#
exim -z 'this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted'
****
exim userq@test.ex
-Testing
****
#
#
exim -z 'this will fail to verify the cert name and fallback to unencrypted'
****
exim userr@test.ex
-Testing
****
#
#
exim -z 'this will pass the cert verify including name check'
****
exim user_s@test.ex
-Testing
+****
+#
+#
+exim usert@test.ex
+****
+#
+exim useru@test.ex
****
#
#