From: Jeremy Harris Date: Tue, 21 May 2019 18:36:50 +0000 (+0100) Subject: Change the default for hosts_try_dane, enabling use by default X-Git-Url: https://git.exim.org/users/jgh/exim.git/commitdiff_plain/59c0959a36649c4554bd0f18f2c2e74571ed41eb Change the default for hosts_try_dane, enabling use by default
---
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 39757a156..856bb0c15 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -24696,7 +24696,7 @@ This option provides a list of servers to which, provided they announce CHUNKING support, Exim will attempt to use BDAT commands rather than DATA. BDAT will not be used in conjunction with a transport filter.
-.option hosts_try_dane smtp "host list&!!" unset
+.option hosts_try_dane smtp "host list&!!" *
 .cindex DANE "transport options"
 .cindex DANE "attempting for certain servers"
 If built with DANE support, Exim will lookup a
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 065ec2812..789593ab3 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -107,6 +107,10 @@ JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default. for multiple message deliveries, by default. Previoud the default was to not do so.
+JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
+ default. If built with the facility, DANE will be used. The facility is
+ now enabled in the prototype build Makefile "EDITME".
+ Exim version 4.92
diff --git a/src/src/EDITME b/src/src/EDITME
index dea4e4cf8..415f021ee 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -367,10 +367,10 @@ PCRE_CONFIG=yes
 #------------------------------------------------------------------------------
-# Uncomment the following line to add DANE support
+# Comment out the following line to remove DANE support
 # Note: Enabling this unconditionally overrides DISABLE_DNSSEC
 # For DANE under GnuTLS we need an additional library. See TLS_LIBS below.
-# SUPPORT_DANE=yes
+SUPPORT_DANE=yes
 #------------------------------------------------------------------------------
 # Additional libraries and include directories may be required for some
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 041ed9393..3d7aaae6b 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -240,7 +240,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 .hosts_require_auth = NULL,
 .hosts_try_chunking = US"*",
 #ifdef SUPPORT_DANE
- .hosts_try_dane = NULL,
+ .hosts_try_dane = US"*",
 .hosts_require_dane = NULL,
 .dane_require_tls_ciphers = NULL,
 #endif
diff --git a/test/confs/5820 b/test/confs/5820
index bcb1a8f34..b038558de 100644
--- a/test/confs/5820
+++ b/test/confs/5820
@@ -2,6 +2,7 @@
 # DANE/GnuTLS
 SERVER=
+CONTROL= *
 .include DIR/aux-var/tls_conf_prefix
@@ -66,7 +67,7 @@ send_to_server:
 allow_localhost
 port = PORT_D
- hosts_try_dane = *
+ hosts_try_dane = CONTROL
 hosts_require_dane = HOSTIPV4
 tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
 tls_try_verify_hosts = thishost.test.ex
diff --git a/test/confs/5840 b/test/confs/5840
index 407846a8a..bda328a97 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -2,6 +2,7 @@
 # DANE/OpenSSL
 SERVER=
+CONTROL= *
 .include DIR/aux-var/tls_conf_prefix
@@ -71,7 +72,7 @@ send_to_server:
 allow_localhost
 port = PORT_D
- hosts_try_dane = *
+ hosts_try_dane = CONTROL
 hosts_require_dane = HOSTIPV4
 tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
 tls_try_verify_hosts = thishost.test.ex
diff --git a/test/log/5820 b/test/log/5820
index 8b6cd5f4d..4952d8337 100644
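Review bot: With `SUPPORT_DANE=yes` now live in the shipped EDITME, the note two lines above it ("Enabling this unconditionally overrides DISABLE_DNSSEC") describes the default build rather than an opt-in, so a site that sets DISABLE_DNSSEC elsewhere in this file gets DNSSEC-enabled lookups anyway unless it also comments this line out; the comment should state that consequence, e.g. `# Note: while this is enabled, DISABLE_DNSSEC has no effect; comment it out if you need that`. The same block says GnuTLS needs an additional library via TLS_LIBS, so if the default TLS_LIBS does not already carry it, a GnuTLS build from an untouched EDITME now fails to link rather than silently lacking DANE — worth a sentence here and in the ChangeLog entry. The TLS_LIBS section and the DISABLE_DNSSEC setting are outside this hunk.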
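Review bot: The new initializer turns DANE on for every host in any SUPPORT_DANE build, yet nothing at the definition records that this is a deliberate security default rather than a copy of the `.hosts_try_chunking = US"*"` shape on the line above; I would annotate the changed line, `.hosts_try_dane = US"*",   /* opportunistic DANE for all hosts by default */`. The ChangeLog entry on this page says only that DANE "will be used", and the new test title ("dane not requested ... should work non-dane") suggests that a host with DNSSEC-secured but mismatching TLSA records is now deferred where it was previously delivered over plain TLS; if that reading is right, it is the operational change the spec text following the changed `.option` line should spell out, together with the dependence on a validating resolver that the lookup code (outside this hunk) presumably has. The `smtp_transport_option_defaults` initializer continues outside the hunk.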
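Review bot: Both 5820 hunks keep `hosts_try_dane` set explicitly (`hosts_try_dane = CONTROL`, with `CONTROL= *` as the file default), so the compiled-in default this commit changes in smtp.c is never what these tests run with — the configuration that exercises the actual change, the option left unset, has no test. A variant that omits the `hosts_try_dane` line and expects the same `CV=dane` results as the `*` case would pin the new default; the test/confs/5840 hunks below have the same gap. The `send_to_server` transport definition continues outside the hunk.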
--- a/test/log/5820
+++ b/test/log/5820
@@ -68,6 +68,9 @@
 1999-03-02 09:44:33 10HmbZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken8.example.com
 1999-03-02 09:44:33 10HmbZ-0005vi-00 => CALLER@danebroken8.example.com R=client T=send_to_server H=danebroken8.example.com [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane DN="CN=server1.example.net" C="250 OK id=10HmcA-0005vi-00"
 1999-03-02 09:44:33 10HmbZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmcB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken2.test.ex
+1999-03-02 09:44:33 10HmcB-0005vi-00 => CALLER@danebroken2.test.ex R=client T=send_to_server H=danebroken2.test.ex [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="CN=server1.example.com" C="250 OK id=10HmcC-0005vi-00"
+1999-03-02 09:44:33 10HmcB-0005vi-00 Completed
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
@@ -123,3 +126,8 @@
 1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for CALLER@danebroken8.example.com
 1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: R=server
 1999-03-02 09:44:33 10HmcA-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmcC-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcB-0005vi-00@myhost.test.ex for CALLER@danebroken2.test.ex
+1999-03-02 09:44:33 10HmcC-0005vi-00 => :blackhole: R=server
+1999-03-02 09:44:33 10HmcC-0005vi-00 Completed
diff --git a/test/log/5840 b/test/log/5840
index 3cbc7d8bb..581a19ba0 100644
--- a/test/log/5840
+++ b/test/log/5840
@@ -68,6 +68,9 @@
 1999-03-02 09:44:33 10HmbZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken8.example.com
 1999-03-02 09:44:33 10HmbZ-0005vi-00 => CALLER@danebroken8.example.com R=client T=send_to_server H=danebroken8.example.com [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane DN="/CN=server1.example.net" C="250 OK id=10HmcA-0005vi-00"
 1999-03-02 09:44:33 10HmbZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmcB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken2.test.ex
+1999-03-02 09:44:33 10HmcB-0005vi-00 => CALLER@danebroken2.test.ex R=client T=send_to_server H=danebroken2.test.ex [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmcC-0005vi-00"
+1999-03-02 09:44:33 10HmcB-0005vi-00 Completed
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
@@ -124,3 +127,8 @@
 1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for CALLER@danebroken8.example.com
 1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: R=server
 1999-03-02 09:44:33 10HmcA-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmcC-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcB-0005vi-00@myhost.test.ex for CALLER@danebroken2.test.ex
+1999-03-02 09:44:33 10HmcC-0005vi-00 => :blackhole: R=server
+1999-03-02 09:44:33 10HmcC-0005vi-00 Completed
diff --git a/test/scripts/5820-DANE-GnuTLS/5820 b/test/scripts/5820-DANE-GnuTLS/5820
index d7824a38c..4b5f9dd87 100644
--- a/test/scripts/5820-DANE-GnuTLS/5820
+++ b/test/scripts/5820-DANE-GnuTLS/5820
@@ -103,7 +103,7 @@ Testing
 ****
 #
 ### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
-# that way round to excersize more code in the implementation
+# that way round to exercise more code in the implementation
 exim -odf CALLER@danemixed.test.ex
 Testing
 ****
@@ -123,6 +123,15 @@ Testing
 exim -odf CALLER@danebroken8.example.com
 Testing
 ****
+killdaemon
+# #
+sudo rm DIR/spool/db/retry
+exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
+****
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
+exim -odf -DCONTROL=: CALLER@danebroken2.test.ex
+****
 killdaemon
+# no_msglog_check
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index 4d88131ea..f988cd1cd 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -2,11 +2,11 @@
 #
 exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
 ****
-### TLSA (3 1 1)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
 exim -odq CALLER@dane256ee.test.ex
 Testing
 ****
-### TLSA (3 1 2)
+### TLSA (3 1 2) ( SHA2-512)
 exim -odq CALLER@mxdane512ee.test.ex
 Testing
 ****
@@ -24,7 +24,7 @@ killdaemon
 #
 exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D
 ****
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 exim -odf CALLER@mxdane256ta.test.ex
 Testing
 ****
@@ -111,8 +111,9 @@ Testing
 ****
 #
 killdaemon
-
-
+#
+#
+#
 ### A server with a name not matching the cert. TA-mode; should fail
 exim -DSERVER=server -DDETAILS=cert.net -bd -oX PORT_D
 ****
@@ -124,6 +125,15 @@ Testing
 exim -odf CALLER@danebroken8.example.com
 Testing
 ****
+killdaemon
+# #
+sudo rm DIR/spool/db/retry
+exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
+****
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
+exim -odf -DCONTROL=: CALLER@danebroken2.test.ex
+****
 killdaemon
+# no_msglog_check
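Review bot: The added `sudo rm DIR/spool/db/retry` step in the second 5820 hunk carries no explanation, and because the cases before it are designed to fail delivery, a reader has to infer that it clears retry state so the new danebroken2 delivery is actually attempted rather than deferred; a comment in the `#` slot above it, e.g. `# drop retry records left by the failing cases above so the next delivery is attempted`, would make that explicit (I infer the purpose from the surrounding cases, so confirm it). The `-DCONTROL=:` override also deserves a word, since it is what turns DANE off for this case while the conf file's `CONTROL= *` default keeps it on everywhere else. The same block is added to test/scripts/5840-DANE-OpenSSL/5840 in the last hunk on this line.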
diff --git a/test/stderr/5820 b/test/stderr/5820
index 84005afe3..f218f0c51 100644
--- a/test/stderr/5820
+++ b/test/stderr/5820
@@ -9,7 +9,7 @@
 >>> host in helo_verify_hosts? no (option unset)
 >>> host in helo_try_verify_hosts? no (option unset)
 >>> host in helo_accept_junk_hosts? no (option unset)
->>> processing "accept" (TESTSUITE/test-config 85)
+>>> processing "accept" (TESTSUITE/test-config 86)
 >>> check verify = recipient/callout
 >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 >>> routing rcptuser@dane256ee.test.ex
@@ -80,6 +80,7 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
 ### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
 ### A server with a name not matching the cert. TA-mode; should fail
 ### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
 ******** SERVER ********
 ### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
@@ -102,3 +103,4 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
 ### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
 ### A server with a name not matching the cert. TA-mode; should fail
 ### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
diff --git a/test/stderr/5840 b/test/stderr/5840
index 6a2b6e209..0991dc695 100644
--- a/test/stderr/5840
+++ b/test/stderr/5840
@@ -1,5 +1,5 @@
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) ( SHA2-512)
 ### Recipient callout
 >>> host in hosts_connection_nolog? no (option unset)
 >>> host in host_lookup? no (option unset)
@@ -9,7 +9,7 @@
 >>> host in helo_verify_hosts? no (option unset)
 >>> host in helo_try_verify_hosts? no (option unset)
 >>> host in helo_accept_junk_hosts? no (option unset)
->>> processing "accept" (TESTSUITE/test-config 90)
+>>> processing "accept" (TESTSUITE/test-config 91)
 >>> check verify = recipient/callout
 >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 >>> routing rcptuser@dane256ee.test.ex
@@ -63,7 +63,7 @@
 >>> accept: condition test succeeded in inline ACL
 >>> end of inline ACL: ACCEPT
 LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 ### TLSA (2 1 1)
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
@@ -80,12 +80,13 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
 ### A server insecurely serving a good A record, dane required (delivery should fail)
 ### A server with a name not matching the cert. TA-mode; should fail
 ### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
 ******** SERVER ********
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) ( SHA2-512)
 ### Recipient callout
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 ### TLSA (2 1 1)
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
@@ -102,3 +103,4 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
 ### A server insecurely serving a good A record, dane required (delivery should fail)
 ### A server with a name not matching the cert. TA-mode; should fail
 ### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
diff --git a/test/stdout/5820 b/test/stdout/5820
index 4b26b4c79..acaec1415 100644
--- a/test/stdout/5820
+++ b/test/stdout/5820
@@ -27,6 +27,7 @@
 ### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
 ### A server with a name not matching the cert. TA-mode; should fail
 ### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
 ******** SERVER ********
 ### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
@@ -49,3 +50,4 @@
 ### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
 ### A server with a name not matching the cert. TA-mode; should fail
 ### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
diff --git a/test/stdout/5840 b/test/stdout/5840
index 947f802a7..e6bd55bf9 100644
--- a/test/stdout/5840
+++ b/test/stdout/5840
@@ -1,5 +1,5 @@
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) ( SHA2-512)
 ### Recipient callout
 **** SMTP testing session as if from host 127.0.0.1
@@ -10,7 +10,7 @@
 250 OK
 250 Accepted
 421 myhost.test.ex lost input connection
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 ### TLSA (2 1 1)
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
@@ -27,12 +27,13 @@
 ### A server insecurely serving a good A record, dane required (delivery should fail)
 ### A server with a name not matching the cert. TA-mode; should fail
 ### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
 ******** SERVER ********
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) ( SHA2-512)
 ### Recipient callout
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 ### TLSA (2 1 1)
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
@@ -49,3 +50,4 @@
 ### A server insecurely serving a good A record, dane required (delivery should fail)
 ### A server with a name not matching the cert. TA-mode; should fail
 ### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)