Gitweb:
http://git.exim.org/exim.git/commitdiff/578897ea8764001d0538b8b645d161524ba1fa4e
Commit: 578897ea8764001d0538b8b645d161524ba1fa4e
Parent: 2b4a568dfa3d79a9a968984cf5b23829c084a951
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Apr 27 18:17:29 2014 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sun Apr 27 18:17:29 2014 +0100
Add options dnssec_request_domains, dnssec_require_domains to the smtp transport
Note there are no testsuite cases included.
TODO in this area:
- dnssec during verify-callouts
- dnssec on the forward lookup of a verify=helo and verify=reverse_host_lookup
---
doc/doc-docbook/spec.xfpt | 31 ++++++++++++++++++++++++++++---
doc/doc-txt/ChangeLog | 3 ++-
doc/doc-txt/NewStuff | 2 ++
src/src/transports/smtp.c | 10 +++++++++-
src/src/transports/smtp.h | 2 ++
5 files changed, 43 insertions(+), 5 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 0e6a38b..0ecbaac 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -11457,7 +11457,7 @@ the space value is -1. See also the &%check_log_space%& option.
.vitem &$lookup_dnssec_authenticated$&
.vindex "&$lookup_dnssec_authenticated$&"
This variable is set after a DNS lookup done by
-either a dnslookup router or a dnsdb lookup expansion.
+a dnsdb lookup expansion, dnslookup router or smtp transport.
It will be empty if &(DNSSEC)& was not requested,
&"no"& if the result was not labelled as authenticated data
and &"yes"& if it was.
@@ -17673,8 +17673,6 @@ when there is a DNS lookup error.
DNS lookups for domains matching &%dnssec_request_domains%& will be done with
the dnssec request bit set.
This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
-
-See also the &$lookup_dnssec_authenticated$& variable.
.wen
@@ -22596,6 +22594,33 @@ See the &%search_parents%& option in chapter &<<CHAPdnslookup>>& for more
details.
+.new
+.option dnssec_request_domains smtp "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set.
+This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
+
+
+
+.new
+.option dnssec_require_domains smtp "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set. Any returns not having the Authenticated Data bit
+(AD bit) set wil be ignored and logged as a host-lookup failure.
+This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
+
+
+
.option dscp smtp string&!! unset
.cindex "DCSP" "outbound"
This option causes the DSCP value associated with a socket to be set to one
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index cff9803..d4240fa 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -85,7 +85,8 @@ TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly
JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455.
JH/14 New options dnssec_request_domains, dnssec_require_domains on the
- dnslookup router (applying to the forward lookup).
+ dnslookup router and the smtp transport (applying to the forward
+ lookup).
TL/08 Bugzilla 1453: New LDAP "SERVERS=" option allows admin to override list
of ldap servers used for a specific lookup. Patch provided by Heiko
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 6a1a5e8..33c66ce 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -42,6 +42,8 @@ Version 4.83
8. EXPERIMENTAL_OCSP now supports GnuTLS also, if you have version 3.1.3
or later of that.
+ 9. Support for DNSSEC on outbound connections.
+
Version 4.82
------------
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 57b66b8..9e0ab15 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -55,6 +55,10 @@ optionlist smtp_transport_options[] = {
(void *)offsetof(smtp_transport_options_block, dns_qualify_single) },
{ "dns_search_parents", opt_bool,
(void *)offsetof(smtp_transport_options_block, dns_search_parents) },
+ { "dnssec_request_domains", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block, dnssec_request_domains) },
+ { "dnssec_require_domains", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block, dnssec_require_domains) },
{ "dscp", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, dscp) },
{ "fallback_hosts", opt_stringptr,
@@ -213,6 +217,8 @@ smtp_transport_options_block smtp_transport_option_defaults = {
FALSE, /* gethostbyname */
TRUE, /* dns_qualify_single */
FALSE, /* dns_search_parents */
+ NULL, /* dnssec_request_domains */
+ NULL, /* dnssec_require_domains */
TRUE, /* delay_after_cutoff */
FALSE, /* hosts_override */
FALSE, /* hosts_randomize */
@@ -2816,7 +2822,7 @@ for (cutoff_retry = 0; expired &&
rc = host_find_byname(host, NULL, flags, &canonical_name, TRUE);
else
rc = host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
- NULL, NULL, /*XXX todo: smtp tpt hosts_require_dnssec */
+ ob->dnssec_request_domains, ob->dnssec_require_domains,
&canonical_name, NULL);
/* Update the host (and any additional blocks, resulting from
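Review bot: The two new option values are consulted only on the `host_find_bydns` branch; when the transport has `gethostbyname` set, the `host_find_byname` call above it never sees `ob->dnssec_require_domains`, so a domain the admin meant to require DNSSEC for is resolved unauthenticated with no error or log line. Either reject that combination in the transport's init routine, or add to the spec.xfpt entry for both options `These options have no effect when &%gethostbyname%& is set, because that path bypasses the DNS resolver.` The AD-bit enforcement itself lives inside `host_find_bydns`, which this commit does not touch and, as the message notes, ships without testsuite cases, so it is worth confirming that the require list is applied at every step of the SRV/MX/A chain and not only to the final address lookup. While there, the `dnssec_require_domains` paragraph in spec.xfpt names `dnssec_request_domains` in its first sentence and spells "wil". The enclosing function begins and ends outside the hunk.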
@@ -3429,4 +3435,6 @@ DEBUG(D_transport) debug_printf("Leaving %s transport\n", tblock->name);
return TRUE; /* Each address has its status */
}
+/* vi: aw ai sw=2
+*/
/* End of transport/smtp.c */
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 6d33802..6912ad8 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -46,6 +46,8 @@ typedef struct {
BOOL gethostbyname;
BOOL dns_qualify_single;
BOOL dns_search_parents;
+ uschar *dnssec_request_domains;
+ uschar *dnssec_require_domains;
BOOL delay_after_cutoff;
BOOL hosts_override;
BOOL hosts_randomize;