[exim-cvs] Add options dnssec_request_domains, dnssec_requir…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Exim Git Commits Mailing List
Date:  
À: exim-cvs
Sujet: [exim-cvs] Add options dnssec_request_domains, dnssec_require_domains to the smtp transport
Gitweb: http://git.exim.org/exim.git/commitdiff/578897ea8764001d0538b8b645d161524ba1fa4e
Commit:     578897ea8764001d0538b8b645d161524ba1fa4e
Parent:     2b4a568dfa3d79a9a968984cf5b23829c084a951
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Apr 27 18:17:29 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Apr 27 18:17:29 2014 +0100


    Add options dnssec_request_domains, dnssec_require_domains to the smtp transport


    Note there are no testsuite cases included.


    TODO in this area:
    - dnssec during verify-callouts
    - dnssec on the forward lookup of a verify=helo and verify=reverse_host_lookup
---
 doc/doc-docbook/spec.xfpt |   31 ++++++++++++++++++++++++++++---
 doc/doc-txt/ChangeLog     |    3 ++-
 doc/doc-txt/NewStuff      |    2 ++
 src/src/transports/smtp.c |   10 +++++++++-
 src/src/transports/smtp.h |    2 ++
 5 files changed, 43 insertions(+), 5 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 0e6a38b..0ecbaac 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -11457,7 +11457,7 @@ the space value is -1. See also the &%check_log_space%& option.
.vitem &$lookup_dnssec_authenticated$&
.vindex "&$lookup_dnssec_authenticated$&"
This variable is set after a DNS lookup done by
-either a dnslookup router or a dnsdb lookup expansion.
+a dnsdb lookup expansion, dnslookup router or smtp transport.
It will be empty if &(DNSSEC)& was not requested,
&"no"& if the result was not labelled as authenticated data
and &"yes"& if it was.
@@ -17673,8 +17673,6 @@ when there is a DNS lookup error.
DNS lookups for domains matching &%dnssec_request_domains%& will be done with
the dnssec request bit set.
This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
-
-See also the &$lookup_dnssec_authenticated$& variable.
.wen


@@ -22596,6 +22594,33 @@ See the &%search_parents%& option in chapter &<<CHAPdnslookup>>& for more
details.


+.new
+.option dnssec_request_domains smtp "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set.
+This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
+
+
+
+.new
+.option dnssec_require_domains smtp "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set. Any returns not having the Authenticated Data bit
+(AD bit) set wil be ignored and logged as a host-lookup failure.
+This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
+
+
+
.option dscp smtp string&!! unset
.cindex "DCSP" "outbound"
This option causes the DSCP value associated with a socket to be set to one
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index cff9803..d4240fa 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -85,7 +85,8 @@ TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly
JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455.

 JH/14 New options dnssec_request_domains, dnssec_require_domains on the
-      dnslookup router (applying to the forward lookup).
+      dnslookup router and the smtp transport (applying to the forward
+      lookup).


 TL/08 Bugzilla 1453: New LDAP "SERVERS=" option allows admin to override list
       of ldap servers used for a specific lookup.  Patch provided by Heiko
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 6a1a5e8..33c66ce 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -42,6 +42,8 @@ Version 4.83
  8. EXPERIMENTAL_OCSP now supports GnuTLS also, if you have version 3.1.3
     or later of that.


+ 9. Support for DNSSEC on outbound connections.
+

 Version 4.82
 ------------
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 57b66b8..9e0ab15 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -55,6 +55,10 @@ optionlist smtp_transport_options[] = {
       (void *)offsetof(smtp_transport_options_block, dns_qualify_single) },
   { "dns_search_parents",   opt_bool,
       (void *)offsetof(smtp_transport_options_block, dns_search_parents) },
+  { "dnssec_request_domains", opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, dnssec_request_domains) },
+  { "dnssec_require_domains", opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, dnssec_require_domains) },
   { "dscp",                 opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, dscp) },
   { "fallback_hosts",       opt_stringptr,
@@ -213,6 +217,8 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   FALSE,               /* gethostbyname */
   TRUE,                /* dns_qualify_single */
   FALSE,               /* dns_search_parents */
+  NULL,                /* dnssec_request_domains */
+  NULL,                /* dnssec_require_domains */
   TRUE,                /* delay_after_cutoff */
   FALSE,               /* hosts_override */
   FALSE,               /* hosts_randomize */
@@ -2816,7 +2822,7 @@ for (cutoff_retry = 0; expired &&
         rc = host_find_byname(host, NULL, flags, &canonical_name, TRUE);
       else
         rc = host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
-      NULL, NULL,    /*XXX todo: smtp tpt hosts_require_dnssec */
+      ob->dnssec_request_domains, ob->dnssec_require_domains,
           &canonical_name, NULL);


       /* Update the host (and any additional blocks, resulting from
@@ -3429,4 +3435,6 @@ DEBUG(D_transport) debug_printf("Leaving %s transport\n", tblock->name);
 return TRUE;   /* Each address has its status */
 }


+/* vi: aw ai sw=2
+*/
 /* End of transport/smtp.c */
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 6d33802..6912ad8 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -46,6 +46,8 @@ typedef struct {
   BOOL    gethostbyname;
   BOOL    dns_qualify_single;
   BOOL    dns_search_parents;
+  uschar *dnssec_request_domains;
+  uschar *dnssec_require_domains;
   BOOL    delay_after_cutoff;
   BOOL    hosts_override;
   BOOL    hosts_randomize;