[exim-cvs] Fix default-port TLSA lookup done by callout. Bug…

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Fix default-port TLSA lookup done by callout. Bug 1602
Gitweb: http://git.exim.org/exim.git/commitdiff/bf7aabb41b04efb076bed9de84b15b03f3006073
Commit:     bf7aabb41b04efb076bed9de84b15b03f3006073
Parent:     b8bf753b7092246e03152e934d7e92c5db80dca1
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Tue Mar 24 15:32:08 2015 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Tue Mar 24 15:32:08 2015 +0000


    Fix default-port TLSA lookup done by callout. Bug 1602
---
 src/src/transports/smtp.c           |    9 +++--
 src/src/verify.c                    |   66 ++++++++++++++++++-----------------
 test/confs/5840                     |    5 +++
 test/scripts/5840-DANE-OpenSSL/5840 |    7 ++++
 test/stderr/5840                    |   63 +++++++++++++++++++++++++++++++++
 test/stdout/5840                    |    9 +++++
 6 files changed, 123 insertions(+), 36 deletions(-)


diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 3c98322..6a8fbc4 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1450,11 +1450,12 @@ if (continue_hostname == NULL)

     if (host->dnssec == DS_YES)
       {
-      if(  dane_required
-    || verify_check_given_host(&ob->hosts_try_dane, host) == OK
+      if(  (  dane_required
+       || verify_check_given_host(&ob->hosts_try_dane, host) == OK
+       )
+    && (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK
     )
-    if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK)
-      return rc;
+    return rc;
       }
     else if (dane_required)
       {
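Review bot: Folding the `rc = tlsa_lookup(...)` assignment into the `&&` chain of the new condition makes the control flow harder to read than the two nested `if`s it replaces, since the side effect (the lookup, and the write to `tlsa_dnsa` and `dane`) now hides in the middle of a boolean expression and only runs when the left operand is true. A one-line comment above the condition would make the intent explicit, e.g. `/* Do the TLSA lookup only when DANE is required or tried; a failed lookup aborts this host */`. The enclosing function starts and ends outside the hunk, so whether `tlsa_dnsa` and `dane` have safe values when the lookup is skipped cannot be confirmed from here.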
diff --git a/src/src/verify.c b/src/src/verify.c
index d85ef3b..678ee63 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -575,9 +575,10 @@ can do it there for the non-rcpt-verify case.  For this we keep an addresscount.
     deliver_domain = addr->domain;
     transport_name = addr->transport->name;


-    if (!smtp_get_interface(tf->interface, host_af, addr, NULL, &interface,
-            US"callout") ||
-        !smtp_get_port(tf->port, addr, &port, US"callout"))
+    if (  !smtp_get_interface(tf->interface, host_af, addr, NULL, &interface,
+            US"callout")
+       || !smtp_get_port(tf->port, addr, &port, US"callout")
+       )
       log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
         addr->message);


@@ -588,35 +589,6 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount.

     HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", interface, port);


-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
-      {
-      int rc;
-
-      tls_out.dane_verified = FALSE;
-      tls_out.tlsa_usage = 0;
-
-      dane_required =
-    verify_check_given_host(&ob->hosts_require_dane, host) == OK;
-
-      if (host->dnssec == DS_YES)
-    {
-    if(  dane_required
-      || verify_check_given_host(&ob->hosts_try_dane, host) == OK
-      )
-      if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK)
-        return rc;
-    }
-      else if (dane_required)
-    {
-    log_write(0, LOG_MAIN, "DANE error: %s lookup not DNSSEC", host->name);
-    return FAIL;
-    }
-
-      if (dane)
-    ob->tls_tempfail_tryclear = FALSE;
-      }
-#endif  /*DANE*/
-
     /* Set up the buffer for reading SMTP response packets. */


     inblock.buffer = inbuffer;
@@ -653,6 +625,36 @@ can do it there for the non-rcpt-verify case.  For this we keep an addresscount.
       continue;
       }


+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
+      {
+      int rc;
+
+      tls_out.dane_verified = FALSE;
+      tls_out.tlsa_usage = 0;
+
+      dane_required =
+    verify_check_given_host(&ob->hosts_require_dane, host) == OK;
+
+      if (host->dnssec == DS_YES)
+    {
+    if(  (  dane_required
+         || verify_check_given_host(&ob->hosts_try_dane, host) == OK
+         )
+      && (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK
+      )
+      return rc;
+    }
+      else if (dane_required)
+    {
+    log_write(0, LOG_MAIN, "DANE error: %s lookup not DNSSEC", host->name);
+    return FAIL;
+    }
+
+      if (dane)
+    ob->tls_tempfail_tryclear = FALSE;
+      }
+#endif  /*DANE*/
+
     /* Expand the helo_data string to find the host name to use. */


     if (tf->helo_data != NULL)
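Review bot: The DANE block moved here from the earlier hunk now sits after the `continue;` at the top of this hunk, which appears to be the tail of a connect-failure branch inside the per-host loop, and its `return rc;` and `return FAIL;` exit the function from inside that loop. If the callout connection has already been established at this point — the new test/stderr/5840 shows "Connecting to ... connected" before the "in hosts_require_dane?" check — those early returns would leave the connected socket open and skip any other hosts the loop would otherwise try; please confirm against the surrounding code, which is outside the hunk. If so, the two returns should close the callout socket (or fall through to the function's normal per-host failure handling) rather than returning directly, as the lookup-failure path did before the move. The removal side of this move is the preceding verify.c hunk; the enclosing function starts and ends outside both hunks.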
diff --git a/test/confs/5840 b/test/confs/5840
index cd9e8b9..0447ce3 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -13,7 +13,11 @@ gecos_name = CALLER_NAME


# ----- Main settings -----

+.ifndef OPT
acl_smtp_rcpt = accept
+.else
+acl_smtp_rcpt = accept verify = recipient/callout
+.endif

log_selector = +received_recipients +tls_peerdn +tls_certificate_verified

@@ -62,6 +66,7 @@ send_to_server:
allow_localhost
port = PORT_D

+  hosts_verify_avoid_tls = :
   hosts_try_dane =     *
   hosts_require_dane = !thishost.test.ex
   hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index c0133ea..deff4a6 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -12,6 +12,13 @@ Testing
 ****
 exim -qf
 ****
+#
+#
+# Recipient callout
+exim -DOPT=callout -bhc 127.0.0.1
+MAIL FROM: <CALLER@???>
+RCPT TO: <CALLER@???>
+****
 killdaemon
 #
 #
diff --git a/test/stderr/5840 b/test/stderr/5840
new file mode 100644
index 0000000..eeffc11
--- /dev/null
+++ b/test/stderr/5840
@@ -0,0 +1,63 @@
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> processing "accept"
+>>> check verify = recipient/callout
+>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+>>> routing CALLER@???
+>>> calling client router
+>>> dane256ee.test.ex in "*"? yes (matched "*")
+>>> local host found for non-MX address
+>>> routed by client router
+>>> Attempting full verification using callout
+>>> callout cache: no domain record found
+>>> callout cache: no address record found
+>>> interface=NULL port=1225
+>>> Connecting to dane256ee.test.ex [ip4.ip4.ip4.ip4]:1225 ... connected
+MUNGED: ::1 will be omitted in what follows
+>>> get[host|ipnode]byname[2] looked up these IP addresses:
+>>>   name=thishost.test.ex address=127.0.0.1
+>>> ip4.ip4.ip4.ip4 in hosts_require_dane? yes (end of list)
+>>>   SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> ip4.ip4.ip4.ip4 in hosts_avoid_esmtp? no (option unset)
+>>>   SMTP>> EHLO myhost.test.ex
+>>>   SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+>>>          250-SIZE 52428800
+>>>          250-8BITMIME
+>>>          250-PIPELINING
+>>>          250-STARTTLS
+>>>          250 HELP
+>>> ip4.ip4.ip4.ip4 in hosts_avoid_tls? no (option unset)
+>>> ip4.ip4.ip4.ip4 in hosts_verify_avoid_tls? no (end of list)
+>>>   SMTP>> STARTTLS
+>>>   SMTP<< 220 TLS go ahead
+>>> ip4.ip4.ip4.ip4 in hosts_require_ocsp? no (option unset)
+>>> ip4.ip4.ip4.ip4 in hosts_request_ocsp? yes (matched "*")
+>>> ip4.ip4.ip4.ip4 in hosts_require_ocsp? no (option unset)
+>>> ip4.ip4.ip4.ip4 in hosts_request_ocsp? no (end of list)
+>>>   SMTP>> EHLO myhost.test.ex
+>>>   SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+>>>          250-SIZE 52428800
+>>>          250-8BITMIME
+>>>          250-PIPELINING
+>>>          250 HELP
+>>> ip4.ip4.ip4.ip4 in hosts_require_auth? no (option unset)
+>>>   SMTP>> MAIL FROM:<>
+>>>   SMTP<< 250 OK
+>>>   SMTP>> RCPT TO:<CALLER@???>
+>>>   SMTP<< 250 Accepted
+>>>   SMTP>> QUIT
+>>> wrote callout cache domain record:
+>>>   result=1 postmaster=0 random=0
+>>> wrote positive callout cache address record
+>>> ----------- end verify ------------
+>>> accept: condition test succeeded in inline ACL
+>>> end of inline ACL: ACCEPT
+LOG: unexpected disconnection while reading SMTP command from [127.0.0.1]
+
+******** SERVER ********
diff --git a/test/stdout/5840 b/test/stdout/5840
new file mode 100644
index 0000000..0829c56
--- /dev/null
+++ b/test/stdout/5840
@@ -0,0 +1,9 @@
+
+**** SMTP testing session as if from host 127.0.0.1
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250 OK
+250 Accepted
+421 myhost.test.ex lost input connection