[exim-cvs] Change the default for hosts_try_dane, enabling …

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Change the default for hosts_try_dane, enabling use by default
Gitweb: https://git.exim.org/exim.git/commitdiff/59c0959a36649c4554bd0f18f2c2e74571ed41eb
Commit:     59c0959a36649c4554bd0f18f2c2e74571ed41eb
Parent:     8c94e6b324886ec53604d0ebfde61731a3d1adf6
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Tue May 21 19:36:50 2019 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Wed May 22 00:44:05 2019 +0100


    Change the default for hosts_try_dane, enabling use by default
---
 doc/doc-docbook/spec.xfpt           |  2 +-
 doc/doc-txt/ChangeLog               |  4 ++++
 src/src/EDITME                      |  4 ++--
 src/src/transports/smtp.c           |  2 +-
 test/confs/5820                     |  3 ++-
 test/confs/5840                     |  3 ++-
 test/log/5820                       |  8 ++++++++
 test/log/5840                       |  8 ++++++++
 test/scripts/5820-DANE-GnuTLS/5820  | 11 ++++++++++-
 test/scripts/5840-DANE-OpenSSL/5840 | 20 +++++++++++++++-----
 test/stderr/5820                    |  4 +++-
 test/stderr/5840                    | 16 +++++++++-------
 test/stdout/5820                    |  2 ++
 test/stdout/5840                    | 14 ++++++++------
 14 files changed, 75 insertions(+), 26 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 39757a1..856bb0c 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -24696,7 +24696,7 @@ This option provides a list of servers to which, provided they announce
CHUNKING support, Exim will attempt to use BDAT commands rather than DATA.
BDAT will not be used in conjunction with a transport filter.

-.option hosts_try_dane smtp "host list&!!" unset
+.option hosts_try_dane smtp "host list&!!" *
 .cindex DANE "transport options"
 .cindex DANE "attempting for certain servers"
 If built with DANE support, Exim  will lookup a
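Review bot: the option line now advertises `*` as the default, but the description that follows ("If built with DANE support, Exim will lookup a ...") still reads as if DANE had to be opted into. Add a sentence stating that in a DANE-enabled build DANE is now attempted for every host, and that setting the option to an empty list (`hosts_try_dane = :`) restores the previous opt-in behaviour, so administrators reading the spec see both the new default and the way back.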
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 065ec28..789593a 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -107,6 +107,10 @@ JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default.
       for multiple message deliveries, by default.  Previoud the default was to
       not do so.


+JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
+      default.  If built with the facility, DANE will be used.  The facility is
+      now enabled in the prototype build Makefile "EDITME".
+



Exim version 4.92
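Review bot: the JH/22 entry understates the operational impact of the new default. Per the scenario this commit adds to the 5820/5840 tests, a host securely serving a wrong TLSA record is delivered to only when DANE is not requested; with `hosts_try_dane` now covering all hosts, a DANE-enabled Exim behind a DNSSEC-validating resolver will verify TLSA records for every destination that publishes them, and destinations with broken or stale TLSA sets will have their mail deferred rather than delivered opportunistically. The entry should say so and name `hosts_try_dane = :` as the way to restore the old behaviour. Drive-by: the JH/21 context line above reads "Previoud" for "Previously".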
diff --git a/src/src/EDITME b/src/src/EDITME
index dea4e4c..415f021 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -367,10 +367,10 @@ PCRE_CONFIG=yes


#------------------------------------------------------------------------------
-# Uncomment the following line to add DANE support
+# Comment out the following line to remove DANE support
# Note: Enabling this unconditionally overrides DISABLE_DNSSEC
# For DANE under GnuTLS we need an additional library. See TLS_LIBS below.
-# SUPPORT_DANE=yes
+SUPPORT_DANE=yes

 #------------------------------------------------------------------------------
 # Additional libraries and include directories may be required for some
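Review bot: enabling `SUPPORT_DANE=yes` in the prototype Makefile changes the default build's dependencies and behaviour, yet the two comment lines that already warn about this are left as they were. "Enabling this unconditionally overrides DISABLE_DNSSEC" now applies to every builder who does not comment the line out, and "For DANE under GnuTLS we need an additional library" means a default GnuTLS build will fail to link unless that library is installed. Suggest expanding the comment: a GnuTLS build must either provide the library (see TLS_LIBS) or comment this line out, and DISABLE_DNSSEC has no effect while this is set.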
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 041ed93..3d7aaae 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -240,7 +240,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   .hosts_require_auth =        NULL,
   .hosts_try_chunking =        US"*",
 #ifdef SUPPORT_DANE
-  .hosts_try_dane =        NULL,
+  .hosts_try_dane =        US"*",
   .hosts_require_dane =        NULL,
   .dane_require_tls_ciphers =    NULL,
 #endif
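Review bot: the new default lives inside `#ifdef SUPPORT_DANE`, so the `*` shown in spec.xfpt is accurate only for DANE-enabled builds; keep the "If built with DANE support" qualifier in the documentation in step with this. The value itself is consistent with `.hosts_try_chunking = US"*"` two lines above.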
diff --git a/test/confs/5820 b/test/confs/5820
index bcb1a8f..b038558 100644
--- a/test/confs/5820
+++ b/test/confs/5820
@@ -2,6 +2,7 @@
 # DANE/GnuTLS


SERVER=
+CONTROL= *

.include DIR/aux-var/tls_conf_prefix

@@ -66,7 +67,7 @@ send_to_server:
allow_localhost
port = PORT_D

-  hosts_try_dane =     *
+  hosts_try_dane =     CONTROL
   hosts_require_dane = HOSTIPV4
   tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
   tls_try_verify_hosts = thishost.test.ex
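Review bot: with `CONTROL= *` defaulted at the top of the file, `hosts_try_dane = CONTROL` sets the option explicitly to `*` in every run except the `-DCONTROL=:` one, so the compiled-in default this commit introduces in smtp.c is never exercised by the test. Consider wrapping the option in `.ifdef CONTROL` / `.endif`, dropping the `CONTROL= *` default, and defining CONTROL only for the non-DANE run, so the unset case goes through the new default. Also, `CONTROL` is a generic name for a macro that means "hosts to try DANE for"; something like `TRYDANE` would make the `-D` override on the script line self-explanatory.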
diff --git a/test/confs/5840 b/test/confs/5840
index 407846a..bda328a 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -2,6 +2,7 @@
 # DANE/OpenSSL


SERVER=
+CONTROL= *

.include DIR/aux-var/tls_conf_prefix

@@ -71,7 +72,7 @@ send_to_server:
allow_localhost
port = PORT_D

-  hosts_try_dane =     *
+  hosts_try_dane =     CONTROL
   hosts_require_dane = HOSTIPV4
   tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
   tls_try_verify_hosts = thishost.test.ex
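Review bot: same remark as for test/confs/5820: `CONTROL= *` at the top means `hosts_try_dane = CONTROL` always sets the option explicitly, so the new smtp.c default is untested here as well. Wrapping the line in `.ifdef CONTROL` and defining CONTROL only for the non-DANE run would cover the default path.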
diff --git a/test/log/5820 b/test/log/5820
index 8b6cd5f..4952d83 100644
--- a/test/log/5820
+++ b/test/log/5820
@@ -68,6 +68,9 @@
 1999-03-02 09:44:33 10HmbZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
 1999-03-02 09:44:33 10HmbZ-0005vi-00 => CALLER@??? R=client T=send_to_server H=danebroken8.example.com [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane DN="CN=server1.example.net" C="250 OK id=10HmcA-0005vi-00"
 1999-03-02 09:44:33 10HmbZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmcB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
+1999-03-02 09:44:33 10HmcB-0005vi-00 => CALLER@??? R=client T=send_to_server H=danebroken2.test.ex [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="CN=server1.example.com" C="250 OK id=10HmcC-0005vi-00"
+1999-03-02 09:44:33 10HmcB-0005vi-00 Completed


******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
@@ -123,3 +126,8 @@
1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@??? for CALLER@???
1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: <CALLER@???> R=server
1999-03-02 09:44:33 10HmcA-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmcC-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcB-0005vi-00@??? for CALLER@???
+1999-03-02 09:44:33 10HmcC-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmcC-0005vi-00 Completed
diff --git a/test/log/5840 b/test/log/5840
index 3cbc7d8..581a19b 100644
--- a/test/log/5840
+++ b/test/log/5840
@@ -68,6 +68,9 @@
1999-03-02 09:44:33 10HmbZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
1999-03-02 09:44:33 10HmbZ-0005vi-00 => CALLER@??? R=client T=send_to_server H=danebroken8.example.com [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane DN="/CN=server1.example.net" C="250 OK id=10HmcA-0005vi-00"
1999-03-02 09:44:33 10HmbZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmcB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
+1999-03-02 09:44:33 10HmcB-0005vi-00 => CALLER@??? R=client T=send_to_server H=danebroken2.test.ex [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmcC-0005vi-00"
+1999-03-02 09:44:33 10HmcB-0005vi-00 Completed

 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
@@ -124,3 +127,8 @@
 1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@??? for CALLER@???
 1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: <CALLER@???> R=server
 1999-03-02 09:44:33 10HmcA-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmcC-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcB-0005vi-00@??? for CALLER@???
+1999-03-02 09:44:33 10HmcC-0005vi-00 => :blackhole: <CALLER@???> R=server
+1999-03-02 09:44:33 10HmcC-0005vi-00 Completed
diff --git a/test/scripts/5820-DANE-GnuTLS/5820 b/test/scripts/5820-DANE-GnuTLS/5820
index d7824a3..4b5f9dd 100644
--- a/test/scripts/5820-DANE-GnuTLS/5820
+++ b/test/scripts/5820-DANE-GnuTLS/5820
@@ -103,7 +103,7 @@ Testing
 ****
 #
 ### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
-# that way round to excersize more code in the implementation
+# that way round to exercise more code in the implementation
 exim -odf CALLER@???
 Testing
 ****
@@ -123,6 +123,15 @@ Testing
 exim -odf CALLER@???
 Testing
 ****
+killdaemon
+#
 #
+sudo rm DIR/spool/db/retry
+exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
+****
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
+exim -odf -DCONTROL=: CALLER@???
+****
 killdaemon
+#
 no_msglog_check
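Review bot: `sudo rm DIR/spool/db/retry` in the new section is unexplained; add a `#` comment saying why it is needed (presumably to discard retry records left by the preceding failing deliveries to the same [127.0.0.1] host, so the non-DANE delivery is attempted rather than deferred). Likewise `-DCONTROL=:` expresses "dane not requested" as an empty host list rather than an unset option; a short comment noting that equivalence would save the next reader a trip to the config file.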
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index 4d88131..f988cd1 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -2,11 +2,11 @@
 #
 exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
 ****
-### TLSA (3 1 1)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
 exim -odq CALLER@???
 Testing
 ****
-### TLSA (3 1 2)
+### TLSA (3 1 2) (            SHA2-512)
 exim -odq CALLER@???
 Testing
 ****
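Review bot: the new label for (3 1 2) pads with spaces where the (3 1 1) label spells out `DANE-EE SPKI`; the padding reads oddly in the stderr/stdout expectation files and is not greppable. Spell it out as `### TLSA (3 1 2) (DANE-EE SPKI SHA2-512)` for consistency with the other labels.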
@@ -24,7 +24,7 @@ killdaemon
 #
 exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D
 ****
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 exim -odf CALLER@???
 Testing
 ****
@@ -111,8 +111,9 @@ Testing
 ****
 #
 killdaemon
-
-
+#
+#
+#
 ### A server with a name not matching the cert.  TA-mode; should fail
 exim -DSERVER=server -DDETAILS=cert.net -bd -oX PORT_D
 ****
@@ -124,6 +125,15 @@ Testing
 exim -odf CALLER@???
 Testing
 ****
+killdaemon
+#
 #
+sudo rm DIR/spool/db/retry
+exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
+****
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
+exim -odf -DCONTROL=: CALLER@???
+****
 killdaemon
+#
 no_msglog_check
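Review bot: as in 5820, the `sudo rm DIR/spool/db/retry` line would benefit from a comment on why retry data must be cleared before this scenario, and the `#` added after `killdaemon` separates nothing but `no_msglog_check`; either drop it or move the separator convention above `killdaemon` as the other sections do.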
diff --git a/test/stderr/5820 b/test/stderr/5820
index 84005af..f218f0c 100644
--- a/test/stderr/5820
+++ b/test/stderr/5820
@@ -9,7 +9,7 @@

>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)

->>> processing "accept" (TESTSUITE/test-config 85)
+>>> processing "accept" (TESTSUITE/test-config 86)
>>> check verify = recipient/callout
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing rcptuser@???

@@ -80,6 +80,7 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
### A server with a name not matching the cert. TA-mode; should fail
### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)

 ******** SERVER ********
 ### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
@@ -102,3 +103,4 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
 ### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
 ### A server with a name not matching the cert.  TA-mode; should fail
 ### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
diff --git a/test/stderr/5840 b/test/stderr/5840
index 6a2b6e2..0991dc6 100644
--- a/test/stderr/5840
+++ b/test/stderr/5840
@@ -1,5 +1,5 @@
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) (            SHA2-512)
 ### Recipient callout

>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? no (option unset)

@@ -9,7 +9,7 @@
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)

->>> processing "accept" (TESTSUITE/test-config 90)
+>>> processing "accept" (TESTSUITE/test-config 91)
>>> check verify = recipient/callout
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing rcptuser@???

@@ -63,7 +63,7 @@
>>> accept: condition test succeeded in inline ACL
>>> end of inline ACL: ACCEPT

LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
### TLSA (2 1 1)
### A server with a nonverifying cert and no TLSA
### A server with a verifying cert and no TLSA
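Review bot: `### TLSA (2 0 1)` gains a `(DANE-TA CERT SHA2-256)` gloss but `### TLSA (2 1 1)` on the next context line stays bare. By the scheme the other labels use (usage 2 = DANE-TA, selector 1 = SPKI as in the (3 1 1) label, matching type 1 = SHA2-256) it would read `### TLSA (2 1 1) (DANE-TA SPKI SHA2-256)`; the change belongs in the 5840 script so this expectation file follows from it.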
@@ -80,12 +80,13 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
### A server insecurely serving a good A record, dane required (delivery should fail)
### A server with a name not matching the cert. TA-mode; should fail
### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)

 ******** SERVER ********
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) (            SHA2-512)
 ### Recipient callout
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 ### TLSA (2 1 1)
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
@@ -102,3 +103,4 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
 ### A server insecurely serving a good A record, dane required (delivery should fail)
 ### A server with a name not matching the cert.  TA-mode; should fail
 ### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
diff --git a/test/stdout/5820 b/test/stdout/5820
index 4b26b4c..acaec14 100644
--- a/test/stdout/5820
+++ b/test/stdout/5820
@@ -27,6 +27,7 @@
 ### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
 ### A server with a name not matching the cert.  TA-mode; should fail
 ### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)


 ******** SERVER ********
 ### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
@@ -49,3 +50,4 @@
 ### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
 ### A server with a name not matching the cert.  TA-mode; should fail
 ### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
diff --git a/test/stdout/5840 b/test/stdout/5840
index 947f802..e6bd55b 100644
--- a/test/stdout/5840
+++ b/test/stdout/5840
@@ -1,5 +1,5 @@
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) (            SHA2-512)
 ### Recipient callout


**** SMTP testing session as if from host 127.0.0.1
@@ -10,7 +10,7 @@
250 OK
250 Accepted
421 myhost.test.ex lost input connection
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
### TLSA (2 1 1)
### A server with a nonverifying cert and no TLSA
### A server with a verifying cert and no TLSA
@@ -27,12 +27,13 @@
### A server insecurely serving a good A record, dane required (delivery should fail)
### A server with a name not matching the cert. TA-mode; should fail
### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)

 ******** SERVER ********
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) (            SHA2-512)
 ### Recipient callout
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 ### TLSA (2 1 1)
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
@@ -49,3 +50,4 @@
 ### A server insecurely serving a good A record, dane required (delivery should fail)
 ### A server with a name not matching the cert.  TA-mode; should fail
 ### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)