Re: [exim-dev] [Bug 2594] New: CNAME handing can break TLS …

Author: Andrew C Aitchison
To: exim-dev
CC: chris
Subject: Re: [exim-dev] [Bug 2594] New: CNAME handing can break TLS certificate verification

On Mon, 8 Jun 2020, admin--- via Exim-dev wrote:

> https://bugs.exim.org/show_bug.cgi?id=2594
>
>            Bug ID: 2594
>           Summary: CNAME handing can break TLS certificate verification


>         Component: TLS
>          Assignee: jgh146exb@???
>          Reporter: chris@???
>                CC: exim-dev@???

         ...        ...        ...

> Here is the smtp transport debug output:
>
> smarthost_smtp transport entered
>  root@???
> hostlist:
>  'mail.edesix.local' IP 192.168.1.6 port -1
> checking status of mail.edesix.local
> locking /var/spool/exim/db/retry.lockfile
> locked  /var/spool/exim/db/retry.lockfile
> EXIM_DBOPEN: file </var/spool/exim/db/retry> dir </var/spool/exim/db>
> flags=O_RDONLY
> returned from EXIM_DBOPEN: 0x5635b371d370
> opened hints database /var/spool/exim/db/retry: flags=O_RDONLY
> dbfn_read: key=T:mail.edesix.local:192.168.1.6
> dbfn_read: key=T:mail.edesix.local:192.168.1.6:1jiFk5-0006UE-9S
> EXIM_DBCLOSE(0x5635b371d370)
> closed hints database and lockfile
> no message retry record
> mail.edesix.local [192.168.1.6] retry-status = usable
> 192.168.1.6 in serialize_hosts? no (option unset)
> delivering 1jiFk5-0006UE-9S to mail.edesix.local [192.168.1.6]
> (root@???)
> set_process_info: 25033 delivering 1jiFk5-0006UE-9S to mail.edesix.local
> [192.168.1.6] (root@???)
> 192.168.1.6 in hosts_require_dane? no (option unset)
> Connecting to mail.edesix.local [192.168.1.6]:25 ... 192.168.1.6 in
> hosts_try_fastopen? yes (matched "*")
> TFO mode sendto, no data: EINPROGRESS
> connected
> read response data: size=72
>  SMTP<< 220 aulus.edesix.com ESMTP Exim 4.80.1 Mon, 08 Jun 2020 13:31:02 +0100
> 192.168.1.6 in hosts_avoid_esmtp? no (option unset)
>  SMTP>> EHLO juno.edesix.local
> cmd buf flush 24 bytes
> read response data: size=134
>  SMTP<< 250-aulus.edesix.com Hello juno.edesix.local [192.168.1.10]
>         250-SIZE 52428800
>         250-8BITMIME
>         250-PIPELINING
>         250-STARTTLS
>         250 HELP
> 192.168.1.6 in hosts_avoid_tls? no (option unset)
>  SMTP>> STARTTLS
> cmd buf flush 10 bytes
> read response data: size=18
>  SMTP<< 220 TLS go ahead
> 192.168.1.6 in hosts_require_ocsp? no (option unset)
> 192.168.1.6 in hosts_request_ocsp? yes (matched "*")


Is 192.168.1.6 in hosts_require_ocsp? Is this a red herring?

-- 
Andrew C. Aitchison                    Kendal, UK
             andrew@???
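Added here as an illustration (not code from the thread or from Exim): a small parser over the quoted smarthost_smtp transport debug output that extracts each `<ip> in <option>? yes|no (...)` host-list decision and classifies the STARTTLS phase, so the hosts_require_ocsp / hosts_request_ocsp decisions in the log can be checked mechanically rather than by eye. The embedded input is a trimmed excerpt of the debug output quoted above, including the mail-client line wrap in the hosts_try_fastopen line.

```python
import re

# Trimmed excerpt of the transport debug output quoted in the thread; the
# "Connecting ... in / hosts_try_fastopen?" line is wrapped exactly as in the mail.
DEBUG_OUTPUT = """\
192.168.1.6 in serialize_hosts? no (option unset)
192.168.1.6 in hosts_require_dane? no (option unset)
Connecting to mail.edesix.local [192.168.1.6]:25 ... 192.168.1.6 in
hosts_try_fastopen? yes (matched "*")
connected
 SMTP<< 220 aulus.edesix.com ESMTP Exim 4.80.1 Mon, 08 Jun 2020 13:31:02 +0100
192.168.1.6 in hosts_avoid_esmtp? no (option unset)
 SMTP>> EHLO juno.edesix.local
 SMTP<< 250-aulus.edesix.com Hello juno.edesix.local [192.168.1.10]
        250-STARTTLS
        250 HELP
192.168.1.6 in hosts_avoid_tls? no (option unset)
 SMTP>> STARTTLS
 SMTP<< 220 TLS go ahead
192.168.1.6 in hosts_require_ocsp? no (option unset)
192.168.1.6 in hosts_request_ocsp? yes (matched "*")
"""

# "<ip> in <option>? yes|no (<reason>)"; the \s+ after "in" tolerates the line wrap.
HOSTLIST_RE = re.compile(
    r'(?P<ip>\d+(?:\.\d+){3}) in\s+(?P<opt>\w+)\?\s+(?P<ans>yes|no)\s+'
    r'\((?P<why>option unset|matched "[^"]*")\)'
)
SMTP_RE = re.compile(r'^\s*SMTP(?P<dir>>>|<<)\s*(?P<line>.*)$', re.MULTILINE)


def parse_hostlist_checks(debug: str) -> dict:
    """Map each host-list option Exim evaluated to (matched?, reason)."""
    return {m["opt"]: (m["ans"] == "yes", m["why"]) for m in HOSTLIST_RE.finditer(debug)}


def tls_relevant_checks(debug: str) -> dict:
    """Only the decisions that bear on TLS / OCSP / DANE behaviour."""
    return {k: v for k, v in parse_hostlist_checks(debug).items()
            if any(tag in k for tag in ("tls", "ocsp", "dane"))}


def starttls_state(debug: str) -> str:
    """Classify the STARTTLS phase from the SMTP>>/SMTP<< exchange."""
    if re.search(r'250[- ]STARTTLS', debug) is None:
        return "not offered"
    lines = [(m["dir"], m["line"].strip()) for m in SMTP_RE.finditer(debug)]
    for i, (direction, text) in enumerate(lines):
        if direction == ">>" and text == "STARTTLS":
            # The first server reply after our STARTTLS decides the outcome.
            for d2, reply in lines[i + 1:]:
                if d2 == "<<":
                    return "accepted" if reply.startswith("220") else "refused: " + reply
            return "no reply"
    return "offered, not attempted"
```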