Re: [exim-dev] [Bug 2594] New: CNAME handing can break TLS …

Author: Chris Paulson-Ellis
Date:  
To: Andrew C Aitchison
CC: exim-dev
Subject: Re: [exim-dev] [Bug 2594] New: CNAME handing can break TLS certificate verification
Hi Andrew,

In short - yes.
The smtp transport has already been given the wrong (in my opinion) host
name to verify against when it was entered.
There are no ocsp settings in my exim.conf.

Chris.

On Mon, 8 Jun 2020 at 15:27, Andrew C Aitchison <andrew@???>
wrote:

>
> On Mon, 8 Jun 2020, admin--- via Exim-dev wrote:
>
> > https://bugs.exim.org/show_bug.cgi?id=2594
> >
> >            Bug ID: 2594
> >           Summary: CNAME handing can break TLS certificate verification
> >
> >         Component: TLS
> >          Assignee: jgh146exb@???
> >          Reporter: chris@???
> >                CC: exim-dev@???
>                 ...             ...             ...
> > Here is the smtp transport debug output:
> >
> > smarthost_smtp transport entered
> >  root@???
> > hostlist:
> >  'mail.edesix.local' IP 192.168.1.6 port -1
> > checking status of mail.edesix.local
> > locking /var/spool/exim/db/retry.lockfile
> > locked  /var/spool/exim/db/retry.lockfile
> > EXIM_DBOPEN: file </var/spool/exim/db/retry> dir </var/spool/exim/db>
> > flags=O_RDONLY
> > returned from EXIM_DBOPEN: 0x5635b371d370
> > opened hints database /var/spool/exim/db/retry: flags=O_RDONLY
> > dbfn_read: key=T:mail.edesix.local:192.168.1.6
> > dbfn_read: key=T:mail.edesix.local:192.168.1.6:1jiFk5-0006UE-9S
> > EXIM_DBCLOSE(0x5635b371d370)
> > closed hints database and lockfile
> > no message retry record
> > mail.edesix.local [192.168.1.6] retry-status = usable
> > 192.168.1.6 in serialize_hosts? no (option unset)
> > delivering 1jiFk5-0006UE-9S to mail.edesix.local [192.168.1.6]
> > (root@???)
> > set_process_info: 25033 delivering 1jiFk5-0006UE-9S to mail.edesix.local
> > [192.168.1.6] (root@???)
> > 192.168.1.6 in hosts_require_dane? no (option unset)
> > Connecting to mail.edesix.local [192.168.1.6]:25 ... 192.168.1.6 in
> > hosts_try_fastopen? yes (matched "*")
> > TFO mode sendto, no data: EINPROGRESS
> > connected
> > read response data: size=72
> >  SMTP<< 220 aulus.edesix.com ESMTP Exim 4.80.1 Mon, 08 Jun 2020 13:31:02 +0100
> > 192.168.1.6 in hosts_avoid_esmtp? no (option unset)
> >  SMTP>> EHLO juno.edesix.local
> > cmd buf flush 24 bytes
> > read response data: size=134
> >  SMTP<< 250-aulus.edesix.com Hello juno.edesix.local [192.168.1.10]
> >         250-SIZE 52428800
> >         250-8BITMIME
> >         250-PIPELINING
> >         250-STARTTLS
> >         250 HELP
> > 192.168.1.6 in hosts_avoid_tls? no (option unset)
> >  SMTP>> STARTTLS
> > cmd buf flush 10 bytes
> > read response data: size=18
> >  SMTP<< 220 TLS go ahead
> > 192.168.1.6 in hosts_require_ocsp? no (option unset)
> > 192.168.1.6 in hosts_request_ocsp? yes (matched "*")
> >
> Is 192.168.1.6 in hosts_require_ocsp? Is this a red herring ?
>
> --
> Andrew C. Aitchison                                     Kendal, UK
>                         andrew@???
>
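The thread above turns on which name a TLS client checks the server certificate against when the configured host (`mail.edesix.local`) is a CNAME for the host that actually answers (`aulus.edesix.com`, per the SMTP banner). The following Python is an added illustration, not code from Exim or from anyone in this thread: it implements RFC 6125-style DNS-ID matching (exact match plus a single left-most wildcard label) and a small diagnostic that reports whether a certificate's subjectAltName list covers the configured name, the canonical name, or both. The SAN lists are constructed for the example; the hostnames are the ones visible in the debug output.

```python
"""Diagnose CNAME-related TLS hostname mismatches (added example, not Exim code).

A certificate is accepted for a host only if one of its DNS subjectAltName
entries matches the name being verified.  When the configured name is a CNAME
and the server's certificate only names the canonical host, verification
against the configured name fails.  Names used below come from the thread;
the SAN lists are constructed for illustration.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match of one SAN dNSName `pattern` against `hostname`.

    Rules implemented: case-insensitive, trailing dot ignored, a wildcard is
    only honoured as the whole left-most label, and never for the last two
    labels (so "*.com" matches nothing).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial or non-left-most wildcards are not accepted
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # wildcard must cover exactly one label below a domain
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_names: list[str], hostname: str) -> bool:
    """True if any SAN dNSName entry in the certificate matches hostname."""
    return any(dns_name_matches(p, hostname) for p in san_names)


def diagnose(san_names: list[str], configured: str, canonical: str) -> dict:
    """Report which of the two candidate names the certificate would verify for.

    `configured` is the name the client was told to connect to (the CNAME);
    `canonical` is the name the CNAME resolves to.  A client that verifies
    against the configured name, as the thread describes, needs
    result["configured"] to be True.
    """
    return {
        "configured": cert_covers(san_names, configured),
        "canonical": cert_covers(san_names, canonical),
    }


# Constructed SAN list: the server certificate only names the canonical host.
SAN_CANONICAL_ONLY = ["aulus.edesix.com", "*.edesix.com"]
# Constructed remedy: reissue the certificate with the CNAME as an extra SAN.
SAN_WITH_CNAME = ["aulus.edesix.com", "mail.edesix.local"]

CONFIGURED = "mail.edesix.local"   # hostlist entry in the transport debug output
CANONICAL = "aulus.edesix.com"     # host named in the SMTP banner


if __name__ == "__main__":
    before = diagnose(SAN_CANONICAL_ONLY, CONFIGURED, CANONICAL)
    after = diagnose(SAN_WITH_CNAME, CONFIGURED, CANONICAL)
    print("cert names canonical host only:", before)  # configured=False, canonical=True
    print("cert also names the CNAME:     ", after)   # configured=True,  canonical=True
```

The diagnostic makes the failure mode concrete: with a certificate that carries only the canonical name, verification passes against `aulus.edesix.com` and fails against `mail.edesix.local`, so a client that (correctly, from a DNS-spoofing standpoint) refuses to substitute an unauthenticated CNAME target for the configured name will reject the connection. The usual fix on the operator side is to have the certificate name every alias clients are configured to use, or to configure clients with the canonical name.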