[exim-cvs] DANE: force SNI to use $domain. Bug 2265

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Exim Git Commits Mailing List
Ημερομηνία:  
Προς: exim-cvs
Αντικείμενο: [exim-cvs] DANE: force SNI to use $domain. Bug 2265
Gitweb: https://git.exim.org/exim.git/commitdiff/7044dd8fd62e215572ecf5a2c7f1bb9581cf6628
Commit:     7044dd8fd62e215572ecf5a2c7f1bb9581cf6628
Parent:     7f83b348ccf4cd815e9758ab9ca1012e66324e9d
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Wed Aug 19 21:09:04 2020 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Thu Aug 20 00:00:22 2020 +0100


    DANE: force SNI to use $domain.  Bug 2265


    Note: this is not a complete fix for the issue
---
 doc/doc-docbook/spec.xfpt | 14 ++++++++++++--
 doc/doc-txt/ChangeLog     | 13 ++++++++++---
 src/src/receive.c         |  2 +-
 src/src/smtp_in.c         |  2 +-
 src/src/tls-gnu.c         |  2 +-
 src/src/tls-openssl.c     |  1 +
 src/src/transports/smtp.c |  1 +
 test/confs/5820           |  3 ++-
 test/confs/5840           |  3 ++-
 test/log/2030             |  2 +-
 test/log/2031             |  4 ++--
 test/log/2130             |  2 +-
 test/log/2131             |  4 ++--
 test/log/5820             | 10 +++++-----
 test/log/5840             | 10 +++++-----
 test/stderr/5820          |  2 +-
 test/stderr/5840          |  2 +-
 17 files changed, 49 insertions(+), 28 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 37bfeb3..ab13a42 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -25761,7 +25761,11 @@ See &<<SECTresumption>>& for details.
.cindex "TLS" SNI
.cindex SNI "setting in client"
.vindex "&$tls_sni$&"
-If this option is set then it sets the $tls_out_sni variable and causes any
+If this option is set
+.new
+and the connection is not DANE-validated
+.wen
+then it sets the $tls_out_sni variable and causes any
TLS session to pass this value as the Server Name Indication extension to
the remote side, which can be used by the remote side to select an appropriate
certificate and private key for the session.
@@ -29395,6 +29399,11 @@ nothing more to it. Choosing a sensible value not derived insecurely is the
only point of caution. The &$tls_out_sni$& variable will be set to this string
for the lifetime of the client connection (including during authentication).

+.new
+If DAVE validated the connection attempt then the value of the &%tls_sni%& option
+is forced to the domain part of the recipient address.
+.wen
+
Except during SMTP client sessions, if &$tls_in_sni$& is set then it is a string
received from a client.
It can be logged with the &%log_selector%& item &`+tls_sni`&.
@@ -29692,7 +29701,7 @@ by (a) is thought to be smaller than that of the set of root CAs.
It also allows the server to declare (implicitly) that connections to it should use TLS. An MITM could simply
fail to pass on a server's STARTTLS.

-DANE scales better than having to maintain (and side-channel communicate) copies of server certificates
+DANE scales better than having to maintain (and communicate via side-channel) copies of server certificates
for every possible target server. It also scales (slightly) better than having to maintain on an SMTP
client a copy of the standard CAs bundle. It also means not having to pay a CA for certificates.

@@ -29837,6 +29846,7 @@ If DANE is requested and useable (see above) the following transport options are
tls_verify_certificates
tls_crl
tls_verify_cert_hostnames
+ tls_sni
.endd

 If DANE is not usable, whether requested or not, and CA-anchored
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 8c4126e..eb64e0a 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -100,9 +100,16 @@ JH/20 Bug 2631: ACL dnslist conditions now ignore and log any lookups returns
       not in 127.0.0.0/8 to help in spotting list domains taken over by a
       domain-parking registrar.


-JH/21 Bug 2630: Fix trace eol-replacement string for the ${readsocket }
-      expansion.  Previously when a whitespace character was specified it
-      was not inserted after removing the newline.
+JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion.
+      Previously when a whitespace character was specified it was not inserted
+      after removing the newline.
+
+JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be
+      the domain part of the recipient address.  This overrides any tls_sni
+      option set, which was previously used.
+
+JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI
+      in quotes.



Exim version 4.94
diff --git a/src/src/receive.c b/src/src/receive.c
index 707fe07..95c44c0 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -4004,7 +4004,7 @@ if (LOGGING(tls_certificate_verified) && tls_in.cipher)
if (LOGGING(tls_peerdn) && tls_in.peerdn)
g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\"");
if (LOGGING(tls_sni) && tls_in.sni)
- g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\"");
+ g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE));
#endif

if (sender_host_authenticated)
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 3325d54..aa1d5b0 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -1812,7 +1812,7 @@ if (LOGGING(tls_certificate_verified) && tls_in.cipher)
if (LOGGING(tls_peerdn) && tls_in.peerdn)
g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\"");
if (LOGGING(tls_sni) && tls_in.sni)
- g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\"");
+ g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE));
return g;
}
#endif
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 013d9c0..cf38049 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -2868,7 +2868,7 @@ DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->so
/* If dane is flagged, have either request or require dane for this host, and
a TLSA record found. Therefore, dane verify required. Which implies cert must
be requested and supplied, dane verify must pass, and cert verify irrelevant
-(incl. hostnames), and (caller handled) require_tls */
+(incl. hostnames), and (caller handled) require_tls and sni=$domain */

 if (conn_args->dane && ob->dane_require_tls_ciphers)
   {
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 64f60b7..5bc9f8f 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -3200,6 +3200,7 @@ tlsp->tlsa_usage = 0;
 #ifndef DISABLE_OCSP
   {
 # ifdef SUPPORT_DANE
+  /*XXX this should be moved to caller, to be common across gnutls/openssl */
   if (  conn_args->dane
      && ob->hosts_request_ocsp[0] == '*'
      && ob->hosts_request_ocsp[1] == '\0'
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 341acde..fef4717 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -2018,6 +2018,7 @@ if (!continue_hostname)
       {
       case OK:        sx->conn_args.dane = TRUE;
                 ob->tls_tempfail_tryclear = FALSE;
+                ob->tls_sni = sx->addrlist->domain;
                 break;
       case FAIL_FORCED:    break;
       default:        set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER,
diff --git a/test/confs/5820 b/test/confs/5820
index 76dc75e..7ee1652 100644
--- a/test/confs/5820
+++ b/test/confs/5820
@@ -16,7 +16,8 @@ acl_smtp_rcpt = accept logwrite = "rcpt ACL"
 acl_smtp_rcpt = accept verify = recipient/callout
 .endif


-log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified
+log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified \
+        +tls_sni


queue_run_in_order

diff --git a/test/confs/5840 b/test/confs/5840
index 5852ef2..1b3b122 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -16,7 +16,8 @@ acl_smtp_rcpt = accept logwrite = "rcpt ACL"
acl_smtp_rcpt = accept verify = recipient/callout
.endif

-log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified
+log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified \
+        +tls_sni


queue_run_in_order

diff --git a/test/log/2030 b/test/log/2030
index d64f145..9c926fd 100644
--- a/test/log/2030
+++ b/test/log/2030
@@ -5,6 +5,6 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 SNI <fred>
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=fred S=sss id=E10HmaX-0005vi-00@???
1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@???> R=server
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/2031 b/test/log/2031
index 37679a2..3b8f61d 100644
--- a/test/log/2031
+++ b/test/log/2031
@@ -8,10 +8,10 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 SNI <fred>
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@??? for CALLER@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=fred S=sss id=E10HmaX-0005vi-00@??? for CALLER@???
1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@???> R=server
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 SNI <bill>
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="bill" S=sss id=E10HmaZ-0005vi-00@??? for abcd@???
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=bill S=sss id=E10HmaZ-0005vi-00@??? for abcd@???
1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <abcd@???> R=server
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/log/2130 b/test/log/2130
index 564aa0a..fc45c0a 100644
--- a/test/log/2130
+++ b/test/log/2130
@@ -5,6 +5,6 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 SNI <fred>
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=fred S=sss id=E10HmaX-0005vi-00@???
1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@???> R=server
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/2131 b/test/log/2131
index e5c93f7..38aa871 100644
--- a/test/log/2131
+++ b/test/log/2131
@@ -8,10 +8,10 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 SNI <fred>
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="fred" S=sss id=E10HmaX-0005vi-00@??? for CALLER@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=fred S=sss id=E10HmaX-0005vi-00@??? for CALLER@???
1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <CALLER@???> R=server
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 SNI <bill>
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI="bill" S=sss id=E10HmaZ-0005vi-00@??? for abcd@???
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=bill S=sss id=E10HmaZ-0005vi-00@??? for abcd@???
1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <abcd@???> R=server
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/log/5820 b/test/log/5820
index 62425a1..a269270 100644
--- a/test/log/5820
+++ b/test/log/5820
@@ -81,17 +81,17 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@??? for t1@???
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256ee.test.ex S=sss id=E10HmaX-0005vi-00@??? for t1@???
1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: <t1@???> R=server
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaY-0005vi-00@??? for t2@???
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=mxdane512ee.test.ex S=sss id=E10HmaY-0005vi-00@??? for t2@???
1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <t2@???> R=server
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
1999-03-02 09:44:33 "rcpt ACL"
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbB-0005vi-00@??? for t4@???
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=mxdane256ta.test.ex S=sss id=E10HmbB-0005vi-00@??? for t4@???
1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <t4@???> R=server
1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
@@ -123,13 +123,13 @@
1999-03-02 09:44:33 10HmbU-0005vi-00 => :blackhole: <t17@???> R=server
1999-03-02 09:44:33 10HmbU-0005vi-00 Completed
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbX-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbW-0005vi-00@??? for t18a@???
+1999-03-02 09:44:33 10HmbX-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=danemixed.test.ex S=sss id=E10HmbW-0005vi-00@??? for t18a@???
1999-03-02 09:44:33 10HmbX-0005vi-00 => :blackhole: <t18a@???> R=server
1999-03-02 09:44:33 10HmbX-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (recv): A TLS fatal alert has been received: Certificate is bad
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@??? for t20@???
+1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=danebroken8.example.com S=sss id=E10HmbZ-0005vi-00@??? for t20@???
1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: <t20@???> R=server
1999-03-02 09:44:33 10HmcA-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
diff --git a/test/log/5840 b/test/log/5840
index c200288..b351197 100644
--- a/test/log/5840
+++ b/test/log/5840
@@ -81,22 +81,22 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@??? for t1@???
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256ee.test.ex S=sss id=E10HmaX-0005vi-00@??? for t1@???
1999-03-02 09:44:33 10HmaZ-0005vi-00 => :blackhole: <t1@???> R=server
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaY-0005vi-00@??? for t2@???
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=mxdane512ee.test.ex S=sss id=E10HmaY-0005vi-00@??? for t2@???
1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <t2@???> R=server
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
1999-03-02 09:44:33 "rcpt ACL"
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbB-0005vi-00@??? for t4@???
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=mxdane256ta.test.ex S=sss id=E10HmbB-0005vi-00@??? for t4@???
1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <t4@???> R=server
1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@??? for t5@???
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=mxdane256tak.test.ex S=sss id=E10HmbD-0005vi-00@??? for t5@???
1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <t5@???> R=server
1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
@@ -130,7 +130,7 @@
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
1999-03-02 09:44:33 "rcpt ACL"
-1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@??? for t20@???
+1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=danebroken8.example.com S=sss id=E10HmbZ-0005vi-00@??? for t20@???
1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: <t20@???> R=server
1999-03-02 09:44:33 10HmcA-0005vi-00 Completed
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
diff --git a/test/stderr/5820 b/test/stderr/5820
index 032f2b9..5bb9029 100644
--- a/test/stderr/5820
+++ b/test/stderr/5820
@@ -9,7 +9,7 @@
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)

->>> processing "accept" (TESTSUITE/test-config 87)
+>>> processing "accept" (TESTSUITE/test-config 88)
>>> check verify = recipient/callout
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing rcptuser@???

diff --git a/test/stderr/5840 b/test/stderr/5840
index dbd4d23..423ed83 100644
--- a/test/stderr/5840
+++ b/test/stderr/5840
@@ -9,7 +9,7 @@
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)

->>> processing "accept" (TESTSUITE/test-config 92)
+>>> processing "accept" (TESTSUITE/test-config 93)
>>> check verify = recipient/callout
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing rcptuser@???