[exim-cvs] DANE: handle servefail for TLSA during Rverify. …

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] DANE: handle servefail for TLSA during Rverify. Bug 3030
Gitweb: https://git.exim.org/exim.git/commitdiff/44e35f5f592b4fb993a6a23ad9e0446af8a6d527
Commit:     44e35f5f592b4fb993a6a23ad9e0446af8a6d527
Parent:     51894f20e0c03113b4c4e07898ac5e955b21ec41
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Nov 5 21:29:53 2023 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Nov 5 21:29:53 2023 +0000


    DANE: handle servefail for TLSA during Rverify.  Bug 3030
---
 doc/doc-txt/ChangeLog        | 17 +++++++----
 src/src/verify.c             |  4 +--
 test/confs/5803              | 71 ++++++++++++++++++++++++++++++++++++++++++++
 test/dnszones-src/db.test.ex |  5 ++++
 test/scripts/5800-DANE/5803  |  8 +++++
 5 files changed, 97 insertions(+), 8 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 990e72823..2ea8caf23 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -8,12 +8,17 @@ Exim version 4.98
 JH/01 Support list of dkim results in the dkim_status ACL condition, making
       it more usable in the data ACL.


-JH/02 Handle error on close of the spool data file during reception.  Previously
-      This was only logged, on the assumption that errors would be seen for
-      a previous fflush().  However, a fuse filesystem has been reported as
-      showing this an error for the fclose().  The spool is now in an uncertain
-      state, and we have logged and responded acceptance.  Change this to
-      respond with a temp-reject, wipe spoolfiles, and log the error detail.
+JH/02 Bug 3040: Handle error on close of the spool data file during reception. 
+      Previously This was only logged, on the assumption that errors would be
+      seen for a previous fflush().  However, a fuse filesystem has been
+      reported as showing this an error for the fclose().  The spool is now in
+      an uncertain state, and we have logged and responded acceptance.  Change
+      this to respond with a temp-reject, wipe spoolfiles, and log the error
+      detail.
+
+JH/03 Bug 3030: fix handling of DNS servfail respons for DANE TLSA.  When hit
+      during a recipient verify callout, a QUIT command was attempted on the
+      now-closed callout channel, causing a paniclog entry.



 Exim version 4.97
diff --git a/src/src/verify.c b/src/src/verify.c
index d8ebf5925..6361aa434 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -677,7 +677,7 @@ coding means skipping this whole loop and doing the append separately.  */
     sx->conn_args.interface = interface;
     sx->helo_data = tf->helo_data;
     sx->conn_args.tblock = addr->transport;
-    sx->conn_args.sock = -1;
+    sx->cctx.sock = sx->conn_args.sock = -1;
     sx->verify = TRUE;


 tls_retry_connection:
@@ -1152,7 +1152,7 @@ no_conn:
       /* Ensure no cutthrough on multiple verifies that were incompatible */
       if (options & vopt_callout_recipsender)
         cancel_cutthrough_connection(TRUE, US"not usable for cutthrough");
-      if (sx->send_quit)
+      if (sx->send_quit && sx->cctx.sock >= 0)
     if (smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n") != -1)
       /* Wait a short time for response, and discard it */
       smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2', 1);
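Review bot: The added condition `sx->cctx.sock >= 0` guarding the QUIT write relies on every path that closes the callout channel also resetting `sx->cctx.sock` to -1; the first hunk only initialises it to -1 before the connection is attempted, and the close path is outside both hunks, so that invariant is worth stating next to the test, e.g. `/* cctx.sock is -1 if the channel was never opened or has already been closed (e.g. after a TLSA SERVFAIL) */`. The two nested unbraced `if`s at mismatched indentation are easy to misread as siblings; bracing the outer one would make the guard's scope obvious. The enclosing function continues outside this hunk.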
diff --git a/test/confs/5803 b/test/confs/5803
new file mode 100644
index 000000000..465959775
--- /dev/null
+++ b/test/confs/5803
@@ -0,0 +1,71 @@
+# Exim test configuration 5801
+# DANE common
+
+SERVER=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept verify = recipient/callout
+
+log_selector =  +received_recipients +tls_certificate_verified +tls_sni
+
+queue_run_in_order
+
+tls_advertise_hosts = *
+.ifdef _HAVE_GNUTLS
+# needed to force generation
+tls_dhparam = historic
+.endif
+
+CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net
+CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
+
+
+tls_certificate = CDIR2/fullchain.pem
+tls_privatekey =  CDIR2/server1.example.com.unlocked.key
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver =    dnslookup
+  condition =    ${if eq {SERVER}{}}
+  dnssec_request_domains = *
+  self =    send
+  transport =    send_to_server
+  errors_to =    ""
+
+server:
+  driver =    redirect
+  data =    :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+  driver =        smtp
+  allow_localhost
+  port =        PORT_D
+  hosts_try_fastopen =    :
+
+  hosts_try_dane =    *
+  tls_verify_certificates =
+
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
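Review bot: The header comment on the first line reads `# Exim test configuration 5801` although the file is `test/confs/5803`, so it looks copied from the 5801 configuration without being updated; it should read `# Exim test configuration 5803`. It would also help a reader to say in the second comment line what this variant exercises, e.g. `# DANE: recipient-verify callout where the TLSA lookup returns SERVFAIL`, rather than the generic `# DANE common`.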
diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex
index d39e9cf1e..6ff1a6af4 100644
--- a/test/dnszones-src/db.test.ex
+++ b/test/dnszones-src/db.test.ex
@@ -583,6 +583,11 @@ DNSSEC danemixed            A      127.0.0.1
 DNSSEC _1225._tcp.danemixed TLSA  2 0 1 0d643c1ebcdf2cb83634e0c2f5102c1e268983401c9f4d8711d60b44d7fb7a3e
 DNSSEC                      TLSA  3 1 1 8276000000000000000000000000000000000000000000000000000000000000


+; have the TLSA lookup, only, return SERVFAIL
+;
+DNSSEC daneservfail         A      127.0.0.1
+DNSSEC _1225._tcp.daneservfail CNAME test.again.dns.
+
 ; ------- Testing delays ------------


DELAY=500 delay500 A HOSTIPV4
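Review bot: The comment above the new `daneservfail` records states the intent but not the mechanism: the `_1225._tcp.daneservfail` TLSA name is made a CNAME to `test.again.dns.`, and nothing in the hunk says why that yields SERVFAIL, which is presumably a special-case name in the test harness's fake resolver. If that is the case, a reader maintaining the zone would benefit from `; CNAME to test.again.dns. — the test nameserver answers that name with SERVFAIL` in place of the bare `;` line.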
diff --git a/test/scripts/5800-DANE/5803 b/test/scripts/5800-DANE/5803
new file mode 100644
index 000000000..f217e6297
--- /dev/null
+++ b/test/scripts/5800-DANE/5803
@@ -0,0 +1,8 @@
+# DANE Rverify, TLSA SERVFAIL
+#
+exim -odf -bs
+HELO test
+MAIL FROM:<CALLER@???>
+RCPT TO:<t@???>
+QUIT
+****
