Gitweb:
https://git.exim.org/exim.git/commitdiff/44e35f5f592b4fb993a6a23ad9e0446af8a6d527
Commit: 44e35f5f592b4fb993a6a23ad9e0446af8a6d527
Parent: 51894f20e0c03113b4c4e07898ac5e955b21ec41
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Nov 5 21:29:53 2023 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sun Nov 5 21:29:53 2023 +0000
DANE: handle servefail for TLSA during Rverify. Bug 3030
---
doc/doc-txt/ChangeLog | 17 +++++++----
src/src/verify.c | 4 +--
test/confs/5803 | 71 ++++++++++++++++++++++++++++++++++++++++++++
test/dnszones-src/db.test.ex | 5 ++++
test/scripts/5800-DANE/5803 | 8 +++++
5 files changed, 97 insertions(+), 8 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 990e72823..2ea8caf23 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -8,12 +8,17 @@ Exim version 4.98
JH/01 Support list of dkim results in the dkim_status ACL condition, making
it more usable in the data ACL.
-JH/02 Handle error on close of the spool data file during reception. Previously
- This was only logged, on the assumption that errors would be seen for
- a previous fflush(). However, a fuse filesystem has been reported as
- showing this an error for the fclose(). The spool is now in an uncertain
- state, and we have logged and responded acceptance. Change this to
- respond with a temp-reject, wipe spoolfiles, and log the error detail.
+JH/02 Bug 3040: Handle error on close of the spool data file during reception.
+ Previously This was only logged, on the assumption that errors would be
+ seen for a previous fflush(). However, a fuse filesystem has been
+ reported as showing this an error for the fclose(). The spool is now in
+ an uncertain state, and we have logged and responded acceptance. Change
+ this to respond with a temp-reject, wipe spoolfiles, and log the error
+ detail.
+
+JH/03 Bug 3030: fix handling of DNS servfail respons for DANE TLSA. When hit
+ during a recipient verify callout, a QUIT command was attempted on the
+ now-closed callout channel, causing a paniclog entry.
Exim version 4.97
diff --git a/src/src/verify.c b/src/src/verify.c
index d8ebf5925..6361aa434 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -677,7 +677,7 @@ coding means skipping this whole loop and doing the append separately. */
sx->conn_args.interface = interface;
sx->helo_data = tf->helo_data;
sx->conn_args.tblock = addr->transport;
- sx->conn_args.sock = -1;
+ sx->cctx.sock = sx->conn_args.sock = -1;
sx->verify = TRUE;
tls_retry_connection:
@@ -1152,7 +1152,7 @@ no_conn:
/* Ensure no cutthrough on multiple verifies that were incompatible */
if (options & vopt_callout_recipsender)
cancel_cutthrough_connection(TRUE, US"not usable for cutthrough");
- if (sx->send_quit)
+ if (sx->send_quit && sx->cctx.sock >= 0)
if (smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n") != -1)
/* Wait a short time for response, and discard it */
smtp_read_response(sx, sx->buffer, sizeof(sx->buffer), '2', 1);
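Review bot: The new guard `sx->cctx.sock >= 0` before the QUIT only prevents a write to a closed channel if every path that closes the callout socket also resets `sx->cctx.sock` to -1; the initialisation added in the first hunk (`sx->cctx.sock = sx->conn_args.sock = -1;`) covers the never-connected case, but the close path taken on the TLSA SERVFAIL is outside this hunk and cannot be confirmed from here. If some close path leaves the stale descriptor number in place, the QUIT would still be attempted, and a reused descriptor number would receive the write, which is presumably the paniclog case the ChangeLog entry describes. The reason for the check is not obvious at the `no_conn:` label, so a comment would help: `/* The callout channel may already be closed (eg. DANE TLSA lookup failure); only send QUIT on a live socket */`. The enclosing function starts and ends outside both hunks.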
diff --git a/test/confs/5803 b/test/confs/5803
new file mode 100644
index 000000000..465959775
--- /dev/null
+++ b/test/confs/5803
@@ -0,0 +1,71 @@
+# Exim test configuration 5801
+# DANE common
+
+SERVER=
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept verify = recipient/callout
+
+log_selector = +received_recipients +tls_certificate_verified +tls_sni
+
+queue_run_in_order
+
+tls_advertise_hosts = *
+.ifdef _HAVE_GNUTLS
+# needed to force generation
+tls_dhparam = historic
+.endif
+
+CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net
+CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
+
+
+tls_certificate = CDIR2/fullchain.pem
+tls_privatekey = CDIR2/server1.example.com.unlocked.key
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = dnslookup
+ condition = ${if eq {SERVER}{}}
+ dnssec_request_domains = *
+ self = send
+ transport = send_to_server
+ errors_to = ""
+
+server:
+ driver = redirect
+ data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+ driver = smtp
+ allow_localhost
+ port = PORT_D
+ hosts_try_fastopen = :
+
+ hosts_try_dane = *
+ tls_verify_certificates =
+
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
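Review bot: The header comment on the first line of the new file says `# Exim test configuration 5801`, but the file is test/confs/5803, so it looks copied from the 5801 configuration without updating the number. It should read `# Exim test configuration 5803`, since a mismatched header makes the file harder to trace when test numbers are searched or copied again. A one-line summary of what distinguishes this config from 5801 (the recipient-verify callout against a TLSA SERVFAIL host) would also help readers, as the `# DANE common` line does not say.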
diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex
index d39e9cf1e..6ff1a6af4 100644
--- a/test/dnszones-src/db.test.ex
+++ b/test/dnszones-src/db.test.ex
@@ -583,6 +583,11 @@ DNSSEC danemixed A 127.0.0.1
DNSSEC _1225._tcp.danemixed TLSA 2 0 1 0d643c1ebcdf2cb83634e0c2f5102c1e268983401c9f4d8711d60b44d7fb7a3e
DNSSEC TLSA 3 1 1 8276000000000000000000000000000000000000000000000000000000000000
+; have the TLSA lookup, only, return SERVFAIL
+;
+DNSSEC daneservfail A 127.0.0.1
+DNSSEC _1225._tcp.daneservfail CNAME test.again.dns.
+
; ------- Testing delays ------------
DELAY=500 delay500 A HOSTIPV4
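Review bot: The comment above the new `daneservfail` records says the TLSA lookup alone should return SERVFAIL, but not how a CNAME to `test.again.dns.` produces that, so a reader of the zone file has to know that the test-suite nameserver presumably treats that target specially. Extending the comment to name the mechanism would make the record self-explanatory, e.g. `; the CNAME target test.again.dns. is special-cased by the test nameserver to yield SERVFAIL (verify against its source)`. The surrounding zone section continues outside the hunk.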
diff --git a/test/scripts/5800-DANE/5803 b/test/scripts/5800-DANE/5803
new file mode 100644
index 000000000..f217e6297
--- /dev/null
+++ b/test/scripts/5800-DANE/5803
@@ -0,0 +1,8 @@
+# DANE Rverify, TLSA SERVFAIL
+#
+exim -odf -bs
+HELO test
+MAIL FROM:<CALLER@???>
+RCPT TO:<t@???>
+QUIT
+****