Commit | Line | Data |
---|---|---|
c4b57fdd JH |
1 | # DANE client: dane-fail events |
2 | # | |
3 | ### A server with a nonverifying cert and no TLSA | |
4 | # Check we get a non-CV but TLS connection, with try_dane but no require_dane | |
5 | # There should not be a dane-fail event | |
6 | exim -DSERVER=server -DDETAILS=no -bd -oX PORT_D | |
7 | **** | |
8 | exim -odf CALLER@thishost.test.ex | |
9 | Testing | |
10 | **** | |
11 | killdaemon | |
12 | # | |
13 | ### A server with a verifying cert and no TLSA | |
14 | # Check we get a CV and TLS connection, with try_dane but no require_dane | |
15 | # There should not be a dane-fail event | |
16 | exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D | |
17 | **** | |
18 | exim -odf CALLER@thishost.test.ex | |
19 | Testing | |
20 | **** | |
21 | exim -DOPT=no_certname -qf | |
22 | **** | |
23 | killdaemon | |
24 | # | |
25 | # | |
26 | exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D | |
27 | **** | |
28 | ### A server with two MXs for which both TLSA lookups return defer (delivery should defer) | |
29 | # One dane-fail event, as one of the MXs was dane-required | |
30 | exim -odf CALLER@mxdanelazy.test.ex | |
31 | Testing | |
32 | **** | |
33 | ### A server lacking a TLSA, dane required (should fail; should get an event) | |
34 | exim -odf CALLER@dane.no.1.test.ex | |
35 | Testing | |
36 | **** | |
37 | ### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC) | |
38 | # No event | |
39 | exim -odf CALLER@dane.no.2.test.ex | |
40 | Testing | |
41 | **** | |
42 | ### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer) | |
43 | # gets an event, as the TLSA fail was non-dnssec | |
44 | exim -odf CALLER@danebroken1.test.ex | |
45 | Testing | |
46 | **** | |
47 | ### A server securely saying "no TLSA records here", dane required (delivery should fail) | |
48 | # An event; dane-required | |
49 | exim -odf CALLER@dane.no.3.test.ex | |
50 | Testing | |
51 | **** | |
52 | ### A server securely saying "no TLSA records here", dane requested only (should deliver) | |
53 | # No event (dane is not supported by this target, so not a failure) | |
54 | exim -odf CALLER@dane.no.4.test.ex | |
55 | Testing | |
56 | **** | |
57 | # | |
58 | ### A server securely serving a wrong TLSA record, dane requested only (delivery should fail) | |
59 | # An event (validation-failure) | |
60 | exim -odf CALLER@danebroken2.test.ex | |
61 | Testing | |
62 | **** | |
63 | ### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE) | |
64 | # No event (we didn't get a usable TLSA, so dane is not supported by...) | |
65 | exim -odf CALLER@danebroken3.test.ex | |
66 | Testing | |
67 | **** | |
68 | ### A server insecurely serving a good TLSA record, dane required (delivery should fail) | |
69 | # An event (dane-required) | |
70 | exim -odf CALLER@danebroken4.test.ex | |
71 | Testing | |
72 | **** | |
73 | ### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) | |
74 | # No event (not dane-worthy) | |
75 | exim -odf CALLER@danebroken5.test.ex | |
76 | Testing | |
77 | **** | |
78 | ### A server insecurely serving a good A record, dane required (delivery should fail) | |
79 | # An event (dane-required) | |
80 | exim -odf CALLER@danebroken6.test.ex | |
81 | Testing | |
82 | **** | |
83 | # | |
84 | killdaemon | |
85 | # | |
86 | # | |
87 | # | |
88 | ### A server with a name not matching the cert. TA-mode; should fail | |
89 | # An event (validation-failure) | |
90 | exim -DSERVER=server -DDETAILS=cert.net -bd -oX PORT_D | |
91 | **** | |
92 | exim -odf CALLER@danebroken7.example.com | |
93 | Testing | |
94 | **** | |
95 | # | |
96 | ### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode | |
97 | # No event (no failure) | |
98 | exim -odf CALLER@danebroken8.example.com | |
99 | Testing | |
100 | **** | |
101 | # | |
102 | killdaemon | |
103 | no_msglog_check | |
104 | no_stderr_check |