-REQUIRETLS support
-------------------
-Ref: https://tools.ietf.org/html/draft-ietf-uta-smtp-require-tls-03
-
-If compiled with EXPERIMENTAL_REQUIRETLS support is included for this
-feature, where a REQUIRETLS option is added to the MAIL command.
-The client may not retry in clear if the MAIL+REQUIRETLS fails (or was never
-offered), and the server accepts an obligation that any onward transmission
-by SMTP of the messages accepted will also use REQUIRETLS - or generate a
-fail DSN.
-
-The Exim implementation includes
-- a main-part option tls_advertise_requiretls; host list, default "*"
-- an observability variable $requiretls returning yes/no
-- an ACL "control = requiretls" modifier for setting the requirement
-- Log lines and Received: headers capitalise the S in the protocol
- element: "P=esmtpS"
-
-Differences from spec:
-- we support upgrading the requirement for REQUIRETLS, including adding
- it from cold, within an MTA. The spec only define the sourcing MUA
- as being able to source the requirement, and makes no mention of upgrade.
-- No support is coded for the RequireTLS header (which can be used
- to annul DANE and/or STS policiy). [this can _almost_ be done in
- transport option expansions, but not quite: it requires tha DANE-present
- but STARTTLS-failing targets fallback to cleartext, which current DANE
- coding specifically blocks]
-
-Note that REQUIRETLS is only advertised once a TLS connection is achieved
-(in contrast to STARTTLS). If you want to check the advertising, do something
-like "swaks -s 127.0.0.1 -tls -q HELO".
-
-
-
-
Early pipelining support
------------------------
Ref: https://datatracker.ietf.org/doc/draft-harris-early-pipe/
# Uncomment the following line to add queuefile transport support
# EXPERIMENTAL_QUEUEFILE=yes
-# Uncomment the following to add REQUIRETLS support.
-# You must also have SUPPORT_TLS enabled.
-# Ref: https://datatracker.ietf.org/doc/draft-fenton-smtp-require-tls
-# EXPERIMENTAL_REQUIRETLS=yes
-
###############################################################################
# THESE ARE THINGS YOU MIGHT WANT TO SPECIFY #
###############################################################################
CONTROL_NO_PIPELINING,
CONTROL_QUEUE_ONLY,
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
- CONTROL_REQUIRETLS,
-#endif
CONTROL_SUBMISSION,
CONTROL_SUPPRESS_LOCAL_FIXUPS,
#ifdef SUPPORT_I18N
},
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-[CONTROL_REQUIRETLS] =
- { US"requiretls", FALSE,
- (unsigned)
- ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA |
- ACL_BIT_DATA | ACL_BIT_MIME |
- ACL_BIT_NOTSMTP)
- },
-#endif
-
[CONTROL_SUBMISSION] =
{ US"submission", TRUE,
(unsigned)
cancel_cutthrough_connection(TRUE, US"queueing forced");
break;
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
- case CONTROL_REQUIRETLS:
- tls_requiretls |= REQUIRETLS_MSG;
- break;
-#endif
case CONTROL_SUBMISSION:
originator_name = US"";
f.submission_mode = TRUE;
static void (*oldsignal)(int);
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-static uschar tls_requiretls_copy = 0;
-#endif
-
/*************************************************
* Ensure an fd has a given value *
int extra = pcount ? *pcount : 0;
uschar **argv;
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-if (tls_requiretls) extra++;
-#endif
-
argv = store_get((extra + acount + MAX_CLMACROS + 18) * sizeof(char *));
/* In all case, the list starts out with the path, any macros, and a changed
}
}
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-if (tls_requiretls_copy & REQUIRETLS_MSG)
- argv[n++] = US"-MS";
-#endif
-
/* Now add in any others that are in the call. Remember which they were,
for more helpful diagnosis on failure. */
if (pid == 0)
{
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
- tls_requiretls_copy = tls_requiretls;
-#endif
force_fd(pfd[pipe_read], 0);
(void)close(pfd[pipe_write]);
if (debug_fd > 0) force_fd(debug_fd, 2);
#define DMARC_TLD_FILE "/etc/exim/opendmarc.tlds"
#define EXPERIMENTAL_LMDB
#define EXPERIMENTAL_PIPE_CONNECT
-#define EXPERIMENTAL_REQUIRETLS
#define EXPERIMENTAL_QUEUEFILE
#define EXPERIMENTAL_SRS
#ifdef SUPPORT_TLS
if (!regex_STARTTLS) regex_STARTTLS =
regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE);
-
-# ifdef EXPERIMENTAL_REQUIRETLS
-if (!regex_REQUIRETLS) regex_REQUIRETLS =
- regex_must_compile(US"\\n250[\\s\\-]REQUIRETLS(\\s|\\n|$)", FALSE, TRUE);
-# endif
#endif
if (!regex_CHUNKING) regex_CHUNKING =
#ifdef EXPERIMENTAL_DSN_INFO
fprintf(fp, " Experimental_DSN_info");
#endif
-#ifdef EXPERIMENTAL_REQUIRETLS
- fprintf(fp, " Experimental_REQUIRETLS");
-#endif
#ifdef EXPERIMENTAL_PIPE_CONNECT
fprintf(fp, " Experimental_PIPE_CONNECT");
#endif
break;
}
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
- /* -MS set REQUIRETLS on (new) message */
-
- else if (*argrest == 'S')
- {
- tls_requiretls |= REQUIRETLS_MSG;
- break;
- }
-#endif
-
/* -M[x]: various operations on the following list of message ids:
-M deliver the messages, ignoring next retry times and thawing
-Mc deliver the messages, checking next retry times, no thawing
{ "regex_match_string", vtype_stringptr, ®ex_match_string },
#endif
{ "reply_address", vtype_reply, NULL },
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
- { "requiretls", vtype_bool, &tls_requiretls },
-#endif
{ "return_path", vtype_stringptr, &return_path },
{ "return_size_limit", vtype_int, &bounce_return_size_limit },
{ "router_name", vtype_stringptr, &router_name },
uschar *tls_privatekey = NULL;
BOOL tls_remember_esmtp = FALSE;
uschar *tls_require_ciphers = NULL;
-# ifdef EXPERIMENTAL_REQUIRETLS
-uschar tls_requiretls = 0; /* REQUIRETLS_MSG etc. bit #defines */
-uschar *tls_advertise_requiretls = US"*";
-const pcre *regex_REQUIRETLS = NULL;
-# endif
uschar *tls_try_verify_hosts = NULL;
uschar *tls_verify_certificates= US"system";
uschar *tls_verify_hosts = NULL;
extern uschar *tls_ocsp_file; /* OCSP stapling proof file */
# endif
extern uschar *tls_privatekey; /* Private key file */
-# ifdef EXPERIMENTAL_REQUIRETLS
-extern uschar tls_requiretls; /* REQUIRETLS active for this message */
-extern uschar *tls_advertise_requiretls; /* hosts for which REQUIRETLS adv */
-extern const pcre *regex_REQUIRETLS; /* for recognising the command */
-# endif
extern BOOL tls_remember_esmtp; /* For YAEB */
extern uschar *tls_require_ciphers; /* So some can be avoided */
extern uschar *tls_try_verify_hosts; /* Optional client verification */
#ifdef EXPERIMENTAL_DSN_INFO
builtin_macro_create(US"_HAVE_DSN_INFO");
#endif
-#ifdef EXPERIMENTAL_REQUIRETLS
- builtin_macro_create(US"_HAVE_REQTLS");
-#endif
#ifdef EXPERIMENTAL_PIPE_CONNECT
builtin_macro_create(US"_HAVE_PIPE_CONNECT");
#endif
#ifdef SUPPORT_I18N
# define ERRNO_UTF8_FWD (-49) /* target not supporting SMTPUTF8 */
#endif
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-# define ERRNO_REQUIRETLS (-50) /* REQUIRETLS session not started */
-#endif
+ /* -50 free for re-use */
/* These must be last, so all retry deferments can easily be identified */
#define OPTION_PIPE BIT(5)
#define OPTION_SIZE BIT(6)
#define OPTION_CHUNKING BIT(7)
-#define OPTION_REQUIRETLS BIT(8)
-#define OPTION_EARLY_PIPE BIT(9)
-
-/* Codes for tls_requiretls requests (usually by sender) */
-
-#define REQUIRETLS_MSG BIT(0) /* REQUIRETLS onward use */
+#define OPTION_EARLY_PIPE BIT(8)
/* Argument for *_getc */
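Review bot: Renumbering `OPTION_EARLY_PIPE` from BIT(9) to BIT(8) changes the encoding of the EHLO-response bit masks, and the expected test output later in this diff (`EHLO response bits from cache: cleartext 0x0220` becoming `0x0120`) suggests those masks are stored and read back rather than recomputed per connection. If that cache survives an upgrade, a record written by an older build with bit 8 set (REQUIRETLS offered) would now be read as early-pipelining support, and its bit 9 would silently be dropped, so a peer that never advertised early pipelining could be treated as offering it until the entry is refreshed. Unless the cache is known to be discarded across versions, it would be safer to keep the old bit reserved: `/* BIT(8) reserved: was OPTION_REQUIRETLS */` and `#define OPTION_EARLY_PIPE BIT(9)`, or to version the cached record. The surrounding `#define` list continues outside the hunk.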
{ "timezone", opt_stringptr, &timezone_string },
{ "tls_advertise_hosts", opt_stringptr, &tls_advertise_hosts },
#ifdef SUPPORT_TLS
-# ifdef EXPERIMENTAL_REQUIRETLS
- { "tls_advertise_requiretls", opt_stringptr, &tls_advertise_requiretls },
-# endif
{ "tls_certificate", opt_stringptr, &tls_certificate },
{ "tls_crl", opt_stringptr, &tls_crl },
{ "tls_dh_max_bits", opt_int, &tls_dh_max_bits },
BOOL auth_advertised :1;
#ifdef SUPPORT_TLS
BOOL tls_advertised :1;
-# ifdef EXPERIMENTAL_REQUIRETLS
- BOOL requiretls_advertised :1;
-# endif
#endif
BOOL dsn_advertised :1;
BOOL esmtp :1;
ENV_MAIL_OPT_RET, ENV_MAIL_OPT_ENVID,
#ifdef SUPPORT_I18N
ENV_MAIL_OPT_UTF8,
-#endif
-#ifdef EXPERIMENTAL_REQUIRETLS
- ENV_MAIL_OPT_REQTLS,
#endif
};
typedef struct {
{ US"ENVID", ENV_MAIL_OPT_ENVID, TRUE },
#ifdef SUPPORT_I18N
{ US"SMTPUTF8",ENV_MAIL_OPT_UTF8, FALSE }, /* rfc6531 */
-#endif
-#ifdef EXPERIMENTAL_REQUIRETLS
- /* https://tools.ietf.org/html/draft-ietf-uta-smtp-require-tls-03 */
- { US"REQUIRETLS",ENV_MAIL_OPT_REQTLS, FALSE },
#endif
/* keep this the last entry */
{ US"NULL", ENV_MAIL_OPT_NULL, FALSE },
tls_in.sni = NULL;
tls_in.ocsp = OCSP_NOT_REQ;
fl.tls_advertised = FALSE;
-# ifdef EXPERIMENTAL_REQUIRETLS
-fl.requiretls_advertised = FALSE;
-# endif
#endif
fl.dsn_advertised = FALSE;
#ifdef SUPPORT_I18N
f.smtp_in_pipelining_advertised = FALSE;
#ifdef SUPPORT_TLS
fl.tls_advertised = FALSE;
-# ifdef EXPERIMENTAL_REQUIRETLS
- fl.requiretls_advertised = FALSE;
-# endif
#endif
fl.dsn_advertised = FALSE;
#ifdef SUPPORT_I18N
g = string_catn(g, US"-STARTTLS\r\n", 11);
fl.tls_advertised = TRUE;
}
-
-# ifdef EXPERIMENTAL_REQUIRETLS
- /* Advertise REQUIRETLS only once we are in a secure connection */
- if ( tls_in.active.sock >= 0
- && verify_check_host(&tls_advertise_requiretls) != FAIL)
- {
- g = string_catn(g, smtp_code, 3);
- g = string_catn(g, US"-REQUIRETLS\r\n", 13);
- fl.requiretls_advertised = TRUE;
- }
-# endif
#endif
#ifndef DISABLE_PRDR
break;
#endif
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
- case ENV_MAIL_OPT_REQTLS:
- {
- uschar * r, * t;
-
- if (!fl.requiretls_advertised)
- {
- done = synprot_error(L_smtp_syntax_error, 555, NULL,
- US"unadvertised MAIL option: REQUIRETLS");
- goto COMMAND_LOOP;
- }
-
- DEBUG(D_receive) debug_printf("requiretls requested\n");
- tls_requiretls = REQUIRETLS_MSG;
-
- r = string_copy_malloc(received_protocol);
- if ((t = Ustrrchr(r, 's'))) *t = 'S';
- received_protocol = r;
- }
- break;
-#endif
-
/* No valid option. Stick back the terminator characters and break
the loop. Do the name-terminator second as extract_option sets
value==name when it found no equal-sign.
if (arg_error) break;
}
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
- if (tls_requiretls & REQUIRETLS_MSG)
- {
- /* Ensure headers-only bounces whether a RET option was given or not. */
-
- DEBUG(D_receive) if (dsn_ret == dsn_ret_full)
- debug_printf("requiretls override: dsn_ret_full -> dsn_ret_hdrs\n");
- dsn_ret = dsn_ret_hdrs;
- }
-#endif
-
/* If we have passed the threshold for rate limiting, apply the current
delay, and update it for next time, provided this is a limited host. */
tls_in.peerdn = NULL;
tls_in.sni = NULL;
tls_in.ocsp = OCSP_NOT_REQ;
-# if defined(EXPERIMENTAL_REQUIRETLS) && !defined(COMPILE_UTILITY)
-tls_requiretls = 0;
-# endif
#endif
#ifdef WITH_CONTENT_SCAN
tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
else if (Ustrncmp(q, "ocsp", 4) == 0)
tls_in.ocsp = big_buffer[10] - '0';
-# if defined(EXPERIMENTAL_REQUIRETLS) && !defined(COMPILE_UTILITY)
- else if (Ustrncmp(q, "requiretls", 10) == 0)
- tls_requiretls = strtol(CS big_buffer+16, NULL, 0);
-# endif
}
break;
#endif
fprintf(fp, "-tls_ourcert %s\n", CS big_buffer);
}
if (tls_in.ocsp) fprintf(fp, "-tls_ocsp %d\n", tls_in.ocsp);
-
-# ifdef EXPERIMENTAL_REQUIRETLS
-if (tls_requiretls) fprintf(fp, "-tls_requiretls 0x%x\n", tls_requiretls);
-# endif
#endif
#ifdef SUPPORT_I18N
? &sx->ehlo_resp.cleartext_auths : &sx->ehlo_resp.crypted_auths;
peer_offered = ehlo_response(sx->buffer,
- (tls_out.active.sock < 0 ? OPTION_TLS : OPTION_REQUIRETLS)
+ (tls_out.active.sock < 0 ? OPTION_TLS : 0)
| OPTION_CHUNKING | OPTION_PRDR | OPTION_DSN | OPTION_PIPE | OPTION_SIZE
| OPTION_UTF8 | OPTION_EARLY_PIPE
);
/* debug_printf("%s: check for 0x%04x\n", __FUNCTION__, checks); */
#ifdef SUPPORT_TLS
-# ifdef EXPERIMENTAL_REQUIRETLS
-if ( checks & OPTION_REQUIRETLS
- && pcre_exec(regex_REQUIRETLS, NULL, CS buf,bsize, 0, PCRE_EOPT, NULL,0) < 0)
-# endif
- checks &= ~OPTION_REQUIRETLS;
-
if ( checks & OPTION_TLS
&& pcre_exec(regex_STARTTLS, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
#endif
else if ( sx->smtps
# ifdef SUPPORT_DANE
|| sx->conn_args.dane
-# endif
-# ifdef EXPERIMENTAL_REQUIRETLS
- || tls_requiretls & REQUIRETLS_MSG
# endif
|| verify_check_given_host(CUSS &ob->hosts_require_tls, sx->conn_args.host) == OK
)
{
- errno =
-# ifdef EXPERIMENTAL_REQUIRETLS
- tls_requiretls & REQUIRETLS_MSG ? ERRNO_REQUIRETLS :
-# endif
- ERRNO_TLSREQUIRED;
+ errno = ERRNO_TLSREQUIRED;
message = string_sprintf("a TLS session is required, but %s",
smtp_peer_options & OPTION_TLS
? "an attempt to start TLS failed" : "the server did not offer TLS support");
#ifdef EXPERIMENTAL_PIPE_CONNECT
| (sx->lmtp && ob->lmtp_ignore_quota ? OPTION_IGNQ : 0)
| OPTION_DSN | OPTION_PIPE | OPTION_SIZE
- | OPTION_CHUNKING | OPTION_PRDR | OPTION_UTF8 | OPTION_REQUIRETLS
+ | OPTION_CHUNKING | OPTION_PRDR | OPTION_UTF8
| (tls_out.active.sock >= 0 ? OPTION_EARLY_PIPE : 0) /* not for lmtp */
#else
| OPTION_DSN
| OPTION_PIPE
| (ob->size_addition >= 0 ? OPTION_SIZE : 0)
-# if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
- | (tls_requiretls & REQUIRETLS_MSG ? OPTION_REQUIRETLS : 0)
-# endif
#endif
);
#ifdef EXPERIMENTAL_PIPE_CONNECT
DEBUG(D_transport) debug_printf("%susing DSN\n",
sx->peer_offered & OPTION_DSN ? "" : "not ");
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
- if (sx->peer_offered & OPTION_REQUIRETLS)
- {
- smtp_peer_options |= OPTION_REQUIRETLS;
- DEBUG(D_transport) debug_printf(
- tls_requiretls & REQUIRETLS_MSG
- ? "using REQUIRETLS\n" : "REQUIRETLS offered\n");
- }
-#endif
-
#ifdef EXPERIMENTAL_PIPE_CONNECT
if ( sx->early_pipe_ok
&& !sx->early_pipe_active
}
#endif /*SUPPORT_I18N*/
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
- /*XXX should tls_requiretls actually be per-addr? */
-
-if ( tls_requiretls & REQUIRETLS_MSG
- && !(sx->peer_offered & OPTION_REQUIRETLS)
- )
- {
- sx->setting_up = TRUE;
- errno = ERRNO_REQUIRETLS;
- message = US"REQUIRETLS support is required from the server"
- " but it was not offered";
- DEBUG(D_transport) debug_printf("%s\n", message);
- goto TLS_FAILED;
- }
-#endif
-
return OK;
#ifdef SUPPORT_TLS
TLS_FAILED:
-# ifdef EXPERIMENTAL_REQUIRETLS
- if (errno == ERRNO_REQUIRETLS)
- code = '5', yield = FAIL;
- /*XXX DSN will be labelled 500; prefer 530 5.7.4 */
- else
-# endif
- code = '4', yield = DEFER;
+ code = '4', yield = DEFER;
goto FAILED;
#endif
Ustrcpy(p, " SMTPUTF8"), p += 9;
#endif
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-if (tls_requiretls & REQUIRETLS_MSG)
- Ustrcpy(p, " REQUIRETLS") , p += 11;
-#endif
-
/* check if all addresses have DSN-lasthop flag; do not send RET and ENVID if so */
for (sx->dsn_all_lasthop = TRUE, addr = addrlist, address_count = 0;
addr && address_count < sx->max_rcpt;
a host list with hosts_override set, use the host list supplied with the
transport. It is an error for this not to exist. */
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-if (tls_requiretls & REQUIRETLS_MSG)
- ob->tls_tempfail_tryclear = FALSE; /*XXX surely we should have a local for this
- rather than modifying the transport? */
-#endif
-
if (!hostlist || (ob->hosts_override && ob->hosts))
{
if (!ob->hosts)
done = TRUE;
}
break;
-#endif
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
- case ERRNO_REQUIRETLS:
- addr->user_message = US"530 5.7.4 REQUIRETLS support required";
- yield = FAIL;
- done = TRUE;
- break;
#endif
case ECONNREFUSED:
sx.send_quit = FALSE;
+++ /dev/null
-# Exim test configuration 5910
-
-SERVER=
-
-# advertise REQUIRETLS unless commandline override
-SRV= *
-# set on commandline to add an extra rcpt-time acl condition
-ACL=
-
-exim_path = EXIM_PATH
-keep_environment =
-host_lookup_order = bydns
-spool_directory = DIR/spool
-
-.ifdef SERVER
-log_file_path = DIR/spool/log/SERVER%slog
-.else
-log_file_path = DIR/spool/log/%slog
-.endif
-
-gecos_pattern = ""
-gecos_name = CALLER_NAME
-chunking_advertise_hosts =
-.ifdef _HAVE_PIPE_CONNECT
-pipelining_connect_advertise_hosts =
-.endif
-
-primary_hostname = myhost.test.ex
-
-# ----- Main settings -----
-
-acl_smtp_mail = m
-acl_smtp_rcpt = r
-acl_not_smtp = n
-
-log_selector = +tls_peerdn +received_recipients
-
-queue_only
-queue_run_in_order
-
-tls_advertise_hosts = *
-tls_advertise_requiretls = SRV
-
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-
-#tls_verify_hosts = *
-#tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}
-
-
-# ----- ACL -----
-
-begin acl
-
-m:
- accept senders = :
- deny condition = ${if eq {SERVER}{server}}
- !sender_domains = test.ex : myhost.test.ex
- accept
-
-r:
- warn condition = ${if eq {SERVER}{server}}
- logwrite = requiretls: $requiretls
-
-# define this to upgrade messages to REQUIRETLS
-.ifdef OPT
- warn
- condition = ${if !bool{$requiretls}}
- logwrite = upgrading
- control = requiretls
-.endif
- accept ACL
-
-n:
-.ifdef OPT
- accept
- condition = ${if !bool{$requiretls}}
- logwrite = upgrading
- control = requiretls
-.endif
- accept
-# ----- Routers -----
-
-begin routers
-
-bounces:
- driver = redirect
- condition = ${if !def:sender_address}
- condition = ${if first_delivery}
- data = :defer:
- allow_defer
-
-final:
- driver = accept
- condition = ${if eq {$received_ip_address}{HOSTIPV4} {yes}{no}}
- transport = file_a_bounce
-
-client:
- driver = accept
- transport = send_to_server
-
-
-# ----- Transports -----
-
-begin transports
-
-file_a_bounce:
- driver = appendfile
- delivery_date_add
- envelope_to_add
- file = DIR/test-mail/$local_part
- return_path_add
- user = CALLER
-
-send_to_server:
- driver = smtp
- allow_localhost
- hosts = HOSTIPV4
- port = PORT_D
- tls_certificate = DIR/aux-fixed/cert2
- tls_privatekey = DIR/aux-fixed/cert2
- tls_verify_certificates = DIR/aux-fixed/cert2
- tls_try_verify_hosts = :
-
-
-# ----- Retry -----
-
-
-begin retry
-
-* * F,5d,10s
-
-
-# End
+++ /dev/null
-1999-03-02 09:44:33 Start queue run: pid=pppp
-1999-03-02 09:44:33 10HmaX-0005vi-00 => dump@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS_proto_and_cipher CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 End queue run: pid=pppp
-1999-03-02 09:44:33 Start queue run: pid=pppp
-1999-03-02 09:44:33 10HmaY-0005vi-00 => dump <dump@test.ex> R=final T=file_a_bounce
-1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 End queue run: pid=pppp
-1999-03-02 09:44:33 upgrading
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-smtp S=sss for b@test.ex
-1999-03-02 09:44:33 Start queue run: pid=pppp
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => b@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS_proto_and_cipher CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 End queue run: pid=pppp
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 requiretls: yes
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= a@test.ex H=(test.ex) [127.0.0.1] P=esmtpS X=TLS_proto_and_cipher CV=no S=sss for dump@test.ex
-1999-03-02 09:44:33 requiretls: yes
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= a@test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtpS X=TLS_proto_and_cipher CV=no S=sss for dump@test.ex
-1999-03-02 09:44:33 requiretls: yes
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtpS X=TLS_proto_and_cipher CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for b@test.ex
+++ /dev/null
-From a@test.ex Tue Mar 02 09:44:33 1999
-Return-path: <a@test.ex>
-Envelope-to: dump@test.ex
-Delivery-date: Tue, 2 Mar 1999 09:44:33 +0000
-Received: from the.local.host.name ([ip4.ip4.ip4.ip4] helo=myhost.test.ex)
- by myhost.test.ex with esmtpS (TLS_proto_and_cipher)
- (Exim x.yz)
- (envelope-from <a@test.ex>)
- id 10HmaY-0005vi-00
- for dump@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
-Received: from [127.0.0.1] (helo=test.ex)
- by myhost.test.ex with esmtpS (TLS_proto_and_cipher)
- (Exim x.yz)
- (envelope-from <a@test.ex>)
- id 10HmaX-0005vi-00
- for dump@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
-Subject: foo
-
-content
-
+++ /dev/null
-# REQUIRETLS basics
-#
-munge tls_anycipher
-#
-# Server advertises feature, onward transmission, observability
-exim -DSERVER=server -bd -oX PORT_D
-****
-#
-client-ssl 127.0.0.1 PORT_D
-??? 220
-EHLO test.ex
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-STARTTLS
-??? 250 HELP
-STARTTLS
-??? 220
-EHLO test.ex
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-REQUIRETLS
-??? 250 HELP
-MAIL FROM:<a@test.ex> REQUIRETLS
-??? 250
-RCPT TO:<dump@test.ex>
-??? 250
-DATA
-??? 354
-Subject: foo
-
-content
-.
-??? 250
-QUIT
-??? 221
-****
-#
-exim -q
-****
-exim -q
-****
-#
-#
-# upgrade in-MTA
-exim -DOPT=y -bs
-MAIL FROM:<a@test.ex>
-RCPT TO:<b@test.ex>
-DATA
-Subject: foo
-
-content
-.
-QUIT
-****
-#
-exim -q
-****
-#
-killdaemon
-no_msglog_check
+++ /dev/null
-# REQUIRETLS bounce cases
-#
-munge tls_anycipher
-#
-# Server does not offer STARTTLS
-server PORT_D
-220 Hi there
-EHLO
-250 wotcher
-QUIT
-*eof
-****
-exim -DOPT=requiretls -odf -bs
-MAIL FROM:<a@test.ex>
-RCPT TO:<a@test.ex>
-DATA
-
-.
-QUIT
-****
-# ... the resulting bounce must be delivered with REQUIRETLS
-exim -DSERVER=server -bd -oX PORT_D
-****
-exim -qf
-****
-killdaemon
-#
-#
-# Server does not offer REQUIRETLS
-# Client message upgraded in-MTA for "require"
-exim -DSERVER=server -DSRV='' -bd -oX PORT_D
-****
-exim -DOPT=requiretls -odf -bs
-MAIL FROM:<b@test.ex>
-RCPT TO:<b@test.ex>
-DATA
-
-.
-QUIT
-****
-exim -qf
-****
-exim -qf
-****
-killdaemon
-#
-#
-# Server does not offer REQUIRETLS
-# Client message received with REQUIRETLS
-exim -DSERVER=server -bd -oX PORT_S
-****
-client-ssl 127.0.0.1 PORT_S
-??? 220
-EHLO test.ex
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-STARTTLS
-??? 250 HELP
-STARTTLS
-??? 220
-EHLO test.ex
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-REQUIRETLS
-??? 250 HELP
-MAIL FROM:<b@test.ex> REQUIRETLS
-??? 250
-RCPT TO:<d@test.ex>
-??? 250
-DATA
-??? 354
-Subject: foo
-
-content
-.
-??? 250
-QUIT
-??? 221
-****
-killdaemon
-exim -DSERVER=server -DSRV='' -bd -oX PORT_D
-****
-exim -qf
-****
-exim -qf
-****
-killdaemon
-#
-#
-# Server refuses MAIL
-exim -DSERVER=server -bd -oX PORT_D
-****
-sudo exim -DOPT=requiretls -odf -f a@serverrefusethis.ex c@test.ex
-
-****
-exim -qf
-****
-exim -qf
-****
-killdaemon
-#
-# Server does not advertise REQUIRETLS, client tries to use it anyway
-exim -DSERVER=server -bd -oX PORT_D
-****
-client-ssl 127.0.0.1 PORT_D
-??? 220
-EHLO test.ex
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-STARTTLS
-??? 250 HELP
-MAIL FROM:<d@test.ex> REQUIRETLS
-??? 555
-QUIT
-??? 221
-???*eof
-****
-killdaemon
-no_msglog_check
+++ /dev/null
-# REQUIRETLS smtp-time fails
-# Test these by having the MTA do a receipient-verify callout
-#
-# Server does not offer STARTTLS
-server PORT_D
-220 Hi there
-EHLO
-250 wotcher
-QUIT
-*eof
-****
-exim -DOPT=requiretls -DACL=verify=recipient/callout -odf -bs
-MAIL FROM:<CALLER@myhost.test.ex>
-RCPT TO:<a@test.ex>
-QUIT
-****
-#
-# Sever does not offer REQUIRETLS
-exim -DSERVER=server -DSRV='' -bd -oX PORT_D
-****
-exim -DOPT=requiretls -DACL=verify=recipient/callout -odf -bs
-MAIL FROM:<CALLER@myhost.test.ex>
-RCPT TO:<b@test.ex>
-QUIT
-****
-killdaemon
-#
-# Accepted callout
-exim -DSERVER=server -bd -oX PORT_D
-****
-exim -DOPT=requiretls -DACL=verify=recipient/callout -odf -bs
-MAIL FROM:<CALLER@myhost.test.ex>
-RCPT TO:<c@test.ex>
-QUIT
-****
-killdaemon
-#
+++ /dev/null
-support Experimental_REQUIRETLS
-running IPv4
127.0.0.1 [127.0.0.1]:1111 retry-status = usable
delivering 10HmbG-0005vi-00 to 127.0.0.1 [127.0.0.1] (extchange@test.ex)
Transport port=25 replaced by host-specific port=1225
-EHLO response bits from cache: cleartext 0x0220 crypted 0x0000
+EHLO response bits from cache: cleartext 0x0120 crypted 0x0000
Using cached cleartext PIPE_CONNECT
SMTP>> EHLO the.local.host.name
using PIPELINING
250-X_PIPE_CONNECT
250-STARTTLS
250 ok
-EHLO cleartext extensions changed, 0x0220/0x0000 -> 0x0221/0x0000
-writing clr 0221/0000 cry 0000/0000
+EHLO cleartext extensions changed, 0x0120/0x0000 -> 0x0121/0x0000
+writing clr 0121/0000 cry 0000/0000
sync_responses expect mail
SMTP<< 250 mail-from accepted
sync_responses expect rcpt
+++ /dev/null
-Connecting to 127.0.0.1 port 1225 ... connected
-??? 220
-<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
->>> EHLO test.ex
-??? 250-
-<<< 250-myhost.test.ex Hello test.ex [127.0.0.1]
-??? 250-SIZE
-<<< 250-SIZE 52428800
-??? 250-8BITMIME
-<<< 250-8BITMIME
-??? 250-PIPELINING
-<<< 250-PIPELINING
-??? 250-STARTTLS
-<<< 250-STARTTLS
-??? 250 HELP
-<<< 250 HELP
->>> STARTTLS
-??? 220
-<<< 220 TLS go ahead
-Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHAnnn
-Succeeded in starting TLS
->>> EHLO test.ex
-??? 250-
-<<< 250-myhost.test.ex Hello test.ex [127.0.0.1]
-??? 250-SIZE
-<<< 250-SIZE 52428800
-??? 250-8BITMIME
-<<< 250-8BITMIME
-??? 250-PIPELINING
-<<< 250-PIPELINING
-??? 250-REQUIRETLS
-<<< 250-REQUIRETLS
-??? 250 HELP
-<<< 250 HELP
->>> MAIL FROM:<a@test.ex> REQUIRETLS
-??? 250
-<<< 250 OK
->>> RCPT TO:<dump@test.ex>
-??? 250
-<<< 250 Accepted
->>> DATA
-??? 354
-<<< 354 Enter message, ending with "." on a line by itself
->>> Subject: foo
->>>
->>> content
->>> .
-??? 250
-<<< 250 OK id=10HmaX-0005vi-00
->>> QUIT
-??? 221
-<<< 221 myhost.test.ex closing connection
-End of script
-220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
-250 OK\r
-250 Accepted\r
-354 Enter message, ending with "." on a line by itself\r
-250 OK id=10HmaZ-0005vi-00\r
-221 myhost.test.ex closing connection\r