Previously it only applied to the main-section connection policy
options.
+JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext.
+
Exim version 4.87
-----------------
if (rc != OK)
{
# ifdef EXPERIMENTAL_DANE
- if (rc == DEFER && lflags.dane)
- {
- log_write(0, LOG_MAIN,
+ if (lflags.dane) log_write(0, LOG_MAIN,
"DANE attempt failed; no TLS connection to %s [%s]",
host->name, host->address);
- }
# endif
save_errno = ERRNO_TLSFAILURE;
addr->transport);
if (inblock.sock < 0)
{
+ HDEBUG(D_verify) debug_printf("connect: %s\n", strerror(errno));
addr->message = string_sprintf("could not connect to %s [%s]: %s",
host->name, host->address, strerror(errno));
transport_name = NULL;
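Review bot: The added `HDEBUG(D_verify) debug_printf("connect: %s\n", strerror(errno));` runs before the `strerror(errno)` in the `string_sprintf` call on the next line, so the message stored in `addr->message` can describe whatever errno the debug output left behind rather than the connect failure; stdio and strerror() are permitted to modify errno even when they succeed. Read it once before either use, e.g. `int connect_errno = errno;` ahead of the HDEBUG line and `strerror(connect_errno)` in both calls (choose a name that does not shadow a local the function already has). This is debug-only, so the mis-report would only show up in `-d` runs, but the stored message is what the ACL caller sees. The enclosing function begins and continues outside the hunk.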
connection, if the options permit it for this host. */
if (rc != OK)
{
- if (rc == DEFER)
- {
- (void)close(inblock.sock);
+ HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP(close)>>\n");
+ (void)close(inblock.sock);
# ifndef DISABLE_EVENT
- (void) event_raise(addr->transport->event_action,
- US"tcp:close", NULL);
+ (void) event_raise(addr->transport->event_action,
+ US"tcp:close", NULL);
# endif
- if ( ob->tls_tempfail_tryclear
- && !smtps
- && verify_check_given_host(&ob->hosts_require_tls, host) != OK
- )
- {
- log_write(0, LOG_MAIN, "TLS session failure:"
- " delivering unencrypted to %s [%s] (not in hosts_require_tls)",
- host->name, host->address);
- suppress_tls = TRUE;
- goto tls_retry_connection;
- }
+ if ( ob->tls_tempfail_tryclear
+ && !smtps
+ && verify_check_given_host(&ob->hosts_require_tls, host) != OK
+ )
+ {
+ log_write(0, LOG_MAIN, "TLS session failure:"
+ " callout unencrypted to %s [%s] (not in hosts_require_tls)",
+ host->name, host->address);
+ suppress_tls = TRUE;
+ goto tls_retry_connection;
}
/*save_errno = ERRNO_TLSFAILURE;*/
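Review bot: The cleartext retry at the added `if ( ob->tls_tempfail_tryclear` block now runs for every non-OK result of the TLS start, whereas the removed code limited it to `rc == DEFER`; the option name says "tempfail", so if the TLS client can return a result other than DEFER for a non-temporary reason, that case is now also retried unencrypted whenever the host is not in hosts_require_tls. If widening to all failures is intended for callouts, record it in a comment above the condition, e.g. `/* Any TLS-start failure, not only DEFER, may be retried in clear for callouts (Bug 1897) */`; otherwise keep `rc == DEFER &&` as the first conjunct. Separately, on the no-retry path the closed descriptor is still held in `inblock.sock` when control falls through past the commented-out `save_errno` line; if the cleanup that follows (outside this hunk) closes that socket again, add `inblock.sock = -1;` right after the `(void)close(inblock.sock);`. The enclosing function begins and ends outside the hunk.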
#ifdef SUPPORT_TLS
tls_close(FALSE, TRUE);
#endif
+ HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP(close)>>\n");
(void)close(inblock.sock);
#ifndef DISABLE_EVENT
(void) event_raise(addr->transport->event_action,
#ifdef SUPPORT_TLS
tls_close(FALSE, TRUE);
#endif
+ HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP(close)>>\n");
(void)close(inblock.sock);
#ifndef DISABLE_EVENT
(void) event_raise(addr->transport->event_action, US"tcp:close", NULL);
#ifdef SUPPORT_TLS
tls_close(FALSE, TRUE);
#endif
+ HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP(close)>>\n");
(void)close(cutthrough.fd);
cutthrough.fd = -1;
HDEBUG(D_acl) debug_printf("----------- cutthrough shutdown (%s) ------------\n", why);
--- /dev/null
+2151
\ No newline at end of file
--- /dev/null
+# Exim test configuration 2151
+
+.include DIR/aux-var/tls_conf_prefix
+
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = acl_rcpt
+callout_random_local_part = $primary_hostname--testing
+trusted_users = CALLER
+
+tls_advertise_hosts = 127.0.0.1 : HOSTIPV4
+
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
+
+# ----- ACL -----
+
+begin acl
+
+acl_rcpt:
+ accept verify = recipient/callout=1s,use_sender
+
+# ----- Routers -----
+
+begin routers
+
+callout:
+ driver = manualroute
+ transport = smtp
+ route_data = 127.0.0.1
+ self = send
+
+
+# ----- Transports -----
+
+begin transports
+
+smtp:
+ driver = smtp
+ port = PORT_S
+
+# End
--- /dev/null
+1999-03-02 09:44:33 H=127.0.0.1 [127.0.0.1] TLS error on connection (gnutls_handshake): timed out
+1999-03-02 09:44:33 TLS session failure: callout unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= s1@test.ex U=CALLER P=local-esmtp S=sss
--- /dev/null
+1999-03-02 09:44:33 H=127.0.0.1 [127.0.0.1] TLS error on connection (SSL_connect): timed out
+1999-03-02 09:44:33 TLS session failure: callout unencrypted to 127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= s1@test.ex U=CALLER P=local-esmtp S=sss
--- /dev/null
+../2100-OpenSSL/2151
\ No newline at end of file
--- /dev/null
+# TLS client: recipient callout - TLS fail, retry in clear
+need_ipv4
+#
+server PORT_S 2
+220 Server ready
+EHLO
+250-wotcher mate
+250-STARTTLS
+250 OK
+STARTTLS
+250
+.
+220 Server ready
+EHLO
+250-wotcher mate
+250-STARTTLS
+250 OK
+MAIL FROM
+250 OK
+RCPT TO
+250 OK
+QUIT
+250 OK
+****
+exim -odq -bs
+ehlo xxxx
+mail from: s1@test.ex
+rcpt to: r1@test.ex
+data
+.
+quit
+****
+no_stdout_check
+no_msglog_check
SMTP>> RCPT TO:<ok@localhost>
SMTP<< 250 OK
SMTP>> QUIT
+ SMTP(close)>>
LOG: smtp_connection MAIN
SMTP connection from root closed by QUIT
LOG: smtp_connection MAIN
SMTP>> RCPT TO:<bad@localhost>
SMTP<< 550 Unknown user
SMTP>> QUIT
+ SMTP(close)>>
LOG: MAIN REJECT
H=[V4NET.0.0.1] U=root sender verify fail for <bad@localhost>: response to "RCPT TO:<bad@localhost>" from 127.0.0.1 [127.0.0.1] was: 550 Unknown user
LOG: MAIN REJECT
SMTP>> RCPT TO:<uncheckable@localhost1>
SMTP<< 450 Temporary error
SMTP>> QUIT
+ SMTP(close)>>
LOG: MAIN REJECT
H=[V4NET.0.0.1] U=root sender verify defer for <uncheckable@localhost1>: response to "RCPT TO:<uncheckable@localhost1>" from 127.0.0.1 [127.0.0.1] was: 450 Temporary error
LOG: MAIN REJECT
SMTP>> MAIL FROM:<>
SMTP<< 550 Error for <>
SMTP>> QUIT
+ SMTP(close)>>
LOG: MAIN REJECT
H=[V4NET.0.0.1] U=root sender verify fail for <uncheckable2@localhost1>: response to "MAIL FROM:<>" from 127.0.0.1 [127.0.0.1] was: 550 Error for <>
LOG: MAIN REJECT
SMTP<< 550-Multiline error for <>
550 Here's the second line
SMTP>> QUIT
+ SMTP(close)>>
LOG: MAIN REJECT
H=[V4NET.0.0.1] U=root sender verify fail for <uncheckable@localhost1>: response to "MAIL FROM:<>" from 127.0.0.1 [127.0.0.1] was: 550-Multiline error for <>\n550 Here's the second line
LOG: MAIN REJECT
SMTP>> RCPT TO:<z@remote.domain>
SMTP<< 550 Recipient not liked
SMTP>> QUIT
+ SMTP(close)>>
LOG: MAIN REJECT
H=[V4NET.0.0.3] U=root F=<uncheckable@localhost1> rejected RCPT <z@remote.domain>: response to "RCPT TO:<z@remote.domain>" from 127.0.0.1 [127.0.0.1] was: 550 Recipient not liked
LOG: smtp_connection MAIN
SMTP<< 550-Recipient not liked on two lines
550 Here's the second
SMTP>> QUIT
+ SMTP(close)>>
LOG: MAIN REJECT
H=[V4NET.0.0.3] U=root F=<uncheckable@localhost1> rejected RCPT <z@remote.domain>: response to "RCPT TO:<z@remote.domain>" from 127.0.0.1 [127.0.0.1] was: 550-Recipient not liked on two lines\n550 Here's the second
LOG: smtp_connection MAIN
SMTP>> RCPT TO:<abcd@x.y.z>
SMTP<< 550 Not liked
SMTP>> QUIT
+ SMTP(close)>>
LOG: MAIN REJECT
H=[V4NET.0.0.4] U=root F=<uncheckable@localhost1> rejected after DATA: there is no valid sender in any header line
LOG: smtp_connection MAIN
SMTP>> RCPT TO:<abcd@x.y.z>
SMTP<< 550 Not liked
SMTP>> QUIT
+ SMTP(close)>>
LOG: MAIN REJECT
H=[V4NET.0.0.4] U=root F=<uncheckable@localhost1> rejected after DATA: there is no valid sender in any header line
LOG: smtp_connection MAIN
SMTP>> RCPT TO:<postmaster@localhost1>
SMTP<< 250 OK
SMTP>> QUIT
+ SMTP(close)>>
LOG: MAIN REJECT
H=[V4NET.0.0.5] U=root F=<ok@localhost1> rejected RCPT <z@remote.domain>: relay not permitted
LOG: smtp_connection MAIN
SMTP>> RCPT TO:<postmaster@localhost1>
SMTP<< 550 Don't like postmaster
SMTP>> QUIT
+ SMTP(close)>>
LOG: MAIN REJECT
H=[V4NET.0.0.5] U=root sender verify fail for <ok@localhost1>: response to "RCPT TO:<postmaster@localhost1>" from 127.0.0.1 [127.0.0.1] was: 550 Don't like postmaster
LOG: MAIN REJECT
SMTP>> RCPT TO:<z@remote.lmtp>
SMTP<< 550 Recipient not liked
SMTP>> QUIT
+ SMTP(close)>>
LOG: MAIN REJECT
H=[V4NET.0.0.3] U=root F=<uncheckable@localhost1> rejected RCPT <z@remote.lmtp>: response to "RCPT TO:<z@remote.lmtp>" from 127.0.0.1 [127.0.0.1] was: 550 Recipient not liked
LOG: smtp_connection MAIN
SMTP connection from root
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP>> QUIT
+ SMTP(close)>>
LOG: MAIN REJECT
H=[V4NET.0.0.1] U=root sender verify defer for <bad@localhost1>: response to "initial connection" from 127.0.0.1 [127.0.0.1] was: connection dropped
LOG: MAIN REJECT
SMTP>> RCPT TO:<ok@localhost>
SMTP<< 250 OK
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for localhost:
result=1 postmaster=0 random=0
wrote positive callout cache address record for ok@localhost
callout cache: address record expired for ok@localhost
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... failed: Connection refused
+connect: Connection refused
LOG: MAIN REJECT
H=[V4NET.0.0.1] U=root sender verify defer for <ok@localhost>: could not connect to 127.0.0.1 [127.0.0.1]: Connection refused
created log directory TESTSUITE/spool/log
SMTP>> RCPT TO:<bad@localhost>
SMTP<< 550 REJECTED
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for localhost:
result=1 postmaster=0 random=0
wrote negative callout cache address record for bad@localhost
SMTP>> MAIL FROM:<>
SMTP<< 550 REJECT MAIL FROM
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for localhost:
result=3 postmaster=0 random=0
LOG: MAIN REJECT
SMTP>> RCPT TO:<postmaster@otherhost>
SMTP<< 550 NOT OK
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for otherhost:
result=1 postmaster=2 random=0
wrote positive callout cache address record for ok@otherhost
SMTP>> RCPT TO:<postmaster@otherhost2>
SMTP<< 250 OK
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for otherhost2:
result=1 postmaster=1 random=0
wrote positive callout cache address record for ok@otherhost2
SMTP>> RCPT TO:<myhost.test.ex-dddddddd-testing@otherhost3>
SMTP<< 250 OK
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for otherhost3:
result=1 postmaster=0 random=1
LOG: smtp_connection MAIN
SMTP>> RCPT TO:<myhost.test.ex-dddddddd-testing@otherhost4>
SMTP<< 250 OK
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for otherhost4:
result=1 postmaster=0 random=1
LOG: smtp_connection MAIN
SMTP>> RCPT TO:<postmaster@otherhost41>
SMTP<< 250 OK
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for otherhost41:
result=1 postmaster=1 random=2
wrote positive callout cache address record for ok@otherhost41
SMTP>> RCPT TO:<postmaster@otherhost21>
SMTP<< 250 OK
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for otherhost21:
result=1 postmaster=1 random=0
wrote positive callout cache address record for ok@otherhost21
SMTP>> RCPT TO:<ok2@otherhost21>
SMTP<< 250 OK
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for otherhost21:
result=1 postmaster=1 random=0
wrote positive callout cache address record for ok2@otherhost21
SMTP>> RCPT TO:<ok@otherhost31>
SMTP<< 250 OK
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for otherhost31:
result=1 postmaster=0 random=2
wrote positive callout cache address record for ok@otherhost31
SMTP>> RCPT TO:<okok@otherhost31>
SMTP<< 250 OK
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for otherhost31:
result=1 postmaster=0 random=2
wrote positive callout cache address record for okok@otherhost31
SMTP>> RCPT TO:<okokok@otherhost31>
SMTP<< 250 OK
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for otherhost31:
result=1 postmaster=0 random=2
wrote positive callout cache address record for okokok@otherhost31
SMTP<< 250 OK
SMTP>> RCPT TO:<myhost.test.ex-dddddddd-testing@otherhost51>
SMTP timeout
+ SMTP(close)>>
wrote callout cache domain record for otherhost51:
result=1 postmaster=0 random=0
LOG: MAIN REJECT
SMTP>> RCPT TO:<postmaster@otherhost52>
SMTP<< 250 OK
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for otherhost52:
result=1 postmaster=1 random=0
wrote positive callout cache address record for okokok@otherhost52
SMTP>> RCPT TO:<abcd@x.y.z>
SMTP<< 250 OK
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for x.y.z:
result=1 postmaster=0 random=0
wrote positive callout cache address record for abcd@x.y.z/<somesender@a.domain>
SMTP<< 250 OK
SMTP>> RCPT TO:<abcd@x.y.z>
SMTP timeout
+ SMTP(close)>>
wrote callout cache domain record for x.y.z:
result=1 postmaster=0 random=0
LOG: MAIN
SMTP>> RCPT TO:<postmaster>
SMTP<< 250 OK
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for otherhost9:
result=1 postmaster=1 random=0
wrote positive callout cache address record for ok@otherhost9
SMTP>> RCPT TO:<postmaster@test.ex>
SMTP<< 250 OK
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for test.ex:
result=1 postmaster=1 random=2
wrote positive callout cache address record for z@test.ex/<postmaster@myhost.test.ex>
SMTP<< 550 Unknown
SMTP>> QUIT
cmd buf flush ddd bytes
+ SMTP(close)>>
locking TESTSUITE/spool/db/callout.lockfile
locked TESTSUITE/spool/db/callout.lockfile
EXIM_DBOPEN(TESTSUITE/spool/db/callout)
SMTP<< 250 OK
SMTP>> QUIT
cmd buf flush ddd bytes
+ SMTP(close)>>
locking TESTSUITE/spool/db/callout.lockfile
locked TESTSUITE/spool/db/callout.lockfile
EXIM_DBOPEN(TESTSUITE/spool/db/callout)
>>> SMTP<< 250 OK
>>> SMTP>> QUIT
>>> cmd buf flush 6 bytes
+>>> SMTP(close)>>
>>> wrote callout cache domain record for b:
>>> result=1 postmaster=0 random=0
>>> wrote positive callout cache address record for a@b
>>> SMTP>> EHLO myhost.test.ex
>>> cmd buf flush 21 bytes
>>> SMTP timeout
+>>> SMTP(close)>>
>>> ----------- end verify ------------
>>> accept: condition test deferred in ACL "mail"
LOG: H=[1.2.3.4] sender verify defer for <p1@q>: Could not complete sender verify callout
SMTP>> RCPT TO:<postmaster@localhost>
SMTP<< 550 NO
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for localhost:
result=1 postmaster=2 random=0
wrote positive callout cache address record for Ok@localhost
SMTP>> RCPT TO:<NOTok@elsewhere>
SMTP<< 550 NO
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for elsewhere:
result=1 postmaster=0 random=0
wrote negative callout cache address record for NOTok@elsewhere
SMTP>> RCPT TO:<NOTok2@elsewhere>
SMTP<< 550 NO
SMTP>> QUIT
+ SMTP(close)>>
wrote callout cache domain record for elsewhere:
result=1 postmaster=0 random=0
wrote negative callout cache address record for NOTok2@elsewhere
SMTP<< 250 OK
SMTP>> RCPT TO:<r11@two.test.ex>
SMTP timeout
+ SMTP(close)>>
wrote callout cache domain record for two.test.ex:
result=1 postmaster=0 random=0
LOG: MAIN REJECT
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP timeout
+ SMTP(close)>>
LOG: MAIN REJECT
U=CALLER F=<x11@two.test.ex> temporarily rejected RCPT r11@two.test.ex: Could not complete recipient verify callout
LOG: smtp_connection MAIN
>>> accept: condition test succeeded in ACL "ar"
>>> end of ACL "ar": ACCEPT
>>> SMTP>> QUIT
+>>> SMTP(close)>>
>>> ----------- cutthrough shutdown (host-checking mode) ------------
LOG: 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=(myhost.test.ex) [1.2.3.4] P=esmtp S=sss for verify@domain.com
LOG: MAIN
>> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmaY-0005vi-00"
SMTP>> QUIT
+ SMTP(close)>>
----------- cutthrough shutdown (delivered) ------------
LOG: MAIN
<= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
LOG: MAIN
>> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbA-0005vi-00"
SMTP>> QUIT
+ SMTP(close)>>
----------- cutthrough shutdown (delivered) ------------
LOG: MAIN
<= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
LOG: MAIN
>> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbC-0005vi-00"
SMTP>> QUIT
+ SMTP(close)>>
----------- cutthrough shutdown (delivered) ------------
LOG: MAIN
<= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
LOG: MAIN
>> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmaY-0005vi-00"
SMTP>> QUIT
+ SMTP(close)>>
----------- cutthrough shutdown (delivered) ------------
LOG: MAIN
<= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
LOG: MAIN
>> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbA-0005vi-00"
SMTP>> QUIT
+ SMTP(close)>>
----------- cutthrough shutdown (delivered) ------------
LOG: MAIN
<= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
LOG: MAIN
>> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbC-0005vi-00"
SMTP>> QUIT
+ SMTP(close)>>
----------- cutthrough shutdown (delivered) ------------
LOG: MAIN
<= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
>>> SMTP<< 250 Accepted
>>> SMTP>> QUIT
>>> cmd buf flush 6 bytes
+>>> SMTP(close)>>
>>> wrote callout cache domain record for dane256ee.test.ex:
>>> result=1 postmaster=0 random=0
>>> wrote positive callout cache address record for CALLER@dane256ee.test.ex