From e45a1c3738f3cec60acf36ae268f8cbf35a2ce7d Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 9 Mar 2014 16:41:20 +0000 Subject: [PATCH] Log incoming-TLS details on rejects. Bug 305 --- doc/doc-docbook/spec.xfpt | 1 + doc/doc-txt/ChangeLog | 3 +++ src/src/smtp_in.c | 48 ++++++++++++++++++++++++++++----------- 3 files changed, 39 insertions(+), 13 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 09220857d..345effd0e 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -34056,6 +34056,7 @@ the following table: &`R `& on &`<=`& lines: reference for local bounce &` `& on &`=>`& &`**`& and &`==`& lines: router name &`S `& size of message +&`SNI `& server name indication from TLS client hello &`ST `& shadow transport name &`T `& on &`<=`& lines: message subject (topic) &` `& on &`=>`& &`**`& and &`==`& lines: transport name diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 83c255c24..0c51bc393 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -48,6 +48,9 @@ TL/05 Rename SPF condition results err_perm and err_temp to standardized JH/04 Add ${utf8clean:} operator. Contributed by Alex Rau. +JH/05 Bugzilla 305: Log incoming-TLS details on rejects, subject to log + selectors, in both main and reject logs. + Exim version 4.82 ----------------- diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 1d62bab05..9981e8d51 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -1163,6 +1163,32 @@ return string_sprintf("SMTP connection from %s", hostname); +#ifdef SUPPORT_TLS +static uschar * +s_tlslog(uschar * s, int * sizep, int * ptrp) +{ + int size = sizep ? *sizep : 0; + int ptr = ptrp ? *ptrp : 0; + + if ((log_extra_selector & LX_tls_cipher) != 0 && tls_in.cipher != NULL) + s = string_append(s, &size, &ptr, 2, US" X=", tls_in.cipher); + if ((log_extra_selector & LX_tls_certificate_verified) != 0 && + tls_in.cipher != NULL) + s = string_append(s, &size, &ptr, 2, US" CV=", + tls_in.certificate_verified? "yes":"no"); + if ((log_extra_selector & LX_tls_peerdn) != 0 && tls_in.peerdn != NULL) + s = string_append(s, &size, &ptr, 3, US" DN=\"", + string_printing(tls_in.peerdn), US"\""); + if ((log_extra_selector & LX_tls_sni) != 0 && tls_in.sni != NULL) + s = string_append(s, &size, &ptr, 3, US" SNI=\"", + string_printing(tls_in.sni), US"\""); + + if (sizep) *sizep = size; + if (ptrp) *ptrp = ptr; + return s; +} +#endif + /************************************************* * Log lack of MAIL if so configured * *************************************************/ @@ -1195,18 +1221,7 @@ if (sender_host_authenticated != NULL) } #ifdef SUPPORT_TLS -if ((log_extra_selector & LX_tls_cipher) != 0 && tls_in.cipher != NULL) - s = string_append(s, &size, &ptr, 2, US" X=", tls_in.cipher); -if ((log_extra_selector & LX_tls_certificate_verified) != 0 && - tls_in.cipher != NULL) - s = string_append(s, &size, &ptr, 2, US" CV=", - tls_in.certificate_verified? "yes":"no"); -if ((log_extra_selector & LX_tls_peerdn) != 0 && tls_in.peerdn != NULL) - s = string_append(s, &size, &ptr, 3, US" DN=\"", - string_printing(tls_in.peerdn), US"\""); -if ((log_extra_selector & LX_tls_sni) != 0 && tls_in.sni != NULL) - s = string_append(s, &size, &ptr, 3, US" SNI=\"", - string_printing(tls_in.sni), US"\""); +s = s_tlslog(s, &size, &ptr); #endif sep = (smtp_connection_had[SMTP_HBUFF_SIZE-1] != SCH_NONE)? @@ -2694,8 +2709,13 @@ the connection is not forcibly to be dropped, return 0. Otherwise, log why it is closing if required and return 2. */ if (log_reject_target != 0) - log_write(0, log_reject_target, "%s %s%srejected %s%s", + log_write(0, log_reject_target, "%s%s %s%srejected %s%s", host_and_ident(TRUE), +#ifdef SUPPORT_TLS + s_tlslog(NULL, NULL, NULL), +#else + "", +#endif sender_info, (rc == FAIL)? US"" : US"temporarily ", what, log_msg); if (!drop) return 0; @@ -4777,4 +4797,6 @@ while (done <= 0) return done - 2; /* Convert yield values */ } +/* vi: aw ai sw=2 +*/ /* End of smtp_in.c */ -- 2.25.1